Network Security
Our network security news section contains a range of articles relating to securing networks and blocking cyberattacks, ransomware and malware downloads. This section also features articles on recent network security breaches, alerting organizations to the latest attack trends being used by cybercriminals.
Layered cybersecurity defenses are essential given the increase in hacking incidents and the explosion in ransomware and malware variants over the past two years. Organizations can tackle the threat by investing in new security defenses such as next generation firewalls, end point protection systems, web filtering solutions and advanced anti-malware and antivirus defenses.
While much investment goes on tried and tested solutions that have been highly effective in the past, many cybersecurity solutions – antivirus software – are not as effective as they once were. In order to maintain pace with hackers and cybercriminals and get ahead of the curve, organizations should consider implementing a wide range of new cybersecurity solutions to block network intrusions, prevent data breaches and improve protection against the latest malware and ransomware threats.
This category contains information and advice on alternative network security solutions that can be adopted to improve network security and ensure networks are not infiltrated by hackers and infected with malicious software.
by titanadmin | May 25, 2018 | Industry News, Internet Security, Network Security |
Data breach costs have risen considerably in the past year, according to a recent study of corporate IT security risks by Kaspersky Lab. Compared to 2016, the cost of a data breach for enterprises increased by 24% in 2017, and by even more for SMBs, who saw data breach costs rise by 36% in 2017.
The average cost of data breach recovery for an average-sized enterprise is now $1.23 million per data breach, while the cost for SMBs is now $120,000 per incident.
For the study, Kaspersky Lab surveyed 6,614 business decision makers. Respondents were asked about the main threats they have to deal with, cybersecurity incidents they have experienced in the past year, how much they spent resolving those incidents, and how that money was spent.
When a data breach is experienced, the costs can quickly mount. Enterprises and SMBs must contain the attack, scan systems for malware and backdoors, and pay for improvements to security and infrastructure to prevent similar attacks from occurring in the future. Staff need to receive additional training, new staff often need to be brought in, and third-parties hired to assist with recovery and security assessments.
Data breach recovery can take time and considerable effort. Additional wages have to be paid to staff assisting in the recovery process, there can be losses due to system downtime, repairing damage to a brand prove costly, credit monitoring and identity theft recovery services may have to be provided to breach victims, insurance premiums rise, credit ratings drop, and there may also be regulatory fines to cover.
The largest component of data breach costs is making emergency improvements to security and infrastructure to prevent further attacks, which is around $193,000 per breach for enterprises, the second biggest cost for enterprises is repairing reputation damage, which causes major increases in insurance costs and can severely damage credit ratings. On average, this costs enterprises $180,000. Providing after-the-event security awareness training to the workforce was the third biggest cost for enterprises at $137,000.
It is a similar story for SMBs who typically pay around $15,000 for each of the above three cost categories. A lack of inhouse expertise means SMBs often have to call in cybersecurity experts to assist with making improvements to security and for forensic analyses to determine how access to data was gained.
Data breaches affecting third-party hosted infrastructure are the costliest for SMBs, followed by attacks on non-computing connected devices, third party cloud services, and targeted attacks. For enterprises, the costliest data breaches are targeted attacks followed by attacks on third-party infrastructure, attacks on non-computing connected devices, third party cloud services, and leaks from internal systems.
The high cost of recovering from a data breach means a successful cyberattack on an SMB could be catastrophic, forcing the company to permanently shut its doors. It is therefore no surprise that businesses are allocating more of their IT budgets to improving their security defenses. Enterprises are now spending an average of $8.9 million on cybersecurity each year, while SMBs spend an average of $246,000. Even though the cost of additional cybersecurity defenses is high, it is still far lower than the cost of recovering from data breaches.
While data breach prevention is a key driver for greater investment in cybersecurity, that is far from the only reason for devoting a higher percentage of IT budgets to security. The main drivers for increasing security spending are the increasing complexity of IT infrastructure (34%), improving the level of security expertise (34%), and management wanting to improve security defenses (29%).
by titanadmin | May 24, 2018 | Internet Security, Network Security |
A suspected nation-state sponsored hacking group has succeeded in infecting at least half a million routers with VPNFilter malware.
VPNFilter is a modular malware capable of various functions, including the monitoring of all communications, launching attacks on other devices, theft of credentials and data, and even destroying the router on which the malware has been installed. While most IoT malware infections – including those used to build large botnets for DDoS attacks – are not capable of surviving a reboot, VPNFilter malware can survive such a reset.
The malware can be installed on the type of routers often used by small businesses and consumers such as those manufactured by Netgear, Linksys, TP-Link and MikroTik, as well as network-attached storage (NAS) devices from QNAP, according to security researchers at Cisco Talos who have been monitoring infections over the past few months.
The ultimate aim of the attackers is unknown, although the infected devices could potentially be used for a wide range of malicious activities, including major cyberattacks on critical infrastructure, such as disrupting power grids – as was the case with BlackEnergy malware.
Since it is possible for the malware to disable Internet access, the threat actors behind the campaign could easily prevent large numbers of individuals in a targeted region from going online.
While the malware has been installed on routers around the world – infections have been detected in 54 countries – the majority of infections are in Ukraine. Infections in Ukraine have increased significantly in the past few weeks.
While the investigation into the campaign is ongoing, the decision was taken to go public due to a massive increase in infected devices over the past three weeks, together with the incorporation of advanced capabilities which have made the malware a much more significant threat.
While the researchers have not pointed the finger at Russia, they have identified parts of the code which are identical to that used in BlackEnergy malware, which was used in several attacks in Ukraine. BlackEnergy has been linked to Russia by some security researchers. BlackEnergy malware has been used by other threat actors not believed to be tied to Russia to the presence of the same code in both forms of malware is not concrete proof of any link to Russia.
The FBI has gone a step further by attributing the malware campaign to the hacking group Fancy Bear (APT28/Pawn Storm) which has links to the Russian military intelligence agency GRU. Regardless of any nation-state backing, the sophisticated nature of the malware means it is the work of a particularly advanced hacking group.
Most of the attacked routers are aging devices that have not received firmware updates to correct known flaws and many of the attacked devices have not had default passwords changed, leaving them vulnerable to attack. It is not entirely clear exactly how devices are being infected although the exploitation of known vulnerabilities is most probable, rather than the use of zero-day exploits; however, the latter has not been ruled out.
Some progress has been made disrupting the VPNFilter malware campaign. The FBI has seized and sinkholed a domain used by the malware to communicate with the threat group behind the campaign. Without that domain, the attackers cannot control the infected routers and neither identify new devices that have been infected.
Ensuring a router is updated and has the latest firmware will offer some degree of protection, as will changing default passwords on vulnerable devices. Unfortunately, it is not easy to tell if a vulnerable router has been infected. Performing a factory reset of a vulnerable router is strongly recommended as a precaution.
Rebooting the device will not eradicate the malware, but it will succeed in removing some of the additional code downloaded to the device. However, those additional malware components could be reinstalled once contact is re-established with the device.
by titanadmin | May 10, 2018 | Internet Security, Network Security, Website Filtering |
Ransomware attacks on businesses appear to be declining. In 2017 and 2018 there has been a marked decrease in the number of attacks. While this is certainly good news, it is currently unclear whether the fall in attacks is just a temporary blip or if the trend will continue.
Ransomware attacks may have declined, but there has been a rise in the use of cryptocurrency mining malware, with cybercriminals taking advantage in the high price of cryptocurrencies to hijack computers and turn them into cryptocurrency-mining slaves. These attacks are not as devastating or costly as ransomware attacks, although they can still take their toll, slowing down endpoints which naturally has an impact on productivity.
While ransomware attacks are now occurring at a fraction of the level of 2016 – SonicWall’s figures suggest there were 184 million attacks in 2017 compared to 638 million in 2016 – the risk of an attack is still significant.
Small players are still taking advantage of ransomware-as-a-service – available through darknet forums and marketplaces – to conduct attacks and organized cybercriminal gangs are conducting targeted attacks. In the case of the latter, victims are being selected based on their ability to pay and the likelihood of a payment being made.
These targeted attacks have primarily been conducted on organizations in the healthcare industry, educational institutions, municipalities and the government. Municipalities are targeted because massive disruption can be caused, and attacks are relatively easy to pull off. Municipalities typically do not have the budgets to devote to cybersecurity.
Attacks in healthcare and education industries are made easier by the continued use of legacy software and operating systems and highly complex networks that are difficult to secure. Add to that the reliance on access to data and not only are attacks relatively easy, there is a higher than average chance of a ransom being paid.
In the past, the aim of ransomware gangs was to infect as many users as possible. Now, targeted attacks are conducted with the aim of infecting as many end points as possible within an organization. The more systems and computers that are taken out of action, the greater the disruption and cost of mitigating the attack without paying the ransom.
Most organizations, government agencies, municipalities, have sound backup policies and can recover all data encrypted by ransomware without paying the ransom. However, the time taken to recover files from backups and restore systems – and the cost of doing so – makes payment of the ransom preferable.
The attack on the City of Atlanta shows just how expensive recovery can be. The cost of restoring systems and mitigating the attack was at least $2.6 million – The ransom demand was in the region of $50,000. It is therefore no surprise that so many victims have chosen to pay up.
Even though the ransom payment is relatively low compared to the cost of recovery, it is still far more expensive than the cost of implementing security solutions to prevent attacks.
There is no single solution that can block ransomware and malware attacks. Multi-layered defenses must be installed to protect the entire attack surface. Most organizations have implemented anti-spam solutions to reduce the risk of email-based attacks, and security awareness training is helping to eliminate risky behaviors and teach security best practices, but vulnerabilities still remain with DNS security often lacking.
Vulnerabilities in DNS are being abused to install ransomware and other malware variants and hide communications with command and control servers and call home addresses. Implementing a DNS-based web filtering solution offers protection against phishing, ransomware and malware by preventing users from visiting malicious websites where malware and ransomware is downloaded and blocking C2 server communications. DNS-based web filters also provide protection against the growing threat from cryptocurrency mining malware.
To mount an effective defense against phishing, malware and ransomware attacks, traditional cybersecurity defenses such as ant-virus software, spam filters, and firewalls should be augmented with web filtering to provide security at the DNS layer. To find out more about how DNS layer security can improve your security posture, contact TitanHQ today and ask about WebTitan.
by titanadmin | May 2, 2018 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Software, Website Filtering |
Another school district has fallen victim to a ransomware attack, which has seen files encrypted and systems taken out of action for two weeks. The Leominster school district ransomware attack saw a ransom demand of approximately $10,000 in Bitcoin was issued for the keys to unlock the encrypted files, which includes the school’s entire student database.
School districts attacked with ransomware often face a difficult decision when ransomware is installed. Attempt to restore systems and recover lost data from backups or pay the ransom demand. The first option is time consuming, costly, and can see systems remain out of action for several days. The second option includes no guarantees that the attackers will make good on their promise and will supply valid keys to unlock the encryption. The keys may not be held, it may not be possible to unlock files, or a further ransom demand could be issued. There have been many examples of all three of those scenarios.
The decision not to pay the ransom demand may be the costlier option. The recent ransomware attack on the City of Atlanta saw a ransom demand issued in the region of $50,000. The cost of recovering from the attack was $2.6 million, although that figure does include the cost of improvements to its security systems to prevent further attacks.
School districts are often targeted by cybercriminals and ransomware offers a quick and easy way to make money. The attackers know all too well that data can most likely be recovered from backups and that the ransom does not need to be paid, but the cost of recovery is considerable. Ransom demands are set accordingly – high enough for the attackers to make a worthwhile amount, but low enough to tempt the victims into paying.
In the case of the Leominster ransomware attack, the second option was chosen and the ransom demand of was paid. That decision was taken after carefully weighing up both options. The risk that no keys would be supplied was accepted. In this case, they were supplied, and efforts are well underway to restore files and implement further protections to ensure similar incidents do not occur in the future.
Even though the ransom was paid, the school district was still without access to its database and some of its computer systems two weeks after the attack. Files were encrypted on April 14, but systems were not brought back online until May 1.
Unfortunately for the Leominster School District, ransom payments are not covered by its cyberinsurance policy, so the payment had to come from its general fund.
There is no simple way to defend against ransomware attacks, as no single cybersecurity solution will prove to be 100% effective at blocking the threat. Multiple attack vectors are used, and it is up to school districts to implement defenses to protect the entire attack surface. The solution is to defend in numbers – use multiple security solutions to create layered defenses.
Some of the most important defenses include:
- An advanced firewall to defend the network perimeter
- Antivirus and anti-malware solutions on all endpoints/servers
- Vulnerability scanning and good patch management policies. All software, systems, websites, applications, and operating systems should be kept up to date with patches applied promptly
- An advanced spam filtering solution to prevent malicious emails from being delivered to end users. The solution should block all executable files
- Disable RDP if it is not required
- Provide security awareness training for employees and teach staff and students the skills to enable them to identify malicious emails and stop risky behaviors
- A web filtering solution capable of blocking access to malicious websites
The cost of implementing these solutions is likely to be far lower than the cost of a ransom payment and certainly lower than the cost of mitigating a ransomware attack.
by titanadmin | Apr 27, 2018 | Industry News, Internet Security, Network Security |
The cost of the Equifax data breach has risen to more than $242 million, and that figure will continue to rise and could even double.
According to the Equifax financial report for the first quarter of 2018, the total spent on mitigation and preventative measures to avoid a further security breach is now $242.7 million.
The breach, which was made public in September 2017, affected 147.9 million customers, making it one of the largest data breaches ever discovered and certainly one of the most serious considering the types of data involved. Yahoo may have experienced much larger breaches, but the data exposed in those incidents was far less sensitive.
Fortunately for Equifax, it holds a sizable insurance policy against cybersecurity incidents. The policy will cover up to $125 million of the cost, minus a $7.5 million deductible. That insurance policy has already paid out $60 million, with $10 million in payments received in the first quarter of 2018.
The breakdown of cost of the Equifax data breach so far for Q1, 2018 is:
- $45.7 million on IT security
- $28.9 million on legal fees and investigation of the breach
- $4.1 million on product liability
- $10 million has been recovered from an insurance payout.
The net expenses from the breach in the first quarter of 2018 was $68.7 million. That is on top of the $114 million spent in the final quarter of 2017, which is broken down as $64.6 million on product costs and customer support, $99.4 million on professional fees, minus $50 million that was paid by its insurance carrier. The net spend so far for Q4, 2017 and Q1, 2018 is $140.5 million, although Equifax reports that the total costs related to the cybersecurity incident and incremental IT and data security costs has been $242.7 million.
Equifax has also reported that throughout 2018 and 2019 the firm will be investing heavily in IT and is committed to building an industry-leading data security system, although the firm has not disclosed how much it is expecting to spend, as the company does not have visibility into costs past 2018.
Equifax has predicted that there will be at least a further $275 million in expenses related to the cyberattack which must still be covered, although a further $57.5 million should be covered by its insurance policy.
While considerable costs have been incurred so far, the firm has done little to repair the reputational damage suffered as a result of the breach and has yet to hire many of the new staff it plans to bring in to help with the breach recovery, including a new CTO. The firm has said that it is taking a very aggressive approach in attracting the top talent in both IT and data security.
The high cost of the Equifax data breach to date, and the ongoing costs, is likely to make this the most expensive data breach of all time.
by titanadmin | Apr 26, 2018 | Internet Security, Network Security |
The Atlanta ransomware attack that took IT systems and computers out of action and brought many municipal operations to a grinding halt has proven particularly costly for the city.
On March 22, 2018, ransomware was deployed on its network forcing a shutdown of PCs and systems used by some 8,000 employees. Those employees were forced to work on pen and paper while attempts were made to recover from the attack. With IT systems offline, many municipal services stopped entirely.
The attackers sent a ransom demand for approximately $50,000. By paying the ransom, the city could potentially have been given the keys to unlock the files encrypted by the SamSam ransomware variant used in the attack. However, there are never any guarantees decryption keys will be supplied. Many victims have received further demands for payment after the initial demand was paid, and there have been many cases where the attackers have not made good on their promise and did not supply any valid keys.
It is unclear whether the ransom payment was made, although that appears unlikely. The payment portal used by the attackers went offline shortly after the attack and the cleanup costs following the Atlanta ransomware attack have been considerable. The high cost suggests the city opted to recover its data and restore systems from backups.
In the immediate aftermath of the Atlanta ransomware attack, the city awarded emergency procurements to eight firms to assist with recovery efforts. The total cost of those services was $2,667,328.
The city spent $60,000 on incident response services, $50,000 on crisis communication services, and $60,000 on support staff augmentation. Secureworks was paid $650,000 for emergency incident response services, Two contracts were awarded to assist with its Microsoft cloud and Windows environments, including migrating certain on-premises systems to the cloud. Those two contracts totaled $1,330,000 and a further $600,000 was paid to Ernst & Young for advisory services for cyber incident response. The $2.6 million cost could rise further still.
Paying the threat actors who conducted the Atlanta ransomware attack could well have seen sizable savings made, although it would certainly not have cost $50,000. Some of the costs associated with recovery from the attack have been spent on improving security to prevent further incidents, and certainly to make recovery less costly. Those costs would still have to be recovered even if the ransom was paid.
What is clear however, is that $2.6 million paid on reactive services following a ransomware attack will not give tremendous value for money. Had that amount been spent on preventative measures prior to the attack, the city would have got substantially more value for every buck spent. Some industry experts have estimated the cost of preventative measures rather than reactive measures would have been just 20% of the price that was paid.
The attack revealed the City of Atlanta was unprepared and had failed to implement appropriate defenses. The city was vulnerable to attack due to the failure to apply security best practices, such as closing open ports on its systems and segmenting its network. The vulnerabilities made an attack far to easy. However, it would be unfair to single out the city as many others are in exactly the same position.
This incident should therefore serve as a stern warning to other cities and organizations that the failure to adequately prepare for an attack, implement appropriate defenses, and apply security best practices will likely lead to an incredibly costly attack.
It may be difficult to find the money to spend on ransomware attack prevention measures, but it will be much harder to find five times the cost to implement defenses and respond after an attack has taken place.
by titanadmin | Apr 25, 2018 | Industry News, Network Security |
A warning has been issued to the healthcare industry over an extensive campaign of targeted cyberattacks by the Orangeworm threat group. The Orangeworm threat group has been operating since 2015, but activity has been largely under the radar. It is only recently that the group’s activities have been identified and disclosed.
Attacks have been conducted on a range of industries, although the primary targets appear to be large healthcare organizations. 39% of confirmed attacks by the Orangeworm threat group have been on organizations in the healthcare industry, including large healthcare providers and pharmaceutical firms. IT service providers, manufacturers, and logistics firms have also been attacked, many of which have links to the healthcare industry.
Some of the IT service providers discovered to have been attacked have contracts with healthcare organizations, while logistics firms have been attacked that deliver medical equipment, as have manufacturers of medical devices. The aim appears to be to infect and investigate the infrastructure of the entire supply chain.
The Orangeworm threat group is using a custom backdoor, which is deployed once access to a network is gained. First the backdoor is deployed on one device, giving the Orangeworm threat group full control of that device. The backdoor is then aggressively spread laterally within a network via unprotected network shares to infect as many devices as possible with the Kwampirs backdoor. While some steps have been taken by the group to avoid detection, this lateral worm-like movement is noisy and easily detected. The threat group does not seem to be overly concerned about hiding its activity.
This attack method works best on legacy operating systems such as Windows XP. Windows XP is no longer supported, and even though the continued use of the operating system is risky and in breach of industry regulations, many healthcare organizations still have many devices operating on Windows XP, especially machines connected to imaging equipment such as MRI and X-Ray machines. It is these machines that have been discovered to have been infected with the Kwampirs backdoor.
Once access is gained, the group is spending a considerable amount of time exploring networks and collecting information. While the theft of patient health information is possible, this does not appear to be a financially motivated attack and systems are not sabotaged.
Symantec, which identified a signature which has allowed the identification of the backdoor and raised the alert about the Orangeworm threat group, believes this is a large-scale espionage campaign with the aim of learning as much as possible about the targets’ systems. What the ultimate goal of the threat group is, no one knows.
The method of spreading the backdoor does not have the hallmarks of nation-state sponsored attacks, which tend to use quieter methods of spreading malware to avoid detection. However, the attacks are anything but random. The companies that have been attacked appear to have been targeted and well researched before the attacks have taken place.
That suggests the Orangeworm threat group is a cybercriminal gang or small collective of hackers, but the group is clearly organized, committed to its goals, and is capable of developing quite sophisticated malware. However, even though the group is clearly capable, and has operated under the radar for three years, during that time no updates have been made to their backdoor. That suggests the group has been confident that they would not be detected, or that they simply didn’t see the need to make any updates when their campaign was working so well.
While espionage may be the ultimate aim, the Orangeworm threat group could easily turn to more malicious and damaging attacks. Once the backdoor has been installed on multiple devices, they would be under full control of the hackers. The group has the capability to deploy malware such as wipers and ransomware and cause considerable damage or financial harm.
The ease at which networks can be infiltrated and the backdoor spread should be of major concern for the healthcare industry. The attacks show just how vulnerable the industry is and how poorly protected many organizations are.
The continued use of outdated and unsupported operating systems, a lack of network segmentation to prevent lateral movement once access has been gained, the failure to protect network shares, and poor visibility of the entire network make these attacks far too easy. In fact, simply following security best practices will prevent such attacks.
The attacks by the Orangeworm threat group should serve as a wakeup call to the industry. The next wave of attacks could be far, far worse.
by titanadmin | Apr 19, 2018 | Industry News, Internet Security, Network Security |
What is the future of the system administrator? What can sysadmins expect over the coming months and years and how are their jobs likely to change? Our predictions on what is likely to happen to the role in the foreseeable future.
What Does the Future of the System Administrator Have in Store?
The system administrator is an important role in any organization. Without sysadmins to deal with the day to day IT problems faced by organizations, the business would grind to a halt. Sysadmins also play an essential role in ensuring the security of the network by taking proactive steps to keep systems secure as well as responding to threats before they result in a data breach. With more cyberattacks occurring, increasingly complex IT systems being installed, and the fast pace of technological development, one thing is for sure: The future of the system administrator is likely to continue to involve long hours and hard work.
It is also easy to predict that the future of the system administrator will involve major changes to job descriptions. That has always been the case and never more so than now. There will be a continued need for on the job training and new systems and processes must continue to be learned. Being a System administrator is therefore unlikely to be boring.
According to data from the US Bureau of Labor Statistics, there is likely to be sustained growth in the profession for the next two years. While the forecast was previously 12% growth, this has now been reduced to 6% – similar to other occupations. The increased automation of many sysadmin tasks is partly responsible for this decline in growth, since businesses are likely to need less staff as manual processes are reduced. That said, the figures indicate demand for IT workers will remain high. Even with newer, faster technology being implemented, staff are still required to keep everything running smoothly.
XaaS, the Cloud, Virtualization, and VoIP Use to Grow
Unfortunately, while automation means greater efficiency, it can entail many hidden costs. For a start, with more automation it can become harder to determine the source of a problem when something goes wrong. Increased automation also means the system administrator must become even more knowledgeable. Automation typically involves scripting in various languages, so while you may have been able to get away with knowing Python or Windows PowerShell, you will probably need to become proficient in both, and maybe more.
If you are considering becoming a system administrator, now is the time to learn your first scripting language, as it will make it easier to learn others on the job if you understand the basics. It will also help you to get the job in the first place. The more you know, the better.
Use of the cloud is increasing, especially for backup and archiving, which in turn has reduced the need for server-centered tasks. While there has been a reduction in labor-intensive routine data operations, there has been a rise in the need to become proficient in the use of Application Programming Interfaces (APIs).
While many functions are now being outsourced through XaaS, it is still important to understand those functions. The future of the system administrator is likely to require XaaS to be screened and assessed to make sure those services match the IT needs of the organization. Sales staff will likely say their XaaS meets all business needs. Having an SA that understands the functions, the technology, and the needs of the business will be invaluable for screening out the services that are unsuitable.
To cut costs, many businesses are turning to VoIP. While this does offer considerable cost savings, businesses cannot tolerate less than the 99.999% of uptime offered by phone companies. The future of the system administrator is therefore likely to involve a thorough understanding of the dynamics of network load.
Virtualization has also increased, with a myriad of virtual networks making the SA’s job more complex. That means knowledge of switching and routing will have to improve.
Communication, Collaboration, and Negotiation Skills Required
The SA’s job no longer just involves studying manuals and learning new systems. SAs are now expected to be able to communicate more effectively, understand the business, and collaborate with others. SAs will need strong communication skills, must become excellent collaborators, and also be skilled at negotiation. Fortunately, there are many courses available that can help SAs improve in these areas.
by titanadmin | Apr 17, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
Providing security awareness training for employees helps to eradicate risky behaviors that could potentially lead to a network compromise. Training programs should cover all the major threats faced by your organization, including web-based attacks, phishing emails, malware, and social engineering scams via the telephone, text message, or social media channels.
All too often, businesses concentrate on securing the network perimeter with firewalls, deploying advanced anti-malware solutions, and implementing other technological controls such as spam filters and endpoint protection systems, yet they fail to provide effective security awareness training for employees. Even when security awareness training programs are developed, they are often once-a-year classroom-based training sessions that are forgotten quickly.
If you view security awareness training for employees as a once-a-year checkbox item that needs to be completed to ensure compliance with industry regulations, chances are your training will not have been effective.
The threat landscape is changing rapidly. Cybercriminals often change their tactics and develop new methods to attack organizations. If your security program does not incorporate these new methods of attack, and you do not provider refresher security awareness training for employees throughout the year, your employees will be more likely to fall for a scam or engage in actions that threaten the security of your data and the integrity of your network.
Many Businesses Fail to Provide Effective Security Awareness Training for Employees
One recent study has highlighted just own ineffective many security awareness training programs are. Positive Technologies ran a phishing and social engineering study on ten organizations to determine how effective their security awareness programs were and how susceptible employees are to some of the most common email-based scams.
These include emails with potentially malicious attachments, emails with hyperlinks to websites where the employee was required to enter their login credentials, and emails with attachments and links to a website. While none of the emails were malicious in nature, they mirrored real-world attack scenarios.
27% of employees responded to the emails with a link that required them to enter their login credentials, 15% responded to emails with links and attachments, and 7% responded to emails with attachments.
Even a business with 100 employees could see multiple email accounts compromised by a single phishing campaign or have to deal with multiple ransomware downloads. The cost of mitigating real world attacks is considerable. Take the recent City of Atlanta ransomware attack as an example. Resolving the attack has cost the city $2.7 million, according to Channel 2 Action News.
The study revealed a lack of security awareness across each organization. While employees were the biggest threat to network security, accounting for 31% of all individuals who responded to the emails, 25% were team supervisors who would have elevated privileges. 19% were accountants, administrative workers, or finance department employees, whose computers and login credentials would be considerably more valuable to attackers. Department managers accounted for 13% of the responders.
Even the IT department was not immune. While there may not have been a lack of security awareness, 9% of responders were in IT and 3% were in information security.
The study highlights just how important it is not only to provide security awareness training for employees, but to test the effectiveness of training and ensure training is continuous, not just a once a year session to ensure compliance.
Tips for Developing Effective Employee Security Awareness Training Programs
Employee security awareness training programs can reduce susceptibility to phishing attacks and other email and web-based threats. If you want to improve your security posture, consider the following when developing security awareness training for employees:
- Create a benchmark against which the effectiveness of your training can be measured. Conduct phishing simulations and determine the overall level of susceptibility and which departments are most at risk
- Offer a classroom-style training session once a year in which the importance of security awareness is explained and the threats that employees should be aware of are covered
- Use computer-based training sessions throughout the year and ensure all employees complete the training session. Everyone with access to email or the network should receive general training, with job and department-specific training sessions provided to tackle specific threats
- Training should be followed by further phishing and social engineering simulations to determine the effectiveness of training. A phishing simulation failure should be turned into a training opportunity. If employees continue to fail, re-evaluate the style of training provided
- Use different training methods to help with knowledge retention
- Keep security fresh in the mind with newsletters, posters, quizzes, and games
- Implement a one-click reporting system that allows employees to report potentially suspicious emails to their security teams, who can quickly take action to remove all instances of the email from company inboxes
Lire cet article en français.
by titanadmin | Apr 13, 2018 | Industry News, Internet Security, Network Security |
The SamSam ransomware attacks are continuing and the threat actors behind the campaign are showing no sign of stopping. So far in 2018 there have been at least 10 attacks in the United States, although many more may have gone unreported. Most of the known attacks have hit government agencies, municipalities, and healthcare organizations – all of whom are required to disclose attacks.
The attacks have caused massive disruption, taking computers, servers, and information systems out of action for several days to several weeks. Faced with the prospect of continued disruption to essential business processes, some organizations have chosen to pay the ransom – a risky strategy since there is no guarantee that the keys to unlock the encryption will work or even be supplied.
Others have refused to be extorted, often at great cost. One U.S. healthcare provider, Erie County Medical Center, took six weeks to fully recover from the attack. Mitigating the attack has cost several million dollars.
Multiple SamSam ransomware attacks are possible as the Colorado Department of Transportation discovered. After recovering from an attack in February, a second attack occurred in March.
It is not only financial harm that is caused by the attacks. Another hospital was attacked, and its outpatient clinic and three physician hospitals were unable to view histories or schedule appointments. The ransomware attack on the electronic medical record provider AllScripts saw its EMR systems taken out of action for several days. During that time, around 1,500 medical centers were unable to access patient health records resulting in many cancellations of non-critical medical appointments.
The March SamSam ransomware attack on the City of Atlanta brought many government services to a grinding halt. The extensive attack forced the shutdown of many systems, many of which remained inaccessible for six days. Bills and parking tickets couldn’t be paid and court proceedings had to be cancelled. The huge backlog of work continued to cause delays when systems were restored.
While the SamSam ransomware attacks have been concentrated on just a few industry sectors, the attacks are not necessarily targeted. What the victims have in common is they have been found to have easily exploitable vulnerabilities on public facing servers. They were attacked because mistakes had been made, vulnerabilities had not been patched promptly, and weak passwords had been set.
The threat actors behind the latest SamSam ransomware attacks have not been confirmed, although researchers at Secureworks believe the attacks are being conducted by the Gold LOWELL threat group. It is not known whether they are a defined group or a network of closely affiliated threat actors. What is known, whether it is GOLD LOWELL or other group, is they are largely staying under the radar.
What is more certain is the SamSam ransomware attacks will continue. In the first four weeks of January, the Bitcoin wallet used by the attackers showed $325,000 of ransom payments had been paid. The total in April is likely to be substantially higher. Hancock Health, one of two Indiana hospitals attacked this year, has confirmed that it paid a ransom demand of approximately $55,000 for the keys to unlock the encryption. As long as the attacks remain profitable and the threat actors can stay under the radar, there is no incentive to stop.
In contrast to many threat actors that use phishing emails and spam messages to deliver ransomware downloaders, this group exploits vulnerabilities on public-facing servers. Access is gained to the network, the attackers spend time navigating the network and moving laterally, before the ransomware payload is finally deployed. Detecting network intrusions quickly may prevent file encryption, or at least limit the damage caused.
The ongoing campaign has now prompted the U.S. Department of Health and Human Services’ Healthcare Cybersecurity Integration and Communications Center (HCCIC) to issue a warning to healthcare organizations about the continued threat of attacks. Healthcare organizations should heed the advice of the HCCIC and not only implement defences to block attacks but also to prepare for the worst. If contingency plans are made and incident response procedures are developed in advance, disruption and cost will be kept to a minimum.
That advice from the HCCIC to prevent SamSam ransomware attacks is:
- Conduct vulnerability scans and risk assessments to identify potential vulnerabilities
- Ensure those vulnerabilities are remediated
- Ensure patches are applied promptly
- Use strong usernames and passwords and two-factor authentication
- Limit the number of users who can login to remote desktop solutions
- Restrict access to RDP behind firewalls and use a VPN or RDP gateway
- Use rate limiting to stop brute force attacks
- Ensure backups are made for all data to allow recovery without paying the ransom and make sure those backups are secured
- Develop a contingency plan to ensure that the business can continue to function while the attack is mitigated
- Develop procedures that can easily be followed in the event of a ransomware attack
- Implement defenses capable of detecting attacks quickly when they occur
- Conduct annual penetration tests to identify vulnerabilities and ensure those vulnerabilities are rapidly addressed
by titanadmin | Apr 9, 2018 | Email Scams, Network Security, Phishing & Email Spam, Spam News, Spam Software |
Under Armour has experienced a massive MyFitnessPal data breach that has resulted in the personal information of 150 million users being accessed and stolen by a hacker.
The data relates to users of the mobile MyFitnessPal app and the web version of the fitness and health tracking platform. The types of data stolen in the MyFitnessPal data breach include hashed usernames, passwords and email addresses.
While payment card data is held by Under Armour, the information is processed and stored separately and was unaffected. Other highly sensitive information typically used for identity theft and fraud such as Social Security numbers was not obtained by the attacker.
The MyFitnessPal data breach is notable for the sheer volume of data obtained and is the largest data breach to be detected this year; however, the theft of hashed data would not normally pose an immediate risk to users. That is certainly the case for the passwords, which were hashed using bcrypt – a particularly strong hashing algorithm. However, usernames and passwords were only hashed using the SHA-1 hashing function, which does not offer the same level of protection. It is possible to decode SHA-1 hashed data, which means the information could potentially be accessed by the attacker.
Further, the attacker has had the data for some time. Under Armour became aware of the breach on March 25, 2018, but the attack took place more than a month before it was detected – some six weeks before the announcement about the data breach was made.
Given the method used to protect the usernames and passwords, the data can be considered accessible and it is almost certain the person or persons responsible for the attack will attempt to monetize the data. If the attacker cannot personally decrypt the data, it is certain that the data will be some to someone who can.
While it is possible that the bcrypt-encrypted passwords can be decoded, it is unlikely that decryption will be attempted. To do so would take a considerable amount of time and effort. Further, Under Armour is notifying affected users and is encouraging them to change their passwords as a precaution to ensure accounts cannot be accessed.
While MyFitnessPal accounts may remain secure, that does not mean that users of MyFitnessPal will be unaffected by the breach. The attacker – or current holders of the data – will no doubt use the 150 million email addresses and usernames for phishing campaigns.
Under Armour started notifying affected users four days following the MyFitnessPal data breach. Any user affected should login and change their password as a precaution to prevent their account from being accessed. Users also need to be alert to the risk from phishing.
Phishing campaigns related to the MyFitnessPal data breach can be expected although the attackers will likely develop a variety of phishing emails to target breach victims.
An incident of the scale of the MyFitnessPal data breach also poses a risk to businesses. If an employee was to respond to a phishing campaign, it is possible that they could download malware onto their work device – an action that could result in the business network being compromised.
Attacks on this scale are becoming far more common, and with huge volumes of email addresses now being used for phishing campaigns, advanced anti-spam services for businesses are now a necessity.
If you have yet to implement a spam filter, are unhappy with your current provider and the detection/false positive rate, contact TitanHQ to find out about SpamTitan – The leading anti-spam software for enterprises and SMBs.
by titanadmin | Mar 31, 2018 | Internet Security, Network Security |
Several new AutoHotKey malware variants have been discovered in recent weeks as threat actors turn to the scripting language to quickly develop new malware variants. The latest discovery – Fauxpersky malware – is very efficient at stealing passwords.
AutoHotKey is a popular open-source scripting language. AutoHotKey make it easy to create scripts to automate and schedule tasks, even inside third-party software. It is possible to use AutoHotKey to interact with the local file system and the syntax is simple, making it straightforward to use, even without much technical knowledge. AutoHotKey allows scripts to be compiled into an executable file that can be easily run on a system.
The usefulness of AutoHotKey has not been lost on malware developers, and AutoHotKey malware is now used for keylogging and to install other malware variants such as cryptocurrency miners, the first of the latter was discovered in February 2018.
Several other AutoHotKey malware variants have since been discovered with the latest known as Fauxpersky, so named because it masquerades as Kaspersky antivirus.
Fauxpersky Malware
Fauxpersky malware lacks sophistication, but it can be considered a significant threat – One that has potential to cause considerable harm. If undetected, it allows the attackers to steal passwords that can be used for highly damaging attacks and give the attackers a foothold in the network.
Fauxpersky malware was discovered by security researchers Amit Serper and Chris Black. The researchers explained in a recent blog post that the malware may not be particularly advanced and stealthy, but it is a threat and could allow the authors to steal passwords to gain access to data.
Fauxpersky infects USB drives which are used to spread the malware between devices. The malware can also replicate across the system’s listed drives. Communication with the attackers is via a Google Form, that is used to send stolen passwords and keystroke lists to the attackers’ inbox. Since the transmission is encrypted, it doesn’t appear to be data exfiltration by traffic monitoring systems.
Once installed it renames the drive and appends “Protected y Kaspersky Internet Security 2017” to the drive name. The malware records all keystrokes made on a system and also adds context to help the attackers determine what the user is doing. The name of the window where the text is being typed is added to the text file.
Once the list of keystrokes has been sent, it is deleted from the hard drive to prevent detection. The researchers reported the new threat to Google which rapidly took down the malicious form although others may well be created to take its place.
AutoHotKey Malware Likely to become More Sophisticated
AutoHotKey malware is unlikely to replace more powerful scripting languages such as PowerShell, although the rise in use of AHK and the number of new variants detected in recent weeks suggest it will not be dropped any time soon. AHK malware has now been discovered with several obfuscation functions to make it harder to detect, and many AV vendors have yet to implement the capability to detect this type of malware. In the short to medium term, we are likely to see an explosion of AHK malware variants, especially keyloggers designed to steal passwords.
by titanadmin | Mar 30, 2018 | Internet Security, Network Security |
A disaster recovery plan will help to ensure your business continues to function when disaster strikes, and you can recover as quickly as possible. Developing a disaster recovery plan in advance is essential as it will allow you to prevent many lost hours in the early stages of an attack when rapid action is critical.
When Disaster Strikes You Must be Ready for Action
When disaster strikes, you need to act fast to get your systems back online and return to normal business operations. One of the biggest problems for many organizations, is the amount of time that is lost immediately after a cyberattack is discovered. When staff are scrambling around not knowing what to do, precious minutes, hours, and even days can be lost.
The first few hours after a cyberattack can be critical. The time it takes to respond can have a significant impact on the cost of mitigating the attack and the harm caused. In the case of ransomware, that could be movement within your network, with one infected endpoint becoming two, then 4, then 8 and so on until files on your entire network are encrypted. Each lost minute can mean hours of extra work and major productivity losses.
The only way to ensure the fastest possible response is to be prepared for the unexpected. That means you must have a disaster recovery plan formulated that is easily accessible and can be followed by all staff involved in the breach response. Staff not responsible for recovery must be aware how they must operate in the absence of computers and critical systems to ensure the business does not grind to a halt.
Developing a Disaster Recovery Plan
There are many potential disaster scenarios. Natural disasters such as earthquakes, floods, tornados can cause major disruption, as can terrorist attacks and sabotage. The most likely disaster scenario in the current climate is a cyberattack.
All of these disaster scenarios threaten your systems and business data, so your disaster recovery plan must ensure your systems are protected and the confidentiality, integrity, and availability of data is safeguarded while you respond.
While the threat may be similar for all scenarios, priorities will be different for each situation and the order of actions and the actions themselves will be specific to different threats. It is therefore essential to plan for each of the likely disasters and to develop procedures for each. For example, your plan should cover a cyberattack affecting each specific location that you operate, and a separate plan developed for a ransomware attack, malware infection, and system outage.
Assess Business Impact and Set Priorities
A cyberattack could take out multiple systems which will all need to be restored and brought back online. That process could take days or weeks, but some systems must take priority over others. After your disaster recovery policy has been developed, you must set priorities. To effectively prioritize you will need to perform a business impact analysis on all systems. You should conduct a BIA to determine the possible financial, safety, contractual, reputational, and regulatory impact of any disaster and assess the impact on confidentiality, integrity, and availability of data. When the BIA has been completed, it should make it clear what the priorities are for recovery.
Everyone Must Know Their Role
When disaster strikes, everyone in the IT department must be aware of their responsibilities. You must know who will need to be called in when the attack occurs outside office hours, which means you must maintain up to date contact information such as phone numbers, addresses, and email addresses. You will also need to have a list of contractors and cybersecurity firms that can assist. You must know which law enforcement agencies to contact and any regulators or authorities that should be notified. All employees within the organization must be aware how their day-to-day activities will change and the role they will play, and what you will say to your customers, clients, and business associates.
Testing, Testing, Testing
You will naturally have developed a disaster recovery plan and emergency mode operations plan, but those plans rarely need to be put into action. You therefore need to be 100% sure that your disaster recovery plan developed a couple of years previously will work as planned. That is unlikely unless it is thoroughly tested and is regularly updated to take hardware, software, and business changes into account.
Your disaster recovery plan must be tested to make sure that it will work in practice. That means testing individual aspects against specific scenarios and also running through a full test – like a fire drill – to make sure that the whole plan works.
Don’t wait until disaster strikes before developing a disaster recovery plan and don’t wait for a disaster to find out all of your planning has been in vain as system changes have rendered the plan unworkable.
by titanadmin | Mar 29, 2018 | Network Security, Phishing & Email Spam, Spam Advice, Spam News |
No matter how many cybersecurity solutions you have deployed or the maturity of your cybersecurity program, it is now essential for develop and effective security awareness program and to ensure all employees and board members are trained how to recognize email threats.
Threat actors are now using highly sophisticated tactics to install malware, ransomware, and obtain login credentials and email is the attack method of choice. Businesses are being targeted and it will only be a matter of time before a malicious email is delivered to an employee’s inbox. It is therefore essential that employees are trained how to recognize email threats and told how they should respond when a suspicious email arrives in their inbox.
The failure to provide security awareness training to staff amounts to negligence and will leave a gaping hole in your security defenses. To help get you on the right track, we have listed some key elements of an effective security awareness program.
Important Elements of an Effective Security Awareness Program
Get the C-Suite Involved
One of the most important starting points is to ensure the C-Suite is on board. With board involvement you are likely to be able to obtain larger budgets for your security training program and it should be easier to get your plan rolled out and followed by all departments in your organization.
In practice, getting executives to support a security awareness program can be difficult. One of the best tactics to adopt to maximize the chance of success is to clearly explain the importance of developing a security culture and to back this up with the financial benefits that come from having an effective security awareness program. Provide data on the extent that businesses are being attacked, the volume of phishing and malicious emails being sent, and the costs other businesses have had to cover mitigating email-based attacks.
The Ponemon Institute has conducted several major surveys and provides annual reports on the cost of cyberattacks and data breaches and is a good source for facts and figures. Security awareness training companies are also good sources of stats. Present information clearly and show the benefit of the program and what you require to ensure it is a success.
Get Involvement from Other Departments
The IT department should not be solely responsible for developing an effective security awareness training program. Other departments can provide assistance and may be able to offer additional materials. Try to get the marketing department on board, human resources, the compliance department, privacy officers. Individuals outside of the security team may have some valuable input not only in terms of content but also how to conduct the training to get the best results.
Develop a Continuous Security Awareness Program
A one-time classroom-based training session performed once a year may have once been sufficient, but with the rapidly changing threat landscape and the volume of phishing emails now being sent, an annual training session is no longer enough.
Training should be an ongoing process provided throughout the year, with up to date information included on current and emerging threats. Each employee is different, and while classroom-based training sessions work for some, they do not work for everyone. Develop a training program using a variety of training methods including annual classroom-based training sessions, regular computer-based training sessions, and use posters, games, newsletters, and email alerts to keep security issues fresh in the mind.
Use Incentives and Gamification
Recognize individuals who have completed training, alerted the organization to a new phishing threat, or have scored highly in security awareness training and tests. Try to create competition between departments by publishing details of departments that have performed particularly well and have the highest percentage of employees who have completed training, have reported the most phishing threats, scored the highest in tests, or have correctly identified the most phishing emails in a round of phishing simulations.
Security awareness training should ideally be enjoyable. If the training is fun, employees are more likely to want to take part and retain knowledge. Use gamification techniques and choose security awareness training providers that offer interesting and engaging content.
Test Employees Knowledge with Phishing Email Simulations
You can provide training, but unless you test your employees’ security awareness you will have no idea how effective your training program has been and if your employees have been paying attention.
Before you commence your training program it is important to have a baseline against which you can measure success. This can be achieved using security questionnaires and conducting phishing simulation exercises.
Conducting phishing simulation exercises using real world examples of phishing emails after training has been completed will highlight which employees are security titans and which need further training. A failed phishing simulation exercise can be turned into a training opportunity.
Comparing the before and after results will show the benefits of your program and could be used to help get more funding.
Train your staff regularly and test their understanding and in a relatively short space of time you can develop a highly effective human firewall that complements your technological cybersecurity defenses. If a malicious email makes it past your spam filter, you can be confident that your employees will have the skills to recognize the threat and alert your security team.
by titanadmin | Mar 28, 2018 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Advice |
A city of Atlanta ransomware attack has been causing havoc for city officials and Atlanta residents alike. Computer systems have been taken out of action for several days, with city workers forced to work on pen and paper. Many government services have ground to a halt as a result of the attack.
The attack, like many that have been conducted on the healthcare industry, involved a variant of ransomware known as SamSam.
The criminal group behind the attack is well known for conducting attacks on major targets. SamSam ransomware campaigns have been conducted on large healthcare providers, major educational institutions, and government organizations.
Large targets are chosen and targeted as they have deep pockets and it is believed the massive disruption caused by the attacks will see the victims pay the ransom. Those ransom payments are considerable. Demands of $50,000 or more are the norm for this group. The City of Atlanta ransomware attack saw a ransom demand issued for 6 Bitcoin – Approximately $51,000. In exchange for that sum, the gang behind the attack has offered the keys to unlock the encryption.
SamSam ransomware attacks in 2018 include the cyberattack on the electronic health record system provider Allscripts. The Allscripts ransomware attack saw its systems crippled, with many of its online services taken out of action for several days preventing some healthcare organizations from accessing health records. The Colorado Department of Transportation was also attacked with SamSam ransomware.
SamSam ransomware was also used in an attack on Adams Memorial Hospital and Hancock Health Hospital in Indiana, although a different variant of the ransomware was used in those attacks.
A copy of the ransom note from the city of Atlanta ransomware attack was shared with the media which shows the same Bitcoin wallet was used as other major attacks, tying this attack to the same group.
SecureWorks, the cybersecurity firm called in to help the City of Atlanta recover from the attack, has been tracking the SamSam ransomware campaigns over the past few months and attributes the attacks to a cybercriminal group known as GOLD LOWELL, which has been using ransomware in attacks since 2015.
While many ransomware attacks occur via spam email with downloaders sent as attachments, the GOLD LOWELL group is known for leveraging vulnerabilities in software to install ransomware. The gang has exploited vulnerabilities in JBoss in past attacks on healthcare organizations and the education sector. Flaws in VPNs and remote desktop protocol are also exploited.
The ransomware is typically deployed after access to a network has been gained. SecureWorks tracked one campaign in late 2017 and early 2018 that netted the gang $350,000 in ransom payments. The earnings for the group have now been estimated to be in the region of $850,000.
Payment of the ransom is never wise, as this encourages further attacks, although many organizations have no choice. For some, it is not a case of not having backups. Backups of all data are made, but the time taken to restore files across multiple servers and end points is considerable. The disruption caused while that process takes place and the losses suffered as a result are often far higher than any ransom payment. A decision is therefore made to pay the ransom and recover from the attack more quickly. However, the GOLD LOWELL gang has been known to ask for additional payments when the ransom has been paid.
The city of Atlanta ransomware attack commenced on Thursday March 22, and with the gang typically giving victims 7 days to make the payment. The city of Atlanta only has until today to make that decision before the keys to unlock the encryption are permanently deleted.
However, yesterday there were signs that certain systems had been restored and the ransomware had been eradicated. City employees were advised that they could turn their computers back on, although not all systems had been restored and disruptions are expected to continue.
As of today, no statement has been released about whether the ransom was paid or if files were recovered from backups.
How to Defend Against Ransomware Attacks
The city of Atlanta ransomware attack most likely involved the exploitation of a software vulnerability; however, most ransomware attacks occur as a result of employees opening malicious email attachments or visiting hyperlinks sent in spam emails.
Last year, 64% of all malicious emails involved ransomware. An advanced spam filter such as SpamTitan is therefore essential to prevent attacks. End users must also be trained how to recognize malicious emails and instructed never to open email attachments or click on links from unknown senders.
Software must be kept up to date with patches applied promptly. Vulnerability scans should be conducted, and any issues addressed promptly. All unused ports should be closed, RDP and SMBv1 disabled if not required, privileged access management solutions deployed, and sound backup strategies implemented.
by titanadmin | Mar 21, 2018 | Internet Security, Network Security, Phishing & Email Spam |
2017 ransomware statistics do not make for pleasant reading. Ransomware attacks continued to increase, the cost of mitigating attacks rose, and the number of ransomware variants in use has soared. Further, there are no signs that the attacks will stop and mounting evidence that the ransomware epidemic will get worse in 2018.
Key 2017 Ransomware Statistics
We have compiled some of the important 2017 ransomware statistics from research conducted by a range of firms over the past few months.
Kaspersky Lab’s research suggests ransomware attacks on businesses were happening every 2 minutes in Q1, 2017, but by Q3 attacks were far more frequent, occurring approximately every 40 seconds. Cybersecurity Ventures predicts the frequency of attacks will increase and by 2019 there will be an attack occurring every 14 seconds.
Cybersecurity Ventures also predicts ransomware will continue to be a major problem for businesses throughout 2018 and 2019, with the total cost of ransomware attacks expected to reach $11.5 billion by 2019.
The healthcare industry is likely to be heavily targeted due to the relative ease of conducting attacks and the likelihood of a ransom being paid. Cybersecurity Ventures predicts there will be a fourfold increase in ransomware attacks on healthcare organizations by 2019.
While research from IBM in 2016 suggested 70% of businesses pay ransom demands to recover data, in 2017 the percentage dropped considerably. Far fewer firms are now considering paying ransoms to recover data.
Symantec’s 2017 Internet Security Threat Report indicates ransom demands increased by 266% between 2015 and 2017.
There is considerable variation in published 2017 ransomware statistics. Malwarebytes reports there was a 90% increase in ransomware attacks in 2017. Beazley reports the increase was 18% and the healthcare sector accounted for 45% of those attacks. A recent McAfee Report puts the rise in ransomware attacks at 59% for the year, with a 35% quarter-over-quarter increase in attacks in Q4.
Microsoft’s Security Intelligence Report indicates Asia had the highest number of ransomware attacks in 2017, with Myanmar and Bangladesh the worst hit countries. Mobile devices that were the worst hit, with the most frequently encountered ransomware variant being LockScreen – an Android ransomware variant.
55% of Firms Experienced A Ransomware Attack in 2017
The research and marketing consultancy firm CyberEdge Group conducted a study that showed 55% of surveyed organizations had experienced at least one ransomware attack in 2017. Out of the organizations that had data encrypted by ransomware, 61% did not pay the ransom.
87% of firms that experienced an attack were able to recover the encrypted data from backups. However, 13% of attacked firms lost data due to the inability to recover files from backups.
Organizations that are prepared to pay a ransom are not guaranteed viable keys to recover their encrypted files. The CyberEdge survey revealed approximately half of companies that decided to pay the ransom were unable to recover their data.
FedEx reported in 2017 that the NotPetya attack cost the firm an estimated $300 million, the same figure quoted by shipping firm Maersk and pharma company Merck. Publishing firm WPP said its NotPetya attack cost around $15 million.
Strategies are being developed by businesses to respond to ransomware attacks quickly. Some companies, especially in the UK, have bought Bitcoin to allow fast recovery. However, those that have may find their stash doesn’t go as far as it was first thought thanks to the decline in value of the cryptocurrency. Further, many cybercriminals have switched to other forms of cryptocurrency and are no longer accepting Bitcoin. A third of mid-sized companies in the UK have purchased Bitcoin for ransoms according to Exeltex Consulting Group.
by titanadmin | Mar 20, 2018 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News |
The cybersecurity threat level is at an all time high, according to a recently published threat report from McAfee. The AV solution provider has compiled a report from data collected over the final quarter of 2017 which shows the last three months of 2017 saw record numbers of new malware samples detected – 63.4 million samples. A level never before seen.
The soaring value of Bitcoin and other cryptocurrencies in the final quarter of 2017 fueled a massive rise in cryptocurrency hijacking and the use of cryptocurrency miners over other forms of malware that were favored in previous quarters. With Bitcoin valued at $19,000 in December and cryptocurrency mining hardware costing several thousand dollars, it is no surprise that so many threat actors chose to hijack other computers and steal money from cryptocurrency wallets.
Cryptocurrency miners were being used in spam email campaigns, disguised as mobile apps, and there was a massive rise in the hijacking of websites and loading cryptocurrency mining code.
While mining cryptocurrencies has proven to be highly profitable for cybercriminals, they did not abandon the use of other malware variants. The use of ransomware continues to increase, with spam email the primary method of delivery.
McAfee reports that there was 35% ransomware growth in Q4, and 59% growth in 2017. For the fourth consecutive quarter there has been an increase in new ransomware variants, with much of the increase due to the widespread use of Ransom:Win32/Genasom. There is unlikely to be a fall in use of ransomware any time soon.
The use of spam email to deliver malware and ransomware continues to grow, with two botnets – Necurs and Gamut – responsible for delivering 97% of all spam email in Q4, with the former now the most prevalent spamming botnet.
Botnets are also being developed to exploit IoT devices, which typically lack security and often have poor passwords. Infecting the devices allows massive botnets to be easily assembled for use in DDoS and DoS attacks.
Q4 was the fourth consecutive quarter where new malware samples have continued to increase, with total malware samples now just short of 700,000,000. New Mac malware also increased for the third consecutive quarter and there are now approximately 750,000 Mac malware variants, although there was a fall in new mobile malware samples from the 2-year high in Q3.
There was a rise in new Faceliker and macro malware, although the biggest increase was PowerShell malware. Q4 saw a massive jump in new PowerShell downloaders.
While the cybersecurity threat level continues to increase, and all industries are at risk, healthcare was the most targeted industry in 2017 by some distance. Healthcare may have been the third most targeted industry sector in 2016-2017, but the first three quarters of 2017 saw more than twice as many attacks on healthcare organizations than any other industry sector.
McAfee reports that there has been a 210% increase in cybersecurity incidents reported by healthcare organizations in 2017 compared to 2016, although there was some respite in Q4, which saw a 78% quarter over quarter decline in security incidents.
McAfee suggests it is poor security practices that have contributed to the rise in healthcare data breaches and cyberattacks. Many of the reported incidents could have been prevented if cybersecurity best practices had been followed.
by titanadmin | Mar 12, 2018 | Industry News, Internet Security, Network Security |
There have been several major cyberattacks on restaurants in recent months. Organized cybercriminals gangs are using specially crafted malware to silently steal credit card data from POS systems. Not only do the initial intrusions go undetected, the presence of the malware is often not detected for several months, during which time tens of thousands of credit card details are stolen.
Last month saw another large restaurant chain suffer a major breach of payment card data. The cyberattack on Applebee’s affects more than 160 of its RMH Franchise Holdings owned and operated restaurants across 15 states.
Customers who visited one of the RMH restaurants in Alabama, Arizona, Texas, Florida, Illinois, Indiana, Kansas, Kentucky, Ohio, Mississippi, Missouri, Nebraska, Oklohoma, Pennsylvania or Wyoming between November 2017 and January 2018 and paid for their meal on a credit or debit card have potentially had their card details stolen. Customers who paid using the self-pay tabletop devices were not affected, and neither were customers who paid online. The data breach was confined to RMH-operated restaurants. Other restaurants in the Applebee’s network were unaffected.
The data theft occurred as a result of malware on its POS system. The malware had been developed to capture data such as card numbers, expiry dates, CVV codes, and cardholder names. After recording the data, the information was exfiltrated to the attacker’s command and control server.
RMH reports that it has security systems in place to prevent cyberattacks and was able to contain the incident prior to discovery of malware on February 13, 2018. One a breach was discovered, RMH conducted a thorough investigation to identify the full extent of the breach and the individuals potentially impacted. A leading computer forensics firm was contracted to assist with the investigation and help mitigate of the attack. RHM has not disclosed how the malware was installed and nether the type of malware used in the attack.
The Applebee’s cyberattack is the latest in a string of cyberattacks on restaurants and retailers. In 2017 there were similar cyberattacks on restaurants throughout the United States. Arby’s fast food restaurants experienced a POS-malware related breach that affected many of its 1,000+ corporate stores. Chipotle Mexican Grill discovered malware had been installed on its POS system, with most of its stored affected over a 1-month period last spring.
Retailers are also major targets. Earlier this year, the retailer Forever21 discovered malware has been installed on its POS system. It took the retailer 7 months to identify the breach, during which time the credit and debit card details of many thousands of its customers were stolen.
Last year, many of the 750 Kmart stores were infected with POS malware – the second major credit card breach experienced by the chain in the past three years. Buckle Inc., was also attacked, with an undisclosed number of its stores affected. The malware infection remained on its system undetected for more than 5 months.
The breaches highlight the importance of implementing layered defenses to protect the entire attack surface, from spam email defenses to web filters, next generation firewalls, and advanced intrusion detection systems. It is also essential for retailers and restaurateurs to conduct regular vulnerability scans of the entire network to identify and address security flaws, with technical solutions implemented to constantly monitor POS systems for signs of compromise.
by titanadmin | Mar 9, 2018 | Internet Security, Network Security |
A massive campaign spreading the Dofoil Trojan has been detected by Microsoft. The campaign has already seen almost half a million PCs infected with the malware in just 12 hours. The Dofoil Trojan is otherwise known as Smoke Loader – a downloader that has been active for several years.
The Dofoil Trojan is a small application which once installed on a PC is capable of downloading other forms of malware. The Dofoil Trojan has been used in various campaigns since at least 2011 to install malware, with the latest campaign used to install cryptocurrency mining malware.
More than 400,000 Dofoil Trojan Infections Detected in Just 12 Hours
The alarm was raised on March 6 when Windows Defender detected around 80,000 instances of the Trojan on PCs with the number rising rapidly to well over 400,000 in the following 12 hours. Several variants of the Dofoil Trojan were being used in the campaign which was mostly targeting devices in Russia, Ukraine, and Turkey.
The cryptocurrency mining malware is being used to mine Electroneum coins on infected devices, although the malware can mine various different cryptocurrencies.
Detecting the malware can be difficult as it uses process hollowing to create a new instance of a legitimate Windows process for malicious purposes. In this case the malware is disguised as a Windows binary file to avoid detection – wuauclt.exe. Explorer.exe is used to create a copy of the malware in the Roaming AppData folder which is renamed ditereah.exe. The Windows registry is also altered to ensure persistence, modifying an existing entry to point to the malware copy. The malware communicates with its C2 server and is also capable of installing further malware variants onto an infected device.
While Microsoft was able to detect infections, what is not known at this stage is how the malware was installed on so many devices in such as short space of time. While the malware could potentially have been distributed by spam email, another means of distribution is suspected. Microsoft notes that in several cases the malware is believed to have been spread via torrent files, which are used in P2P file sharing, often to obtain pirated movies, music, and software.
Microsoft has only reported on the number of infections it has detected via Windows Defender. The company does not have visibility into devices that do not have the anti-malware software installed. The total number of infections is therefore likely to be far greater. The 400,000+ infections are likely to be just the tip of the iceberg.
Microsoft notes that its efforts to disrupt the operation did not just stop devices from mining cryptocurrencies. Infection with the Dofoil Trojan allows the attackers to download any number of additional malicious payloads including more dangerous malware variants and ransomware.
More than 50,000 Websites Discovered to Host Cryptocurrency Mining Malware
According to a recent Bad Packets report, more than 50,000 websites have been infected with cryptocurrency mining malware which runs via browsers whenever visitors are on a compromised website. The JavaScript-based malware uses the CPUs of visitors’ computers to generate cryptocurrencies.
While many of these sites have been hijacked and loaded with the malware without the knowledge of the site owner, many sites have the JavaScript added deliberately by site owners as a further method of making money from the websites.
These sites do not result in infection with malware. Typically, the only problems experienced by website visitors is a slowing down of their computers. However, in some cases, the malware has been configured to take full advantage of visitors’ computers and some hardware damage has been caused as a result.
Since it is difficult to determine which sites have been infected or are using cryptocurrency miners, the solution for users is to use a browser extension such as minerBlock to prevent the scripts from running. Users of the Opera browser need do nothing as the browser already blocks cryptocurrency mining scripts from running.
by titanadmin | Mar 6, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
Phishing attacks in healthcare are to be expected. Healthcare providers hold vast quantities of data on patients. Hospitals typically employ hundreds or thousands of members of staff, use many third-party vendors, and historically they have had relatively poor cybersecurity defenses compared to other industry sectors. That makes them an attractive target for phishers.
Phishing is a method of gaining access to sensitive information which typically involves a malicious actor sending an email to an employee in which they attempt to get that individual to reveal their login credentials. This is achieved using social engineering techniques to make the email recipient believe the email is a genuine. For instance, a security alert could inform the email recipient that an online account has been compromised and a password change is required. They are directed to a spoofed website where they are asked to login. The site is fake but looks genuine.
Credentials are entered and passed to the attacker who uses them to gain access to that individual’s account. Phishing can also involve malware. Emails attempt to convince the recipient to open a malware-infected attachment or download a malicious file from a compromised website.
Compliance with HIPAA Rules Helps to Prevent Phishing Attacks in Healthcare
HIPAA Rules require healthcare providers to implement administrative, technical, and physical safeguards to reduce the risk of cyberattacks and phishing. HIPAA only demands a minimum standard for data security be reached, although complying with HIPAA Rules can help to prevent phishing attacks in healthcare.
HIPAA is not technologically specific on the defenses that should be used to protect patient data. Healthcare providers can choose appropriate defenses based on the results of a risk analysis.
It is possible for healthcare organizations to be compliant with HIPAA Rules but still be vulnerable to phishing attacks. If healthcare providers are to block the majority of phishing attacks and truly secure patients’ data, they must go above and beyond the requirements of HIPAA.
HHS’ Office for Civil Rights Warns of Phishing Attacks in Healthcare
Recent phishing attacks in healthcare have prompted the HHS’ Office for Civil Rights to issue a warning about the risk from phishing.
Attacks are now highly sophisticated and can be hard to detect. The emails are often free from spelling mistakes, have near perfect grammar, include brand images and logos, and appear to have been sent from genuine domains. The reasons given for taking a specific course of action are perfectly plausible as is the need for urgent action.
OCR also highlights the rise in spear phishing attacks in healthcare. These attacks involve more targeted attempts to gain access to sensitive information and can be conducted on specific individuals or groups of individuals in an organization – The payroll or HR department for instance.
These attacks often see a CEO or superiors impersonated to add legitimacy to the attack. These attacks tend to require the opening of attachments or visiting links to download malware. Spear phishing emails are also used to request bank transfers or for sensitive information to be sent via email – W2-Forms of employees for instance. Many healthcare employees have been fooled by these scams.
Recent Phishing Attacks in Healthcare
Listed below are some of the recent examples of phishing attacks in healthcare. This is just a small selection of incidents that have resulted in healthcare records being exposed or stolen. The reality is that many data breaches start with a phishing email. Security awareness training company Cofense suggests that as many as 91% of data breaches have their root in a phishing campaign.
November 2017: 1,670 patients of Forrest General Hospital have their PHI exposed following a phishing attack on business associate HORNE.
October 2017: Henry Ford Health System discovers several email accounts were compromised as a result of employees responding to phishing emails. The PHI of 18,470 patients may have been stolen.
September 2017: Employees of UPMC Susquehanna responded to phishing emails with the attackers able to gain access to the PHI of 1,200 patients.
September 2017: A phishing attack on Wisconsin-based Network Health resulted in the PHI of approximately 51,000 patients being exposed.
August 2017: Chase Brexton Health Care in Maryland experienced a phishing attack that saw several email accounts compromised along with the PHI of 16,000 patients.
July 2017: The Medical College of Wisconsin experienced a phishing attack that allowed attackers to gain access to email accounts and the PHI of 9,500 patients.
July 2017: RiverMend Health employees responded to phishing emails and their accounts were accessed by the attackers. The PHI of 1,200 patients was potentially viewed or stolen.
June 2017: A phishing attack on Elderplan Inc., saw several email accounts compromised along with the PHI of 22,000 individuals.
June 2017: MJHS Home Care experienced a phishing attack that saw email access gained by an unauthorized individual. The compromised email accounts contained the PHI of 6,000 patients.
Staff Training and Anti-Phishing Technology
HIPAA does not specifically mention spam filters, but since phishing is used to target employees via email, spam filtering can be considered essential. By filtering out the majority of spam and malicious messages there is less potential for an employee to click on a malicious link or open a malware infected email attachment.
SpamTitan is a cloud-based anti-spam service that blocks more than 99.9% of spam emails from being delivered to inboxes and has a 0.03% false positive rate. Dual antivirus engines (Bitdefender/ClamAV) ensure malicious email attachments are blocked.
Healthcare employees are the last line of defense, so it is important for them to be able to recognize email threats and anti-phishing training is a requirement of HIPAA. In July 2017, OCR issued advice to healthcare organizations on anti-phishing training in its cybersecurity newsletter.
OCR also recommends using multi-factor authentication to ensure email accounts are not compromised when a password is guessed or stolen. Software and operating systems must be kept up to date and fully patched to prevent vulnerabilities from being exploited, and anti-virus and anti-malware solutions should be deployed to prevent infection. Regular backups can also prevent data loss in the event of a malware or ransomware infection.
by titanadmin | Feb 26, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News |
A Colorado Department of Transportation ransomware attack on February 21, 2018 affected at least 21 computers preventing files from being accessed by employees. A prompt response to the ransomware attack limited the harm caused, although to prevent the spread of the ransomware more than 2,000 computers were shut down.
The attack has already caused considerable disruption, which is ongoing as the cleanup operation continues.
The DOT says it received a ransom demand which would need to be paid in order to obtain the keys to unlock encrypted files, but that the DOT has no intention of paying any money to the attackers. Instead the firm has called in an external cybersecurity firm (McAfee) to restore data on the affected workstations and ensure all devices are clean and protected from infection. All encrypted files will be recovered from backups.
Fortunately, the ransomware attack was limited to certain endpoints. Other computer systems that are used with surveillance cameras and traffic alerts were not affected.
The Colorado Department of Transportation ransomware attack is one of several high-profile attacks involving SamSam ransomware to have been reported this year. Hancock Health Hospital in Indiana was one notable victim. The hospital was issued with a ransom demand and paid the attackers for the keys to unlock the encryption, even though backups could have been used to recover files. A Bitcoin payment worth approximately $55,000 is believed to have been paid. The payment was believed to be considerably less than the cost of disruption while files were recovered from backups.
Another Indiana hospital – Adams Memorial Hospital was also attacked with a variant of SamSam ransomware, and Allscripts – an electronic health record provider – also suffered an attack that took down some of its web services.
SamSam ransomware first surfaced in 2015, and while some antivirus and antimalware solutions can detect the malware, the attackers continue to release new variants that are much better at evading detection.
Bleeping Computer reported on January 19 that one of the Bitcoin wallets used by the gang involved in SamSam ransomware campaign had already made approximately $300,000 from ransom payments, although that figure will almost certainly be higher since multiple Bitcoin wallets are believed to be used and the campaign is ongoing.
On February 15, Secureworks reported that the profits from the attacks had increased to at least $350,000, with the firm attributing the attacks to a hacking group called Gold Lowell.
It is unclear how the Colorado Department of Transportation ransomware attack occurred. Some sources report that the attack involved phishing emails, although Gold Lowell’s modus operandi is leveraging vulnerabilities in Remote Desktop Protocol (RDP) services.
With the campaign ongoing, all businesses should be alert to the threat from phishing and RDP attacks. Spam filters, such as TitanHQ’s cloud-based anti-spam service, are essential as is anti-phishing training for employees. If RDP is necessary, strong passwords should be set and controls implemented to reduce the potential for brute force attacks. Rate limiting on login attempts for example. It is also important to make sure that multiple data backups are performed to ensure files can be recovered in the event of an attack.
by titanadmin | Feb 23, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News |
A new report has been released that shows there has been a massive rise in the global cost of cybercrime, highlighting the seriousness of the threat from hackers and scammers. 2017 global cybercrime costs exceeded $600 billion, according to the McAfee report. That represents a 20% increase since 2014, when the global cybercrime costs were calculated to be around $500 billion. The current global cybercrime costs equate to 0.8% of global GDP.
The report shows that in spite of increases in cybersecurity spending, hackers and scammers are still managing to breach organizations’ defenses and gain access to sensitive data, login credentials, corporate bank accounts, and intellectual property.
Accurately Determining the Global Cost of Cybercrime
Any calculation of global cybercrime costs involves some margin of error, as the figures cannot be totally based on reported losses by businesses. Many companies do not disclose details of data breaches, and even fewer publish information of the financial impact of cyberattacks. When details about financial losses are published, typically only a fraction of the losses are reported. In many cases the losses are not known until many years after the event. It is therefore difficult to obtain a true picture of the losses due to cybercrime because of the shortage of data.
To try to gain an accurate picture of the total cost of cybercrime, McAfee had to turn to the same modelling techniques used by government agencies to determine the costs of criminal activities such as drug trafficking, prostitution, maritime piracy, and organizational crime groups.
McAfee is not the only company to make these predictions. Compared to some reports the figures from McAfee seem quite conservative. The true cost could be considerably higher.
Factors Contributing to the Increase in Losses
McAfee reports that several factors have contributed to the large increase in cybercrime costs over the past few years. The growth in popularity of ransomware has played a part. Ransomware has proved to be a particularly plump cash cow, allowing cybercriminals to rake in millions by extorting companies. The anonymity of cryptocurrencies has helped these cybercriminal gangs obtain payments without detection, while the use of TOR has helped the gangs stay under the radar of law enforcement agencies.
Ransomware-as-a-service has also boosted profits for cybercriminals. The increase in the number of individuals conducting attacks has made it possible to increase the scale of operations and distribute the malicious code more effectively. State-sponsored hacks have also increased, including attacks aimed at sabotaging businesses and critical infrastructure as well as major heists that have seen millions of dollars stolen.
McAfee cites research showing around 300,000 new malware samples are now being identified on a daily basis, while data breaches are exposing a staggering 780,000 records a day.
Personal records can sell for big bucks on darknet forums; however, one of the biggest costs is the theft of intellectual property, which McAfee estimates has resulted in at least 25% of the annual losses to cybercrime. When patented processes are obtained, the benefits of millions in research and development is lost and companies can lose their competitive advantage.
One thing is clear from the report. With global cybercrime costs rising, and the sophistication and frequency of attacks increasing, companies have little alternative than to invest more in cybersecurity and develop more sophisticated defenses.
by titanadmin | Feb 22, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software, Website Filtering |
Cybercriminal gangs operating in Nigeria have been discovered to be using phishing kits in a highly sophisticated phishing campaign that has seen millions of dollars obtained from big businesses.
The scammers are regularly fooling employees into revealing their email login credentials – The first stage of the complex scam. The ultimate goal of the attackers is to gain access to corporate bank accounts and convince accounts department employees to make sizeable transfers to their accounts.
According to research conducted by IBM, these scams have been highly successful. Fortune 500 companies are being targeted and losses have been estimated to be of the order of several million dollars.
These scams take time to pull off and considerable effort is required on the part of the scammers. However, the potential rewards are worth the effort. Bank transfers of tens or hundreds of thousands of dollars can be made and business email accounts can be plundered.
A Sophisticated Multi-Stage Phishing Scam
In order to pull off the scam, the attackers must first gain access to at least one corporate email account. Access is gained using phishing emails, with social engineering tactics used to convince employees to click on a malicious link. Those links direct the email recipients to malicious DocuSign login pages where credentials are harvested. These malicious pages have been created on multiple websites.
According to IBM, the gang behind this campaign has created more than 100 of these pages, many of which have been loaded onto genuine websites that have been compromised by the attackers.
Once access to one email account is gained, it is easy to obtain email addresses from the contact list to fool other employees. When an email account is accessed, the attackers search the account for messages involving accounts and payments. The attackers then send emails carrying on conversations between staff members, inserting themselves into conversations and continuing active discussions.
“The attackers typically took a week between the point they gained initial access to a user’s email account and the time they started setting up the infrastructure to prepare a credible ruse,” said IBM’s X-Force researchers. “During this time, they likely conducted extensive research on the target’s organizational structure, specifically focusing on the finance department’s processes and vendors.”
By setting up email rules and filters, it is possible to block genuine conversations between the employees that could uncover the scam. By doing this, all conversations take place between a specific individual and the attacker.
This method of attack allows the attackers to gain access to banking credentials and send highly convincing emails requesting transfers to their accounts. Targeted employees are unlikely to be unaware that they are not emailing a legitimate contact.
This is a manual, labor-intensive scam involving no malware. That has the advantage of allowing the attackers to evade anti-malware technologies.
How to Protect Against These Sophisticated Email Scams
While these scams are complex, they start with a simple phishing email to gain access to a corporate email account. Once access to an email account has been gained, stopping the scam becomes much harder. The easiest time to prevent such an attack is at the initial stage, by preventing the phishing emails from reaching the inboxes of employees and training employees how to identify phishing emails.
That requires an advanced spam filtering solution that can identify the common signatures of spam and scam emails. By setting aggressive filtering policies, the vast majority of spam emails will be captured and quarantined. With the SpamTitan cloud-based anti-spam service, that equates to more than 99.9% of all spam and malicious emails. SpamTitan also has a particularly low false positive rate – less than 0.03% – ensuring genuine emails are still delivered.
No spam solution can be 100% effective, so it is also important to prepare the workforce and train staff how to identify malicious emails. Security awareness and anti-phishing training allows organizations to create a ‘human firewall’ to complement technical solutions.
Spear phishing – highly targeted email attacks – are harder to block, but it is possible to implement solutions to prevent scams such as this from resulting in credentials being obtained. In this campaign, links are sent in emails. By implementing a web filtering solution, those links can be blocked. In tandem with a spam filter, organizations with a security aware workforce will be well protected from phishing attacks.
Further, the use of two-factor authentication is an important security measure to implement. This will prevent attackers from using an unknown device to access an email account.
For further information on web filters and spam filters, and the benefits of installing them at your organization, contact the TitanHQ team today and take the first step toward improving your defenses against sophisticated phishing scams.
by titanadmin | Feb 21, 2018 | Email Scams, Network Security, Phishing & Email Spam, Spam Software |
A new IRS-themed rapid ransomware email scam has been detected that uses the threat of significant financial penalties for late tax payments to fool victims into installing ransomware.
Tax season is well underway and cybercriminals have been increasing their efforts to obtain tax credentials to file fraudulent tax returns in the names of their victims. Businesses are the prime targets, as a successful scam can see the tax credentials of hundreds or thousands of employees obtained from a single response to an scam email.
However, it is not only tax fraudsters that are taking advantage of tax season. Ransomware attacks are also likely, as has been highlighted by a recently uncovered email scam that impersonates the IRS.
The purpose of this scam is to install Rapid ransomware. Rapid ransomware is a relatively new ransomware variant first detected in January 2018. In contrast to many ransomware variants that encrypt files and then terminate, rapid ransomware remains active after encryption and will encrypt any further files that are created on the infected device.
In addition to encrypting files, the ransomware deletes Windows shadow volume copies and disables automatic repair to hamper any attempts to restore files without paying the ransom. There is currently no decryptor for Rapid ransomware. Recovery will depend on backups being available or the ransom demand must be paid.
IRS Spoofed to Spread Rapid Ransomware
The Rapid ransomware email scam is similar to many other scams conducted during tax season. The emails are well written and plausible. There is urgency to encourage rapid action and a threat of financial penalties if the emails are ignored.
The emails have the subject line: ‘Please Note – IRS Urgent Message 164’ and contain a zipped notification attachment which email recipients are required to open to obtain further information.
In the body of the email, the recipient is led to believe they have significant tax arrears related to a property. The recipient is told that no action is taken by the IRS when tax arrears are cleared within 4-6 months of their due date, but since the recipient’s tax is 7 months out of date they are liable for a fine. They are told that if they do not respond to the email within one day and attempt to rectify the situation, ‘significant charges and fines may apply’. They are also told to open and study the attached document. The zip file contains a Word file containing a macro. If allowed to run, the macro downloads a PowerShell file, which in turn downloads Rapid ransomware.
Security aware individuals should be able to identify signs that the email is not genuine. First, the email is addressed ‘Dear Customer.’ In the event of the IRS contacting an individual about tax arrears, it would be likely that the email would be addressed using the individual’s name. However, such a situation would not occur. The IRS has confirmed in numerous warnings about phishing emails that it does not initiate contact about tax arrears via email. Further, tax arrears are serious, but not so serious that a response of 1 day would be given for a response.
The scammers behind this campaign have made some glaring mistakes in their campaign. The email address spoofed has the domain nottscc.gov.uk. While the email address looks official, it relates to Nottinghamshire County Council in the UK and the IRS is the American tax agency. However, many devices do not show the full domain so this may not be noticed. Another major error is the use of German language in the Word document, including instructions for enabling the macro.
Scam Highlights Need for Spam Filters and Security Awareness Training
Due to the errors made by the scammers, in particular the use of German and a UK local government email address – this email scam should be easily detected by employees and consumers, but such mistakes are not always made. The email is plausible, and otherwise it would be likely that many individuals would be fooled by such a scam.
For businesses, these scams can prove incredibly costly. In this case, there is no set ransom payment. Victims need to email the scammers to find out how to pay the ransom and how much is being charged. If the emails come from a business domain, the ransom payment would likely be increased. Further, ransomware can spread laterally within a network and result in file encryption on multiple endpoints and servers. With ransoms typically charged for each infected device, the costs can be considerable.
This Rapid ransomware email scam highlights the need for spam protections to be put in place to prevent malicious emails from being delivered. With SpamTitan implemented, more than 99.9% of spam email is blocked, preventing employees from having their phishing email identification skills tested.
It is also important to provide security awareness training to employees to teach them the skills they need to identify scams such as this. Not all email scams will be as easy to detect as this one. Training goes a long way toward ensuring that when emails slip past security defenses they are quickly identified by the workforce.
by titanadmin | Feb 19, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
Saturn ransomware is a new threat recently identified by security researchers at MalwareHunterTeam. Saturn ransomware takes its name from the extension added to encrypted files (.saturn).
While it is easy to determine the ransomware variant used in an attack, this will be of little use to victims. There is currently no decryptor available to recover files.
A single infection can rapidly spread laterally, encrypting files on an infected device as well as network shares. Recovering files from backups may prove difficult. Saturn ransomware searches for and deletes shadow volume copies, clears the Windows backup catalog, and also disables Windows startup repair.
If no viable backup exists, the victim must pay a ransom payment in bitcoin of approximately $300 per infected device. If payment is not made within 7 days of infection, the ransom payment doubles.
As with many new ransomware variants, attacks can come from all angles. That is because the new ransomware variant is being offered to affiliates as ransomware-as-a-service.
Ransomware-as-a-service allows the malware developers to maximize the number of infections – and profits – by recruiting a large team of distributors to send spam emails, load the ransomware onto malicious websites, and install the malicious software by taking advantage of poor security defenses. In exchange for their efforts, affiliates are given a percentage of the ransom payments that are received.
The developers of Saturn ransomware have made it as easy as possible for affiliates. A portal has been developed that allows affiliates to obtain copies of the ransomware binaryeither embedded in exe files or Office, PDF files or other documents. To tempt individuals into using this ransomware variant instead of other RaaS offerings, the developers are offering a large percentage of the ransom payments to affiliates – 70%.
The ease of running campaigns together with the high potential rewards for infection means many affiliates are likely to start using the new ransomware variant in attacks. The new malware is already being offered on various darknet forums.
How to Block Saturn Ransomware Attacks
Spam email is the easiest way of spreading ransomware. Massive spam campaigns require little skill and there is no shortage of email addresses for sale on the dark web. We can therefore expect this new ransomware variant to be widely distributed over the coming weeks.
With spam email likely to be the main vector of attack, one of the best defenses to deploy to prevent infection is to use anti spam software such as SpamTitan. SpamTitan blocks more than 99.9% of spam email. With SpamTitan in place, emails can be blocked and will not reach end users inboxes.
However, no single defense can provide total protection from ransomware attacks. Layered defenses are required. Antivirus and antimalware solutions should be used, although signature and heuristics-based defenses will not provide total protection. Businesses should also use a technology that identifies changes to files to ensure that if infection occurs, rapid action can be taken to limit the spread of the ransomware.
Multiple copies of files should also be made to ensure that should the unthinkable happen, data will not be lost. Businesses should make at least three backups, stored on two different media, with at least one copy stored securely off-site. Good patch management policies are also required to prevent vulnerabilities from being leveraged to install the ransomware.
Technical defenses are essential, but don’t forget the human element. Ransomware spread via spam email requires some user interaction – the opening of an email attachment or the clicking of a link. Security awareness training and phishing email simulations are now a necessity to reduce user susceptibility to email-based attacks.
by titanadmin | Feb 16, 2018 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam Software |
A new malware campaign has been detected that uses Microsoft Word without macros. Opening a Word document sent via email will not generate the usual warnings that macros must be enabled.
Employees may have been warned to be wary of any emails containing attachments, and never to enable macros on documents received via email. However, the use of Microsoft Word without macros means that even opening email attachments can see malware downloaded, if patches have not been applied.
The multi-stage infection process uses the CVE-2017-11822 Word vulnerability to install an information stealer. CVE-2017-11822 was patched by Microsoft last year, although companies that have not patched their systems recently will be vulnerable to this attack.
CVE-2017-11822 is a vulnerability in Office Equation Editor. The bug has been present in Microsoft Office for the past 17 years. Last year, Microsoft rated the code execution vulnerability as important rather than critical, but many security professionals disagreed and claimed the vulnerability was very dangerous as the bug could be exploited to run arbitrary code and the vulnerability was present in all Office versions.
Microsoft Equation Editor is an application that allows the insertion and editing of complex equations in Office documents as OLE items. Last year, security researchers were able to exploit the vulnerability to run a sequence of commands, including the downloading of files from the Internet. This campaign similarly triggers the downloading of a document – a Rich Text File (RTF) via an OLE object embedded in the Word document.
The OLE object opens the RTF file which uses the vulnerability to run a MSHTA command line, which downloads and runs an HTA file containing a VBScript. The VBScript unpacks a PowerShell script, which in turn downloads and runs the information-stealing malware. The purpose of the malware is to steal passwords from web browsers, email accounts and FTP servers.
The email campaign has been developed to target businesses. So far, four email templates have been detected by SpiderLabs researchers, although more will almost certainly be used over the coming days and weeks.
The four emails intercepted by have the subject lines:
- TNT Statement of Account
- Request for Quotation (RFQ)
- Telex Transfer Notification
- Swift Copy for Balance Payment
While a patch was released last year to address the vulnerability, Microsoft has taken further steps this Patch Tuesday by removing some of the functionality of Microsoft Equation Editor to prevent CVE-2017-11882 from being exploited.
Businesses can mitigate this attack in three main ways:
- Ensuring Office installations and operating systems are kept patched and 100% up to date
- Use of anti spam software to prevent malicious emails from being delivered to end users
- Training end users on cybersecurity best practices and the danger of opening Office documents from unknown individuals. Consider sending a warning about this campaign and the email subject lines being used
by titanadmin | Feb 14, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
Every February, Valentine’s day email scams are to be expected and this year has been no different. On Monday, a massive new phishing campaign was launched. The Necurs botnet was used to deliver millions upon millions of dating, romance and Valentine’s themed emails.
Dating and Valentine’s Day Email Scams Pose Problems for Businesses
Dating scams increased significantly in January and continued in February. You have probably seen the emails already in one of your inboxes.
The emails appear to have been sent by Russian women desperate to find love. Unsolicited emails from attractive women complete with suggestive pictures and messages claiming the recipient is particularly attractive are certain to be spam, yet the emails are effective. The FBI’s figures indicate around $230 million is lost to these scams alone each year. In 2016, the FBI received around 15,000 complaints about financial losses as a result of dating and romance scams.
There were two major peaks in spam email volume between January 15 and 17 and January 29 and February 2 when around 35 million dating spam messages were delivered via the Necurs botnet. Over 230 million messages were sent in a two-week period in January. The aim of the campaign is to obtain credit card details, payments to cover flights to bring the women over to the US, but in many cases the purpose is to fool the email recipient into downloading malware.
Cybercriminals use all manner of tactics to entice users to click. Another effective technique, highlighted by security awareness training firms KnowBe4 and PhishMe, is the use of eCards, especially on Valentine’s Day. Links are sent that appear to be from legitimate eCard sites that require users to click the link to view a Valentine’s day card from a secret admirer. The purpose is to deliver malware.
Valentine’s day email scams this year also include messages alerting the recipient about the failed delivery of flowers from Interflora and email attachments claiming to be delivery receipts.
It is the likelihood of these emails being opened that makes defending against them a major headache for businesses. One single click is all it takes for malware to be installed, and since many malware variants can rapidly spread laterally, one click could be all it takes to compromise an entire network.
The Winter Olympics Scams Continue
This month has also seen plenty of Winter Olympics phishing campaigns conducted. Cybercriminals have been taking advantage of interest in the games to get their emails opened. Malicious links are used to direct users to websites that claim to have up to date news on the events, the competitors, fake news, and the results of events.
The reality is these links direct users to phishing websites, exploit kits, and sites where malware is silently downloaded. With workers unable to watch the sports live at work, these malicious emails stand a high chance of being opened.
With Valentine’s day and the Winter Olympics, February has been a busy month for scammers and with the Pyeongchang Winter Olympics still in full flow, businesses need to be on high alert.
Fortunately, there is one technology in particular that can help businesses counter these email-based threats. An advanced spam filtering solution: The most effective defense against email-based attacks. An advanced spam filter such as SpamTitan blocks more than 99.9% of spam emails, 100% of known malware, and ensures that phishing and other malicious emails do not reach inboxes.
To find out more about SpamTitan – the best spam filter for business use – contact the TitanHQ team today.
by titanadmin | Feb 8, 2018 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Software, Website Filtering |
Following a slew of cyber extortion attacks on schools, the FBI and the Department of Education’s Office of the Inspector General have issued a warning. Schools need to be alert to the threat of cyber extortion and must take steps to mitigate risk by addressing vulnerabilities, developing appropriate policies and procedures, and using technologies to secure their networks.
K12 schools and other educational institutions are an attractive target for cybercriminals. They hold large quantities of valuable data – The types of data that can be used to commit identity theft and tax fraud. Further, in education, security defenses are typically of a much lower standard than in other industries. Poor defenses and large volumes of valuable data mean cyberattacks are inevitable.
The warning comes after several cyber extortion attacks on schools by a group of international hackers known collectively as TheDarkOverlord. The hacking group has conducted numerous attacks on the healthcare industry the public school system since April 2016.
The modus operandi of the hacking group is to search for vulnerabilities that can be easily exploited to gain access to internal networks. Once network access is gained, sensitive data is identified and exfiltrated. A ransom demand is then issued along with the threat to publish the data if payment is not made. The hacking group does not make empty threats. Several organizations that have failed to pay have seen their data dumped online. Recent attacks have also included threats of violence against staff and students.
Access to networks is typically gained by exploiting vulnerabilities such as weak passwords, poor network security, unpatched software, and misconfigured databases and cloud storage services.
The FBI reports that the hacking group has conducted at least 69 cyber extortion attacks on schools, healthcare organizations, and businesses and has stolen more that 100 million records containing personally identifiable information. More than 200,000 of those records have been released online after ransom demands were ignored. More than 7,000 students have had their PII exposed by the hackers.
The escalation of the threats to include violence have caused panic and some schools have been temporarily closed as a result. Sensitive data has been released which has placed staff and students at risk of financial losses due to fraud. The FBI recommends not paying any ransom demand as it just encourages further criminal activity. What schools must do is take steps to mitigate risk and make it harder for their institution to be attacked. By doing so, cybercriminals are likely to continue their search for organizations that are easier to attack.
Ransomware and DDoS Attacks are Rife
TDO is not the only criminal group conducting cyber extortion attacks on schools, and these direct attacks are not the only way access to school networks is gained.
The past two years have seen a massive rise in the use of ransomware on schools. Ransomware attacks are often indiscriminate, taking advantage of vulnerabilities in human firewalls: A lack of security awareness of staff and students. These attacks commonly involve email, with malicious attachments and links used to deliver the ransomware payload.
Ransomware is malicious code that is used to search for stored files and encrypt them to prevent access. With files encrypted, organizations must either restore files from backups or pay the ransom demand to obtain the key to unlock the encryption. Since the code can also encrypt backup files, many organizations have had no alternative other than paying the ransom, since data loss is not an option.
Other cyber extortion attacks on schools do not involve data theft. DoS and DDoS attacks bombard servers with thousands or millions of requests preventing access and often damaging hardware. Cybercriminal gangs use mafia-style tactics to extort money, threatening to conduct DoS/DDoS attacks unless payment is made. Alternatively, they may conduct the attacks and demand payment to stop the attack.
The rise in cyber extortion attacks on schools means action must be taken to secure networks. A successful attack often results in educational institutions suffering major losses. The ransom payment is only a small part of the total cost. Removing ransomware, rebuilding systems, and protecting individuals whose sensitive data has been exposed can cost hundreds of thousands of dollars.
How to Protect Against Cyber Extortion Attacks on Schools
Schools and other educational institutions can develop policies and procedures and use technologies to deter cybercriminals and improve network and email security. By adhering to IT best practices and adopted a layered approach to security, it is possible to mount a robust defense and prevent cyber extortion attacks on schools.
Educational institutions should:
Implement strong passwords: Weak passwords can easily be cracked using brute force methods. Set strong passwords (Upper/lower case letters, numbers, and special characters or long 15+ digit passphrases) and use rate limiting to block access attempts after a set number of failures. Never reuse passwords for multiple accounts.
Patch promptly: Vulnerabilities in software and operating systems can easily be exploited to gain access to networks. Develop good patch management policies and ensure all software and operating systems are updated promptly.
Implement an advanced spam filter: Phishing and spam emails are commonly used to deliver ransomware and obtain login credentials. Do not rely on the spam filters of email service providers. Implement separate, advanced anti spam software or a cloud-based filtering service to block email-based threats and prevent them from reaching inboxes.
Provide security awareness training: Cybersecurity should be taught. Staff and students should be made aware of email and web-based threats and told how to identify malicious emails and potential web-based threats.
Implement a web filter: A web filter is necessary for CIPA compliance to protect students from harm caused by viewing obscene images online. A web filter is also an important cybersecurity defense that can block malware and ransomware and stop staff and students from visiting phishing websites. Web filters protect staff and students at school, but also protect devices that are taken home.
Secure remote desktop/access services: Conduct audits to determine which devices have remote access enabled. If remote access is not necessary, ensure it is disabled. If the services cannot be disabled, ensure they are secured. Use Secure Sockets Layer (SSL) Transport Layer Security for server authentication, ensure sessions are encrypted, and use strong passwords. Whitelist access is strongly recommended to ensure only authorized devices can connect.
Use two-factor authentication: Use two-factor authentication on all accounts to prevent access if a password is used on an unfamiliar device.
Limit administrator accounts: Administrator accounts should be limited. When administrator access is not required, log out from those accounts and use an account with fewer privileges.
Segment your network: Segmenting the network can limit the damage caused when malware and ransomware is installed, preventing it from spreading across the entire network.
Scan for open ports and disable: Conduct a scan to identify all open ports and ensure those open, unused ports are disabled.
Monitor audit logs: Audit logs for all remote connection protocols, check logs to ensure all accounts were intentionally created, and audit access logs to check for unauthorized activity.
Backup all data: Good backup polices are essential for recovery from ransomware attacks: Adopt a 3-2-1 approach. Make three copies of backups, store them on at least two different media, and keep one copy off site. Backups should be on air-gapped devices (not connected to the Internet or network).
by titanadmin | Jan 30, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
Phishing emails cost a North Carolina school district $314,000 to resolve and caused considerable disruption while the infection was removed.
The high cost of resolving the attack was due to a particularly nasty and difficult to remove malware variant called Emotet malware which had been installed on endpoints and servers after employees responded to phishing emails.
The Rockingham County School District was attacked in late November. Numerous employees of the school district received a phishing email in their inboxes which appeared to be an incorrect invoice from their anti-virus provider. The emails contained an attachment and asked users to open the file to confirm. Doing so triggered the infection process, that resulted in the Emotet virus being downloaded.
The purpose of the malware is to obtain banking credentials. To ensure the maximum number of credentials are stolen, the virus is able to spread to other users. It was the attempt to spread that saw the infection detected. Some employees of the school district discovered their Google email accounts had been disabled as a result of spamming, which prompted an investigation. Internet access through web browsers was also impacted, suggesting a widespread malware infection.
While a malware infection was confirmed, removing the virus was not an easy task. There is no anti-virus software program that can remove the virus and prevent infection. The school district was able to clean and reimage some infected devices, but they were subsequently reinfected.
Unable to resolve the malware infection internally, the school district was forced to bring in external security consultants. In total, approximately a dozen infected servers had to be rebuilt to remove the infection. The school district also had to cover the cost of reimaging 3,000 workstations. The recovery is expected to involve some 1,200 on-site hours by IT staff and the process is expected to take up to a month.
During that time, the school district has had limited access to computers and had to loan around 200 Windows devices for key personnel. In order to cover the cost of the phishing attack, the school district took $314,000 in funds from its coffers.
“We feel like the $314,000 will get us back to where we were before we had the virus,” said school district Superintendent Rodney Shotwell.
The high cost of the phishing attack and the disruption caused shows just how important it is to deploy an advanced anti spam software solution to prevent malicious emails from reaching inboxes, and the importance of providing security awareness training to all employees to help them identify potential phishing attacks.
by titanadmin | Jan 26, 2018 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam News |
The exponential growth in the price of cryptocurrencies has been accompanied by similar growth in email campaigns spreading cryptocurrency mining malware. There has also been a big rise in new mining malware variants, with three new malware variants detected in the past week. Conservative estimates suggest one malware variant has already been installed on at least 15 million systems, although the true figure could well be closer to 30 million.
The data comes from the cybersecurity firm Palo Alto Networks, which performed an analysis of the URLs used in the campaign using Bitly telemetry. It is difficult to determine how many systems have been affected since Bitly is not the only URL shortening service being used in the campaign. AdFly is also in use, which suggests the number of infected systems could well be twice as high.
The malicious links for this campaign are being sent in spam email. Clicking the links will direct the user to a malicious website containing executable files that install the Monero mining application XMRig using VBS scripts. The popularity of Monero mining is due to the lower processor demands than cryptocurrencies such as Bitcoin. Monero mining can take place on less powerful computers such as those typically at home. In addition to spam email campaigns, the malicious executable files are being loaded to popular file sharing websites
Symantec reports there has been a rise in browser-based cryptocurrency mining. Websites owners are loading cryptocurrency miners onto their websites that is implemented using a scripting language. The ease of access to JavaScript APIs that can be used for this purpose has increased the popularity of this mining technique. Symantec also reports there has been a 34% rise in mobile applications containing cryptocurrency mining code.
Cryptocurrency mining malware does not pose such a big threat to organizations as other forms of malware and ransomware, but there are implications for businesses. The malware does require a considerable amount of processing power, so there will be an impact on performance on infected machines. Infection will see applications slow considerably, and that will have an impact on productivity.
Campaigns are also being conducted that target businesses. The aim is to installing cryptocurrency mining malware on business servers. These attacks are not email-based, instead vulnerabilities are identified and exploited to install the malware, with Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) vulnerabilities commonly exploited.
Preventing Infection with Cryptocurrency Mining Malware
Businesses can prevent cryptocurrency mining malware from being installed on their servers by ensuring all applications are patched and kept up to date. The patch to fix the Apache Struts vulnerability was released in September 2017, yet many businesses have not applied the patch. The DNN vulnerability has also been patched.
The risk of infections on employee and home computers requires antivirus and antimalware software and an advanced spam filter to prevent malicious messages from reaching inboxes. Businesses should also be training their staff how to recognize malicious emails. Training programs and phishing email simulations have been shown to help reduce susceptibility to email-based attacks by up to 95%.
The past few months have also seen a rise in cryptocurrency mining malware infections via unsecured WiFi networks, with cybercriminals performing man-in-the-middle attacks that hack the WiFi sessions of any user connected to one of the rogue WiFi access points. Unsecured public WiFi hotspots should be avoided, or VPNs used.
by titanadmin | Jan 24, 2018 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam Software |
In this post we explain two of the most important strategies to adopt to block phishing and ransomware attacks.
Ensure Malicious Messages Do Not Reach Inboxes
Last year, Netwrix released a report based on a survey that showed 100% of government IT workers believed employees were the biggest threat to security. While those figures are the highest of many such surveys, the common theme throughout all of the research is employees are the most likely cause of a data breach.
One of the biggest areas of weakness is email-based attacks. Research conducted by the Friedrich Alexander University in Germany suggests half of users click links in emails from unknown senders. Those links often lead employees to phishing and malware-laced websites. With such high click rates, it is no surprise that so many IT workers believe employees are the weakest link in their security defenses.
Stopping employees from taking risky actions is difficult, so organizations must do all they can to ensure malicious emails are not delivered to inboxes. Only then, can IT workers be sure that employees will not click links or open dangerous email attachments.
How Does SpamTitan Work?
TitanHQ is a leading provider of
spam filtering solutions for enterprises. SpamTitan ensures the vast majority of spam and malicious emails are identified and quarantined and are not delivered to inboxes. SpamTitan has been independently tested and shown to block 99.97% of spam emails, ensuring end users are protected. But what can organizations do to protect their employees from the 0.03% of emails that are delivered to inboxes?
There is No Silver Bullet That Will Block Phishing and Ransomware Threats 100% of the Time
No business can no survive without email and unfortunately, no spam filtering solution can block 100% of all spam emails, 100% of the time. At least not without also blocking many genuine messages. Organizations cannot rely on a spam filter to block phishing and ransomware threats. It is just one important layer of security. Several other layers are required.
Anti-virus and anti-malware solutions are essential for detecting malicious software, but these signature-based security controls are proving less and less effective as years go by. For instance, the solutions are not particularly good at detecting fileless malware.
Most businesses further reduce risk by implementing endpoint protection systems that can detect anomalies and unnatural behavior on endpoints, indicative of an intrusion, malware activity, or ransomware scanning for files and making changes.
However, AV software and endpoint detection systems only detect phishing and ransomware attacks when they are occurring. If you want to block phishing and ransomware attacks, the most effective solution is a human firewall.
IT departments can blame employees for being the weakest link when it comes to security, but if employees are not trained and shown how to recognize malicious emails, they will remain the biggest security threat to an organization.
The Human Firewall – The Best Defense Against Phishing, Malware, and Ransomware Emails
A firewall is the first line of defense, and anti spam software will help to keep inboxes free from malicious messages. The rear guard is made up of your employees. To ensure you have a strong defensive backline, you must provide security awareness training. Many employees do not know that they are taking big risks that could compromise the network. It is up to organizations to ensure that those risks are explained.
Most malware and ransomware attacks involve at least some user interaction: The clicking of a link, the opening of a malicious document, or the enabling of a macro. Employees must be told this is how malware is installed and how access to email accounts and networks is gained. By training the workforce to be more security aware, employees can be turned into a formidable last line of defense.
Security Awareness Training Should Be Continuous
While it was once possible to provide annual security training and be reasonably confident that employees would be able to recognize malicious emails, that is no longer the case. Email-based cyberattacks are now far more sophisticated, and cybercriminals are investing considerably more time in developing highly convincing campaigns. Cybercriminals’ tactics are constantly changing. Training programs must reflect that.
To develop a strong human firewall, training should be ongoing. An annual classroom-based training session should be accompanied by regular CBT training sessions, provided in bite-sized chunks. Cybersecurity should be kept fresh in the mind with monthly email bulletins, as well as ad hoc alerts about new threats.
Research conducted by several security awareness training companies shows, training is very effective. PhishMe, Wombat Security Technologies, and Knowbe4 all suggest that with regular training it is possible to reduce susceptibility to email-based attacks by up to 95%.
Test the Effectiveness of Security Awareness Training with Phishing Simulations
You can backup all your data to ensure you can recover files in the event of a disaster, but if your backups are never tested you can never be sure file recovery is possible.
Similarly, providing security awareness training to employees will not guarantee you have created a strong human firewall. Your firewall must be tested. By sending phishing simulations to your workforce you can find out just how effective your training has been. You can identify weak links – employees that have not grasped the concept of phishing and email security and those individuals can be scheduled additional training. Phishing simulation exercises also help to reinforce training. When a test is failed, it can be turned into a learning opportunity, which helps to improve knowledge retention.
Implement technological solutions to block phishing and ransomware attacks and train your employees and test them on all manner of email-based attacks. When the real deal arrives in an inbox they will be prepared and deal with it appropriately. Fail to block emails or provide high quality training, and your company is likely to have to deal with a costly, and potentially disastrous, email-based attack.
Lire cet article en français.
by titanadmin | Jan 5, 2018 | Industry News, Internet Security, Network Security |
It has been pretty difficult to avoid the news of Meltdown and Spectre – Two vulnerabilities recently discovered that could potentially be exploited to gain access to sensitive information on PCs, Macs, servers, and smartphones. Meltdown and Spectre affect virtually all devices that contain CPUs, which amounts to billions of devices worldwide.
What are Meltdown and Spectre?
Meltdown and Spectre are two separate vulnerabilities affecting CPUs – central processing units. The chips that power a wide range of electronic devices. The flaws make devices vulnerable to side-channel attacks, in which it is possible to extract information from instructions that have been run on CPUs, using the CPU cache as a side channel.
There are three types of attacks, two for Spectre and one for Meltdown. Spectre Variant 1 – tracked as CVE-2017-5753- is a bounds check bypass, while Spectre variant 2 – tracked as CVE-2017-5715 – is a branch target injection. Variant 3, termed Meltdown – tracked as CVE-2017-5754 – is a rogue data cache load, memory access permission check that is performed after kernel memory read.
The less technical explanation is the attacks leverage the prediction capabilities of the CPU. The CPU will predict processes, load them to an easily accessible, fast sector of the memory to save time and ensure fast performance. Spectre allows data to be read from the memory, but also for information to be loaded into the memory and read that would otherwise not be possible.
Meltdown also reads information from the memory, stealing information from memory used by the kernel that would not normally be possible.
What Devices are Affected by Meltdown and Spectre?
US-CERT has warned that the following vendors have been affected by Meltdown and Spectre: AMD, Apple, Arm, Google, Intel, Linux Kernel, Microsoft, and Mozilla. Apple has said that virtually all of its Macs, iPhones, and iPads are affected. PCs and laptops with Intel, Arm, and AMD chips are affected by Spectre, as are Android smartphones. while Meltdown affects desktops, laptops, and servers with Intel chips. Since servers are affected, that has major implications for cloud service providers.
How Serious are Meltdown and Spectre?
How serious are Meltdown and Spectre? Serious enough for the Intel chief executive officer, Brian Krzanich, to sell $25 million of his shares in the company prior to the announcement of the flaws, although he maintains there was no impropriety and the sale of the shares was unrelated to the announcement of the flaws a little over a month later.
For users of virtually all devices that contain CPUs, the flaws are certainly serious. They could potentially be exploited by malicious actors to gain access to highly sensitive data stored in the memory, which can include passwords and credit card data.
What makes these flaws especially serious is the number of devices that are affected – billions of devices. Since one of the flaws affects the hardware itself, which cannot be easily corrected without a redesign of the chips, resolving the problem will take a considerable amount of time. Some security experts have predicted it could take decades before the flaws are totally eradicated.
Fortunately, companies have been scrambling to develop patches that can at least reduce the risk of the flaws being exploited. For example, Chrome and Firefox have already released updates that will prevent attacks from occurring via browsers. Since the attacks can be performed using JavaScript, securing web browsers is essential.
At present, it would appear that the flaws have not been exploited in the wild, although now the news has broken, there will certainly be no shortage of individuals attempting to exploit the flaws. Whether they are able to do so remains to be seen.
What Can You do to Prevent Meltdown and Spectre Attacks?
As is the case when any vulnerability is identified, protecting against Meltdown and Spectre requires patches to be applied. All software should be updated to the latest versions, including operating systems, software packages, and browsers. Keeping your systems 100% up to date is the best protection against these and other attacks.
Some third-party antivirus software will prevent Windows patches from being installed, so before Windows can be updated, antivirus must be updated. Ensure that your AV program is kept up to date, and if you have automatic updates configured for Windows, as soon as your system is ready for the update it will be installed.
Chrome and Firefox have already been updated, Microsoft will be rolling out a patch for Windows 10 on Thursday, and over the next few days, updates will be released for Windows 7 and 8. Apple has already updated MacOS version 10.13.2, with earlier versions due to receive an update soon.
Google has already issued updates for Android phones, although only Google devices have so far been updated, with other manufactures due to roll out the updates shortly. Google has already updates its Cloud Platform, and Amazon Web Services has also reportedly been updated. Linux updates will also be issued shortly.
Fixes for Meltdown are easier to implement, while Spectre will be harder as true mitigations would require major changes to the way the chips work. It is unlikely, certainly in the short term, for Intel to attempt that. Instead, mitigations will focus on how programs interact with the CPUs. As US-CERT has warned, “[The] Underlying vulnerability is caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” although that advice is no longer detailed in its updated vulnerability warning.
Applying patches will help to keep computers protected, but that may come at a cost. For example, the fix for the Meltdown vulnerability changes the way the computer works, which means the processor will have to work harder as it has to repeatedly access information from the memory – tasks that would otherwise not normally need to be performed.
That will undoubtedly have an impact on the performance of the machine. How much of a dip in performance can be expected? Some experts predict the changes could slow computers down by as much as 30%, which would certainly be noticed at times when processor activity is particularly high.
by titanadmin | Jan 4, 2018 | Industry News, Internet Security, Network Security |
A recently discovered Forever 21 POS malware attack has seen customers’ credit card data compromised. While malware attacks on retail POS systems are now commonplace, in the case of the Forever 21 POS malware attack, the security breach stands out due to the length of time malware was present on its systems. Attackers first gained access to its POS system seven months before the infection was discovered.
The Forever 21 POS malware infections were first identified in October, when a third-party linked credit card fraud to customers who had previously visited Forever 21 stores. The potential malware infections were investigated and a third-party cybersecurity firm was called in to assist.
Forever 21 first made the announcement about a data breach in November, although the investigation has been ongoing and now new details about the attack have been released.
The investigation has revealed the attack was extensive and affected many POS devices used in its U.S. stores. The Forever 21 POS malware attack started on April 3, 2017, with further devices compromised over the following 7 months until action was taken to secure its systems on November 18, 2017. Forever 21 reports that some POS devices in its stores were only compromised for a few days, others for a few weeks, while some were compromised for the entire timeframe.
In response to the increased threat of cyberattacks on retailers, Forever 21 started using encryption technology on its payment processing systems in 2015; however, the investigation revealed the encryption technology was not always active.
While the encryption technology was active, the attackers would have been prevented from obtaining the credit card details of its customers, although the information could be stolen at times when the encryption technology was turned off.
Further, some devices that were compromised by the malware maintained logs of completed credit card transactions. When the encryption technology was not active, details of completed transactions were stored in the logs and could therefore be read by the attackers. Since those logs contained details of transactions prior to the malware infections, it is possible that customers who visited affected Forever 21 stores prior to April 3, 2017 may also have had their credit card details stolen.
Each store uses multiple POS devices to take payments from consumers, and in most cases only one device per store was compromised. The attackers concentrated their efforts on stores where POS devices did not have encryption enabled. Further, the attackers main aim appeared to be to find and infect devices that maintained logs of transactions.
On most POS devices, the attackers searched for track data read from payment cards, and in most cases, while the number, expiry date and CVV code was obtained, the name of the card holder was not.
The investigation into the Forever 21 POS malware attack is ongoing, and at present it is unclear exactly how many of the company’s 700+ stores have been affected, how many devices were infected, and how many customers have had their credit and debit card details stolen. However, it is fair to assume that an attack of this duration will have affected many thousands of customers.
The type of malware used in the attack is not known, and no reports have been released that indicate how the attackers gained access to its systems. It is not yet known if stores outside the US have been affected.
by titanadmin | Dec 31, 2017 | Internet Security, Network Security |
2017 has been a bad year for data breaches, but what were the worst data breaches of 2017? We have compiled a list of the largest and most serious cyberattacks that came to light this year.
The Worst Data Breaches of 2017
Equifax – 143 Million Records
The Equifax data breach was discovered in September and ranks first in our list of the worst data breaches of 2017, not just for the size of the breach, but also due to the nature of data stolen by the attackers. Equifax reports that the breach impacted as many as 143 million consumers – That’s 44% of the population of the United States.
The data stolen in the attack including highly sensitive information – the types of data cybercriminals seek in order to commit identity theft and fraud. Social Security numbers and driver’s license numbers were stolen along with names, addresses, dates of birth, and credit card numbers. The breach was the result of an unpatched software vulnerability.
Deep Root Analytics – 198 Million Records
The data breach at Deep Root Analytics was massive, involving almost 200 million records. Deep Root Analytics is a marketing firm that was contracted by the Republican National Convention to gather political information on U.S voters.
The data were stored in an Amazon AWS S3 bucket that could be accessed without the need for a password for two weeks before the lack of protection was discovered. During that time, voter records could be accessed, including names, addresses, dates of birth, and phone numbers.
Uber – 57 Million Records
The Uber data breach may not have been the most severe in terms of the types of data exposed, but it certainly ranks as one of the worst data breaches of 2017, affecting some 57 million riders and drivers.
What really makes this one of the worst breaches of 2017 is the discovery that Uber attempted to keep the breach quiet. Uber paid the attacker $100,000 to keep quiet and not publish the data, which included names, addresses, email addresses, and in some cases, driver’s license numbers. The breach occurred in October 2016, but it was not disclosed for more than a year.
Verizon – 14 Million Records
As with many other data breaches in 2017, this security breach was due to an unsecured Amazon AWS S3 bucket that was controlled by NICE systems – A partner of Verizon. It is unclear whether Verizon customer data was stolen, but the records of 14 million customers were exposed. Those records included names, PIN numbers, and phone numbers in the form of logs from Verizon customers that had called its customer service department. Potentially, the information could be used to access customers’ accounts. The data were stored in an unprotected Amazon AWS S3 bucket
Dun & Bradstreet – 33.7 Million Records
The data analytics firm Dun & Bradstreet created a marketing database containing 52 GB of data, including 33.7 million email addresses and contact information. While Dun & Bradstreet maintains its systems were not compromised, one of the companies that the database was sold to certainly was. The database contained the records of millions of employees of major companies including Wal-Mart and CVS Health, as well as the U.S Postal Service and the Department of Defense.
America’s JobLink – 4.8 Million Records
A misconfigured application was exploited by a hacker to gain access to the records of 4.8 million individuals. The data were maintained by America’s JobLink – a firm that connects employers and job seekers
The breach was detected in March 2017, although an analysis revealed the code error was introduced in October 2016. The hacker exploited the vulnerability in February and had access to the data for a month.
The breach was particularly bad as it involved names, dates of birth and Social Security numbers, placing the breach victims at a high risk of identity theft and fraud. It is unclear whether the hacker managed to steal all 4.8 million records.
Deloitte – 350+ records
In the list of the largest data breaches of 2017, the Deloitte breach would come in very close to the bottom; however, in terms of the potential severity of the breach it ranks near the top. An estimated 350 clients were impacted when a hacker gained access to Deloitte’s email server and email conversations between the firm and its clients. Those clients included government departments – including Homeland Security and the Department of Defense – the National Institutes of Health, FIFA, and the U.S Postal Service.
The breach was discovered this year, although the hackers reportedly had access to its systems for several months. The email server was breached using an admin account, with the breach preventable had two-factor authentication been used.
River City Media – 1.4 Billion Records
A massive illegal spam operation run by River City Media was uncovered this year by security researchers, who discovered more than 1.4 billion records had been left exposed online. An analysis of the data showed there were 393 million unique email addresses in the database, along with names, IP addresses, and real addresses.
The investigation into River City Media revealed the group was sending as many as a billion emails a day, and was masquerading as a legitimate marketing company. The files were exposed due to poor RSync backup practices, which ensured a disaster would not result in data loss, but the firm inadvertently left its data exposed online.
Onliner Spambot – 711 Million Records
Another massive data breach to affect spammers involved the operator of the onliner spambot, which harvested email addresses to send spam emails. A database of some 711 million email addresses was left exposed online after the server on which the data were stored had been left unprotected. It is unknown how many people discovered the database and are now using it to plague those 711 million individuals with email more spam email. The breach was largely limited to email addresses, but in terms of size, it certainly ranks as one of the worst data breaches of 2017.
by titanadmin | Dec 29, 2017 | Internet Security, Network Security |
Every December, a list of terrible passwords is published by SplashData, and this year the list of the worst passwords of 2017 contains the same horrors as years gone by. Passwords that not only would take a hacker next to no time to guess, but in many cases, could be cracked at the first attempt.
The list of the worst passwords of 2017 is compiled from databases of leaked and stolen passwords that have been published online throughout 2017. This year, SplashData compiled its list from more than 5 million leaked passwords.
The minimum password length on many websites has now been increased to eight characters; however, it is still possible to use passwords of six characters in many places. This year, the worst password is six characters long and is the extremely unimaginative: 123456. A password so easy to guess, it is barely worth setting a password at all.
In second place is an eight-character password, which is similarly not worth using at all: password. In third place is 12345678. Those three passwords retained the same positions as last year.
Each year, the same passwords appear on the list, with slight fluctuations in their positions in the list. However, there are some new entries this year. The rebooting of the Star Wars saga has spurred many people to choose Star Wars related passwords, with starwars featuring in 16th position on the list.
An interesting entry makes it into 25th place – trustno1. Good advice, but even with the addition of a number, it is still a poor password choice. At first glance, number 24 in the list appears to be reasonable, but qazwsx is the first six characters on the left-hand side of the keyboard.
Using the passwords letmein, passw0rd, admin, master, and whatever, are all equally bad. All of those words make the top 25 in the list of the worst passwords of 2017.
Top 25 Worst Passwords of 2017
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- letmein
- 1234567
- football
- iloveyou
- admin
- welcome
- monkey
- login
- abc123
- starwars
- 123123
- dragon
- passw0rd
- master
- hello
- whatever
- qazwsx
- trustno1
The list of the worst passwords of 2017 reveals many people are extremely unimaginative when choosing a password to secure their email, social media, and online accounts.
SplashData estimates 3% of people have used the worst password on the list, while 10% have used one of the first 25 passwords to “secure” at least one online account.
Most people know that strings of consecutive numbers are bad, as is any variation of the word password, but changing to a dictionary word or a pop culture reference is just as bad, as Morgan Slain, CEO of SplashData, Inc., explained, “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”
That means using football (or any other sport) or starwars will not prevent a hacker from gaining access to an account for very long.
What Makes a Bad Password?
Brute force attacks, those where repeated attempts are made to guess passwords, does not involve a hacker sitting at a computer typing bad passwords until the correct one is guessed. Those attacks are performed by bots, and it doesn’t take long for a bot to guess a poor password.
Without rate limiting – setting a maximum number of failed attempts before access is temporarily blocked – to slow down the process, the bots can cycle through the list of the worst passwords of 2017 quickly, followed by those used in other years and other dictionary words.
Hackers also know the tricks that people use to keep passwords easy to remember, while meeting the strong password requirements set by IT departments, such as adding an explanation mark to the end of an easy to remember word or replacing certain letters with their numerical equivalent: An A with a 4, or an O with a zero for instance.
What Makes a Good Password?
A good password should contain upper and lowercase letters, numbers, and special characters, and should preferably be a random string of 10 or more characters. That of course makes passwords very difficult to remember. Writing the password down so you don’t forget it is also a very bad idea, as is reusing passwords on multiple sites and recycling old passwords.
In 2017, NIST revised its advice on choosing passwords as its research showed that forcing people to choose upper and lower-case passwords and special characters did not always ensure people chose strong passwords. Instead, they get around the technology by simply changing the first letter to a capital letter and adding a special character and number to the end, for instance.
Instead, NIST recommended using a passphrase rather than a password. A phrase that only you would know.
A list of four or five unrelated words would work well. Dogforkliftmonkeyhousecar would be a strong password phrase to use (other than the fact it has now been published online). It would be difficult to crack but easy to remember with a mnemonic.
To keep your accounts secure, make sure you choose strong and complex passwords, ideally long passwords of at least 15 characters. However, remembering the 20 or so unique passwords you are likely to need will still be hard.
The solution is to use a password manager, and to secure that account with a strong hard to guess password. Then only one complex password must be remembered.
by titanadmin | Dec 27, 2017 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Advice |
Digimine malware is a new threat that was first identified from a campaign in South Korea; however, the attacks have now gone global.
Ransomware is still a popular tool that allows cybercriminals to earn a quick payout, but raised awareness of the threat means more companies are taking precautions. Ransomware defenses are being improved and frequent backups are made to ensure files can be recovered without paying the ransom. Not only is it now much harder to infect systems with ransomware, rapid detection means large-scale attacks on companies are prevented. It’s harder to get a big payday and the ability to restore files from backups mean fewer organizations are paying up.
The surge in popularity of cryptocurrency, and its meteoric rise in value, have presented cybercriminals with another lucrative opportunity. Rather than spread ransomware, they are developing and distributing cryptocurrency miners. By infecting a computer with a cryptocurrency miner, attackers do not need to rely on a victim paying a ransom.
Rather than locking devices and encrypting files, malware is installed that starts mining (creating) the cryptocurrency Monero, an alternative to Bitcoin. Mining cryptocurrency is the verification of cryptocurrency transactions for digital exchanges, which involves using computers to solve complex numeric problems. For verifying transactions, cryptocurrency miners are rewarded with coins, but cryptocurrency mining requires a great deal of processing power. To make it profitable, it must be performed on an industrial scale.
The processing power of hundreds of thousands of devices would make the operation highly profitable for cybercriminals, a fact that has certainly not been lost on the creators of Digimine malware.
Infection with Digimine malware will see the victim’s device slowed, as its processing power is being taken up mining Monero. However, that is not all. The campaign spreading this malware variant works via Facebook Messenger, and infection can see the victim’s contacts targeted, and could potentially result in the victim’s Facebook account being hijacked.
The Digimine malware campaign is being spread through the Desktop version of Facebook Messenger, via Google Chrome rather than the mobile app. Once a victim is infected, if their Facebook account is set to login automatically, the malware will send links to the victim’s contact list. Clicking those links will result in a download of the malware, the generation of more messages to contacts and more infections, building up an army of hijacked devices for mining Monero.
Infections were first identified in South Korea; however, they have now spread throughout east and south-east Asia, and beyond to Vietnam, Thailand, Philippines, Azerbaijan, Ukraine, and Venezuela, according to Trend Micro.
A similar campaign has also been detected by FortiGuard Labs. That campaign is being conducted by the actors behind the ransomware VenusLocker, who have similarly switched to Monero mining malware. That campaign also started in South Korea and is spreading rapidly. Rather than use Facebook Messenger, the VenusLocker gang is using phishing emails.
Phishing emails for this campaign contain infected email attachments that download the miner. One of the emails claims the victim’s credentials have been accidentally exposed in a data breach, with the attachment containing details of the attack and instructions to follow to mitigate risk.
These attacks appear to mark a new trend and as ransomware defenses continue to improve, it is likely that even more gangs will change tactics and switch to cryptocurrency mining.
by titanadmin | Dec 20, 2017 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News |
A Q3 malware threat report from McAfee charts the continued rise in malware threats throughout the year. Malware variants have now reached an all time high, with the volume of threats having risen each quarter in 2017.
In 2016, there were high levels of malware in Q1, rising slightly in Q2 before tailing off in Q3 and A4. That trend has not been seen this year. The malware threat report shows Q1 figures were higher than the previous two quarters, with a massive rise in Q3 and a continued increase in Q3. Malware threats rose 10% quarter over quarter, rising to a quarterly total of 57.6 million new samples of malware: The highest quarterly total detected by McAfee. That averages out at a new malware sample detected every quarter of a second!
The ransomware epidemic has also got worse in Q3, with new ransomware variants increasing by 36% last quarter, fueled by a sharp increase in Android screen lockers. In total, new mobile malware variants increased by 60% in Q3.
In its Q3 Malware Threat Report, McAfee noted that attackers were continuing to rely on spam email to distribute malware, with the Gamut botnet the most prevalent spamming botnet in Q3, closely followed by the Necurs botnet. The latter was used to spread ransomware variants such as Locky. Mac malware rose by 7% in Q3, and macro malware increased by 8%.
Technologies such as PowerShell are still commonly used to install malware, along with Office macros. New PowerShell malware variants doubled in Q3, 2017, and while new JavaScript malware declined by 26% quarter over quarter, the level of new JavaScript malware is still substantially higher than the level seen in 2016.
Vulnerabilities in software and operating systems were also extensively exploited, even though patches to address those vulnerabilities were released promptly.
McAfee notes that employees and organizations are making it far too easy for attackers. Employees are responding to phishing emails, are visiting malicious links and are opening attachments and enabling the content. Employers are no better. Patches are released, yet they are not being applied promptly, opening the door to attackers. In many cases, patches have still not been applied several months after they have been released.
One of the most commonly exploited vulnerabilities in Q3, 2017 was CVE-2017-0199 which affected WordPad and Microsoft Office. An exploit for the vulnerability was made available through GitHub, making remote code execution attacks easy; provided employees could be convinced to open specially crafted files. Many employees fell for the scam emails.
The McAfee Q3 Malware Threat Report highlighted several continuing malware trends, including the increase in the use of fileless malware. PowerShell malware increased by 119% in Q3 alone.
Q3 saw a new Locky variant released – Lukitus. Lukitus was spread via spam email, with more than 23 million messages delivered in the first 24 hours since its release. That, combined with other new ransomware threats, have contributed to a 44% increase in ransomware samples in the past 12 months.
Q3 also saw the release of a new variant of the Trickbot Trojan, which incorporated the EternalBlue exploit that was also used in the WannaCry and NotPetya attacks.
While no industry is immune to attack, it is the healthcare and public sectors that are taking the brunt of the attacks, accounting for 40% of all reported security incidents in Q3. In the United States, healthcare was the most commonly attacked industry.
The extensive use of spam and phishing emails to spread malware highlights the importance of using an advanced spam filtering solution such as SpamTitan, especially considering how employees are still struggling to identify malicious emails. Blocking these threats and preventing malicious messages from being delivered will help organizations prevent costly data breaches.
The high level of infections that occurred as a result of exploited vulnerabilities also shows how important it is to apply patches promptly. McAfee notes that many of the exploited vulnerabilities in Q3 were patched as early as January. If patches are not applied promptly, they will be exploited by cybercriminals to install malware.
by titanadmin | Dec 19, 2017 | Industry News, Network Security, Spam Advice, Spam Software |
In this article we explore the cost of HIPAA noncompliance for healthcare organizations, including the financial penalties and data breach costs, and one of the most important technologies to deploy to prevent healthcare data breaches.
The Health Insurance Portability and Accountability Act (HIPAA)
In the United States, healthcare organizations that transmit health information electronically are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was introduced in 1996 with the primary aim of improving healthcare coverage for employees between jobs, although it has since been expanded to include many privacy and security provisions following the introduction of the HIPAA Privacy and Security Rules.
These rules require HIPAA-covered entities – health plans, healthcare providers, healthcare clearinghouses and business associates – to implement a range of safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). Those safeguards include protections for stored PHI and PHI in transit.
HIPAA is not technology specific, if that were the case, the legislation would need to be frequently updated to include new protections and the removal of outdated technologies that are discovered not to be as secure as was initially thought. Instead, HIPAA leaves the actual technologies to the discretion of each covered entity.
In order to determine what technologies are required to keep PHI secure, covered entities must first conduct a risk analysis: A comprehensive, organization-wide analysis of all risks to the confidentiality, integrity, and availability of PHI. All risks identified must be managed and reduced to an appropriate and acceptable level.
The risk analysis is one of the most common areas where healthcare organizations fall afoul of HIPAA Rules. Healthcare organizations have been discovered not to have included all systems, hardware and software in the risk analysis, or fail to conduct the analysis on the entire organization. Vulnerabilities are missed and gaps remain in security controls. Those gaps allow hackers to take advantage and gain access to computers, servers, and databases.
When vulnerabilities are exploited, and a data breach occurs, HIPAA-covered entities must report the security breach to the Department of Health and Human Services’ Office for Civil Rights (OCR): The main enforcer of HIPAA Rules. OCR investigates data breaches to determine whether they could realistically have been prevented and if HIPAA Rules have been violated.
What is the Cost of HIPAA Noncompliance?
When healthcare organizations are discovered not to have complied with HIPAA Rules, financial penalties are often issued. Fines of up to $1.5 million per violation category (per year that the violation has been allowed to persist) can be issued by OCR. The cost of HIPAA noncompliance can therefore be severe. Multi-million-dollar fines can, and are, issued.
The cost of HIPAA noncompliance is far more than any financial penalty issued by OCR, or state attorneys general, who are also permitted to issue fines for noncompliance. HIPAA requires covered entities to notify individuals impacted by a data breach. The breach notification costs can be considerable if the breach has impacted hundreds of thousands of patients. Each patient will need to be notified by mail. If Social Security numbers or other highly sensitive information is exposed, identity theft protection services should be offered to all breach victims.
Forensic investigations must be conducted to determine how access to data was gained, and to establish whether all malware and backdoors have been removed. Security must then be enhanced to prevent similar breaches from occurring in the future.
A data breach often sees multiple lawsuits filed by the victims, who seek damages for the exposure of their information. Data breaches have a major negative impact on brand image and increase patient churn rate. Patients often switch providers after their sensitive information is stolen.
On average, a data breach of less than 50,000 records costs $4.5 million to resolve according to the Ponemon Institute and has an average organizational cost of $7.35 million.
The 78.8 million-record breach experienced by Anthem Inc. in 2015 is expected to have cost the insurer upwards of $200 million. That figure does not include lost brand value and reputation damage, and neither a HIPAA fine from OCR.
A summary of the cost of HIPAA noncompliance, including recent fines issued by attorneys general and OCR has been detailed in the infographic below.
The Importance of Protecting Email Accounts
There are many ways that unauthorized individuals can gain access to protected health information – via remote desktop applications, by exploiting vulnerabilities that have not been patched, accessing databases that have been left exposed on the Internet, or when devices containing unencrypted PHI are stolen. However, the biggest single threat to healthcare data comes from phishing.
Research from PhishMe indicates more than 90% of data breaches start with a phishing email, and a recent HIMSS Analytics survey confirmed that phishing is the biggest threat, with email ranked as the most likely source of a healthcare data breach.
Protecting email accounts is therefore an essential part of HIPAA compliance. OCR has already fined healthcare organizations for data breaches that have resulted from phishing emails.
Healthcare organizations should implement a solution that blocks malicious emails and scans for malware and ransomware. In addition to technology, employees must also be trained how to identify malicious emails and taught to be more security aware.
How TitanHQ Can Help with HIPAA Compliance
TitanHQ developed SpamTitan to keep inboxes secure and prevent email spam, phishing messages, and malware from being delivered to inboxes. SpamTitan blocks more than 99.9% of spam email, and dual anti-virus engines ensure emails with malicious attachments are identified and quarantined. With SpamTitan, your organization’s email accounts will be protected – an essential part of HIPAA compliance.
WebTitan compliments SpamTitan and offers an additional layer of protection. WebTitan is a web filtering solution that allows you to carefully control the websites that your employees visit. WebTitan will prevent employees from visiting malicious websites via emailed hyperlinks, general web browsing, malvertising or redirects, protecting your organization from web-based attacks, drive by downloads of ransomware and malware, and exploit kit attacks.
For more information on TitanHQ’s cybersecurity solutions for healthcare, contact the TitanHQ team today.
by titanadmin | Dec 15, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam News, Spam Software |
Antivirus software vendor Symantec has detected a massive spam email campaign that is spreading Adwind RAT variants. While the Adwind RAT may sound like relatively harmless adware, that could not be further from the truth.
The latest Adwind RAT variants have a wide range of malicious functions, and serve as keyloggers that can record login credentials and monitor user activity, take screenshots, hijack the microphone and webcam to record audio and video, and as if that was not enough, the Adwind RAT allows the attacker to download further malicious files.
As is now the norm, the emails spreading Adwind RAT variants are convincing and appear to be genuine communications from legitimate firms. At a time when parcels are likely to arrive in the mail, the attackers have chosen a particularly relevant ploy to maximize the chance of emails being opened. Notifications about parcels that could not be delivered.
Businesses are also being targeted with malicious attachments claiming to be account statements, invoices, purchase orders, and payment receipts. The emails are well written and appear to have been sent from legitimate firms.
The spam emails include two malicious email attachments, a JAR file and what appears to be a PDF file. In the case of the latter, it has a double file extension, which will appear as a PDF file if file extensions are not displayed. In reality, it is another JAR file. The files contain layers of obfuscation in an attempt to bypass antivirus controls.
If the JAR files are executed, they drop a further JAR file and run VBS scripts which launch legitimate Windows tools to investigate the environment, identify the firewall in use, and other security products installed on the device. They then set about disabling monitoring controls.
The timing of this Adwind RAT campaign is ideal to catch out as many people as possible. The festive period is a busy time, and the rush to find bargains and purchase presents online sees many Internet users let their guard down. Further, as many businesses close over the festive period it gives the attackers more time to explore networks.
Infection with the Adwind RAT can see sensitive data stolen, and login credentials obtained, email accounts to be pilfered and abused and access to be gained to corporate bank accounts. A single successful installation of the Adwind RAT can be devastating.
The AdWind RAT is one of 360,000 New Daily Threats
Of course, the Adwind RAT spam email campaign is just one example of a malicious actor spreading malware. One example from tens of thousands, each spreading different malware and ransomware variants.
Each day new campaigns are launched. Figures from Kaspersky Lab indicate 2017 has seen an astonishing 360,000 new malicious files detected each day.
While consumers must be alert to the threat from spam email, the threat to businesses is far greater. The threat is multiplied by the number of employees who have a work email account.
A single computer infected with malware is serious, although once a foothold has been gained, the infection can spread rapidly. Recent research by SafeBreach, published in the Hacker’s Playbook Findings Report, suggests that 70% of the time, hackers are able to navigate the network and move laterally once access has been gained. A single malware attack can turn into an organization-wide nightmare infection.
The recent ransomware attacks in the United States are a good example. A ransomware attack on the Mecklenburg County government in South Carolina resulted in 48 servers being taken out of action, and that attack was identified rapidly. The Texas Department of Agriculture experienced a similar attack that impacted 39 schools via its network connections.
It is now essential to implement a host of defenses to prevent malware attacks. One of the most effective defenses is to upgrade your spam filter to an advanced solution such as SpamTitan.
SpamTitan blocks more than 99.9% of spam emails and detects and blocks malware using dual anti-virus engines. SpamTitan not only scans messages for the presence of malware and malware downloaders, but also message content for the common signatures of spam and malicious links. When threats are detected, the emails are quarantined before they can do any harm.
If you have a spam filter, yet have still experienced an email-based malware or ransomware attack, now is the ideal time to switch providers and discover the difference SpamTitan can make. If you have yet to install a third-party spam filter, there is no time to lose. Take advantage of the free trial and start protecting your organization from email spam and malware attacks.
Call the TitanHQ team today for further information on SpamTitan, details of pricing, and for further details on how you can sign up for the no-obligation free trial. The knowledgeable sales team will be able to answer any questions you have.
by titanadmin | Dec 13, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
A particularly nasty new threat has emerged: Spider ransomware. The new crypto-ransomware variant was discovered by security researchers at Netskope on December 10, and the campaign is ongoing.
While many ransomware variants give victims a week to make contact and pay the ransom, the actors behind Spider ransomware are far less patient. If the ransom payment is not made within 96 hours of infection, the key to unlock files will be blocked and files will be permanently encrypted. Further, victims are warned “do not try anything stupid, the program has several security measures to delete all your files and cause damage to your PC.”
Naturally, that something stupid is not attempting to recover files from backups. If viable backups exist, victims will be able to recover their files without paying the ransom, but the warning may put off some victims from trying.
Such a short window for payment does not give victims much time. Many ransomware attacks occur on a Friday, and are only discovered when employees return to work on a Monday. Discovering a Spider ransomware attack in this scenario means businesses will have to act particularly quickly in order to avoid file loss.
While the threat is severe, the attackers have made it as easy as possible for victims to pay by providing a detailed help section. Payment must be made in Bitcoin via the Tor browser and detailed instructions are provided. The attackers say in the ransom note, “This all may seem complicated to you, actually it’s really easy.” They even provide a video tutorial showing victims how to pay the ransom and unlock their files. They also point out that the process of unlocking files is similarly easy. Pasting the encryption key and clicking on a button to start the decryption process is all that is required.
As with the majority of crypto-ransomware variants, Spider ransomware is being distributed by spam email. The emails use the hook of ‘Debt Collection’ to encourage recipients of the email to open the attachment. That attachment is a Microsoft Office document containing an obfuscated macro. If allowed to run, the macro will trigger the download of the malicious payload via a PowerShell script.
The latest Spider ransomware campaign is being used to attack organizations in Croatia and Bosnia and Herzegovina, with the ransom note and instructions written in Croatian and English. It is possible that attacks will spread to other geographical areas.
There is currently no free decryptor for spider ransomware. Protecting against this latest ransomware threat requires technological solutions to block the attack vector. If spam emails are not delivered to end user’s inboxes, the threat is mitigated.
Using an advanced cloud-based anti-spam service such as SpamTitan is strongly advisable. SpamTitan blocks more than 99.9% of spam emails ensuring malicious email messages are not delivered.
As an additional protection against ransomware and malware threats such as this, organizations should disable macros to prevent them from running automatically if a malicious attachment is opened. IT teams should also enable the ‘view known file extensions’ option on Windows PCs to prevent attacks using double file extensions.
End users should also receive security awareness training to teach them not to engage in risky behaviors. They should be taught never to enable macros on emailed documents, told how to recognize a phishing or ransomware emails, and instructed to forward messages on to the security team if they are received. This will allow spam filter rules to be updated and the threat to be mitigated.
It is also essential for regular backups to be performed, with multiple copies stored on at least two different media, with one copy kept on an air-gapped device. Backups are the only way of recovering from most ransomware attacks without paying the ransom.
