Network Security
Our network security news section contains a range of articles relating to securing networks and blocking cyberattacks, ransomware and malware downloads. This section also features articles on recent network security breaches, alerting organizations to the latest attack trends being used by cybercriminals.
Layered cybersecurity defenses are essential given the increase in hacking incidents and the explosion in ransomware and malware variants over the past two years. Organizations can tackle the threat by investing in new security defenses such as next generation firewalls, end point protection systems, web filtering solutions and advanced anti-malware and antivirus defenses.
While much investment goes on tried and tested solutions that have been highly effective in the past, many cybersecurity solutions – antivirus software – are not as effective as they once were. In order to maintain pace with hackers and cybercriminals and get ahead of the curve, organizations should consider implementing a wide range of new cybersecurity solutions to block network intrusions, prevent data breaches and improve protection against the latest malware and ransomware threats.
This category contains information and advice on alternative network security solutions that can be adopted to improve network security and ensure networks are not infiltrated by hackers and infected with malicious software.
by titanadmin | Aug 7, 2017 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software, Website Filtering |
Ransomware attacks on small businesses can be devastating. Many small businesses have little spare capital and certainly not enough to be handing out cash to cybercriminals, let alone enough to cover the cost of loss of business while systems are taken out of action. Many small businesses are one ransomware attack away from total disaster. One attack and they may have to permanently shut their doors.
A recent research study commissioned by Malwarebytes – conducted by Osterman Research – has highlighted the devastating effect of ransomware attacks on small businesses.
1,054 businesses with fewer than 1,000 employees were surveyed and asked about the number of ransomware attacks they had experienced, the cost of mitigating those attacks and the impact of the ransomware attacks on their business.
Anyone following the news should be aware of the increase in ransomware attacks. Barely a week goes by without a major attack being announced. The latest study has confirmed the frequency of attacks has increased. More than one third of companies that took part in the survey revealed they had experienced at least one ransomware attack in the past 12 months.
22% of Small Businesses Shut Down Operations Immediately Following a Ransomware Attack
The survey also showed the devastating impact of ransomware attacks on small businesses. More than one fifth of small businesses were forced to cease operations immediately after an attack. 22% of businesses were forced to close their businesses.
Those companies able to weather the storm incurred significant costs. 15% of companies lost revenue as a result of having their systems and data locked by ransomware and one in six companies experienced downtime in excess of 25 hours. Some businesses said their systems were taken out of action for more than 100 hours.
Paying a ransom is no guarantee that systems can be brought back online quickly. Each computer affected requires its own security key. Those keys must be used carefully. A mistake could see data locked forever. A ransomware attack involving multiple devices could take several days to resolve. Forensic investigations must also be conducted to ensure all traces of the ransomware have been removed and no backdoors have been installed. That can be a long-winded, painstaking process.
Multiple-device attacks are becoming more common. WannaCry-style ransomware attacks that incorporate a worm component see infections spread rapidly across a network. However, many ransomware variants can scan neworks and self-replicate. One third of companies that experienced attack, said it spread to other devices and 2% said all devices had been encrypted.
Can Ransomware Attacks on Small Businesses be Prevented?
Can ransomware attacks on small businesses be prevented? Confidence appears to be low. Almost half of respondents were only moderately confident they could prevent a ransomware attack on their business. Even though a third of businesses had ‘anti-ransomware’ defenses in place, one third still experienced attacks.
Unfortunately, there is no single solution that can prevent ransomware attacks on small businesses. What organizations must do is employ multi-layered defenses, although that can be a major challenge, especially with limited resources.
A risk assessment is a good place to start. Organizations need to look at their defenses critically and assess their infrastructure for potential vulnerabilities that could be exploited.
Improving Defenses Against Ransomware
Ransomware attacks on small businesses usually occur via email with employees targeted using phishing emails. Organizations should consider implementing a spam filtering solution to reduce the number of malicious emails that reach inboxes.
Some emails will inevitably slip past these defenses, so it is important for staff to be security aware. Security awareness training should be ongoing and should involve phishing simulations to find out how effective training has been and to single out employees that need further training.
While ransomware can arrive as an attachment, it is usually downloaded via scripts of when users visit malicious websites. By blocking links and preventing end users from visiting malicious sites, ransomware downloads can be blocked. A web filtering solution can be used to block malicious links and sites.
Anti-virus solutions should be kept up to date, although traditional signature-based detection technology is not as effective as it once was. Alone, anti-virus software will not offer sufficient levels of protection.
As was clearly shown by the WannaCry and NotPetya attacks, malware can be installed without any user interaction if systems are not configured correctly and patches and software updates are not applied promptly. Sign up to alerts and regularly check for updated software and don’t delay patching computers.
A ransomware attack need not be devastating. If organizations back up their data to the cloud, on a portable (unplugged) local storage device and have a copy of data off site, in the event of an attack, data will not be lost.
by titanadmin | Jul 31, 2017 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News |
A new survey from CSO shows ransomware and phishing attacks in 2017 have increased, although companies have reported a decline in the number of cyber incidents experienced over the past year. While it is certainly good news that organizations are experiencing fewer cyberattacks, the report suggests that the severity of the attacks has increased and more organizations have reported suffering losses as a result of security incidents.
CSO conducted the annual U.S State of Cybercrime survey on 510 respondents, 70% of whom were at the vice president level or higher. Companies had an average IT security budget of $11 million.
This year’s report suggests organizations are struggling to keep up with the number of patches and software upgrades now being issued, although the consequences of the delays have been clearly shown this year with the NotPetya and WannaCry attacks. The failure to patch promptly has seen many organizations attacked, with some companies still struggling to recover. Nuance Communications was badly affected by NotPetya, and a month after the attacks, only 75% of its customers have regained access to its services. TNT also suffered extensive disruption to services in the weeks following the attacks, although these are just two companies out of many to experience extended disruption.
IT security budgets have increased by an average of 7.5% year over year with 10% of companies saying they have increased IT security spending by 20% or more in the past 12 months. While new technologies are taking up the bulk of the new budgets, organizations are also investing in audits and knowledge assessments, information sharing, redeveloping their cybersecurity strategy, policies and processes and are adding new skills. 67% of respondents said they have now expanded their security capabilities in include mobile devices, the cloud and IoT.
Even though the threat of attack is severe, many companies still believe a cyber response plan should not be part of their cybersecurity strategy, although acceptance that cyberattacks will occur has seen 19% of respondents plan to implement a response strategy in the next 12 months.
Even though there was a fall in the number of security incidents, losses experienced as a result of those attacks have remained constant or have increased over the past 12 months for 68% of respondents. Only 30% of companies said they had experienced no losses as a result of security incidents, down 6 percentage points from last year.
More CSOs and CISOs are now reporting directly to the board on a monthly basis, up 17% since last year. However, as was also confirmed by a recent survey conducted by KPMG, many boards still view cybersecurity as an IT issue – The CSO survey suggests 61% of boards believe cybersecurity is a concern of the IT department not a matter for the board, a drop of just two percentage points since last year.
Phishing attacks in 2017 have increased significantly, with 36% of companies reporting attacks – up from 26% last year. 17% of companies experienced ransomware attacks – up from 14% – and financial fraud increased from 7% to 12%. Business email compromise scams are also increasing, up from 5% to 9% in the past 12 months.
The increase in ransomware and phishing attacks in 2017 highlights the need for security awareness training for employees and an improvement to spam filtering controls. Organizations need to ensure they have sufficient staffing levels to ensure patches are applied promptly, while investment in people must improve to ensure they have the skills, resources and training to respond to the latest threats. Boards must also appreciate that cybersecurity is not just a matter for IT departments, and the CSO survey shows that too much faith is being placed in cybersecurity protections. Currently only 53% of companies are testing the effectiveness of their security programs.
by titanadmin | Jul 20, 2017 | Network Security, Phishing & Email Spam, Spam News, Spam Software |
The Ovidiy Stealer is a password stealing malware that will record login credentials and transmit the information to the attacker’s C2 server. As with many other password stealers, information is recorded as it is entered into websites such as banking sites, web-based email accounts, social media accounts and other online accounts.
The good news is that even if infected, the Ovidiy Stealer will not record information entered via Internet Explorer or Safari. The malware is also not persistent. If the computer is rebooted, the malware will stop running.
The bad news is, if you use Chrome or Opera, your confidential information is likely to be compromised. Other browsers known to be supported include Orbitum, Torch, Amigo and Kometa. However, since the malware is being constantly updated it is likely other browsers will be supported soon.
Ovidiy Stealer is a new malware, first detected only a month ago. It is primarily being used in attacks in Russian-speaking regions, although it is possible that multi-language versions will be developed and attacks will spread to other regions.
Researchers at Proofpoint – who first detected the password stealing malware – believe email is the primary attack vector, with the malware packaged in an executable file sent as an attachment. Proofpoint also suggests that rather than email attachments, links to download pages are also being used. Samples have been detected bundled with LiteBitcoin installers and the malware is also being distributed through file-sharing websites, in particular via Keygen software cracking programs.
New password stealers are constantly being released, but what sets the Ovidiy Stealer aside and makes it particularly dangerous is it is being sold online at a particularly low price. Just $13 (450-750 Rubles) will get one build bundled into an executable ready for delivery via a spam email campaign. Due to the low price there are likely to be many malicious actors conducting campaigns to spread the malware, hence the variety of attack vectors.
Would be attackers willing to part with $13 are able to view the number of infections via a web control panel complete with login. Via the control panel they can manage their account, see the number of infections, build more stubs and view the logs generated by the malware.
Protecting against malware such as Ovidiy Stealer requires caution as it takes time before new malware are detected by AV solutions. Some AV solutions are already detecting the malware, but not all. As always, when receiving an email from an unknown sender, do not open attachments or click on hyperlinks.
Organizations can greatly reduce risk from this password-stealer and other malware spread via spam email by implementing an advanced spam filtering solution such as SpamTitan to prevent malicious emails from reaching end users’ inboxes. SpamTitan uses dual AV engines to maximize detections and blocks over 99.9% of spam email.
by titanadmin | Jul 19, 2017 | Industry News, Network Security |
You’ve secured the network perimeter, installed a spam filter, trained your employees to recognize phishing emails and have an intrusion detection system in place, but are you deprovisioning former employees to prevent data theft? According to a new report from OneLogin, 58% of companies are lax when it comes to blocking network access when employees leave the company.
For the study, 600 IT professionals with responsibility or partial responsibility for security decisions about hardware, software or cloud services were interviewed. When asked about the time delay between employees leaving the company and their accounts being deactivated, 58% said that it takes more than a day for that to happen and a quarter said it takes more than a week. 28% of respondents said deprovisioning former employees takes a month or longer.
48% of respondents said they were aware that former employees still had access to applications after they had left the company and 44% said they were not confident that deprovisioning former employees had actually occurred.
Even though there is a significant time delay involved in blocking access for former employees, only four out of ten organizations are using a security information and event management solution (SIEM). A SIEM would allow them to monitor app usage by former employees and would alert them if systems were still being accessed, yet only 45% of respondents said they used such a solution.
Organizations are taking a big risk by not ensuring accounts are deactivated before employees walk through the door for the final time. The study revealed that the risk is considerable. When asked if they had suffered data breaches due to former employees, 24% said they had.
Deprovisioning employees is time consuming, especially when they have been employed for a long time and have access to many business applications and networks. 92% of respondents said it takes up to an hour to deprovision employees and many must complete the process manually. Time may be pressed, but failing to block access promptly is a data breach waiting to happen.
by titanadmin | Jul 3, 2017 | Industry News, Network Security, Phishing & Email Spam, Spam Software |
Trump Hotels has announced that guests at some of its hotels have been impacted by the Sabre Hospitality Solutions data breach and have had their credit/debit card details stolen. Sabre Hospitality Solutions provides the hotel reservation system used at certain Trump Hotels, and it was this system that was compromised not the systems used at Trump Hotels. Sabre’s system is used by more than 32,000 hotels and lodging establishments around the world.
Attackers gained access to the Sabre SynXis Central Reservations system (CRS) which is used by hotels and travel agencies to make hotel bookings. Sabre discovered the breach on June 5, 2017, with the attacker understood to have obtained account credentials that enabled access to the CRS and the payment card data processed through the system.
The data breach affected 13 Trump Hotels (Central Park, Chicago, Doonbeg, Doral, Las Vegas, Panama, Soho, Toronto, Turnberry, Vancouver, Waikiki, DC, Rio de Janeiro) and the Albemarle Estate. Each hotel was affected at a different time and for a different duration, with the first instance occurring on August 10, 2016. The last data access was on March 9, 2017. The hotel reservation system was compromised at most of the affected hotels for a few days up to three weeks in November 2016, with the exception of Trump Las Vegas, Trump Panama, and Trump DC, which saw systems compromised for around four months.
When the Sabre Hospitality Solutions data breach was detected, the company contracted cybersecurity firm Mandiant to conduct a forensic analysis to determine how the breach occurred, which hotels were affected and to ensure that access to its systems was blocked. Sabre reports that after March 9, 2017, no further unauthorized access to its system has occurred.
During the time that access to data was possible, the attackers were able to obtain the names of card holders, card numbers, expiration dates and in some cases, CVV codes. Other information potentially accessed includes guests’ names, addresses, phone numbers and potentially other information, although not Social Security numbers or driver’s licenses.
The Sabre Hospitality Solutions data breach affected many organizations, with Google recently announcing that some of its employees have had information exposed. In the case of Google, it was a travel agency – Carlson Wagonlit Travel (CWT) – that was affected. CWT was one of the companies used by Google to book hotels for its staff.
The hospitality industry has been hit with numerous POS system breaches over the past few years. The industry is an attractive target for cybercriminals. Most hotel bookings are made with credit and debit cards, cybersecurity protections are often poor and once access is gained to the systems it can be months before a data breach is detected.
A variety of attack vectors are used, although login credentials are commonly stolen in phishing attacks. Phishing emails are sent to company employees and social engineering tricks are used to convince those employees to disclose their login credentials or open malicious email attachments that install malware.
Email security solutions that prevent spam emails from being delivered to end users’ inboxes offer protection against phishing attacks. As an additional precaution, security awareness training should be provided to all hotel employees who have access to corporate email accounts.
With SpamTitan installed, hotel chains are well protected from phishing attacks. SpamTitan blocks more than 99.9% of spam emails, adding an important layer of protection for hotels to prevent data breaches.
by titanadmin | Jun 29, 2017 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
NotPetya ransomware attacks have spread globally, with the latest figures from Microsoft suggesting there are now more than 12,500 reported victims spread across 65 countries. The attacks first started to be reported on Tuesday morning with companies in the Ukraine hit particularly hard.
At first it appeared that the attacks involved Petya ransomware, although it has since been confirmed that this is a new ransomware variant. The ransomware has already attracted a variety of names such as GoldenEye, SortaPetya, ExPetr, and NotPetya. We shall use the latter.
Security researchers believe the NotPetya ransomware attacks started in Ukraine. The first attacks occurred the day before a national holiday – a common time to launch an attack. IT staff were unlikely to be working, so the probability of the attacks being halted before the ransomware was allowed to run would be increased.
The NotPetya ransomware attacks have been discovered to have occurred via a variety of vectors. Ukraine was hit particularly hard, which suggested a country-specific attack vector. Some security researchers have suggested the first attacks occurred via a Ukrainian accounting package called M.E. Doc, with the attackers managing to compromise a software update. M.E.Doc hinted that this may be the case initially, but later denied they were the cause of the attack. If it is true that a software update was involved, it would not be the first time M.E.Doc was attacked. A similar ransomware attack occurred via M.E.Doc software updates in May.
However, that is only one potential attack vector used in the NotPetya ransomware attacks. It has been confirmed that the attackers are also using two NSA exploits that were released by Shadow Brokers in April. As was the case with the WannaCry ransomware attacks, the EternalBlue exploit is being used. The latest attacks are also using another exploit released at the same time called EternalRomance.
In contrast to the WannaCry ransomware attacks last month, the exploits used in the NotPetya ransomware attacks only scan for vulnerable devices on local networks, not via the Internet.
Both exploits will not work if computers have already been patched with MS17-010 released by Microsoft in March. Following the WannaCry attacks, Microsoft also issued a patch for older, unsupported Windows versions to prevent further ransomware attacks.
However, patching would not necessarily have prevented infection. In contrast to WannaCry, NotPetya ransomware attacks have been reported by companies that have patched their computers. Security researchers have confirmed that all it takes for infection to occur is for one computer to have been missed when applying the patches. That allows the attackers to attack that machine, and also any other machines connected to the local network, even if the patch has been applied.
The attacks also appear to be occurring via phishing emails containing malicious Microsoft Office documents. As has been the case with many other ransomware attacks, the failure to implement spam defenses can result in infection. The use of an advanced spam filter such as SpamTitan offers excellent protection against email-based ransomware attacks, preventing those emails from reaching end users’ inboxes.
Upon infection, the ransomware waits one hour before executing and forcing a reboot. When the computer restarts, the ransom note appears. The ransom demand is for $300 per infected machine. In contrast to the majority of ransomware variants, NotPetya does not encrypt files. Instead it replaces the Master File Table (MFT). Since the MFT shows the computer where files are located on the hard drive, without it files cannot be found. Files are not encrypted, but they still cannot be accessed.
Preventing ransomware attacks such as this requires regular patching to address vulnerabilities and anti-spam solutions to prevent malicious emails from being delivered.
Fortunately, NotPetya ransomware attacks can be blocked. Cybereason security researcher Amit Serber has found a way to vaccinate computers against this specific ransomware variant. He suggests IT teams “Create a file called perfc in the C:\Windows folder and make it read only.” This method has been confirmed as effective by other security researchers, although it will not work if infection has already occurred.
Unfortunately, recovery following an attack may not be possible if infected computers cannot be restored from backups. Kaspersky Lab reports there is a flaw in the ransomware saying, “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.” Further, the email account used by the attacker to verify ransom payments has been shut down by a German email provider.
by titanadmin | Jun 14, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
Corporate phishing emails are one of the biggest cybersecurity risks faced by organizations. Cybercriminals are well aware that even companies with robust cybersecurity defenses are vulnerable to phishing attacks.
Phishing email volume is higher than at any other time in history. Employees are being targeted with threat actors now using sophisticated social engineering techniques to maximize the probability of employees clicking on links, opening infected email attachments or disclosing their login credentials. If corporate phishing emails are delivered to end users’ inboxes, there is a high chance that at least one employee will be fooled. All it takes is for one employee to click on a malicious link or open an infected attachment for malware to be installed or access to sensitive data be provided.
The threat from phishing attacks has been steadily increasing in recent years, although this year has seen phishing attacks soar. A recent study conducted by Mimecast has shown that cybercriminals have been stepping up their efforts in recent months. Last quarter, there was a 400% increase in corporate phishing emails according to the study.
A phishing trends & intelligence report for Q1, 2017 from the security awareness training firm PhishLabs showed that in the first quarter of 2017, overall phishing email volume increased by 20% compared to the previous quarter. 88% of phishing attacks were concentrated on five industries: payment services, financial institutions, cloud storage/file hosting firms, webmail/online services and e-commerce companies.
The anti-phishing training and phishing simulation platform provider PhishMe also noted a major increase in phishing emails in Q1, 2017. The firm’s Q1, 2017 malware review also showed there had been a 69.2% increase in botnet malware usage in the first quarter of this year.
Business email compromise attacks are also on the rise. Proofpoint’s annual Human Factor report showed BEC email attacks rose from 1% of message volume to 42% of message volume relative to emails bearing Trojans. Those attacks have cost businesses $5 billion worldwide.
These studies clearly show that corporate phishing emails are on the rise, highlighting the need for organizations to improve their defenses. The best defense against phishing emails and ransomware attacks is to ensure messages are intercepted and blocked. It is therefore essential for organizations to implement a robust spam filtering solution to prevent malicious messages from reaching end users’ inboxes.
SpamTitan conducts more than 100 checks of incoming emails, ensuring more than 99.98% of spam and malicious emails are blocked. Dual anti-virus engines are used to ensure 100% of known malware and ransomware is intercepted and prevented from being delivered to end users’ inboxes.
If you have yet to implement an advanced spam filtering solution or you are unhappy with your current provider, contact TitanHQ today to find out more about SpamTitan and how it can be used to protect your business from email attacks. SpamTitan is also available on a no obligation, 30-day free trial, allowing you to try the solution for yourself before committing to a purchase.
by titanadmin | Jun 14, 2017 | Industry News, Internet Security, Network Security |
Microsoft took the decision to issue emergency Windows XP updates to prevent exploitation of the Windows Server Message Block (SMB) vulnerability used to infect worldwide computers with ransomware on May 12, 2017.
The move came as a surprise since the operating system is no longer supported. Extended support came to an end on April 8, 2014. Yesterday, saw further Microsoft Windows XP updates released. The patches prevent further flaws in the operating system from being exploited by cybercriminals in WannaCry ransomware-style attacks.
Microsoft’s Cyber Defense Operations Center head, Adrienne Hall, said “Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”
In total, nearly 100 vulnerabilities were patched this Patch Tuesday, including 18 critical flaws that can be remotely exploited by cybercriminals to take full control of vulnerable systems. In some cases, as was the case with the WannaCry ransomware attacks, no user interaction is required for the flaws to be exploited.
One of the flaws – tracked as CVE-2017-8543 – similarly affects the Windows Server Message Block service. Microsoft says CVE-2017-8543 is being actively exploited in the wild, with Windows Server 2008, 2012, and 2016 all affected as well as more recent versions of Windows – v7, 8.1 and Windows 10. It is this flaw that has been patched for Windows Server 2003 and Windows XP. As was the case on May 12, once the attackers infect one device, they can search for other vulnerable devices. Infection can spread incredibly quickly to many other networked devices.
Some security experts have criticized Microsoft for issuing yet more Windows XP updates, arguing that this sends a message to users of outdated operating systems that it is OK not to upgrade the OS. Windows XP has many unpatched flaws, but the recent Windows XP updates suggest that if a particularly serious vulnerability is discovered that is being actively exploited, patches will be issued.
While Microsoft Windows XP updates have been released, this should not be taken as signaling a change in Microsoft’s standard servicing policies. Further patches may not be released for unsupported Windows versions, so organizations should not delay upgrading their OS. Microsoft’s general manager of its Security Response Center, Eric Doerr, said “The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements.”
In total, there were 95 updates issued this patch Tuesday. Like CVE-2017-8543, a LNK remote code execution vulnerability (CVE-2017-8464) is also being exploited in the wild.
The latest round of updates also includes a patch for a serious flaw in Microsoft Outlook (CVE-2017-8507). Typically, in order to exploit vulnerabilities an end user would be required to open a specially crafted email attachment. However, if an attacker were to send a specially crafted message to an Outlook user, simply viewing the message would allow the attacker to take full control of the machine.
Adobe has also issued a slew of updates to address 21 vulnerabilities spread across four products (Flash, Shockwave Player, Captivate and Adobe Digital editions). 15 of those vulnerabilities have been marked as critical and would allow remote code execution.
As the WannaCry ransomware attacks clearly showed, the failure to apply patches promptly leaves the door wide open to cybercriminals. These updates should therefore not be delayed, especially since two of the flaws are being actively exploited.
by titanadmin | Jun 13, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam News |
Mac users are better protected from ransomware than Windows users, although they now face a new threat: MacRansom. The new ransomware variant may not be particularly advanced, although it is capable of encrypting files.
MacRansom is being offered under a ransomware-as-a-service (RaaS) model with the RaaS advertised to cybercriminals on a Tor network portal. In contrast to many RaaS offerings that require payment to be made before the RaaS can be used, the threat actors behind MacRansom are offering the RaaS free of charge.
Any would-be cybercriminal looking to conduct ransomware attacks can email the creators of the ransomware via a secure Protonmail email address and a version of MacRansom will be created according to the user’s specifications.
The authors of MacRansom claim they are professional engineers and security researchers with extensive experience in software development and a thorough understanding of the MacOS. They claim they have previously worked at Yahoo and Facebook.
The authors claim that MacRansom can be installed and will remain invisible to the victim until the scheduled execution time, when it will complete its encryption routine in under a minute. The ransomware variant uses a 128-bit industrial standard encryption algorithm that cannot be beaten unless the ransom is paid. The authors claim the ransomware leaves no digital traces and that it can be scheduled to run at a specific time set by the user. It can even be triggered when an individual plugs in an external drive into an infected machine to maximize the number of files that are encrypted. However, the ransomware is only capable of encrypting a maximum of 128 files.
The Ransomware is capable of checking if it is in a virtual environment, whether it is being debugged or if it has been installed in a non-Mac environment, in which case it will exit.
Security researchers at Fortinet – Rommel Joven and Wayne Chin Low – signed up for the RaaS and obtained a sample, but noted that under some circumstances it may not be possible to decrypt encrypted files even if the ransom is paid. They said, “A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a random generated number. In other words, the encrypted files can no longer be decrypted once the malware has terminated.” However, to find out, victims will be required to pay a ransom payment of 0.25 Bitcoin – around $700.
Fortunately, infection requires the victim to run a file with an unidentified developer. They will therefore need to confirm they wish to do that before the file is run. This warning should be sufficient to prevent many end users from proceeding.
by titanadmin | May 30, 2017 | Industry News, Internet Security, Network Security |
A critical Samba flaw has been discovered that has potential to be exploited and used for network worm attacks similar to those that resulted in more than 300,000 global WannaCry ransomware infections.
Samba is used to provide Windows-like file and print services on Unix and Linux servers and is based on the Windows Server Message Block (SMB) protocol that was exploited in the recent WannaCry ransomware attacks. The wormable remote code execution vulnerability has been identified in versions 3.5.0 an above.
The Samba flaw – tracked as CVE-2017-7494 – has existed for around 7 years, although no known attacks are understood to have occurred. That may not remain the case for long.
Samba is commonly installed on enterprise Linux servers, with around 104,000 machines believed to be vulnerable, per a recent search conducted by Rapid7 researchers. The Samba flaw can be exploited easily, requiring just a single line of code.
The Samba vulnerability has been rated as critical, although the good news is Samba has already issued an update that addresses the vulnerability. The patch can be applied to versions 4.4 and above. Any organization that is using an unsupported version of Samba, or is unable to apply the patch, can use a workaround to address the Samba vulnerability and secure their Linux and Unix servers.
The workaround is straightforward, requiring the addition of the following parameter to the [global] section of your smb.conf
nt pipe support = no
After the parameter has been added, the smbd daemon must be restarted. This will prevent clients from accessing any named pipe endpoints.
US-CERT has advised all organizations to apply the patch or use the workaround as soon as possible to prevent the vulnerability from being exploited.
If a threat actor were to exploit the Samba flaw, it would allow them to “upload a shared library to a writable share, and then cause the server to load and execute it.” A malicious file could be remotely uploaded on any vulnerable device. That could be ransomware, a network worm, or any other malicious file. That file could then be executed with root access privileges.
NAS devices also use Samba and may also be vulnerable to attack. Malicious actors could target NAS devices and access or encrypt stored data. Many organizations use NAS devices to store backups. An attack on those devices, using ransomware for instance, could be devastating. Bob Rudis, chief data scientist at Rapid7, said “A direct attack or worm would render those backups almost useless. Organizations would have little choice but to pay the ransom demand.
A proof-of-concept exploit for the Samba vulnerability is available to the public. It is therefore only a matter of time before the vulnerability is exploited. The patch or workaround should therefore be applied ASAP to mitigate risk.
by titanadmin | May 25, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam Software |
In the United States, the healthcare industry is being targeted by cybercriminals, with phishing attacks on healthcare organizations one of the easiest and most common methods of gaining access to email accounts and protected health information. A phishing email is sent to a healthcare employee along with a seemingly legitimate reason for revealing their login credentials. Doing so will give the attackers access to an email account and the protected health information of patients in those emails. Emails accounts contain a wealth of information that can be used for further attacks. A compromised email account can be used to send further phishing emails within a company. One response to a phishing email can see many email accounts compromised. A single phishing email can result in a major security incident and costly data breach.
There have been many phishing attacks on healthcare organizations this year and the past 12 months has seen numerous phishing-related data breaches added to the Department of Health and Human Services’ Office for Civil Rights (OCR) Breach Portal. Any breach of protected health information that results in more than 500 records being exposed is investigated by OCR. During investigations of phishing attacks on healthcare organizations, OCR often finds that Health Insurance Portability and Accountability Act Rules have been violated. Healthcare organizations are discovered not to have performed risk assessments – as is required by the HIPAA Security Rule – and have failed to identify the risk of phishing and take appropriate steps to reduce risk to an acceptable level.
When organizations are found to have violated HIPAA Rules, heavy fines may follow. Recently, OCR has investigated several healthcare phishing attacks and has taken some cases forward to settlement. The HIPAA fines can be considerable.
In 2015, OCR announced its first HIPAA settlement for a phishing attack. University of Washington Medicine was fined $750,000 as a result of a malware installation that occurred when an employee responded to a phishing email. In that case, 90,000 patients had their information revealed to the attackers. A HIPAA penalty for a phishing attack was also announced last month, with the Colorado based Metro Community Provider Network (MCPN) having to pay OCR $400,000 to resolve HIPAA violations discovered during the investigation of the phishing attack. The phishing attack resulted in an email account being compromised, and along with it, the protected health information of 3,200 patients. The employee did not reveal their email credentials in that case, at least not directly. Instead, the response to the email resulted in a malware installation that gave the attacker access to the email account. Phishing attacks on healthcare organizations are to be expected. OCR is aware that it may not be possible to prevent 100% of phishing attacks, 100% of the time. Not all phishing attacks on healthcare organizations will therefore result in a HIPAA fine. However, failing to reduce risk to an acceptable level is another matter. If healthcare organizations do not do enough to prevent phishing attacks, fines are likely to result.
So, how can phishing attacks on healthcare organizations be prevented and what can healthcare organizations do to reduce risk to a level that will be deemed acceptable by OCR? The HIPAA Security Rule requires protections to be put in place to safeguard the confidentiality, integrity, and availability of PHI. While the Security Rule does not specify exactly which security solutions should be used, there are two essential anti-phishing controls that should be employed.
A spam filtering solution should be used to prevent phishing and other malicious emails from being delivered to end users’ inboxes. It would be hard to argue that the threat from phishing has been reduced to an acceptable level if no controls are in place to block phishing emails from being delivered. Healthcare employees must also receive security awareness training. All employees should be informed of the risk of phishing and the methods used by cybercriminals to gain access to computers and data. They should be taught best practices and shown how to identify phishing emails and other malicious email threats. By blocking phishing emails and training end users, the risk from phishing can be significantly reduced.
by titanadmin | May 25, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
Cybercriminals have started sending WannaCry phishing emails, taking advantage of the fear surrounding the global network worm attacks.
An email campaign has been identified in the United Kingdom, with BT customers being targeted. The attackers have spoofed BT domains and made their WannaCry phishing emails look extremely realistic. BT branding is used, the emails are well written and they claim to have been sent from Libby Barr, Managing Director, Customer Care at BT. A quick check of her name on Google will reveal she is who she claims to be. The WannaCry phishing emails are convincing, cleverly put together, and are likely to fool many customers.
The emails claim that BT is working on improving its security in the wake of the massive ransomware campaign that affected more than 300,000 computers in 150 countries on May 12, 2017. In the UK, 20% of NHS Trusts were affected by the incident and had data encrypted and services majorly disrupted by the ransomware attacks. It would be extremely hard if you live in the UK to have avoided the news of the attacks and the extent of the damage they have caused.
The WannaCry phishing emails provide a very good reason for taking prompt action. BT is offering a security upgrade to prevent its customers from being affected by the attacks. The emails claim that in order to keep customers’ sensitive information secure, access to certain features have been disabled on BT accounts. Customers are told that to restore their full BT account functionality they need to confirm the security upgrade by clicking on the upgrade box contained in the email.
Of course, clicking on the link will not result in a security upgrade being applied. Customers are required to disclose their login credentials to the attackers.
Other WannaCry phishing emails are likely to be sent claiming to be from other broadband service providers. Similar campaigns could be used to silently download malware or ransomware.
Cybercriminals often take advantage of global news events that are attracting a lot of media interest. During the Olympics there were many Olympic themed spam emails. Phishing emails were also rife during the U.S. presidential elections, the World Cup, the Zika Virus epidemic, and following every major news event.
The golden rule is never to click on links sent in email from individuals you do not know, be extremely careful about clicking links from people you do know, and assume that any email you receive could be a phishing email or other malicious message.
A single phishing email sent to an employee can result in a data breach, email or network compromise. It is therefore important for employers to take precautions. Employees should be provided with phishing awareness training and taught the tell-tale signs that emails are not genuine. It is also essential that an advanced spam filtering solution is employed to prevent the vast majority of phishing emails from reaching end users inboxes.
On that front, TitanHQ is here to help. Contact the team today to find out how SpamTitan can protect your business from phishing, malware and ransomware attacks.
by titanadmin | May 24, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Software |
The cost of ransomware attacks cannot be totaled by the amounts illegally earned by cybercriminals through ransom payments. In fact, the ransom payments are just a tiny fraction of the costs experienced by businesses that have been attacked with ransomware.
Take the recent WannaCry ransomware attacks as an example. The individuals behind that campaign were charging $300 per infected device to supply the keys to decrypt data. The amount gathered by those individuals was a little over $100,000 on Monday this week, even though the attacks involved data being encrypted on approximately 300,000 devices.
However, the cost of ransomware attacks is far higher. The biggest cost of ransomware attacks for most businesses is downtime while the infection is dealt with. Even if the ransom is paid, businesses often lose a week or more while the infection is removed and systems are brought back online. One Providence law firm suffered 3 months of downtime while systems remained locked!
Then there is the continued disruption while businesses catch up from the loss of productivity in the aftermath following the attack. The NHS was still experiencing disruption more than a week after the attacks on Friday 12, May.
Ransomware attacks can also involve loss of data and damage a company’s reputation. Typically, following a ransomware attack, a forensic analysis of IT systems must be conducted to ensure all traces of malware have been removed. Checks also must be performed to look for backdoors that may have been installed. Many businesses do not have the staff to perform those tasks. Cybersecurity experts must therefore be brought in. Additional cybersecurity solutions must also be purchased to ensure further attacks are prevented. The cost of ransomware attacks is therefore considerable.
The WannaCry ransomware attacks have been estimated to have cost businesses more than $1 billion. KnowB4 CEO Stu Sjouwerman said “The estimated damage caused by WannaCry in just the initial 4 days would exceed a billion dollars, looking at the massive downtime caused for large organizations worldwide.”
The cost of ransomware attacks in 2015 was an estimated $325 million, although figures from the FBI suggest that total was reached in the first quarter of the year. The final cost of ransomware attacks in the year was estimated to have reached $1 billion. Recently, Cybersecurity Ventures predicted the cost of ransomware attacks in 2017 will reach an incredible $5 billion. Given the expected costs of the recent WannaCry ransomware attacks, that could turn out to be an incredibly conservative estimate.
Cybercriminals are not concerned about the damage caused by the attacks, only the amount they can extort from businesses. The returns may be relatively low, but they are sufficiently high to make the attacks profitable. More and more individuals are also getting in on the act by using ransomware-as-a-service. Not only are ransomware attacks likely to continue, major cybercriminal gangs are likely to increase the scale of the attacks.
Businesses should be aware of the huge cost of ransomware attacks and take appropriate action to prevent those attacks from occurring. Having a backup of data may ensure that a ransom payment does not need to be made, but it will do little to prevent huge losses from being suffered if ransomware is installed.
Preventing ransomware attacks requires security awareness training for employees, advanced spam filters to stop ransomware from being delivered to end users’ inboxes, web filters to block individuals from accessing malicious URLs, endpoint protection systems to detect and block ransomware downloads, advanced firewalls and antivirus and antimalware solutions.
Fortunately, with appropriate defenses in place, it is possible to block ransomware attacks. Those solutions do come at a cost, but considering the losses from a successful ransomware attack, they are a small price to pay.
by titanadmin | May 16, 2017 | Industry News, Internet Security, Network Security, Spam News |
Who Conducted the WannaCry Ransomware Attacks?
The WannaCry ransomware attacks that started on Friday May 12 rapidly spread to more than 150 countries. While the attacks have been halted, IT security professionals are still scrambling to secure their systems and the search is now on for the perpetrators.
Malware researchers are analyzing the ransomware code and attack method to try to find clues that will reveal who conducted the WannaCry ransomware attacks.
At this stage in the investigation, no concrete evidence has been uncovered that links the attacks to any individual or hacking group, although a Google security researcher, Neel Mehta, has found a possible link to the Lazarus Group; a hacking organization believed to be based in China with links to North Korea.
The Lazarus Group is thought to be behind the attack on Sony Pictures in 2014 and the major heist on the Bangladesh central bank in February this year. While the link between the Lazarus Group and North Korea has not been comprehensively proven, the U.S. government is sure the group has been backed by North Korea in the past.
WannaCry Ransomware Code has been Reused
Mehta discovered parts of the ransomware code from the latest attacks were the same as code in a 2015 backdoor used by the Lazarus Group, suggesting the WannaCry ransomware attacks were conducted either by the Lazarus Group or by someone who has access to the same code.
Mehta also compared the code from the latest WannaCry ransomware variant and the backdoor to an earlier version of WannaCry ransomware from February and found code had been shared between all three. Symantec’s researchers have confirmed the code similarities.
Whether the Lazarus Group conducted the attacks is far from proven, and there is no evidence to suggest that were that to be the case, that the group had any backing from North Korea. The group could have been acting independently.
While some have called this link ‘strong evidence’, it should be explained that comparing code between malware samples does not confirm origin. Code is often reused and it is possible that the actors behind this campaign may have put in a false flag to divert attention from themselves onto the Lazarus Group and North Korea.
While the false flag idea is possible and plausible, Kaspersky Lab believes it is improbable and that the similarities in the source code point the finger of blame at the Lazarus Group.
Many Questions Remain Unanswered
The link with the Lazarus Group/North Korea is now being investigated further, but there are currently many questions unanswered.
The ransomware included a self-replicating function making it act like a worm, allowing it to rapidly spread to all vulnerable computers on a network. The sophistication of the attack suggests it was the work of a highly capable organization rather than an individual. However, the kill switch in the ransomware that was discovered by UK researcher ‘Malware Tech,’ allowed the infections to be halted. Such an ‘easily found’ kill switch would be atypical of such a sophisticated hacking group.
Previous attacks linked with the Lazarus Group have also been highly targeted. The WannaCry ransomware attacks over the weekend were purposely conducted in multiple countries, including China and Russia. The widespread nature of the attacks would be a departure from the typical attack methods used by Lazarus.
There are doubts as to whether North Korea would back an attack on its neighbours and allies, and while financially motivated attacks cannot be ruled out, past state-sponsored attacks have had a political purpose.
At this stage, it is not possible to tell who conducted the WannaCry ransomware attacks, but the latest discovery is an important clue as to who may be responsible.
by titanadmin | May 15, 2017 | Internet Security, Network Security, Phishing & Email Spam, Spam News |
On Friday May 12, a massive WannaCry ransomware campaign was launched, with the UK’s National Health Service (NHS) one of the early victims. The ransomware attack resulted in scores of NHS Trusts having data encrypted, with the infection rapidly spreading to networked devices. Those attacks continued, with 61 NHS Trusts now known to have been affected. Operations were cancelled and doctors were forced to resort to pen and paper while IT teams worked around the clock to bring their systems back online.
Just a few hours after the first reports of the WannaCry ransomware attacks emerged, the scale of the problem became apparent. The WannaCry ransomware campaign was claiming tens of thousands of victims around the world. By Saturday morning, Avast issued a statement confirming there had been more than 57,000 attacks reported in 100 countries. Now the total has increased to more than 200,000 attacks in 150 countries. While the attacks appear to now be slowing, security experts are concerned that further attacks will take place this week.
So far, in addition to the NHS, victims include the Spanish Telecoms operator Telefonica, Germany’s rail network Deutsche Bahn, the Russian Interior ministry, Renault in France, U.S. logistics firm FedEx, Nissan and Hitachi in Japan and multiple universities in China.
The WannaCry ransomware campaign is the largest ever ransomware attack conducted, although it does not appear that many ransoms have been paid yet. The BBC reports that the WannaCry ransomware campaign has already resulted in $38,000 in ransom payments being generated. That total is certain to rise over the next few days. WannaCry ransomware decryption costs $300 per infected device with no free decryptor available. The ransom amount is set to double in 3 days if payment is not made. The attackers threaten to delete the decryption keys if payment is not made within 7 days of infection.
Ransomware attacks usually involve malware downloaders sent via spam email. If emails make it past anti-spam solutions and are opened by end users, the ransomware is downloaded and starts encrypting files. WannaCry ransomware has been spread in this fashion, with emails containing links to malicious Dropbox URLs. However, the latest WannaCry ransomware campaign leverages a vulnerability in Server Message Block 1.0 (SMBv1). The exploit for the vulnerability – known as ETERNALBLUE – has been packaged with a self-replicating payload which can spread rapidly to all networked devices. The vulnerability is not a new zero day however. In fact, Microsoft patched the vulnerability in its MS17-010 security bulletin almost two months ago. The problem is many organizations have not installed the update and are vulnerable to attack.
The ETERNALBLUE exploit was reportedly stolen from the National Security Agency by Shadow Brokers, a cybercriminal gang with links to Russia. ETERNALBLUE was allegedly developed as a hacking weapon to gain access to Windows computers used by enemy states and terrorists. Shadow Brokers managed to steal the tool and published the exploit online in mid-April. While it is not known whether Shadows Brokers is behind the attack, the publication of the exploit allowed the attacks to take place.
The exploit allows the attackers to drop files on a vulnerable system, with that file then executed as a service. The dropped file then downloads WannaCry ransomware, which searches for other available networked devices. The infection spreads before files are encrypted. Any unpatched device with port 445 open is vulnerable.
The WannaCry ransomware campaign would have resulted in far more infections had it not been for the actions of a security researcher in the UK. The researcher –@MalwareTechBlog – found a kill switch to prevent encryption. The ransomware attempts to communicate with a specific domain. If communication is possible, the ransomware does not proceed with encryption. If the domain cannot be contacted, files are encrypted.
@MalwareTechBlog discovered the reference to the nonsense domain, saw that it was unregistered and bought it. By doing so, the ransomware attack was thwarted. The domain checking mechanism was presumably added to prevent the ransomware from running in a sandbox environment.
However, a new version of the ransomware without the kill switch has reportedly already been released, which could see the victim count increase substantially over the next few days. Organizations that have not applied Microsoft’s patch are advised to do so as a priority to block the attack.
The massive ransomware attack should serve as reminder to all organizations of the importance of applying patches promptly. That will be a particularly painful reminder for many organizations that fell victim to this preventable ransomware attack.
by titanadmin | May 12, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam Software, Website Filtering |
A new email-borne threat has recently been discovered. Fatboy ransomware is a new ransomware-as-a-service (RaaS) being offered on darknet forums in Russia. The RaaS offers would-be cybercriminals the opportunity to conduct ransomware campaigns without having to develop their own malicious code.
RaaS has proven incredibly popular. By offering RaaS, malicious code authors can infect more end users by increasing the number of individuals distributing the ransomware. In the case of Fatboy ransomware, the code author is offering limited partnerships and is dealing with affiliates directly via the instant messaging platform Jabber.
Fatboy ransomware encrypts files using AES-256, generating an individual key for the files and then encrypting those keys using RSA-2048. A separate bitcoin wallet is used for each client and a promise is made to transfer funds to the affiliates as soon as the money is paid. By offering to deal directly with the affiliates, being transparent about the RaaS and offering support, it is thought that the code author is trying to earn trust and maximize the appeal of the service.
Further, the ransomware interface has been translated into 12 languages, allowing campaigns to be conducted in many countries around the world. Many RaaS offerings are limited geographically by language.
Fatboy ransomware also has an interesting new feature that is intended to maximize the chance of the victim paying the ransom demand. This RaaS allows attackers to set the ransom payment automatically based on the victim’s location. In locations with a high standard of living, the ransom payment will be higher and vice versa.
To determine the cost of living, Fatboy ransomware uses the Big Mac Index. The Big Mac Index was developed by The Economist as a method of determining whether currencies were at their correct values. If all currencies are at their correct value, the cost of a product in each country should be the same. The product chosen was a Big Mac. In short, the higher the cost of a Big Mac in the victim’s country, the higher the ransom demand will be.
So far, Recorded Future – the firm that discovered the ransomware variant – says the code author has generated around $5,000 in ransom payments since February. That total is likely to rise considerably as more affiliates come on board and more end users are infected. There is no known decryptor for Fatboy ransomware at this time.
New ransomware variants are constantly being developed and RaaS allows many more individuals to conduct ransomware campaigns. Unsurprisingly, the number of ransomware attacks has grown.
The cost of resolving a ransomware infection can be considerable. Businesses therefore need to ensure they have defenses in place to block attacks and ensure they can recover fast.
Backups need to be made regularly to ensure files can be easily recovered. Staff need to be trained on security best practices to prevent them inadvertently installing ransomware. Antispam solutions should also be implemented to prevent malicious emails from reaching end users’ inboxes. Fortunately, even with a predicted increase in ransomware attacks, businesses can effectively mitigate risk if appropriate defenses are implemented.
For advice on security solutions that can block ransomware attacks, contact the TitanHQ team today.
by titanadmin | May 5, 2017 | Email Scams, Internet Security, Network Security, Spam Advice, Spam News, Spam Software |
The Internet Crime Complaint Center (IC3) has issued a new alert to businesses warning of the risk of business email compromise scams.
The businesses most at risk are those that deal with international suppliers as well as those that frequently perform wire transfers. However, businesses that only issue checks instead of sending wire transfers are also at risk of this type of cyberattack.
In contrast to phishing scams where the attacker makes emails appear as if they have come from within the company by spoofing an email address, business email compromise scams require a corporate email account to be accessed by the attackers.
Once access to an email account is gained, the attacker crafts an email and sends it to an individual responsible for making wire transfers, issuing other payments, or an individual that has access to employees PII/W-2 forms and requests a bank transfer or sensitive data.
The attackers often copy the format of emails previously sent to the billing/accounts department. This information can easily be gained from the compromised email account. They are also able to easily identify the person within the company who should be sent the request.
Not all business email compromise scams are concerned with fraudulent bank transfers. IC3 warns that the same scam is also used to obtain the W-2 tax statements of employees, as has been seen on numerous occasions during this year’s tax season.
Phishing scams are often sent out randomly in the hope that some individuals click on malicious links or open infected email attachments. However, business email compromise scams involve considerable research on the company to select victims and to identify appropriate protocols used by the company to make transfer requests.
Business email compromise scams often start with phishing emails. Phishing is used to get end users to reveal their login credentials or other sensitive information that can be used to gain access to business networks and perform the scam. Malware can also be used for this purpose. Emails are sent with links to malicious websites or with infected email attachments. Opening the attachments or clicking on the links downloads malware capable of logging keystrokes or provides the attackers with a foothold in the network.
IC3 warns that business email compromise scams are a major threat for all businesses, regardless of their size. Just because your business is small, it doesn’t mean that you face a low risk of attack.
Between January 2015 and December 2016, IC3 notes there was a 2,370% increase in BEC scams. While funds are most commonly sent to bank accounts in China and Hong Kong, IC3 says transfers have been made to 103 countries in the past two years.
The losses reported by businesses are staggering. Between October 2013 and December 2016, more than $5 billion has been obtained by cybercriminals. United States businesses have lost $1,594,503,669 in more than 22,000 successful scams. The average loss is $71,528.
IC3 lists the five most common types of business email compromise scams as:
- Businesses receiving requests from frequently used suppliers requesting transfers be made to a new bank account.This is also known as a bogus invoice scam.
- An executive within the company (CFO or CTO for example) requests a transfer be made by a second employee in the company. This is also known as a business executive scam.
- A compromised email account is used to send a payment request/invoice to a vendor in the employees contact list.
- The attackers impersonate an attorney used by the firm and request the transfer of funds. These scams are common at the end of the week or end of the business day. They are also known as Friday afternoon scams.
- A request is sent from a compromised email account to a member of the HR department requesting information on employees such as W-2 Forms or PII. These scams are most common during tax season.
There are a number of strategies that can be adopted to prevent business email compromise attacks from being successful.
IC3 recommends:
- Using a domain-based email account rather than a web-based account for business email accounts
- Exercising caution about the information posted to social media accounts. This is where the attackers do much of their research
- Implement a two-step verification process to validate all transfer requests
- Use two-factor authentication for corporate email accounts
- Never respond to an email using the reply option. Always use forward and type in the address manually
- Register all domains that are similar to the main domain used by the company
- Use intrusion detection systems and spam filters that quarantine or flag emails that have been sent with extensions similar to those used by the company – Blocking emails sent from xxx_company.com if the company uses xxx-company.com for example
- Be wary of any request that seems out of the ordinary or requires a change to the bank account usually used for transfers
by titanadmin | May 4, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News |
A Google phishing scam has been spreading like wildfire over the past couple of days. Emails have been sent in the millions inviting people to edit Google Docs files. The emails appear to have been sent by known individuals, increasing the likelihood of the messages being opened and the links being clicked.
In contrast to many email scams that include a link to a spoofed website, this scam directs the recipient to Google Docs. When the user arrives at the site they will be presented with a legitimate Google sign-in screen.
The Google phishing scam works within the Google platform, taking advantage of the fact that individuals can create a third-party app and give it a misleading name. In this case, the app has been named ‘Google Docs.’
This makes it appear that Google Docs is asking for permission to read, send, delete, and manage emails and access the user’s contacts. However, it is the creator of the app that is asking to be granted those permissions. If users check the developer name, they will see that all is not as it seems. Many individuals will not check, since the permission screen also includes Google logos.
Signing in will give the attacker access to the user’s Google account, including their emails, Google Docs files, and contact list. Further, signing in on the website will also result in the victim’s contact list being sent similar invitations. Unsurprisingly, many have fallen for the Google phishing scam and countless emails are still circulating.
The scam appears to have started at some point on Wednesday. Google has now issued an official statement saying it is taking action to protect users and has disabled the accounts that are being used to conduct the scam.
Google confirmed the actions it has taken in response to the phishing scam, saying “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
Anyone who receives a request to edit a Google Doc should treat the request with suspicion, even if it has been sent from someone known to the recipient.
If you think you may have fallen for this phishing scam it is likely that emails will already have been generated and sent to your contacts. However, you can take action to block the threat by revoking the access rights you have given to the app through the Connected Apps and Sites page.
The Google phishing scam is highly convincing and clearly shows how sophisticated cybercriminals are getting in their attempts to gain access to sensitive information and why it is imperative that email users be permanently on their guard.
by titanadmin | Apr 30, 2017 | Industry News, Internet Security, Network Security |
The General Data Protection Regulation (GDPR) is a new data privacy and security law in Europe that comes into force next year, but does GDPR apply to American companies? As many U.S. companies have recently discovered, not only does GDPR apply to American companies, doing business within the EU is likely to be extremely costly for companies that do not comply with GDPR.
Any organization or individual that does business within any of the 28 EU member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Romania, Slovakia, Spain, Sweden and the United Kingdom) must comply with GDPR or face heavy penalties.
The penalty for non-compliance with GDPR for enterprises is up to 20,000,000 Euros ($23,138,200) or 4% of the annual global turnover of the company for the previous fiscal year, whichever is the greatest. An enterprise found not to have complied with GDPR will also be subjected to regular, periodic data protection audits to ensure its policies and procedures are updated and the firm continues to comply with GDPR.
So, what is the regulation and how does GDPR apply to American companies? What do U.S firms need to do to comply with GDPR?
How Does GDPR Apply to American Companies?
The main purpose of GDPR is to give EU citizens greater control over how their personal data is collected, protected and used. While the legislation applies to EU companies, it also applies to any company that chooses to do business in the EU. That includes any online business that owns a website that is accessible by EU citizens if that website collects user data.
Since the definition of personal information includes online identifiers such as cookies, GDPR has implications for huge numbers of U.S businesses. GDPR applies to all companies that do business with persons based in EU member states, with the exception of law enforcement agencies or when data are collected for national security activities.
To continue to do business in the EU, most companies will have to implement additional privacy protections and adopt end-to-end data protection strategies.
The EU classes personal data as “Any information relating to an identified or identifiable natural person,” which includes a wide range of information from names, addresses, telephone numbers and email addresses to bank information and credit card details, photos, posts on social media websites, medical information, and even an individuals IP address.
Even when controls have been implemented to keep data secure, it may still be necessary to overhaul systems to ensure sufficient protections are in place. Companies must be aware where data are stored and employees must be trained to ensure they are aware of their responsibilities with regards to the use of data.
Organizations will need to provide customers – and website visitors – with detailed information on data that are collected and how data will be used. Consent must be obtained before any data are collected and consent must be obtained from a parent or custodian of a minor.
There must be a legitimate and lawful reason for collecting data and limited to the minimum necessary information for the purpose for which data are collected. Data must be deleted when that purpose has been achieved.
Organizations must appoint a Data Protection Officer who is knowledgeable about GDPR and will oversee compliance if their core activities are data collection, storage or data processing. That individual must also have a thorough understanding of the company’s organizational and technical infrastructure.
Organizations also need to implement appropriate policies, procedures and technologies to ensure that the data of EU citizens can be permanently erased. GDPR includes the right to be forgotten – termed ‘Right to Erasure’.
The legislation that GDPR replaces only required data to be deleted when it caused substantial damage or distress. However, from next year, an EU citizen can request that all data collected on them be permanently deleted if the information is no longer needed for the purpose that it was originally collected. Data must also be deleted if consent to use the data is withdrawn or if the processing of data is unlawful and breaches GDPR.
Many U.S. companies already have technologies in place that will comply with the data protection requirements of GDPR, but the right to erasure requirement could pose problems.
Symantec recently conducted a survey that revealed 9 out of 10 businesses were concerned that they would not be able to comply with the right to erasure requirement of GDPR, with only 4 out of 10 businesses already having a system in place that could potentially allow all data to be deleted.
Compliance with GDPR in the United States
A recent survey conducted by PricewaterhouseCoopers on large multinational companies in the United States shows efforts are already underway to ensure compliance with the EU regulation. More than half of surveyed firms said GDPR is now their main data protection priority, with 92% saying compliance with GDPR is a top priority this year. The cost of compliance is considerable. 77% of surveyed firms said they are planning to spend more than $1 million on GDPR compliance, with one of the main spending priorities being improving their information security defenses.
Many companies are starting to ask how how does GDPR apply to American companies, but a study conducted by NTT Security suggests that three quarters of U.S. businesses are ignoring GDPR because they do not believe the regulation applies to them. Ignorance could prove very costly indeed. Further, time is running out. For many companies, compliance with GDPR will not be a quick process and the deadline is fast approaching. GDPR comes into effect on May 25, 2018. Miss the deadline and fines await.
Further Reading: Read a more detailed explanation of the GDPR regulations for US companies here.
by titanadmin | Apr 29, 2017 | Internet Security, Network Security, Phishing & Email Spam |
A law firm ransomware attack has resulted in business files being left encrypted and inaccessible for three months, causing considerable billing losses for the firm.
Why did the law firm not simply pay the ransom demand to regain access to their files? Well, they did. Unfortunately, the attackers took the money and did not supply viable keys to unlock the encrypted files. Instead, they had a much better idea. To issue another ransom demand to try to extort even more money from the law firm.
The law firm, Providence, RI- based Moses Afonso Ryan Ltd, was forced to negotiate with the attackers to gain access to its data. It took more than three months and ransomware payments of $25,000 to finally regain access to its files. However, the ransomware payment represented only a tiny proportion of the cost of the attack. During the three months that data were locked, the firm’s lawyers struggled to work.
Moses Afonso Ryan made a claim against its insurance policy for lost billings as a result of the attack; however, the insurer, Sentinel Insurance Co., has refused to pay the bill. The law firm claims to have lost $700,000 as a result of the attack in lost billings alone. The firm has recently filed a U.S. District Court lawsuit against its insurer claiming breach of contract and bad faith for denying the claim.
The law firm ransomware attack involved a single phishing email being opened by one of the firms’ lawyers. That email has so far cost the firm more than $725,000 and the losses will continue to rise.
Important lessons can be learned from this law firm ransomware attack. First, the importance of training all staff members on the risk of ransomware attacks and teaching security best practices to reduce the risk of attacks being successful.
Since phishing emails are now highly sophisticated and difficult to identify, technical solutions should be implemented to prevent emails from reaching employees’ inboxes. Endpoint protection systems can reduce the risk of ransomware being installed and can detect infections rapidly, limiting the damage caused.
All businesses should take care to segment their networks to ensure that a ransomware infection on a single computer does not result in an entire network being impacted.
It is also essential for backups to be performed regularly and for those backups to be tested to ensure data can be recovered. This law firm cyberattack clearly demonstrated that organizations cannot rely on attackers making good on their promise to unlock data if the ransom is paid.
There have been cases where the attackers have not been able to supply a functional key to unlock data, and numerous examples of attackers issuing further ransom demands in an attempt to extort even more money out of companies.
by titanadmin | Apr 28, 2017 | Email Scams, Industry News, Network Security, Phishing & Email Spam, Spam News, Spam Software, Website Filtering |
Hackers are continuing to attack healthcare organizations, but healthcare ransomware attacks are the biggest cause of security incidents, according to the NTT Security 2017 Global Threat Intelligence Report.
Healthcare ransomware attacks accounted for 50% of all security breaches reported by healthcare organizations between October 2015 and September 2016 and are the largest single cause of security breaches.
However, healthcare is far from the only sector to be targeted. Retail, government, and the business & professional services sector have also suffered many ransomware attacks during the same period. Those four sectors accounted for 77% of global ransomware attacks. The worst affected sector was business & professional services, with 28% of reported ransomware attacks, followed by the government (19%), healthcare (15%) and retail (15%).
NTT Security reports that phishing emails are the most common mechanism for ransomware delivery, being used in 73% of ransomware and malware attacks. Poor choices of password are also commonly exploited to gain access to networks and email accounts. NTT says just 25 passwords were used in 33% of all authentication attempts on its honeypots, while 76% of authentication attempts used a password known to have been implemented in the Mirai botnet.
Zero-day exploits tend to attract considerable media attention, but they are used in relatively few attacks. Web-based attacks have fallen but they still pose a significant threat. The most commonly attacked products were Microsoft Internet Explorer, Adobe Flash Player, and Microsoft Silverlight. Exploit kit activity has fallen throughout the year as cybercriminals have turned to phishing emails to spread malware and ransomware. There was a steady decline in exploit kit attacks throughout the year.
With phishing posing the highest risk, it is essential that organizations ensure they have adequate defenses in place. Phishing attacks are sophisticated and hard to distinguish from genuine emails. Security awareness training is important, but training alone will not prevent some attacks from being successful. It is also important to ensure that training is not just a one time exercise. Regular training sessions should be conducted, highlighting the latest tactics used by cybercriminals and recent threats.
The best form of defense against phishing attacks is to use anti-phishing technologies such as spam filters to prevent phishing emails from reaching end users. The more phishing emails that are blocked, the less reliance organizations place on end users being able to identify phishing emails. Solutions should also be implemented to block users from visiting phishing websites via hyperlinks sent via email.
by titanadmin | Apr 26, 2017 | Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
There was some good news in the latest installment of the Symantec Internet Security Threat Report. Web-based attacks have fallen year on year, but ransomware attacks on businesses have sky rocketed. Sabotage and subversion attacks have also risen sharply in the past 12 months.
The Internet Security Threat Report shows that exploit kit and other web-based attacks fell by 30% in 2016, but over the same period, ransomware attacks on businesses increased by 36%.
Ransomware has proved popular with cybercriminals as attacks are easy to perform and money can be made quickly. If an attacker succeeds in encrypting business data, a ransom must be paid within a few days. In the United States, where the majority of ransomware attacks occur, 64% of businesses pay the ransom.
Web-based attacks on the other hand typically take longer and require considerably more technical skill. Cybercriminals must create and host a malicious site and direct end users to the site. Once malware has been downloaded, the attackers must move laterally within the network and find and exfiltrate sensitive data. The data must then be sold.
Ransomware attacks on businesses are far easier to conduct, especially using ransomware-as-a-service. All that is required is for criminals to pay to rent the ransomware, set their own terms, and distribute the malware via spam email. Many ransomware authors even provide kits with instructions on how to customize the ransomware and conduct campaigns. The appeal of ransomware is clear. It is quick, easy and profitable to conduct attacks.
The Symantec Internet Security Threat Report charts the rise in popularity of ransomware. Symantec detected 101 separate ransomware families in 2016. In 2014 and 2015 the count was just 30. Symantec’s ransomware detections increased from 340,665 in 2015 to 463,841 in 2016. Ransomware as a service has played a major role in the increase in attacks.
Ransom demands have also increased in the past year. In 2015, the average ransom demand was $294 per infected device. In 2016, the average ransomware demand had increased to $1,077.
Fortunately, good data backup policies will ensure businesses do not have to pay to unlock their data. Unfortunately, even if data can be recovered from backups, ransomware attacks on businesses are costly to resolve. Cybersecurity firms need to be hired to conduct analyses of networks to ensure all traces of ransomware (and other malware) have been removed. Those firms must also check to make sure no backdoors have been installed.
Ransomware attacks on businesses typically see computers locked for several days, causing considerable loss of revenue for companies. Customer breach notifications may also need to be issued. Ransomware attacks can cost tens or hundreds of thousands of dollars to resolve, even if no ransom is paid.
Since ransomware is primarily distributed via spam email, businesses need to ensure they have appropriate email defenses in place. An advanced spam filter with an anti-phishing component is essential, along with other endpoint protection systems.
Symantec’s figures show that spam email volume has remained constant year on year, with spam accounting for 53% of email volume in 2016.
In 2016, one in 2,596 emails involved a phishing component, down from one in 965 in 2014. Phishing attacks may be down, but malware attacks increased over the same period.
Malware-infected email attachments and malicious links to malware-infected websites accounted for one in every 131 emails in 2016, up from 1 in 220 in 2015 and 1 in 244 in 2014. In 2016, 357 million new malware variants were detected, up from 275 million in 2014.
The decline in web-based attacks is certainly good news, but it doesn’t mean the threat can be ignored. Last year there were 229,000 web-based attacks tracked by Symantec. While that is a considerable decrease from the previous year, web-based attacks still pose a significant threat to businesses.
Web-based attacks could also increase this year. The Symantec Internet Security Threat Report indicates 9% of websites have critical bugs that could be easily exploited by cybercriminals allowing them to hijack the websites. Worryingly, Symantec reports that 76% of websites contain bugs that could potentially be exploited.
The Symantec Internet Security Threat Report shows data breaches have remained fairly constant over the past two years. In 2014, widely reported to be ‘the year of the data breach’, Symantec recorded 1,523 data breaches. The following year that fell to 1,211 breaches. Last year, there was little change, with 1,209 breaches reported.
The halt in the rise in data breaches suggests organizations are getting better at protecting their networks and data. However, large data breaches are increasing. Last year there were 15 data breaches that involved the theft of more than 10 million records, up from 11 in 2014.
Protecting against data breaches and cyberattacks requires comprehensive, multi-layered security defenses. TitanHQ offers a range of cybersecurity solutions for SMEs to help them improve their security posture and protect against web-based and email-based security threats.
For more information on how you can improve your security posture, and information on the best spam filter for business use, contact the TitanHQ team today.
by titanadmin | Apr 18, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software, Website Filtering |
In the United States, phishing attacks on schools and higher education institutions have soared in recent months, highlighting the need for improvements to be made to staff education programs and cybersecurity defenses.
Phishing refers to the practice of sending emails in an attempt to get the recipients to reveal sensitive information such as logins to email accounts, bank accounts, or other computer systems. Typically, a link is included in the email which will direct the user to a website where information must be entered. The sites, as well as the emails, contain information to make the request look genuine.
Phishing is nothing new. It has been around since the 1980’s, but the extent to which sensitive information is stored electronically and the number of transactions that are now conducted online has made attacks much more profitable for cybercriminals. Consequently, attacks have increased. The quality of phishing emails has also improved immeasurably. Phishing emails are now becoming much harder to identify, especially by non-technical members of staff.
No organization is immune to attack, but attackers are no longer concentrating on financial institutions and healthcare organizations. The education sector is now being extensively targeted. Phishing attacks on schools are being conducted far more frequently, and all too often those attacks are succeeding.
Such is the scale of the problem that the IRS recently issued a warning following a massive rise in phishing attacks on schools. Campaigns were being conducted by attackers looking for W-2 Form data of school employees. That information was then used to submit fraudulent tax returns in school employees’ names.
Recent Phishing Attacks on Schools, Colleges, and Universities
Westminster College is one of the latest educational institutions to report that an employee has fallen for the W-2 Form phishing scam, although it numbers in dozens of schools, colleges and universities that have been attacked this year.
Phishing emails are not only concerned with obtaining tax information. Recently, a phishing attack on Denver Public Schools gave the attackers the information they needed to make a fraudulent bank transfer. More than $40,000 intended to pay staff wages was transferred to the criminal’s account.
This week, news emerged of a listing on a darknet noticeboard from a hacker who had gained access to school email accounts, teacher’s gradebooks, and the personal information of thousands of students. That individual was looking for advice on what to do with the data and access in order to make money.
Washington University School of Medicine was targeted in a phishing attack that saw the attackers gain access to patient health information. More than 80,000 patients potentially had their health information stolen as a result of that attack.
Last week, news emerged of an attempted phishing attack on Minnesota schools, with 335 state school districts and around 170 charter schools potentially attacked. In that case, the phishing attack was identified before any information was released. The attack involved an email that appeared to have been sent from the Education Commissioner. The attackers were trying to gain access to financial information.
How to Improve Defenses Against Phishing Attacks
Fortunately, there are a number of technological controls that can be implemented cheaply to reduce the risk of phishing attacks on schools being successful.
An advanced spam filtering solution with a powerful anti-phishing component is now essential. A spam filter looks for the common spam and phishing signatures and ensures suspect messages are quarantined and not delivered to end users.
It must be assumed that occasionally, even with a spam filter, phishing emails may occasionally be delivered. To prevent employees and students from visiting phishing websites and revealing their information, a web filtering solution can be used. Web filters block end users from visiting websites that are known to be used for phishing. As an additional benefit, web filters can stop individuals from accessing websites known to contain malware or host illegal or undesirable material – pornography for instance.
Those solutions should be accompanied by training for all staff members on the risk from phishing and the common identifiers that can help staff spot a phishing email. Schools should also implement policies for reporting threats to the organization’s IT department. Fast reporting can limit the harm caused and prevent other staff members from responding.
IT departments should also have policies in place to ensure thwarted attacks are reported to law enforcement. Warnings should also be sent to other school districts following an attack to allow them to take action to protect themselves against similar attacks.
Any school or higher educational institution that fails to implement appropriate defenses against phishing attacks will be at a high risk of a phishing attack being successful. Not only do phishing attacks place employees at risk of fraud, they can prove incredibly costly for schools to mitigate. With budgets already tight, most schools can simply not afford to cover those costs.
Improve Your Phishing Defenses with TitanHQ
The TitanHQ team have worked on email anti-spam solutions for schools, web filtering for the education sector, and email archiving for schools for over 20 years. We have a deep understanding of the security issues that all schools and colleges face when trying to protect students, school staff and visitors. TitanHQ has developed products to address the needs of schools and block threats such as phishing, malware, and ransomware, while ensuring compliance with federal and state laws.
TitanHQ offers schools a powerful and highly effective email security solution – SpamTitan – which blocks in excess of 99.9% of spam and 100% of known malware threats. The award-winning solution is the single-most important measure to block phishing and malware threats, the majority of which are delivered via email.
WebTitan offers safe internet browsing for children, providing protection from harmful and obscene web content whether students are studying at school or at home. Web security is available for all devices, and in addition to blocking age-inappropriate web content, will prevent access to known phishing websites and will block malware and ransomware downloads.
If you want to improve your defenses against phishing and malware in the most cost effective way possible, give the TitanHQ team a call today. Both solutions are available to schools and other educational institutions on a 30-day 10% free trial, which will allow you to see for yourself the difference each makes and why so many schools have already implemented these solutions.
by titanadmin | Apr 13, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam Software |
A phishing attack on a HIPAA-covered entity has resulted in a $400,000 penalty for non-compliance with HIPAA Rules. This is not the first time a phishing attack has attracted a penalty from OCR for non-compliance.
The failure to prevent phishing attacks does not necessarily warrant a HIPAA penalty, but failing to implement sufficient protections to prevent attacks could land HIPAA-covered entities in hot water.
HIPAA Compliance and Phishing
The U.S. Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing Health Insurance Portability and Accountability Act Rules. While OCR conducts audits of covered entities to identify aspects of HIPAA Rules that are proving problematic for covered entities, to date, no financial penalties have been issued as a result of HIPAA violations discovered during compliance audits. The same is certainly not the case when it comes to investigations of data breaches.
OCR investigates each and every data breach that impacts more than 500 individuals. Those investigations often result in the discovery of violations of HIPAA Rules. Any HIPAA-covered entity that experiences a phishing attack that results in the exposure of patients’ or health plan members’ protected health information could have historic HIPAA violations uncovered. A single phishing attack that is not thwarted could therefore end up in a considerable fine for non-compliance.
What HIPAA Rules cover phishing? While there is no specific mention of phishing in HIPAA, phishing is a threat to the confidentiality, integrity, and availability of ePHI and is covered under the administrative requirements of the HIPAA Security Rule. HIPAA-covered entities are required to provide ongoing, appropriate training to staff members. §164.308.(a).(5).(i) requires security awareness training to be provided, and while these are addressable requirements, they cannot be ignored.
These administrative requirements include the issuing of security reminders, protection from malicious software, password management and login monitoring. Employees should also be taught how to identify potential phishing emails and told about the correct response when such an email is received.
The HIPAA Security Rule also requires technical safeguards to be implemented to protect against threats to ePHI. Reasonable and appropriate security measures, such as encryption, should be employed to protect ePHI. Since ePHI is often available through email accounts, a reasonable and appropriate security measure would be to employ a spam filtering solution with an anti-phishing component.
Given the frequency of attacks on healthcare providers, and the extent to which phishing is involved in cytberattacks – PhishMe reports 91% of cyberattacks start with a phishing email – a spam filtering solution can be classed as an essential security control.
The risk from phishing should be highlighted during a risk analysis: A required element of the HIPAA Security Rule. A risk analysis should identify risks and vulnerabilities that could potentially result in ePHI being exposed or stolen. Those risks must then be addressed as part of a covered entity’s security management process.
HIPAA Penalties for Phishing Attacks
OCR has recently agreed to a settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) based in Denver, Colorado following a phishing attack that occurred in December 2011. The attack allowed the attacker to gain access to the organization’s email accounts after employees responded by providing their credentials. The ePHI of 3,200 individuals was contained in those email accounts.
The fine was not exactly for failing to prevent the attack, but for not doing enough to manage security risks. MCPN had failed to conduct a risk analysis prior to the attack taking place and had not implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. OCR settled with MCPN for $400,000.
In 2015, another covered entity ended up settling with OCR to resolve violations of HIPAA Rules following a phishing attack. University of Washington Medicine paid OCR $750,000 following the exposure of 90,000 individual’s ePHI. In that case, the phishing attack allowed attackers to install malware. OCR Director at the time, Jocelyn Samuels, pointed out “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” She also said, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical records or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”
Covered entities are not expected to prevent all phishing attacks, but they must ensure the risk of phishing has been identified and measures put in place to prevent phishing attacks from resulting in the exposure of theft of ePHI. If not, a HIPAA fine may be issued.
by titanadmin | Apr 12, 2017 | Internet Security, Network Security, Phishing & Email Spam, Spam News |
Microsoft has finally patched a zero-day vulnerability in Microsoft Word that has been exploited by cybercriminals for months. Recently, the vulnerability has been exploited by the gang behind the Dridex banking Trojan.
The remote code execution vulnerability (CVE-2017-0199) affects the Windows Object Linking and Embedding (OLE) application programming interface. The vulnerability is a logic flaw rather than a programming error, which makes defending against attacks difficult.
The bug affects RTF files. The spam email campaigns use RTF files containing an embedded OLE2Link object, which downloads an HTA (HTML Application) file containing malicious code when the document is opened. No user interaction other than opening the file is required to infect the end user’s device.
There is some debate as to how long the vulnerability has been actively exploited in the wild. Attacks may have been occurring as early as November 2016 according to SophosLabs, although certainly since the start of 2017. Over the past two months, the vulnerability has been extensively exploited to deliver the Dridex banking Trojan.
The zero-day vulnerability in Microsoft Word has been exploited for espionage purposes in Russian speaking countries, while FireEye observed the exploit being used to distribute Latentbot malware. Latentbot is an information stealer with the ability to corrupt hard drives.
Many security companies have been tracking the vulnerability, although it was McAfee that announced the existence of the actively exploited flaw on Friday last week. The flaw exists in virtually all Microsoft Word versions and does not require macros to be enabled in order for malicious code to run.
Employees are advised never to enable macros on documents unless they are 100% certain that a document is legitimate; however, this zero-day exploit does not rely on macros. Simply opening the Word document on an unpatched Office installation is likely to result in infection.
This makes the vulnerability particularly dangerous. Any end user that opens a specially crafted Word document would automatically run the code which would see the Dridex Trojan (or another malware) downloaded. One protection that can prevent the malicious code from running is to enable Protected View mode. However, the code will run when Protected View is turned off.
The malicious emails sent out in at least one campaign have the subject line “scanned data” with the RFT file attachments containing the word ‘scan’ followed by a random string of numbers, according to Proofpoint.
To protect against this exploit, the patches for both Office and Windows that were released by Microsoft on Tuesday April 11, 2017 should be applied. However, in order to apply the security update, Service Pack 2 for Office 2010 must be installed.
If it is not possible to apply the Microsoft updates immediately, you can configure your spam filter to block RTF files or add RTF files to the list of documents to block in the Microsoft Office Trust Center.
by titanadmin | Mar 31, 2017 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News |
The 2017 IBM X-Force Threat Intelligence Index has been released this week. The report provides an insight into the main cybersecurity threats faced by all industries and major cyberattack trends, data breaches and security incidents experienced by U.S. organizations in 2016.
Last year’s IBM X-Force Threat Intelligence Index showed healthcare was the industry most heavily targeted by cybercriminals. However, the 2017 IBM X-Force Threat Intelligence Index shows cybercriminals changed their focus in 2016. Last year, the financial services was hit the hardest. The healthcare dropped down to fifth place.
The healthcare industry did not suffer mega data breaches of the same scale as 2015 – which saw a 78.8 million-record cyberattack on Anthem Inc., and 10 million record+ data breaches at Premera Blue Cross and Excellus BlueCross BlueShield. However, there were security breaches aplenty. 2016 was the worst ever year for healthcare industry breaches, with more incidents reported than any other year in history.
Those breaches resulted in far fewer records being exposed or stolen. The 2017 IBM X-Force Threat Intelligence Index indicates there was an 88% drop in exposed or stolen healthcare records in 2016 compared to the previous year. Around 12 million healthcare records were exposed or stolen in 2016.
The 2017 IBM X-Force Threat Intelligence Index also shows that there was a shift in the nature of attacks, with cybercriminals targeting unstructured data rather than structured data. Data breaches involving email archives, intellectual property, and business documents all rose in 2016.
The healthcare industry may not have seen so many records exposed, but that was certainly not the case across all industry sectors. 2016 was a very bad year for cyberattacks. In 2015, around 600 million records were exposed or stolen. In 2016 the total jumped to an incredible 4 million records, helped in no small part by the 1.5 billion record breach at Yahoo and the discovery of massive data breaches at LinkedIn, MySpace, and Dropbox. It is therefore no surprise that IBM called 2016 The Year of the Mega Data Breach.
Top of the list of attacked industries in 2016 was financial services. Both the financial services and healthcare sectors saw a fall in attacks by outsiders, but attacks by malicious insiders and inadvertent actors increased in both industry sectors.
In the financial services, 5% of attacks involved malicious insiders and 53% involved inadvertent actors. In healthcare, 25% of attacks involved malicious insiders and 46% involved inadvertent actors. The financial services saw 42% of attacks conducted by outsiders. Healthcare cyberattacks by outsiders accounted for 29% of the annual total.
According to the 2017 IBM X-Force Threat Intelligence Index, the second most targeted industry was information and communications, followed by manufacturing and retail. All three industries saw increases in attacks by outsiders, which accounted for the vast majority of attacks. 96% of attacks on information and communications were by outsiders, with 91% apiece for manufacturing and retail.
The financial services sector saw a substantial rise in SQLi and OS CMDi attacks in 2016 – The most common attack method for the industry. The main attack method on the information and communications sector involved exploitation of vulnerabilities allowing attackers to trigger buffer overflow conditions. The main attack method on the manufacturing, retail and healthcare industries was also SQLi and OS CMDi attacks, which accounted for 71% of manufacturing industry cyberattacks, 50% of retail cyberattacks, and 48% of healthcare cyberattacks.
The 2017 IBM X-Force Threat Intelligence Index indicates cybercriminals favored older attack methods in 2016 such as ransomware, malware toolkits, and command injection to gain access to valuable data and resources.
Ransomware was big news in 2016. Many cybercriminals turned to ransomware as a quick and easy source of income. Figures from the FBI indicate $209 million in ransom payments were made in the first three months of 2016 alone.
Malware was also extensively used in attacks, with Android malware and banking Trojans big in 2016. Not all attacks targeted organizations for their data. DDoS attacks increased, both in frequency and severity. While attacks of 300+ Mbps were unusual in 2015, they became the norm in 2016. One attack in excess of 1 Tbps was reported.
While 2015 saw exploit kits extensively used to infect endpoints with malware, in 2016 spam email was favored. Spam was a primary attack tool of cybercriminals, especially in the second half of the year. While the first half of the year saw spam email volume remain steady, the 2017 IBM X-Force Threat Intelligence Index indicates there was a significant increase in spam volume in the second half of the year and a massive rise in the number of malicious email attachments.
The 2017 IBM X-Force Threat Intelligence Index shows the vast majority of malicious attachments were ransomware or ransomware downloaders, which accounted for 85% of malicious email attachments.
The increase in the use of spam email as an attack vector shows how important it is for organizations to improve their defenses against email attacks. An advanced spam filter is essential as is training of employees on security best practices and phishing attack prevention.
by titanadmin | Mar 24, 2017 | Internet Security, Network Security |
Security researchers in Israel have developed a proof-of-concept exploit called DoubleAgent that takes advantage of vulnerabilities in antivirus products to turn them against users. The exploit could potentially be incorporated into DoubleAgent malware, although there have been no known attacks that take advantage of the flaws in AV products to the researchers’ knowledge.
The proof-of-concept was developed by Cybellum researchers, who say that most third-party Windows antivirus products are susceptible and could potentially be hijacked. To date only three AV companies have confirmed that they are developing patches to block potential DoubleAgent malware attacks – AVG, Trend Micro and Malwarebytes.
The attack involves the Microsoft Application Verifier, which is used to check for bugs in programs that run on Windows. The researchers use DLL hijack techniques to fool the verifier using a malicious DLL. They claim the technique could be used to insert a custom verifier into any application.
DoubleAgent malware may not yet have been developed to exploit the zero-day vulnerability, although the researchers say they have used their proof-of-concept to take full control of the Norton Security AV program – many other AV products are also susceptible to this type of attack.
The Cybellum-developed DoubleAgent malware could be used in a number of different attack scenarios, all of which are particularly chilling.
Since the antivirus program can be pwned by an attacker, it could be turned on the user and used as malware. Antivirus software is trusted, so any actions taken by the AV program would be treated as legitimate. The researchers warn that the AV program could be turned into a double agent and do anything the attackers wanted.
The AV solution could be instructed to whitelist certain other programs allowing an attacker to install any malware undetected. Once installed, the malware would run totally undetected and the user would be unaware that their AV software had been rendered virtually useless. The AV software would also be prevented from flagging data exfiltration or communications with the attacker’s C&C.
An attacker could cripple a company’s applications using the DoubleAgent malware. If a legitimate program used by the company is marked as malicious by its antivirus software program, it would be prevented from running. It would therefore be possible to perform Denial of Service attacks. Also, since AV software has the highest level of privileges, it could be used to perform any number of malicious actions, such as deleting data or formatting a hard drive. That means a ransomware-style attack could be performed or the company’s computer systems could be sabotaged.
Fortunately, only Cybellum has the code and AV companies that have been found to be susceptible to such an attack have been notified. Patches are therefore likely to be developed to prevent such an attack.
by titanadmin | Mar 22, 2017 | Industry News, Internet Security, Network Security |
A recent survey conducted by CBT Nuggets has revealed that even tech savvy people are prone to commit cybersecurity howlers and place themselves, and their organization, at risk. In fact, far from intelligence preventing individuals from suffering online identity theft and fraud, it appears to make it far more likely.
The survey, which was conducted on 2,000 respondents, showed that people who believed they were tech savvy were actually 18 times more likely to become victims of online identity theft.
The more educated individuals were, the more likely they were to become victims of cybercrime. The survey revealed that high school graduates were less likely to be victims of cybercrime than individuals who had obtained a Ph.D.
24% of respondents with a Ph. D said they were a victim of identity theft compared to 14% who had a Bachelor’s degree, 13% who were educated to college level and 11% who had been educated only to high school level.
Women were found to be 14% more likely to have their identities stolen than men, and millennials were less likely to suffer identity theft than Baby Boomers and Generation X.
Interestingly, while the vast majority of malware targets Windows users, the survey revealed that users of Apple devices were 22% more likely to be victims of identity theft than Windows users, although Android phone users were 4.3% more likely than iPhone users to suffer identity theft.
There were some interesting results about the level of care used when venturing online. Even though the risk of cyberattacks on law firms has increased in recent years and law firms are a major target for cybercriminals, lawyers were less likely than other professionals to follow online security best practices.
69% of respondents from the legal profession did not follow online security best practices because they were too lazy to do so. Only people in ‘religious industries’ fared worse on the laziness scale (70%).
46% of healthcare industry professionals said they were too lazy when it came to cybersecurity, a particular worry considering the value of healthcare data and the extent to which cybercriminals are conducting attacks on the healthcare industry. The most common reason given for lax security and taking risks online was laziness, being too busy and it being inconvenient to follow security best practices.
65.9% of respondents believed they faced a medium or high risk of being hacked, yet only 3.7% of respondents said they followed all of the basic security recommendations. Perhaps that’s why so many people felt they faced a medium or high risk of being hacked!
One of the biggest risks taken by respondents was avoiding using public Wi-Fi networks. Only 11.8% of respondents said they avoided connecting to the Internet on public Wi-Fi networks. However, when it comes to divulging sensitive information while connected to a public Wi-Fi network, people were more savvy. 83.3% said they avoided transmitting sensitive information when connected to public Wi-Fi networks. Only 40.6% of respondents said they updated their devices every time they were prompted to do so.
The survey also showed which states were the worst for identity theft. While Florida often makes the headlines, the state ranked in the bottom ten for identity theft, with just 11% of respondents from the state saying they had suffered identity theft. The worst states were Maryland with 28% of respondents saying they were victims of identity theft, followed by Alabama with 26% and Kentucky with 22%. The safest states were Alabama (6%) and Louisiana (5%).
by titanadmin | Mar 6, 2017 | Network Security, Phishing & Email Spam, Website Filtering |
Free Dharma ransomware decryption is now possible following the publication of the decryption keys used by the cybercriminal gang behind the ransomware.
The Dharma ransomware decryption keys have now been used to develop a decryptor to unlock Dharma-encrypted files. If your organization has been attacked with Dharma ransomware, you can unlock your files by using the Dharma ransomware decryptor developed by Kaspersky Lab or ESET. A ransom no longer needs to be paid.
The decryptor available from ESET will unlock files encrypted by Dharma and its predecessor, Crysis. Kaspersky Lab has added the keys to its Rakhni ransomware decryptor.
It is easy to determine which ransomware variant has been used by checking the file extension on ransomware-encrypted files. Dharma ransomware adds the ‘.dharma’ extension to files after they have been encrypted.
The keys to unlock the encryption were posted on a BleepingComputer tech support forum last week by an individual with the username ‘gektar’. Where that individual obtained the decryption keys is unknown, although both Kaspersky Lab and ESET have confirmed that the decryption keys are genuine. The decryption keys will work for all variants of Dharma ransomware.
The name gektar is not known to security researchers. No other online posts are believed to have been made with that username. The username seems to have been created solely to post the decryption keys. It would appear the individual responsible wants to keep a low profile.
Unfortunately, there are now more than 200 ransomware families, with many different ransomware variants within each of those families. Dharma may be no more, but the ransomware threat is still severe. There are still no decryptors available for the biggest ransomware threats: Locky, Samsa (Samsam) and CryptXXX, which are still being extensively used by cybercriminal gangs to extort money out of businesses.
The best defense that businesses can adopt to ensure ransomware-encrypted files can be recovered for free is to ensure that backups of critical files are made on a daily basis. Those backups should be stored on an air-gapped device and also in the cloud.
Recovery from backups and removing ransomware infections can be a labor-intensive and time-consuming process, so anti-ransomware defenses should also be employed to prevent infection. We recommend using SpamTitan to block ransomware emails from being delivered to end users’ inboxes and WebTitan to prevent drive-by ransomware downloads.
by titanadmin | Mar 2, 2017 | Internet Security, Network Security |
Law firms are prime targets for cybercriminals, so it is perhaps unsurprising that there has been an increase in law firm cyberattacks in recent months. With the threat level now at unprecedented levels, protections must be increased to keep data secure.
Many law firm cyberattacks are targeted, with hackers seeking access to highly sensitive data, although law firms can just as easily fall victim to random attacks. Those attacks still have potential to cause considerable harm.
A recent security incident has showed just how easy it is for cybercriminals to conduct attacks and take advantage of unpatched vulnerabilities.
Zero-Day WordPress Vulnerability Discovered
WordPress is a flexible website content management system. It requires relatively little skill to update and WordPress sites can be easily managed. It is therefore no surprise that it has become one of the most popular website content management systems. There are more than 60 million websites running WordPress, with the platform popular with many SMBs, including law firms.
However, the popularity of the platform makes it a target for cybercriminals. Zero-day WordPress vulnerabilities provide cybercriminals with access to the sites and their associated databases.
When a new zero-day vulnerability is discovered, WordPress rapidly issues a patch. One zero-day WordPress vulnerability was recently discovered and the platform was updated rapidly as usual. Users of the site were urged to update to version 4.7.2 as a matter of urgency.
The reason for urgency was not announced until a week later after a significant proportion of WordPress sites had been updated. However, once the vulnerability was disclosed, hackers were quick to take advantage. Within 48 hours of the REST API vulnerability being disclosed, hackers started exploiting it on a grand scale. Sucuri was tracking the attacks and monitoring its WAF network and honeypots closely to see if hackers were actively exploiting the flaw.
The cybersecurity firm reports that it identified four different hacking groups that were exploiting the WordPress vulnerability. They were performing scans to find sites still running outdated WordPress versions and once vulnerable sites were identified they were attacked.
Law Firm Cyberattacks See Websites Defaced
The failure to update WordPress promptly resulted in more than 100,000 websites being attacked, according to figures from Google. Websites were defaced, additional pages added and the sites used for SEO spam. In this case, the aim was not to gain access to data nor to load malware onto the sites, although that is not always the case.
The speed at which the WordPress flaw was exploited shows how important it is to keep WordPress sites updated. Due to the popularity of the platform, had the hacking groups loaded malware onto sites, the number of individuals who could have been infected with malware would have been considerable.
The potential fallout from a website being hacked and defaced, or worse, from malware being loaded, can be considerable. Many small law firms were attacked as a result of failing to update their WordPress site within a week of the update being issued.
A defaced website, in the grand scheme of things, is a relatively quick fix, although such an attack does not inspire confidence in a company’s ability to keep sensitive data protected. For a law firm, that could mean the difference between getting a new client and that individual seeking another law firm.
In this case, the law firm cyberattacks could have been prevented with a quick and simple update. In fact, WordPress updates can be scheduled to occur automatically to keep them secure.
The take home message is not to ignore security warnings, to ensure that someone reads the messages sent from WordPress, and better still, to set updates to occur automatically.
by titanadmin | Feb 22, 2017 | Network Security, Phishing & Email Spam, Spam News |
BugDrop malware is a new and highly advanced email-borne threat detected in the past few days. While attacks are currently concentrated on companies in Ukraine, BugDrop malware attacks have already started in other countries. Companies in Austria, Russia and Saudi Arabia have also been attacked.
Due to the nature of the attacks, it is clear that the actors behind the new malware have access to significant resources. So far, BugDrop malware is known to have stolen an incredible 600 GB of data from around 70 confirmed targets. At the rate that the malware is stealing data, the storage required will be considerable. This is therefore unlikely to the work of an isolated hacker. A significant cybercriminal group or most likely, a foreign-government backed hacking group, is likely to be responsible for the attacks.
Companies involved in scientific research, critical infrastructure, news media, engineering, and even human rights organizations have been targeted.
The malware will steal documents stored on infected computers and networks to which the computer connects. Passwords are stolen and screenshots are taken. However, rather than simply gain access to intellectual property and other sensitive data, the malware has another method of obtaining information. BugDrop malware, as the name suggests, bugs organizations and records audio data.
The malware turns on the microphone on an infected computer and records conversations, which accounts for the huge volume of data stolen. The stolen files are then encrypted and uploaded to the attackers’ Dropbox account. Files are retrieved from the Dropbox account and are decrypted. The resources required for analyzing such huge volumes of data – including audio data – are considerable, as are the storage requirements.
The CyberX researchers who discovered the malware suggest that Big Data analytics are likely used rather than manually checking the stolen data. Either way, such an operation must be heavily staffed, which points to a state-sponsored group. CyberX says “Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience.”
Since data exfiltration occurs via Dropbox, data exfiltration may not be detected. Many companies allow their employees to access Dropbox and connections to the storage service are often not monitored. Encryption is used, preventing many anti-virus solutions from detecting attacks or sandboxing the malware. The attacks also involve reflective DLL injection – since code is run in the context of other processes, detection is made more difficult.
BugDrop malware is being distributed via spam email using malicious macros in Word documents. If macros are enabled, the malware will be installed when the document is opened. Since many companies now automatically block macros and require them to be enabled on each document, the attackers prompt the user to enable macros by saying the document was created in a newer version of Microsoft Office. To view the contents of the document, macros must be enabled. The Word documents contains a professional image from Microsoft, including branding and Office logos, to make the warning appear genuine.
by titanadmin | Feb 22, 2017 | Network Security, Phishing & Email Spam, Spam News, Spam Software |
Google has released its latest statistics on the main corporate email security threats, with the search engine giant’s report also delving into the latest email-borne attacks on corporate Gmail account users. The report follows on from a presentation at the RSA Conference, which provided more detail on the biggest corporate email security threats that now have to be blocked.
According to Google’s data, spam is still a major problem for businesses. While the barrage of unsolicited emails is a nuisance that results in many hours of lost productivity, corporate users face a much bigger threat from spam. Malicious messages are a major menace.
Cybercriminals are targeting corporate users to a much higher extent than personal email account holders. The reason is clear. There is more to be gained from infecting corporate computers with malware than personal computers. Businesses are much more likely to pay ransoms if data are encrypted by ransomware. The data stored by businesses has much higher value on the darknet, and plundering business bank accounts nets far higher rewards.
It is therefore no surprise to hear that Google’s stats show that businesses are 6.2 times as likely to receive phishing emails and 4.3 times as likely to be targeted with malware-infected emails. Spam on the other hand is more universal, with business emails accounts 0.4 times as likely to be spammed than personal accounts.
Main Corporate Email Security Threats by Business Sector
Corporate email security threats are not spread evenly. Cybercriminals are conducting highly targeted attacks on specific industry sectors. Google’s data show that nonprofits are most commonly targeted with malware, receiving 2.3 times as many malware-infected emails as business accounts. The education sector is also being extensively targeted. Schools, colleges and universities are 2.1 times as likely to be sent malware-infected emails, followed by government industries, which are 1.3 times as likely to be targeted than businesses.
However, when it comes to email spam and phishing attacks, it is the business sector which is most commonly targeted. Currently, email spam is the biggest problem for businesses in the IT, housing, and entertainment industries, while phishing attacks are much more commonly conducted on IT companies, arts organizations and the financial sector.
Malicious Spam Poses a Major Risk to Corporations
As we have seen on so many occasions in the past two years, email is a major attack vector for businesses. Cybercriminals use spam email to infect end users with information-stealing malware, file-encrypting ransomware, and conduct credential-stealing phishing attacks. Email-borne attacks are still highly profitable. The attacks require little effort and criminals are able to bypass security controls by targeting end users.
Given the massive increase in malware and ransomware variants in the past two years, blocking spam and malicious messages is now more important than ever. Additionally, the cost of mitigating data breaches is rising year on year (According to the Ponemon Institute). Malware and ransomware infections can be extremely costly to resolve, while successful phishing attacks can net cybercriminals huge sums from selling stolen corporate data and making fraudulent bank transfers. Those costs must be absorbed by businesses.
Protecting Your Organization from Email-Borne Threats
Fortunately, it is possible to mitigate corporate email security threats by using an advanced spam filtering solution such as SpamTitan. SpamTitan blocks 99.97% of spam messages and boasts a low false positive rate of just 0.03%. A powerful anti-phishing component prevents phishing emails from being delivered to end users, while dual anti-virus engines (Bitdefender/ClamAV) are used to scan all incoming (and outgoing) messages for malicious links and attachments.
If you want to improve your defenses against the latest corporate email security threats, contact the TitanHQ team today. Since SpamTitan is available on a 30-day free trial, you can also see for yourself how effective our product is at protecting your organization from email-borne threats before committing to a purchase.
by titanadmin | Feb 16, 2017 | Email Scams, Internet Security, Network Security, Spam News |
Cyberattacks on law firms have been steadily increasing over the past three years. According to data from PwC’s annual Law Firms Survey last year, 73% of the UK’s top 100 law firms have been attacked by cybercriminals in the past year. In 2014/2015, 62% of the top 100 law firms were attacked. The previous year the figure stood at 45%. In the past two years, cyberattacks on law firms have increased by a staggering 60%.
According to PwC’s figures, large law firms are the most frequently targeted. 90% of the top 25 legal firms had experienced a cyberattack in the past 12 months. The types of attacks are highly varied, although the most common way attacks occur is via the firm’s email system.
Spear phishing emails are sent to solicitors in an attempt to obtain banking credentials and access to email accounts. When solicitors respond to these phishing emails and divulge their banking credentials, client funds are transferred to the criminals’ accounts. According to the survey, 84% of legal firms said they had experienced a phishing attack in the past year.
Solicitors in the UK and Ireland and attorneys in the United States are also being sent bogus emails that claim to be from home buyers or sellers. Instructions are provided asking for funds to be transferred to alternate accounts. Hackers eavesdrop on email conversations and are aware when funds are about to be transferred. They then sent an email to an attorney/solicitor posing as the buyer/seller of a property and provide alternate bank accounts asking for the funds to be transferred to the new account.
Buyers and sellers of properties are also targeted in a similar fashion. They are sent emails with the hacker claiming to be their solicitor. Alternate bank account details are provided for transfers. This is now one of the main types of cyberattacks on law firms and their clients.
Direct attacks on networks still occur, with hackers taking advantage of vulnerabilities in security defenses. However, law firm hacking only accounts for around 16% of incidents. Malware is a much bigger threat. Malware is delivered via spam email or drive-by downloads from the Web. 55% of legal firms say they have experienced a malware attack in the past 12 months. Malware can be ransomware – which locks computers with powerful encryption until a ransom payment is made or keyloggers that record sensitive data such as usernames and passwords. Malware can also enable criminals to gain access to systems to steal sensitive data and extort money out of law firms.
Law firm cyberattacks can be costly to resolve; however, the biggest cost can be loss of reputation. If law firms suffer cyberattacks and client data is stolen or exposed, reputations can be permanently damaged. Legal firms that are unable to ensure that their clients’ information remains confidential may find the cost of removing malware the least of their problems.
To prevent phishing emails and malware from being delivered to inboxes, an advanced spam filter is required. SpamTitan includes a powerful anti-phishing component that recognizes the common signatures of phishing emails and ensures they are not delivered. SpamTitan also blocks 100% of known malware and ransomware, ensuring end users do not receive malicious email attachments and links to malware-ridden websites.
To find out how SpamTitan can improve your security posture, contact the TitanHQ team today and take the first step toward preventing your law firm from being added to next year’s PwC’s law firm cyberattack statistics.
by titanadmin | Jan 23, 2017 | Internet Security, Network Security |
Take a look at the list of the worst passwords of 2016 and you would be forgiven for thinking you are looking at the worst password list for 2015. Or 2014 for that matter. Little appears to have changed year on year, even though the risk to network and data security from the use of weak passwords is considerable.
Every year, SplashData compiles a list of the worst 25 passwords of the year. 2017 is the sixth consecutive year when the company has produced its list. Given the number of largescale data breaches that occurred in 2016, it would be reasonable to assume that organizations would take a proactive step and introduce restrictions on the passwords that can be used to secure corporate networks, computers, and email accounts. Many still don’t. It is still possible for end users to use passwords with no capital letters (or no letters at all), no symbols, and consecutive number strings are still permitted.
Should a hacker attempt a brute force attack – attempting to gain access using an automated system that guesses potential password combinations – a weak password would allow access to be gained incredibly quickly.
If any of the passwords from the list of the worst passwords of 2016 were used, it would be like there was no password required at all. How quickly can a hacker crack one of these passwords? According to Random ize, most of the passcodes on the list of the worst passwords of 2016 could be guessed in under a second. BetterBuys is more pessimistic, claiming most could be guessed in about 0.25 milliseconds.
To compile its list, SplashData scraped data dumps that included passwords. 2016 saw a great deal of data published on darknet sites by cybercriminals that had succeeded in breaching company defenses. For its list, SplashData analyzed more than 5 million credentials, most of which came from data breaches in North America and Europe.
The most commonly used password in 2016 was 123456, as it was in 2015. Password was the second most common password in 2016. There was no change in the top two worst passwords even though cybersecurity awareness has increased. As we saw last year, even John Podesta, chairman of Hillary Clinton’s 2016 presidential campaign, allegedly used a variation of the word password to “secure” his accounts. That poor choice clearly demonstrated that the use of poor passwords offers very little protection against hackers.
The worst password of 2016 was used on an incredible 4% of user accounts, and almost as many individuals used password. SplashData says around 10% of individuals use a password that was on the list of the 25 worst passwords of 2016.
Some individuals have got clever, or so they think. They use a variation of ‘password’. However, password1 and passw0rd are barely any better. The small change would not delay a hacker by any noticeable degree. Hackers are well aware of the use of numbers to replace letters and other techniques to make passwords more secure, such as adding a digit to the end of a word. – Password1 for example.
SplashData’s List of the Worst Passwords of 2016
- 123456
- password
- 12345
- 12345678
- football
- qwerty
- 1234567890
- 1234567
- princess
- 1234
- login
- welcome
- solo
- abc123
- admin
- 121212
- flower
- passw0rd
- dragon
- sunshine
- master
- hottie
- loveme
- zaq1zaq1
- password1
If you were wondering how the list has changed year on year, take a look at last year’s list and you will see a number of similarities.
List of the Worst Passwords of 2015
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- football
- 1234
- 1234567
- baseball
- welcome
- 1234567890
- abc123
- 111111
- 1qaz2wsx
- dragon
- master
- monkey
- letmein
- login
- princess
- qwertyuiop
- solo
- passw0rd
- starwars
In order to make it harder for hackers, complex passwords should be chosen. Passwords should be at least 9 characters, contain numbers, letters (lower and upper case), and symbols. They should not be words, although pass phrases of 15 or more characters would be acceptable. Passwords should also be changed frequently. The use of a password manager is recommended to ensure that these complex passwords can be remembered.
by titanadmin | Jan 16, 2017 | Internet Security, Network Security, Phishing & Email Spam |
A Barts Health malware attack forced the shutdown of hospital IT systems on Friday last week as the UK NHS Trust attempted to limit the damage caused and contain the infection.
Barts Health is the largest NHS Trust in the United Kingdom, operating six hospitals in the capital: Mile End Hospital, Newham University Hospital, St Bartholomew’s Hospital, The London Chest Hospital, The Royal London Hospital, and Whipps Cross University Hospital.
The Barts Health malware attack occurred on Friday 13, 2016. Given the number of ransomware attacks on healthcare organizations in recent months, rumors started to quickly circulate that this was another healthcare ransomware attack.
A statement was released on Friday claiming the Trust had experienced an ‘IT attack,’ and that as a precaution, a number of drives were taken offline to prevent the spread of the infection. The type of malware that had been installed was not known, although the NHS trust did say in its statement that it did not believe ransomware was involved.
Multiple drives were shut down following the discovery of the malware including those used by the pathology department, although patient data were unaffected and the NHS Trust’s Cerner Millennium patient administration system remained operational, as did the systems used by the radiology department.
Today, Barts Health reports that all of its systems are back online and the infection has been removed. Medical services for patients were not affected, although Barts Health said due to the need for requests to be processed manually, it may take a few days for the pathology department to deal with the backlog.
Barts Health also reiterated that at no point were patient medical records compromised. No mention has been made about how the malware was installed and the type of malware involved was not announced. However, the Barts Health malware attack involved a form of malware that had not previously been seen and was a ‘Trojan Malware.’
The Trust said “whilst it had the potential to do significant damage to computer network files, our measures to contain the virus were successful”.
Ransomware Attacks on UK Hospitals
In November last year, the Northern Lincolnshire and Goole NHS Trust was attacked with ransomware which resulted in IT systems at three hospitals being crippled. As a result of that attack, the NHS Trust was forced to cancel 2,800 operations and appointments while the infection was removed and systems restored. The majority of IT systems had to be taken offline, hence the major disruption to medical services.
While Locky and Samas have been used extensively in attacks on U.S. hospitals, the Northern Lincolnshire and Goole NHS Trust ransomware attack involved a ransomware variant known as Globe2 – A relativity new variant that was first identified in August 2016.
Globe ransomware has been spread primarily via spam email and malicious file attachments. Opening the file attachment triggers the downloading of the ransomware. As with other ransomware variants, the attachments appear to be files such as invoices or medical test results.
Malicious links are also used to spread ransomware infections. Clicking a link directs users to malicious websites where ransomware is automatically downloaded. Fortunately for organizations attacked with Globe ransomware, a decryptor has been developed by Emisoft, which is available for free download.
However, relatively few ransomware variants have been cracked. Recovery can also take time resulting in considerable disruption to business processes. Ensuring backups of all critical data are regularly made will ensure that files can be recovered without giving in to attackers’ demands.
Preventing malware and ransomware attacks requires multi-layered defenses. Since many infections occur as a result of infected email attachments and links, organizations should employ an advanced spam filtering solution such as SpamTitan. SpamTitan has been independently tested and shown to block 99.97% of spam email. SpamTitan will also block 100% of known malware.
by titanadmin | Jan 10, 2017 | Network Security, Spam Software, Website Filtering |
A Los Angeles Valley College ransomware attack has resulted in file systems being taken out of action for seven days and considerable costs being incurred to resolve the infection.
Attackers succeeded in taking control of one of the college’s servers on December 30, 2016. When staff returned after the Christmas break they discovered the computer system to be out of action and essential files locked with powerful encryption.
The attackers had succeeded in locking a wide range of file types on network drives and computers. Unfortunately, the college was unable to recover the files from a backup. Administrators therefore faced a tough decision. To try to recover from the attack without paying the ransom and risk file loss or to give in to the attacker’s demands and pay for the keys to unlock the encryption.
Los Angeles Valley College Ransomware Attack Nets Criminal Gang $28,000
Due to the extent of the infection and the number of devices affected, the ransom payment was considerable. The attackers set the price at $28,000 for the decryption keys. The ransom demand was high but the college had little in the way of options.
The ransom note that was loaded onto the college’s X-drive said if the ransom was not paid within 7 days, the unique keys to unlock the encryption would be permanently deleted. That would likely have resulted in all of the locked files being permanently lost.
The college enlisted help from cybersecurity experts to determine the likelihood of files being recovered without paying the ransom. However, college administrators were advised to dig deep and pay the attackers for the key. While there is no guarantee that paying the ransom would result in viable keys being supplied, the college’s cybersecurity experts said there was a high probability of data recovery if the ransom was paid and a very low probability of data being recovered if the ransom demand was ignored. The likely cost of resolving the infection without paying the ransom was also estimated to be higher than attempting to remove the infection. The decision was therefore made to pay the attackers in Bitcoin as requested.
The attackers made good on their promise and supplied the keys to unlock the data. Now IT staff must apply those keys and remove the encryption on the server, network drives, and the many infected computers. Fortunately for the college, a cyber insurance policy will pay out and cover the cost of the ransom and resetting systems. However, there will be other costs that need to be covered, which will must be paid by the district.
Recovery from the Los Angeles Valley College ransomware attack will not be a quick and simple process, even though the decryption keys have been supplied by the attackers. The district’s Chief Information Officer Jorge Mata said “There are often a lot of steps where there’s no coming back, and if you pick the wrong path, there’s no return.” The recovery process therefore requires care and precision and cannot be rushed. The process could well take a number of weeks. The main priority is to recover the email system. Other systems and devices will then be methodically restored.
Los Angeles Valley College Ransomware Attack One of Many Such Attacks on Educational Institutions
The Los Angeles Valley College ransomware attack has hit the headlines due to the extent of the infection and high ransom demand, but it is one of many such attacks to have occurred over the past 12 months. Educational institutions have been heavily targeted by attackers due to the value of college and school data. Educational establishments cannot risk data loss and are therefore likely to pay the ransom to regain access to files.
In the past few months, other educational institutions in the United States that have been attacked with ransomware include M.I.T, University of California-Berkeley, and Harvard University as well as many K-12 schools throughout the country. Figures from Malwarebytes suggest that 9% of ransomware attacks targeted educational establishments.
How Can Educational Institutions Protect Against Ransomware Attacks?
There are a number of steps that educational institutions can take to reduce the risk of ransomware attacks and ensure that recovery is possible without having to resort to paying a ransom. The most important step to take is to ensure that all data is backed up regularly, including the email system. Backups should be stored on air-gapped devices, not on network drives. A separate backup should be stored in the cloud.
However, backups can fail and files can be corrupted. It is therefore important that protections are implemented to prevent ransomware from being delivered via the two most common attack vectors: Email and the Internet.
Email is commonly used to deliver ransomware or malicious code that downloads the file-encrypting software. Preventing these malicious emails from being delivered to staff and students’ inboxes is therefore essential. An advanced spam filter such as SpamTitan should therefore be installed. SpamTitan blocks 99.97% of spam emails and 100% of known malware.
To protect against web-borne attacks and prevent exploit kit activity and drive-by downloads, schools and colleges should use a web filter such as WebTitan. WebTitan uses a variety of methods to block access to malicious webpages where malware and ransomware is downloaded. WebTitan can also be configured to prevent malicious third-party adverts from being displayed. These adverts – called malvertising – are commonly used to infect end users by redirecting their browsers to websites containing exploit kits.
For further information on SpamTitan and WebTitan, to find out more about how both anti-ransomware solutions can prevent infection, and to register for a free 30-day trial of both products, contact TitanHQ today.
by titanadmin | Dec 30, 2016 | Email Scams, Internet Security, Network Security, Phishing & Email Spam |
2016 was a particularly bad year for data breaches. A large number of huge data breaches from years gone by were also discovered in 2016.
The largest breach of 2016 – by some distance – affected Yahoo. The credentials of more than 1 billion users were obtained by the gang behind the attack. A massive cyberattack on MySpace was discovered, with the attackers reportedly obtaining 427 million passwords. 171 million vk.com account details were stolen, including usernames, email addresses, and plaintext passwords. 2016 also saw the discovery of a massive cyberattack on the professional networking platform LinkedIn. The credentials of more than 117 million users were stolen in the attack. Then there was the 51-million iMesh account hack, and 43 million Last.fm accounts were stolen….to name but a few.
The data stolen in these attacks are now being sold on darknet marketplaces to cybercriminals and are being used to commit a multitude of fraud.
One of the biggest threats for businesses comes from business email compromise (BEC) scams. BEC scams involve an attacker impersonating a company executive or vendor and requesting payment of a missed invoice. The attacker sends an email to a member of the accounts team and requests payment of an invoice by wire transfer, usually for several thousand dollars. All too often, even larger transfers are made. Some companies have lost tens of millions of dollars to BEC fraudsters.
Since the email appears to have been sent from a trusted email account, transfer requests are often not questioned. Cybercriminals also spend a considerable amount of time researching their targets. If access to corporate email accounts is gained, the attackers are able to look at previous emails sent by the targets and copy their writing style.
They learn about how transfer requests are usually emailed, the terms used by each company and executive, how emails are addressed, and the amounts of the transfers that have been made. With this information an attacker can craft convincing emails that are unlikely to arouse suspicion.
The scale of the problem was highlighted earlier this year when the FBI released figures as part of a public awareness campaign in June. The FBI reported that $3.1 billion had been lost as a result of BEC scams. Just four months earlier, the losses were $2.3 billion, clearly showing that the threat was becoming more severe.
This year also saw a huge increase in W-2 scams in the United States. W-2 data is requested from HR departments in a similar manner to the BEC scams. Rather than trying to fool email recipients into making fraudulent transfers, the attackers request W-2 data on employees in order to allow them to file fraudulent tax returns in their names. The IRS issued a warning earlier this following a huge increase in W2 attacks on organizations in the United States.
Companies large and small were targeted, with major attacks conducted on Seagate, Snapchat, Central Concrete Supply Co. Inc, and Mainline Health. Between January and March 2016, 55 major – and successful – W-2 scams were reported to the IRS.
Attackers do not even need email account passwords to conduct these attacks. Email addresses of CEOs and executives can easily be spoofed to make them appear that they have been sent internally. The sheer number of stolen email addresses – and in many cases also passwords – makes the threat of BEC and W-2 attacks even greater. Security experts predict next year will be even tougher for businesses with even more cyberattacks than in 2016.
Improve Your Defenses Against Email-Borne Threats in 2017
Reducing the risk of these attacks requires multi-layered defenses. It is essential that all employees authorized to make corporate bank transfers receive training on email security and are alerted to the risk of BEC scams. Policies should be introduced that require bank transfer requests to be authorized by a supervisor and/or authenticated by phone prior to the transfer being made.
All employees should be instructed to use strong passwords and never to share work passwords anywhere else online. Many employees still use the same password for work as for personal accounts. However, if one online platform is breached, it can give the attackers access to all other platforms where the same password has been used – including corporate email accounts.
Organizations should also implement controls to block phishing and spear phishing attacks. Blocking phishing emails reduces reliance on the effectiveness of anti-phishing training for employees.
SpamTitan is a highly effective tool for blocking malicious spam emails, including phishing and spear phishing emails. SpamTitan uses a range of techniques to identify spam and scam emails including Bayesian analyses, greylisting and blacklists. SpamTitan incorporates robust anti-malware and anti-phishing protection, as well as outbound email scanning to block spam and scams from corporate email accounts. SpamTitan is regularly tested by independent experts and is shown to block 99.97% of spam email with a low false positive rate of just 0.03%.
2016 may have been a particularly bad year for data breaches and the outlook doesn’t look good for 2017, but by taking affirmative action and implementing better defenses against email-borne attacks, you could ensure that your company is not added to the 2017 list of data breach and scam statistics.
by titanadmin | Nov 18, 2016 | Email Scams, Network Security, Phishing & Email Spam, Spam News |
Malicious email spam volume has increased again. According to the latest figures from Kaspersky Lab, malicious email spam volume in Q3, 2016 reached a two-year high.
In Q3 alone, Kaspersky Lab’s antivirus products identified 73,066,751 malicious email attachments which represents a 37% increase from the previous quarter. Malicious spam email volume has not been at the level seen in Q3 since the start of 2014. Kaspersky Lab’s figures show that six out of ten emails (59.19%) are spam; a rise of around 2% from Q2, 2016. September was the worst month of the year to date, with 61.25% of emails classified as unsolicited spam.
Spam includes a wide range of unsolicited emails including advertising and marketing by genuine companies, although cybercriminals extensively use email to distribute malware such as banking Trojans, keyloggers, and ransomware. The use of the latter has increased considerably throughout the year. In Q3, the majority of malicious emails contained either ransomware or downloaders that are used to install ransomware on personal computers and business networks.
Ransomware is a form of malware that locks files on a computer with powerful encryption, preventing the victim from gaining access to their data. Many ransomware variants are capable of spreading laterally and can encrypt files on other networked computers. All it takes is for one individual in a company to open an infected email attachment or click on a malicious link in an email for ransomware to be downloaded.
Spammers often use major news stories to trick people into opening the messages. The release of the iPhone 7 in Q3 saw spammers take advantage. Spam campaigns attempted to convince people that they had won an iPhone 7. Others offered the latest iPhone at rock bottom prices or offered an iPhone 7 for free in exchange for agreeing to test the device. Regardless of the scam, the purpose of the emails is the same. To infect computers with malware.
There was an increase in malicious email spam volume from India in Q3. India is now the largest source of spam, accounting for 14.02% of spam email volume. Vietnam was second with 11.01%, with the United States in third place, accounting for 8.88% of spam emails sent in the quarter.
Phishing emails also increased considerably in Q3, 2016. Kaspersky Lab identified 37,515,531 phishing emails in the quarter; a 15% increase compared to the Q2.
Business email compromise (BEC) attacks and CEO fraud are on the rise. These scams involve impersonating a CEO or executive and convincing workers in the accounts department to make fraudulent bank transfers or email sensitive data such as employee tax information. Some employees have been fooled into revealing login credentials for corporate bank accounts. Cybercriminals use a range of social engineering techniques to fool end users into opening emails and revealing sensitive information to attackers.
Security awareness training is important to ensure all individuals – from the CEO down – are aware of email-borne threats; although all it takes is for one individual to be fooled by a malicious email for a network to be infected or a fraudulent bank transfer to be made.
The rise in malicious email spam volume in Q3, 2016 shows just how important it is to install an effective spam filter such as SpamTitan.
SpamTitan has been independently tested by VB Bulletin and shown to block 99.97% of spam emails. SpamTitan has also been verified as having a low false positive rate of just 0.03%. Dual antivirus engines (Bitdefender and ClamAV) make SpamTitan highly effective at identifying malicious emails and preventing them from being delivered to end users.
If your end users are still receiving spam emails you should consider switching antispam providers. To find out the difference that SpamTitan can make, contact the Sales Team today and register for a free, no obligation 30-day trial.
by titanadmin | Sep 13, 2016 | Network Security, Phishing & Email Spam |
In response to the massive rise in ransomware attacks on healthcare organizations, the Department of Health and Human Services’ Office for Civil Rights has developed new HIPAA guidance on ransomware for covered entities.
The guidance covers best practices that can be adopted to prevent cybercriminals from installing ransomware, along with helpful advice on how to prepare for ransomware attacks and how to respond when critical files are encrypted by malicious software. Importantly, the new HHS guidance on ransomware also confirms how these security breaches are classified under the Health Insurance Portability and Accountability Act. Many healthcare security professionals feel that HIPAA guidance on ransomware has been long overdue due to the uncertainty about maintaining HIPAA compliance following a ransomware attack. .
HIPAA Guidance on Ransomware Clarifies Attacks ARE Reportable Data Breaches
In the new HIPAA guidance on ransomware, OCR has clarified the reporting requirements for ransomware attacks under HIPAA. Over the past few months, as ransomware attacks on healthcare organizations have soared, there has been much confusion over whether these attacks are classed as security incidents under HIPAA Rules.
It has been argued that since ransomware blindly encrypts files and does not usually involve the attackers actually gaining access to data, the incidents should not be reportable to the HHS. Also, it has been argued that there is no need to issue breach notification letters to patients whose data are temporarily encrypted.
The OCR has now confirmed that ransomware attacks are reportable and require a full breach response, including the mailing of breach notification letters to affected patients and health plan members.
A ransomware attack is considered to be a data breach unless the covered entity can demonstrate that there was only a “low probability that PHI has been compromised.” The OCR considers a breach to have occurred if “unauthorized individuals have taken possession or control of the information.”
How HIPAA Covered Entities Must Respond to Ransomware Attacks
Any HIPAA covered entity that experiences a ransomware attack must orchestrate a full breach response and proceed as they would for a malware attack or if a hacker gained access to PHI.
An accurate and thorough risk assessment must be conducted to determine whether there is any risk to the confidentiality, integrity, or availability of electronic protected health information (ePHI). HIPAA requires the infection to be contained and data must be restored to allow normal operations to continue. Security measures must be implemented to mitigate risks and prevent future attacks.
The Office for Civil Rights must be notified of the breach within 60 days of the discovery of the attack if the breach impacts 500 or more patients, or at the end of the year in the case of a smaller breach of patient records. Breach notification letters must also be mailed to patients within 60 days, in accordance with the HIPAA Breach Notification Rule. A breach notice must also be submitted to the media if the breach impacts 500 or more individuals.
Preparing for a Ransomware Attack
The new HIPAA guidance on ransomware explains that organizations must be prepared to deal with ransomware attacks.
Healthcare organizations should implement cybersecurity protection measures to prevent ransomware attacks, such as installing a robust spam filtering solution such as SpamTitan. Spam filters can prevent the majority of malicious emails from being delivered to end users. Staff members should also be trained on the risk of ransomware and advised how to identify phishing emails and malicious websites.
A risk analysis should be conducted to identify potential cybersecurity vulnerabilities that could be exploited by hackers to install ransomware. Any vulnerabilities that could increase the risk of a ransomware attack being successful should be addressed in a timely fashion.
An emergency operation plan must also be developed that can be immediately put in place upon discovery of a ransomware attack. The new HIPAA guidance on ransomware also states that emergency response plans should be regularly tested to ensure that they are effective.
Ransomware Attacks on Healthcare Organizations Soar
This year has seen an extraordinary number of ransomware attacks on healthcare organizations. In February, ransomware was installed on computers at Hollywood Presbyterian Medical Center in California and a ransom demand of $17,000 was issued. Hollywood Presbyterian Medical Center felt the best course of action to minimize damage was to pay the ransom and obtain the decryption keys to unlock data. On receipt of the funds, the attackers made good on their promise and supplied the keys to unlock the encryption.
However, some organizations have discovered that simply paying a ransom demand does not spell the end of the problem. There have been cases – notably Kansas Heart Hospital – where a ransom has been paid, only for a second ransom demand to be issued. Other companies have paid and not been supplied with working keys. Paying a ransom is no guarantee that data can be decrypted.
The FBI advises against paying ransom demands. Not only is there no guarantee that the attackers will supply working keys, but payment of ransoms only encourages the attackers to continue with their ransomware campaigns. Only by preparing for ransomware attacks can organizations ensure that in the event of ransomware being installed, they will be able to recover their files quickly without giving in to attackers’ demands.
The Ransomware Threat Should Not Be Ignored
The threat to healthcare organizations is severe. Research conducted by anti-phishing company PhishMe showed that in Q1, 2016, 93% of phishing emails contained ransomware. Figures from Symantec Security Response show that on average, 4,000 ransomware attacks have occurred every day since January 1, 2016. A report from security firm Solutionary, shows that in 2016, 88% of ransomware detections were by healthcare organizations.
So far this year, in addition to the attack on Hollywood Presbyterian Medical Center, ransomware attacks have been reported by MedStar Health and DeKalb Health, while Prime Healthcare reported that three of its hospitals – Desert Valley Hospital, Chino Valley Medical Center and Alvarado Hospital Medical Center – were attacked with ransomware. Methodist Hospital in Kentucky, Massachusetts General Hospital, and Yuba Sutter Medical Clinic in California have also reported ransomware attacks this year, to name but a few.
It may not be possible to prevent ransomware attacks, but if healthcare organizations invest in better security protections, the majority of attacks can be prevented. Provided that adequate preparations are made for ransomware attacks, in the event that the malicious software is installed, damage can be limited.
The HIPAA guidance on ransomware can be downloaded from the HHS website.
by titanadmin | Jul 27, 2016 | Internet Security, Network Security, Phishing & Email Spam, Spam News |
According to the latest threat report from Proofpoint the top email security threat is now Locky ransomware. Locky, which is primarily distributed via spam email, has become the biggest threat to businesses in the past quarter. Locky is delivered via JavaScript email attachments which download the malicious file encrypter onto the computers of unsuspecting users.
Locky Ransomware Replaces Dridex as the Top Email Security Threat
Locky was first identified in February 2016 and is believed to have been released by the criminal gang behind the Dridex banking malware. In fact, Locky is distributed using the infamous Necurs botnet, one of the largest botnets currently in operation. Necurs was also used to deliver Dridex malware, which was the top email security threat in Q1. Figures from Proofpoint suggest Locky has been used in 69% of email attacks involving malicious documents in Quarter 2, 2016.
Not only is Locky now the top email security threat, malicious message volume also increased significantly in quarter 2. Proofpoint charted the rise in malicious email volume and the Quarterly Threat Summary shows volume has increased by 230% since Q1, 2016.
Bear in mind that the huge rise in malicious emails occurred even though the Necurs botnet went silent in early June and Locky emails essentially stopped being delivered. However, the botnet did not remain inactive for long. By the end of June it was back with a vengeance, with huge volumes of Locky emails delivered as part of a massive new campaign.
Malicious emails are now being sent at rates that have never before been seen, with JavaScript email attachments the delivery method of choice. Stopping these messages from being delivered now requires automated anti-spam solutions. According to Proofpoint, “Organizations must have a scalable, automated defense against email-based advanced threats that can adapt to new techniques and approaches.”
Exploit Kits Are Mostly Delivering CryptXXX Crypto-Ransomware
While Locky may be the top email security threat, exploit kits still pose a major risk to businesses and personal computer users. The Angler exploit kit may have died a death in early June, but Neutrino has now taken over as the EK of choice. Neutrino is targeting numerous vulnerabilities and CryptXXX crypto-ransomware is the main threat. The ransomware variant only appeared in Q2, but it has fast become a major problem and the most common EK threat.
CryptXXX may now be the most prevalent EK ransomware variant in use; however, there has been an explosion in the number of ransomware variants in 2016. Since the final quarter of 2015, the number of ransomware variants has increased by a factor of between 5 and 6 according to Proofpoint. The majority of ransomware is delivered via exploit kits, although many users are directed to malicious websites via links delivered by spam email.
Fortunately, EK activity has fallen considerably since April. Angler EK activity started to decline in late April and by the start of June EK activity had dropped by around 96%. Since the end of June, EK activity has started to increase with Neutrino the main EK now in use. Fortunately, EK activity has not returned to pre April levels. So far at least.
