Our website filtering category includes the latest news and advice on content filtering: Restricting access to inappropriate online content such as pornography, blocking illegal activities such as copyright-infringing file downloads and blocking other potentially harmful or productivity-draining web content.
This news section also includes updates on web-based threats including ransomware, malware and phishing websites. While spam email is the current number one attack vector and the most common medium used for phishing, organizations should not neglect Internet threats such as exploit kits and malvertising. Articles on the latest threats and possible mitigations are also included in this category.
You will also find useful tips and advice on Internet content filtering and how best to protect your organizations using a web filtering solution. Many of the news items in this section are particularly relevant to Managed Service Providers (MSPs) looking to increase revenue and provide a more comprehensive range of security solutions to their clients.
TitanHQ announced a new partnership with Purple, the intelligent spaces company, which is now using the WebTitan WiFi filtering solution to control the content that can be accessed through its WiFi networks.
Businesses are now realizing they can attract more customers by providing free WiFi access, with Purple allowing businesses to get something back from providing free WiFi access to customers.
Purple provides WiFi analytics and marketing solutions allowing businesses to get more out of their WiFi networks. Those services have proven incredibly popular, with Purple rapidly expanding its business to serve clients in more than 70 countries.
Businesses are facing increasing pressure not only to provide Internet access to customers, but also to ensure that the Internet can be accessed safely and securely. The recent WannaCry ransomware attacks have highlighted just how important Internet security has now become. An Internet content filtering solution is therefore necessary to ensure inappropriate website content can be filtered out and malicious websites are blocked.
TitanHQ’s website content filtering solution – WebTitan – is the global leading content filtering solution for WiFi networks. Each day, WebTitan detects and blocks more than 60,000 different types of malware and ransomware, preventing users from infecting their devices. The solution is managed from a web-based control panel and can instantly be applied to any number of global WiFi access points.
The solution can be easily configured, has no latency, and allows precise control over the types of content that can be accessed through WiFi networks.
Following the rollout of WebTitan, which took just a few days, Purple customers have started benefitting from the industry-leading WiFi filtering solution.
James Wood, Head of Integration at Purple, communicated Purple’s unique requirements to TitanHQ which was able to provide a solution that exactly matched the company’s needs. Wood said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
The solution was ideal for Purple. Woods explained that “Along with superior protection, WebTitan also allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
More and more companies are realizing that it is no longer sufficient to just offer free WiFi access to customers. Customers now want to be reassured that they can access the Internet securely. TitanHQ CEO Ronan Kavanagh said “Content filtering for Wi-Fi will be a given in service terms over the next few years. Purple again is leading the way with their focus on this area.”
A new email-borne threat has recently been discovered. Fatboy ransomware is a new ransomware-as-a-service (RaaS) being offered on darknet forums in Russia. The RaaS offers would-be cybercriminals the opportunity to conduct ransomware campaigns without having to develop their own malicious code.
RaaS has proven incredibly popular. By offering RaaS, malicious code authors can infect more end users by increasing the number of individuals distributing the ransomware. In the case of Fatboy ransomware, the code author is offering limited partnerships and is dealing with affiliates directly via the instant messaging platform Jabber.
Fatboy ransomware encrypts files using AES-256, generating an individual key for the files and then encrypting those keys using RSA-2048. A separate bitcoin wallet is used for each client and a promise is made to transfer funds to the affiliates as soon as the money is paid. By offering to deal directly with the affiliates, being transparent about the RaaS and offering support, it is thought that the code author is trying to earn trust and maximize the appeal of the service.
Further, the ransomware interface has been translated into 12 languages, allowing campaigns to be conducted in many countries around the world. Many RaaS offerings are limited geographically by language.
Fatboy ransomware also has an interesting new feature that is intended to maximize the chance of the victim paying the ransom demand. This RaaS allows attackers to set the ransom payment automatically based on the victim’s location. In locations with a high standard of living, the ransom payment will be higher and vice versa.
To determine the cost of living, Fatboy ransomware uses the Big Mac Index. The Big Mac Index was developed by The Economist as a method of determining whether currencies were at their correct values. If all currencies are at their correct value, the cost of a product in each country should be the same. The product chosen was a Big Mac. In short, the higher the cost of a Big Mac in the victim’s country, the higher the ransom demand will be.
So far, Recorded Future – the firm that discovered the ransomware variant – says the code author has generated around $5,000 in ransom payments since February. That total is likely to rise considerably as more affiliates come on board and more end users are infected. There is no known decryptor for Fatboy ransomware at this time.
New ransomware variants are constantly being developed and RaaS allows many more individuals to conduct ransomware campaigns. Unsurprisingly, the number of ransomware attacks has grown.
The cost of resolving a ransomware infection can be considerable. Businesses therefore need to ensure they have defenses in place to block attacks and ensure they can recover fast.
Backups need to be made regularly to ensure files can be easily recovered. Staff need to be trained on security best practices to prevent them inadvertently installing ransomware. Antispam solutions should also be implemented to prevent malicious emails from reaching end users’ inboxes. Fortunately, even with a predicted increase in ransomware attacks, businesses can effectively mitigate risk if appropriate defenses are implemented.
For advice on security solutions that can block ransomware attacks, contact the TitanHQ team today.
Hackers are continuing to attack healthcare organizations, but healthcare ransomware attacks are the biggest cause of security incidents, according to the NTT Security 2017 Global Threat Intelligence Report.
Healthcare ransomware attacks accounted for 50% of all security breaches reported by healthcare organizations between October 2015 and September 2016 and are the largest single cause of security breaches.
However, healthcare is far from the only sector to be targeted. Retail, government, and the business & professional services sector have also suffered many ransomware attacks during the same period. Those four sectors accounted for 77% of global ransomware attacks. The worst affected sector was business & professional services, with 28% of reported ransomware attacks, followed by the government (19%), healthcare (15%) and retail (15%).
NTT Security reports that phishing emails are the most common mechanism for ransomware delivery, being used in 73% of ransomware and malware attacks. Poor choices of password are also commonly exploited to gain access to networks and email accounts. NTT says just 25 passwords were used in 33% of all authentication attempts on its honeypots, while 76% of authentication attempts used a password known to have been implemented in the Mirai botnet.
Zero-day exploits tend to attract considerable media attention, but they are used in relatively few attacks. Web-based attacks have fallen but they still pose a significant threat. The most commonly attacked products were Microsoft Internet Explorer, Adobe Flash Player, and Microsoft Silverlight. Exploit kit activity has fallen throughout the year as cybercriminals have turned to phishing emails to spread malware and ransomware. There was a steady decline in exploit kit attacks throughout the year.
With phishing posing the highest risk, it is essential that organizations ensure they have adequate defenses in place. Phishing attacks are sophisticated and hard to distinguish from genuine emails. Security awareness training is important, but training alone will not prevent some attacks from being successful. It is also important to ensure that training is not just a one time exercise. Regular training sessions should be conducted, highlighting the latest tactics used by cybercriminals and recent threats.
The best form of defense against phishing attacks is to use anti-phishing technologies such as spam filters to prevent phishing emails from reaching end users. The more phishing emails that are blocked, the less reliance organizations place on end users being able to identify phishing emails. Solutions should also be implemented to block users from visiting phishing websites via hyperlinks sent via email.
In the United States, phishing attacks on schools and higher education institutions have soared in recent months, highlighting the need for improvements to be made to staff education programs and cybersecurity defenses.
Phishing refers to the practice of sending emails in an attempt to get the recipients to reveal sensitive information such as logins to email accounts, bank accounts, or other computer systems. Typically, a link is included in the email which will direct the user to a website where information must be entered. The sites, as well as the emails, contain information to make the request look genuine.
Phishing is nothing new. It has been around since the 1980’s, but the extent to which sensitive information is stored electronically and the number of transactions that are now conducted online has made attacks much more profitable for cybercriminals. Consequently, attacks have increased. The quality of phishing emails has also improved immeasurably. Phishing emails are now becoming much harder to identify, especially by non-technical members of staff.
No organization is immune to attack, but attackers are no longer concentrating on financial institutions and healthcare organizations. The education sector is now being extensively targeted. Phishing attacks on schools are being conducted far more frequently, and all too often those attacks are succeeding.
Such is the scale of the problem that the IRS recently issued a warning following a massive rise in phishing attacks on schools. Campaigns were being conducted by attackers looking for W-2 Form data of school employees. That information was then used to submit fraudulent tax returns in school employees’ names.
Recent Phishing Attacks on Schools, Colleges, and Universities
Westminster College is one of the latest educational institutions to report that an employee has fallen for the W-2 Form phishing scam, although it numbers in dozens of schools, colleges and universities that have been attacked this year.
Phishing emails are not only concerned with obtaining tax information. Recently, a phishing attack on Denver Public Schools gave the attackers the information they needed to make a fraudulent bank transfer. More than $40,000 intended to pay staff wages was transferred to the criminal’s account.
This week, news emerged of a listing on a darknet noticeboard from a hacker who had gained access to school email accounts, teacher’s gradebooks, and the personal information of thousands of students. That individual was looking for advice on what to do with the data and access in order to make money.
Washington University School of Medicine was targeted in a phishing attack that saw the attackers gain access to patient health information. More than 80,000 patients potentially had their health information stolen as a result of that attack.
Last week, news emerged of an attempted phishing attack on Minnesota schools, with 335 state school districts and around 170 charter schools potentially attacked. In that case, the phishing attack was identified before any information was released. The attack involved an email that appeared to have been sent from the Education Commissioner. The attackers were trying to gain access to financial information.
How to Improve Defenses Against Phishing Attacks
Fortunately, there are a number of technological controls that can be implemented cheaply to reduce the risk of phishing attacks on schools being successful.
An advanced spam filtering solution with a powerful anti-phishing component is now essential. A spam filter looks for the common spam and phishing signatures and ensures suspect messages are quarantined and not delivered to end users.
It must be assumed that occasionally, even with a spam filter, phishing emails may occasionally be delivered. To prevent employees from visiting phishing websites and revealing their information, a web filtering solution can be used. Web filters can be configured to block end users from visiting websites that are known to be used for phishing. As an additional benefit, web filters can stop individuals from accessing websites known to contain malware or host illegal or undesirable material – pornography for instance.
Those solutions should be accompanied by training for all staff members on the risk from phishing and the common identifiers that can help staff spot a phishing email. Schools should also implement policies for reporting threats to the organization’s IT department. Fast reporting can limit the harm caused and prevent other staff members from responding.
IT departments should also have policies in place to ensure thwarted attacks are reported to law enforcement. Warnings should also be sent to other school districts following an attack to allow them to take action to protect themselves against similar attacks.
Any school or higher educational institution that fails to implement appropriate defenses against phishing attacks will be at a high risk of a phishing attack being successful. Not only do phishing attacks place employees at risk of fraud, they can prove incredibly costly for schools to mitigate. With budgets already tight, most schools can simply not afford to cover those costs.
If you would like further information on the range of cybersecurity protections that can be put in place to prevent phishing attacks on schools and other educational institutions, call TitanHQ today for an informal chat.
The Solicitors Regulation Authority in the United Kingdom has recently issued a warning about law firm email scams following a sharp rise in law firm cyberattacks.
According to SRA figures, almost 500 UK law firms have been targeted by cybercriminals. One of the most common law firm email scams seen in recent weeks involves an attacker sending an email to a solicitor pretending to be a new client. While the attacker could claim to have any number of legal problems in the initial email, one of the favored themes is a property or business that is about to be purchased or sold.
Legal services are requested and, when the solicitor replies, the attacker sends an email containing a malicious email attachment. The email attachment does not contain the malware, instead a malicious macro is embedded in the document. A believable explanation for the inclusion of the macro is provided in the document to allay suspicion. If the macro is enabled, a script is run that downloads the malicious payload. The download occurs silently so the solicitor is unlikely to be aware that their computer has been infected.
The malware then collects and exfiltrates sensitive data, or provides access to the solicitor’s computer allowing the attacker to search for any useful data. Keyloggers can also be installed to log keystrokes on the infected computer and collect login information for email and bank accounts.
The SRA has emphasized there is a high risk of attack, suggesting UK solicitors should treat cybercrime as a priority risk. Action should be taken promptly to mitigate the risk and ensure that the firm’s data are secured. The SRA warns that a cyberattack can cause considerable damage to a firm’s reputation and could result in significant harm to clients. Clients and the law firm can suffer considerable financial losses as a result of these scams.
Not all cyberattacks on law firms involve malware. Phishing is also a major risk. Many law firm email scams attempt to get solicitors to reveal sensitive information such as login credentials, passwords, or other confidential information. These law firm email scams are not easy to identify. Cybercriminals invest considerable time and effort into building up relationships with solicitors via email or over the telephone to build trust. Once a personal relationship has been established it is far easier for the scammers to fool solicitors into revealing sensitive information.
The seriousness of the threat is clear from the reports of cybercrime received by the SRA from solicitors over the past year. The SRA says more than £7 million of clients’ money has been stolen from solicitors in 2016.
The advice to law firms on reducing cybersecurity risk is:
- Make sure all data are backed up and stored securely on a drive that is not connected to a computer
- Make use of secure cloud services for storing sensitive data and accessing and processing information
- Keep software up to date. Patches and software/system updates should be applied promptly
- Solicitors should consider using encryption services for all stored data, especially on mobile devices
- Antivirus and antimalware systems should be installed and set to update definitions automatically. Regular scans of systems should also be scheduled.
As an additional protection against law firm email scams, solicitors should implement an advanced antispam solution to prevent phishing and other malicious emails from being delivered.
To protect against malicious links and redirects from malvertising, solicitors should consider implementing a web filtering solution. A web filter can be used to block visits to webpages known to contain malware.
Free Dharma ransomware decryption is now possible following the publication of the decryption keys used by the cybercriminal gang behind the ransomware.
The Dharma ransomware decryption keys have now been used to develop a decryptor to unlock Dharma-encrypted files. If your organization has been attacked with Dharma ransomware, you can unlock your files by using the Dharma ransomware decryptor developed by Kaspersky Lab or ESET. A ransom no longer needs to be paid.
The decryptor available from ESET will unlock files encrypted by Dharma and its predecessor, Crysis. Kaspersky Lab has added the keys to its Rakhni ransomware decryptor.
It is easy to determine which ransomware variant has been used by checking the file extension on ransomware-encrypted files. Dharma ransomware adds the ‘.dharma’ extension to files after they have been encrypted.
The keys to unlock the encryption were posted on a BleepingComputer tech support forum last week by an individual with the username ‘gektar’. Where that individual obtained the decryption keys is unknown, although both Kaspersky Lab and ESET have confirmed that the decryption keys are genuine. The decryption keys will work for all variants of Dharma ransomware.
The name gektar is not known to security researchers. No other online posts are believed to have been made with that username. The username seems to have been created solely to post the decryption keys. It would appear the individual responsible wants to keep a low profile.
Unfortunately, there are now more than 200 ransomware families, with many different ransomware variants within each of those families. Dharma may be no more, but the ransomware threat is still severe. There are still no decryptors available for the biggest ransomware threats: Locky, Samsa (Samsam) and CryptXXX, which are still being extensively used by cybercriminal gangs to extort money out of businesses.
The best defense that businesses can adopt to ensure ransomware-encrypted files can be recovered for free is to ensure that backups of critical files are made on a daily basis. Those backups should be stored on an air-gapped device and also in the cloud.
Recovery from backups and removing ransomware infections can be a labor-intensive and time-consuming process, so anti-ransomware defenses should also be employed to prevent infection. We recommend using SpamTitan to block ransomware emails from being delivered to end users’ inboxes and WebTitan to prevent drive-by ransomware downloads.
Ransomware attacks on British schools have soared in recent weeks. The problem has become so serious that the British National Fraud and Cyber Crime Reporting Center, also known as Action Fraud, has issued a new ransomware warning to British schools.
Ransomware has grown in popularity with cybercriminals over the past 2 years, with attacks on organizations around the world soaring in 2016. 2017 may only be a few weeks old, but ransomware attacks are continuing at the high levels seen in 2016. Security experts predict that 2017 will see even more cyberattacks on schools and other educational institutions. Ransomware the attack method of choice.
Ransomware is a form of malware that encrypts data on a compromised system. A wide range of file types are locked with powerful encryption and a ransom demand is issued. If payment is made, the attackers claim they will supply the key to unlock the encryption. Without the key – the sole copy is held by the attackers – data will remain locked forever.
Some forms of ransomware have been cracked and free decryptors made available, but they number in the few. The majority of ransomware variants have yet to be cracked. Recovery depends on payment of the ransom or the wiping of the attacked system and restoration of files from backups.
While a standard charge per encrypted device was the norm early last year, ransomware is now more sophisticated. The attackers are able to set their payment demand based on the types of files encrypted, the extent of the infection, and the perceived likelihood of the victim paying up. Ransomware attacks on British schools have seen ransom demands of an average of £8,000 issued.
Ransomware Attacks on British Schools are Targeted, Not Random
Many ransomware attacks are random – Spam emails are sent in the millions in the hope that some of them reach inboxes and are opened by employees. However, ransomware attacks on British schools have seen a different approach used. Recent attacks have been highly targeted.
Rather than send emails out en masse, the spate of recent ransomware attacks on British schools start with a phone call. In order to find their target, the attackers call the school and ask for the email address of the head teacher. The email address is required because sensitive information needs to be sent that should only be read by the head teacher. Information such as mental health assessment forms and teacher guidance forms.
An email is then crafted and sent to the head teacher; addressed to that individual by name. While there are many types of ransomware emails, a number of recent ransomware attacks on British schools involved an email that appears to have been sent by the Department of Education. Other cases have involved the impersonation of the Department of Work and Pensions and telecom providers.
In the text of the email the attacker explains that they have sent some information in an attached file which is important and needs to be read. The attached file, usually in compressed format such as .ZIP or .RAR, contains files that install ransomware if opened.
How to Prevent Ransomware Attacks
Ransomware attacks on British schools can be highly sophisticated, although risk can be effectively mitigated.
- Ensure all staff with computer access are made aware of the risk of ransomware attacks
- Provide cybersecurity training to all staff, including how to identify ransomware and phishing emails
- Never open attachments or visit links in emails sent from unknown senders
- Implement a spam filter to capture and quarantine malicious spam emails
- Use a web filtering solution to prevent staff members from visiting malicious links and from downloading ‘risky’ files
- Ensure all software is kept up to date and patches are applied promptly
- Keep all anti-virus and anti-malware solutions up to date, setting updates to occur automatically
- Restrict the use of administrator accounts – Only use accounts with high levels of privileges for specific tasks
It is also essential to ensure that backups of all data are made on a daily basis and backup devices are disconnected after backups have been performed. Data should ideally be backed up to the cloud and on a physical backup device. In the event of an attack, data can then be recovered without paying the ransom.
A Los Angeles Valley College ransomware attack has resulted in file systems being taken out of action for seven days and considerable costs being incurred to resolve the infection.
Attackers succeeded in taking control of one of the college’s servers on December 30, 2016. When staff returned after the Christmas break they discovered the computer system to be out of action and essential files locked with powerful encryption.
The attackers had succeeded in locking a wide range of file types on network drives and computers. Unfortunately, the college was unable to recover the files from a backup. Administrators therefore faced a tough decision. To try to recover from the attack without paying the ransom and risk file loss or to give in to the attacker’s demands and pay for the keys to unlock the encryption.
Los Angeles Valley College Ransomware Attack Nets Criminal Gang $28,000
Due to the extent of the infection and the number of devices affected, the ransom payment was considerable. The attackers set the price at $28,000 for the decryption keys. The ransom demand was high but the college had little in the way of options.
The ransom note that was loaded onto the college’s X-drive said if the ransom was not paid within 7 days, the unique keys to unlock the encryption would be permanently deleted. That would likely have resulted in all of the locked files being permanently lost.
The college enlisted help from cybersecurity experts to determine the likelihood of files being recovered without paying the ransom. However, college administrators were advised to dig deep and pay the attackers for the key. While there is no guarantee that paying the ransom would result in viable keys being supplied, the college’s cybersecurity experts said there was a high probability of data recovery if the ransom was paid and a very low probability of data being recovered if the ransom demand was ignored. The likely cost of resolving the infection without paying the ransom was also estimated to be higher than attempting to remove the infection. The decision was therefore made to pay the attackers in Bitcoin as requested.
The attackers made good on their promise and supplied the keys to unlock the data. Now IT staff must apply those keys and remove the encryption on the server, network drives, and the many infected computers. Fortunately for the college, a cyber insurance policy will pay out and cover the cost of the ransom and resetting systems. However, there will be other costs that need to be covered, which will must be paid by the district.
Recovery from the Los Angeles Valley College ransomware attack will not be a quick and simple process, even though the decryption keys have been supplied by the attackers. The district’s Chief Information Officer Jorge Mata said “There are often a lot of steps where there’s no coming back, and if you pick the wrong path, there’s no return.” The recovery process therefore requires care and precision and cannot be rushed. The process could well take a number of weeks. The main priority is to recover the email system. Other systems and devices will then be methodically restored.
Los Angeles Valley College Ransomware Attack One of Many Such Attacks on Educational Institutions
The Los Angeles Valley College ransomware attack has hit the headlines due to the extent of the infection and high ransom demand, but it is one of many such attacks to have occurred over the past 12 months. Educational institutions have been heavily targeted by attackers due to the value of college and school data. Educational establishments cannot risk data loss and are therefore likely to pay the ransom to regain access to files.
In the past few months, other educational institutions in the United States that have been attacked with ransomware include M.I.T, University of California-Berkeley, and Harvard University as well as many K-12 schools throughout the country. Figures from Malwarebytes suggest that 9% of ransomware attacks targeted educational establishments.
How Can Educational Institutions Protect Against Ransomware Attacks?
There are a number of steps that educational institutions can take to reduce the risk of ransomware attacks and ensure that recovery is possible without having to resort to paying a ransom. The most important step to take is to ensure that all data is backed up regularly, including the email system. Backups should be stored on air-gapped devices, not on network drives. A separate backup should be stored in the cloud.
However, backups can fail and files can be corrupted. It is therefore important that protections are implemented to prevent ransomware from being delivered via the two most common attack vectors: Email and the Internet.
Email is commonly used to deliver ransomware or malicious code that downloads the file-encrypting software. Preventing these malicious emails from being delivered to staff and students’ inboxes is therefore essential. An advanced spam filter such as SpamTitan should therefore be installed. SpamTitan blocks 99.97% of spam emails and 100% of known malware.
To protect against web-borne attacks and prevent exploit kit activity and drive-by downloads, schools and colleges should use a web filter such as WebTitan. WebTitan uses a variety of methods to block access to malicious webpages where malware and ransomware is downloaded. WebTitan can also be configured to prevent malicious third-party adverts from being displayed. These adverts – called malvertising – are commonly used to infect end users by redirecting their browsers to websites containing exploit kits.
For further information on SpamTitan and WebTitan, to find out more about how both anti-ransomware solutions can prevent infection, and to register for a free 30-day trial of both products, contact TitanHQ today.
‘Tis the season to be jolly, although ‘tis also the season to be infected with malware. The holiday season is an annual highlight for cybercriminals. Holiday season malware infections are to be expected as cybercriminals increase their efforts and try to infect as many users with malware as possible.
Malware is an ever-present threat, but the increase in online activity in the run up to the holiday season means easy pickings for cybercriminals. Consumers are starting to prepare for the holidays earlier, but not as early as the scammers. As consumers head online in their droves, scammers and other cybercriminals are lying in wait.
The advent of Black Friday and Cyber Monday – days where shoppers are offered amazing deals to prompt early Christmas purchases– see a frenzy of online activity. There are discounts aplenty and great deals to be had.
However, not all of those discounts are genuine. Many are scams that are used to phish for sensitive information or spread malware infections. As is the case every year, the holiday season sees a spike in malware infections, with the biggest spike over Thanksgiving weekend. This year has been no exception. Holiday season malware infections have increased significantly year on year.
Holiday Season Malware Infections Rise 118% Above Normal Levels
This year, over the first official shopping weekend of the holiday season, malware infections increased by 106% according to data compiled by the Enigma Software Group. On Cyber Monday, when even more great deals on online purchases are made available, malware infections were 118% higher than normal.
Those figures are only for Windows users. Add in smartphones and Apple devices and the figures would be higher still. The problem is also getting worse. Last year there was a spike of 84% over normal levels during the Thanksgiving weekend.
There have been a number of suggestions put forward as to why the figures are so high this year. One of the main reasons is simply due to the number of shoppers heading online. Each year sees more individuals choosing to go online shopping over Thanksgiving weekend. More online shoppers mean more opportunities to infect users with malware.
However, there are also more actors involved in online scams, malware-as-a-service and ransomware-as-a-service has also grown in popularity, and many cybercriminals have started up affiliate schemes to get more help spreading their malicious software. Individuals who succeed in infecting computers with ransomware are given a cut of the profits and there is no shortage of people willing to try the affiliate schemes to boost their own earnings.
Cybercriminals are also getting better at developing convincing scams and malicious email messages. The grammatical and spelling mistakes that were common in phishing emails in years gone by are largely gone. Now, almost perfect emails are sent and scammers are using a wide range of social engineering techniques to lure end users into clicking on malicious links or opening infected email attachments. Spoofed retail sites are also now commonplace – and extremely convincing.
The growth of social media has also helped boost cybercriminal activity. Malicious posts are being shared online offering discounts, special offers, and unmissable deals. However, all end users get is a malware download.
Avoiding a Bad Start to Holiday Season
To avoid becoming a victim of a scam or having to deal with a malware or ransomware infection, shoppers must be vigilant and exercise more caution. Offers that sound too good to be true usually are. Unsolicited emails should always be treated as suspicious and extra care should be taken when clicking on any link or visiting a retail site.
Businesses should also take extra precautions. A malware or ransomware infection can prove extremely costly to resolve. While warnings should be sent to end users about the risks of holiday season malware infections, technological solutions should also be in place to prevent malicious file downloads.
Antispam solutions are highly effective at blocking malicious messages such as phishing emails and emails containing malware. SpamTitan blocks 99.97% of spam messages, contains a powerful anti-phishing module, and blocks 100% of known malware.
Malicious links on social media sites and on third-party ad networks (malvertisting) are a very real risk. However, a web filter can be used to control access to social media sites, block malicious third-party adverts, and prevent end users from visiting websites known to contain malware.
If you want to keep your network free from malware this holiday season, if you have not already used these two solutions, now is the time. They will also help to keep your network malware free around the year. And with security experts predicting a massive increase in ransomware and malware attacks in 2017, there is no better time to start improving your defenses.
The Federal Trade Commission (FTC) in the United States has responded to the current ransomware epidemic by issuing ransomware advice for businesses and consumers. The FTC ransomware advice for businesses comes following a spate of high profile ransomware attacks on U.S businesses. The threat has prompted many U.S. government agencies to release ransomware advice for businesses in the past few months.
Ransomware is a form of malware that encrypts files on a victim’s computer and prevents them from being accessed. After a computer is infected, the attackers issue a ransom demand. In order to obtain the key to unlock the encryption the victim is required to pay a ransom. The ransom amount can be set by the attackers, although it is often around $500 per infected computer.
Ransomware has proved incredibly popular with cybercriminals as it offers a quick source of revenue. Since payment is made in an anonymous cryptocurrency such as Bitcoin, money can be collected without fear of being caught.
The scale of the problem has been shown by numerous reports by security firms. This month, SentinelOne released the results of a global survey that showed 48% of organizations had experienced at least one ransomware attack in the past 12 months. The companies that had been attacked had been forced to deal with an average of 6 ransomware incidents in the past year.
A report released by Beazley’s Breach Response Unit suggests ransomware attacks between January and September were four times higher than in 2015, while a report from Kaspersky Lab suggests there has been an eightfold increase in attacks in the past year.
Ransomware is installed via a number of different attack vectors. Ransomware gangs use exploit kits on websites that probe for vulnerabilities in browsers. Those vulnerabilities are leveraged to download ransomware. Malvertising is also used. This is the use of third party ad networks to spread malware. Adverts are created containing malicious code which directs users to websites that silently download ransomware. Ransomware downloaders were also allegedly sent out via Facebook Messenger this week.
While not all ransomware attacks result in files being encrypted, attacks carry a significant cost. SentinelOne suggests that in the United States, organizations spend an average of 38 man-hours restoring files from backups after a ransomware attack. Additional investment in security is also required after an attack.
Since ransomware can spread laterally across a network, a single infection can result in many computers being infected. Ransom demands of the order of tens of thousands of dollars are not uncommon. The recent ransomware attack on the San Francisco ‘Muni’ rail system saw a ransom demand of $73,000 issued.
Ransomware Advice for Businesses
Unfortunately, antivirus software can be ineffective at preventing ransomware attacks. Businesses looking to defend against ransomware must therefore use a range of techniques. These include:
- Ensuring all software is kept up to date and patches applied promptly
- Setting antivirus and antimalware programs to update definitions automatically
- Use endpoint security controls to prevent ransomware installations
- Implement a robust spam filter to prevent malicious emails from being delivered to end users
- Use a web filtering solution to prevent employees from visiting malicious websites and to monitor users’ online activities to identify high risk activities
- Use intrusion prevention software
- Train the workforce on security best practices and test knowledge to ensure training has been effective
- Ensure all members of staff are aware who to contact and what to do if they believe they have inadvertently installed malicious software
To avoid paying a ransom, it is essential to ensure that regular backups of data are performed. Multiple backups should be made to minimize the risk of data loss. Those backups should be stored on an air-gapped device to avoid backup files also being encrypted. A ransomware response plan should also be developed to reduce disruption to the business in the event of an attack.
After a period of quiet, the Necurs botnet is back in action. A number of security companies have reported a massive surge in botnet activity which started on June 21, 2016.
The Necurs botnet has previously been used to send out huge volumes of Dridex malware and Locky; a sophisticated ransomware variant that was first discovered in February 2016. It is too early to tell whether this is just a temporary spike in activity or whether the botnet will be sending emails at the levels seen before the recent lull.
Necurs botnet activity dropped off on May 31. The volume of malicious emails being sent using the botnet fell to as few as 3 million emails per day. However, the number of emails being sent surged on June 21, shooting up to around 80 million emails. 24 hours later the volume of malicious emails had doubled to 160 million. The surge in activity comes is linked to a massive spam email campaign that is delivering emails containing malicious attachments which install Locky ransomware.
It is unclear why there was a period of quiet. Security experts having been pondering this since the dramtic fall in activity on May 31.
The Necurs botnet is massive and is believed to contain approximately 1.7 million computers, spread over 7 separate botnets. It is clear that the botnet had not been taken down, although activity across all seven of the botnets stopped. In April and May of this year, spam email volume was regularly exceeding 150 million emails a day. Now the Necurs botnet appears to be back up to speed.
Around the same time as the pause in activity, Russia’s FSB security service conducted raids resulting in the arrests of approximately 50 hackers. The gang was using the Lurk Trojan to defraud banks and other targets in Russia. It is unclear whether some of those arrests resulted in a disruption to the botnet, or whether the pause was for some other reason. Numerous theories have been suggested for the three-week pause, including the sale or the botnet and issues the operators may have had with the C&C infrastructure. If the botnet has changed hands, a single organization would likely be in control as activity across all seven botnets resumed at the same time.
The resurrection of the Necurs botnet is bad news. According to Proofpoint, the resurrection of the botnet has been accompanied by a new Locky variant which has new capabilities. The latest form of Locky is better at evading detection and determining whether it is running in a sandbox. The new capabilities were detected by Proofpoint shortly before the Necurs botnet went dark.
A recent report issued by the Anti-Phishing Working Group highlights worrying phishing activity trends. According to the Phishing Activity Trends Report, the number of new phishing websites is growing at an alarming rate.
A recent report published by PhishMe showed that email phishing activity has now reached unprecedented levels. Phishing email volume increased by 789% quarter over quarter. The APWG report shows that cybercriminals are also increasingly conducting web-borne attacks. Phishing websites increased by 250% from the last quarter of 2015 through the first quarter of 2016.
APWG expected to see an increase in the number of phishing websites created in the run up to the holiday season. Every year, criminals take advantage of the increased number of online purchases being made around Christmas. Many new phishing websites are created in November and December and online fraud always increases in December.
However, typically, there is a drop in spamming an online fraud in January. This year that fall did not occur. In fact, the number of new phishing websites continued to rise in January. There was a slight fall in February, before a major increase in March. According to the Phishing Activity Trends Report, in December 2015, 65,885 unique phishing websites were detected. In January 2016, the total had risen to 86,557. By March the total had reached a staggering 123,555 unique phishing websites.
Cybercriminals are most commonly targeting the retail sector and are spoofing websites in an attempt to defraud consumers. 42.71% of phishing websites target the retail sector, with the financial sector in second place with 18.67% of sites. Payment services accounted for 14.74% of sites, ISPs 12.01%, and multimedia sites 3.3%.
The phishing activity trends report indicates an increase in the targeting of cloud-based or SAAS companies, which it is claimed is driving the attacks on the retail sector.
More than 55% of phishing websites contain the name of the target brand somewhere in the URL. Attackers are concentrating the attacks on the most popular brands. By March 2016, APWG reported that 418 different brands were being targeted using phishing websites.
Phishing email campaigns are known to be sent extensively from outside the United States, although when it comes to phishing websites they are usually hosted in the United States. 75.62% of phishing websites are hosted in the US.
The United States also hosts the most phishing-based Trojans and downloaders – 62.36%. China is also being extensively targeted. China hosted 5% of phishing-based Trojans and downloaders in January. By March, the figure had risen to 13.71%.
More than 20 million new malware samples were detected at the start of 2016 – That’s an average of 227,000 new malware samples every day. The majority of new malware are Trojans, which account for 66.81% of new samples. Viruses were second (15.98%) and worms third (11.01%).
The massive rise in phishing websites highlights how important it is for caution to be exercised when purchasing online. Businesses should also take additional precautions. Web filters can be used to block phishing websites from being visited by employees. A web filtering solution – WebTitan for example – can also be used to prevent drive-by downloads of malware and ransomware.
Vulnerabilities in Adobe Flash Player are discovered with such regularity that news of another raises few eyebrows, but the latest critical vulnerability – discovered in Adobe Flash Player 220.127.116.11 and earlier versions – is a cause for concern. It is already being exploited by hackers and is being used to infect users with ransomware.
Any device that is running Adobe Flash Player 18.104.22.168 (or earlier) is at risk of the vulnerability being exploited and malicious file-encrypting software being installed. The latest vulnerability can be used to attack Windows, Macs, Linux systems and Chromebooks, according to ProofPoint, although Adobe reports that the vulnerability only affects Windows 10 and earlier versions running the vulnerable versions.
Flash vulnerabilities are usually exploited by visiting malicious websites or webpages that have been compromised and infected with exploit kits. Those exploit kits probe for a range of weaknesses, such vulnerabilities in Adobe Flash Player, and exploit them to download malware or ransomware to the user’s device.
These drive-by attacks occur without users’ knowledge, as the downloaded file is not displayed in the browser and is not saved to the download folder. It is also difficult to determine whether a website has been compromised or is malicious in nature without software solutions that analyze the website content.
Vulnerabilities in Adobe Flash Player Exploited to Deliver Cerber and Locky Ransomware
The latest attack uses the Magnitude exploit kit. The fact that it is Magnitude suggests the latest ransomware attacks are the work of an individual cybercriminal gang. That gang has acted quickly to include the latest Flash vulnerability into Magnitude.
According to Trend Micro, the vulnerability is being used to deliver Locky ransomware – the malicious file-encrypting software that has been used to attack hospitals in the United States in recent weeks. Locky was reportedly the ransomware used in the attack on Hollywood Presbyterian Medical Center in February. That infection cost the healthcare organization $17,000 to remove, not to mention the cost of attempting to remove the infection and restore backup files prior to the ransom being paid.
ProofPoint suggests the vulnerability is being used to deliver Cerber ransomware. Cerber is a new ransomware that has was released in the past month. It can be used to encrypt files on all Windows versions, although not those in Russian.
Cerber and Locky are being downloaded via malicious websites, although these are typically not visited by the vast majority of Internet users. In order to get traffic to these sites the attackers are using spam email containing malicious attachments.
In contrast to many malicious spam emails that install malware using executable files and zip files, the attackers are using Word documents containing malicious macros. The macros do not download the ransomware directly, instead they direct the victim, via a number of redirects, to a malicious site where the drive-by download takes place.
The vulnerability, named as CVE-2016-1019, will crash Adobe Flash when it is exploited. Adobe reports that the vulnerability exists in 22.214.171.124. Trend Micro says the exploit will not work on versions 126.96.36.199 and 188.8.131.52, only on Flash 184.108.40.2066 and earlier versions due to mitigations put in place by Adobe.
ProofPoint’s Ryan Kalember said that the exploit has been engineered to only work on earlier versions of Flash and that attacks have been degraded to evade detection. All versions of Flash could potentially be used for the attack should the criminals behind the Magnitude exploit kit so wish.
Of course, this is just one of many vulnerabilities in Adobe Flash Player that can be exploited and used to deliver ransomware or other forms of malware. To prevent attacks, sysadmins should ensure that all devices are updated to the latest version of the software. Adobe said it was releasing a security update to address the vulnerability on April 7, 2016.
Vulnerabilities in Adobe Flash Player are addressed with updates, although there are two software solutions that can help to protect users from attack. Anti-spam solutions such as SpamTitan can be used to prevent spam email from being delivered, reducing the risk of end users opening Word documents infected with malicious macros.
WebTitan products tackle these attacks by blocking malicious websites, preventing users from visiting sites where drive-by downloads take place. There is usually a wait while vulnerabilities in Adobe Flash Player are addressed, and these two solutions can help keep devices malware free until updates are applied.
Each January, the PwC Annual Global CEO Survey is published detailing the major perceived threats to corporate growth. This year the results of the survey show that CEOs are more worried about the cost of dealing with cyberthreats, and believe that they can actually have a major negative impact on corporate growth.
Cost of dealing with cyberthreats a major impediment to 2016 growth
The global survey probed 1,409 CEOs about their concerns about impediments to growth, with cyberthreats ranking as one of the top ten major problems. 61% of respondents said they were worried about cyberthreats and the effect they will have on growth this year.
Over-regulation and geopolitical uncertainty were considered to be more pressing concerns, being cited by 79% and 74% or respondents, while the availability of key skills was mentioned as a major threat to growth by 72% of CEOs. The cost of dealing with cyberthreats was ranked as the eighth biggest impediment to growth in 2016.
While 60% of CEOs believe there are more opportunities for growth than 3 years ago, 66% said there were now more threats to growth. 26% said they only saw more opportunities, while 32% saying they only saw more threats.
The cost of dealing with cyberthreats is considerable, although nowhere near as high of the cost of failing to deal with them. Last year the Ponemon Institute calculated the cost of cyberthreats and determined the cost to businesses is soaring, with the IBM sponsored study determining the average cost of dealing with security breaches had risen to $3.8 million.
Some of the large organizations included in the study suffered cybercrime losses as high as $65 million, with the cost of cyberthreats having risen by 23% over the course of the past two years.
The IBM Cost of Data Breach Study determined the cost per stolen record to be between $145 and $154. When cybercriminals manage to steal millions of customer records, the cost to business can therefore be considerable.
Major cyberthreats of 2016
- Cloud computing
- Mobile devices
- State sponsored hacking
- Phishing attacks
- Medical devices
Cyberthreats may be an impediment to growth, but it doesn’t mean that those threats cannot be mitigated. Given the increasing risk it is imperative that adequate security defenses are put in place to repel attacks. Malware and ransomware are becoming more sophisticated and much more difficult to identify, as are the phishing campaigns that are used to deliver the malicious software. Anti-phishing strategies must therefore be implemented to block malicious emails and staff members must be trained how to identify phishing attacks when they do occur.
Implement SpamTitan to block emails from being delivered to employee’s inboxes, conduct regular staff training exercises to better educate employees, and perform phishing email tests to ensure that members of staff get practice at identifying dummy phishing emails.
It is also essential to develop policies and controls to limit the types of websites that employees are able to visit when using their work computers as well as for BYOD. Drive-by malware downloads are an increasing threat. Exploit kits are much more commonly used to probe for security vulnerabilities, such as out of date plugins. These can be exploited and used to download malware to devices without any interaction from the user.
To mitigate the risk, patch management policies must be developed. It is more essential than ever to ensure that all software is updated as soon as patches are released.
Following the recent news that Intel Security will be discontinuing McAfee SaaS Email Protection products, SpamTitan is preparing for 2016 when business customers start looking for a new email security vendor to ensure continued protection.
McAfee SaaS Email Protection to Come to an End
Intel Security, the new company name for McAfee, has taken the decision to exit the email security business. The company will be dropping McAfee SaaS Email Protection products and will be concentrating on other areas of business.
From January 11, 2016, McAfee SaaS Email Protection and Archiving and McAfee SaaS Endpoint will stop being sold by Intel Security. The news is not expected to trigger a mass exodus in early 2016, as Intel Security has announced that it will continue to provide support for the products for a further 3 years. Support for both McAfee SaaS Email Protection and Archiving and SaaS Endpoint will stop after January 11, 2019. However, many customers are expected to make the switch to a new email security provider in the new year.
SpamTitan Technologies Anti-Spam Solutions
SpamTitan Technologies offers a range of cost effective business email security appliances which keep networks protected from malware, malicious software, and email spam. Users benefit from dual AV engines from Kaspersky Lab and Clam Anti-Virus, offering excellent protection from email spam, phishing emails, and inbox-swamping bulk mail.
SpamTitan is a highly effective anti-spam solution that was first launched as an image solution. Following an agreement with VMware, SpamTitan was developed into a virtual appliance. The range of anti-spam products has since been developed to include SpamTitan OnDemand in 2011 and SpamTitan Cloud in 2013. In August 2015, SpamTitan blocked 2,341 billion emails and has helped keep business networks free from malware and viruses.
SpamTitan was the first Anti-Spam Appliance to be awarded with two Virus Bulletin VBSPAM+ awards and has also received 22 consecutive VBSpam Virus Bulletin certifications. Additionally, SpamTitan was awarded the Best Anti-Spam Solution prize at the Computing Security Awards in 2012.
Companies in over 100 countries around the world have chosen SpamTitan as their anti-email spam partner. The email security appliance stops 99.98% of email spam from being delivered.
WebTitan Web Filtering Solutions from SpamTitan Technologies
WebTitan Gateway offers small to medium businesses a cost effective method of blocking malware and malicious websites, with highly granular controls allowing individual, group, and organization-wide privileges to be set. Delivered as a software appliance that can be seamlessly integrated into existing networks, it is an essential tool to protect all business users and allow the Internet to be viewed securely.
WebTitan Cloud is a cloud-based web filtering solution requiring no software installations. Create your own web usership policies and block malware-infected websites, objectionable websites, and restrict Internet access to work-related content with ease. Benefit from a comprehensive set of reporting tools which allow the browsing activity of every end user in the organization to be easily monitored.
WebTitan Wi-Fi has been developed for Wi-Fi providers and MSPs to allow easy control of Internet access. WebTitan Wi-Fi allows users to easily block objectionable content and malicious websites, with controls able to be applied by location. The cloud solution requires no software installations. All that is required to start protecting your business is a simple DNS redirect to WebTitan cloud servers.
WebTitan web filtering solutions blocked 7,414 malware-infected webpages in August 2015, and have helped keep businesses better protected from malicious website content, phishing campaigns, and drive-by malware downloads.
A recent study conducted by CyberArk has revealed that enterprises now face a high level of risk of privileged account hacking. In fact, the majority of enterprises are at risk of being hacked. Many companies are underestimating the risk, although IT professionals have long been aware of the danger of privileged account hacking.
The study suggests 88% of enterprise networks are susceptible to attack. A complete compromise of the corporate network is possible via 40% of Windows machines. The researchers predict that all it would usually take is for one privileged account to be hacked to allow the attackers to gain access to most accounts and systems. The researchers also determined that any enterprise that has Windows hosts is susceptible to attack via privileged account hacking.
To produce the report “Analyzing Real-World Exposure to Windows Credential Theft Attacks” CyberArk surveyed 51 organizations of varying sizes to determine the level of risk faced from privileged account hacking and the extent to which networks could be compromised should hackers manage to gain access to super-user and/or service accounts.
The results of the survey paint an incredibly worrying picture. The hacking of privileged accounts is not just a problem that must be dealt with by large corporations. Small to medium-sized businesses are also being targeted. Hackers are gaining access to their systems and are using them to launch attacks on their supply chain partners.
The privileged account hacking risk is often underestimated
Many organizations are not even aware how substantial the privileged account hacking risk is. An organization employing 500 individuals may have 1500 or more privileged accounts according to the researchers. The risk of attack is greatest with servers and lower with workstations. This is because servers can be used to gain access to a much wider range of systems and data than workstations. If any one server is compromised, attackers can use that machine for privileged account hacking and can gain access to many other Windows hosts on the network.
Attackers have months to analyze the network infrastructure and exfiltrate data
Mandiant recently estimated the median number of days for enterprises to discover their networks have been compromised is 229 days. The latest report from CyberArk also suggests a similar timescale for detection – placing the time frame at between 6 to 8 months. Once attackers have gained access to a network, they are exceptionally good at hiding and covering their tracks, and have months to browse the network.
How are hackers gaining access to privileged account login credentials?
In many cases, user credentials are stolen via phishing campaigns. Oftentimes, the attacks are highly sophisticated and highly targeted. Individual users are selected and a campaign is developed to fool them into visiting a malicious website and downloading malware or opening an infected email attachment.
Information about the target is obtained via social media networks such as Facebook, Twitter, or LinkedIn. Their contacts are identified, and a phishing email is either sent from a hacked colleagues account or is masked to make it appear that it has been sent from a trusted individual.
All too often a sophisticated attack is not necessary. If malware can be installed on just one single computer, shared-privilege accounts can be used to gain access to a wide range of systems.
What can enterprises do to protect their networks from privileged account hacking?
Protecting against the hacking of privileged accounts is difficult. It is not possible to eliminate privileged accounts as they essential to the functioning of the business. Since these accounts cannot be eliminated, efforts must be made to make accounts more secure. Unfortunately, the management of privileged accounts is complicated and is difficult to automate.
A survey recently conducted by Dimensional Research/Dell highlights the extent of the current problem. 560 IT professionals were asked about privileged access management and 41% revealed that they did not use any software at all or rely on Excel or other spreadsheet software packages to manage their accounts.
Fewer than half of respondents did not log or monitor privileged account access. 23% did not have a defined account management process. 28% did not have a defined process for changing default passwords on new equipment and software. Passwords were also found not to be changed frequently. Only a quarter of organizations changed admin passwords every month.
Make it harder for networks to be compromised by privileged account hacks
In order to improve security and prevent the hacking of privileged accounts, IT professionals should:
- Develop a defined process for managing privileged accounts
- Conduct a full audit of the network to locate all privileged accounts
- Ensure all passwords are unique, complex, and very difficult to guess
- Monitor and audit account passwords
- Use different passwords for different systems
- Change default passwords on all new devices and software
- Change passwords at least once a month
- Implement an automated solution to manage privileged accounts
- Ensure that a full risk assessment is conducted and any security holes are plugged rapidly (Hours rather than weeks or months)
- Conduct an audit of all suppliers and business partners to ensure they have sufficient security in place
- Implement solutions to protect users from phishing and spear phishing attacks, such as anti-spam software with anti-phishing controls
- Implement a web filter to reduce the probability of a user downloading malware to the network from malicious websites.
Fail to secure your login credentials, and privileged account hacking will not be only be a risk; it will be a reality.
If you are a network decision maker, what should be your main focus? Which issues should demand your attention? This post covers five important considerations if you want to protect your critical assets.
The current threat landscape has become very serious
If you work in a large corporation, chances are you will not need to be reminded about the seriousness of the current threat landscape. However, if you work in an SME, the severity of the current situation may not be so apparent. According to the results of the 2012 Verizon Data Breach Investigations Report (DBIR), the main threat of data theft comes not from hackers intent on profiting from selling stolen data, but from hacktivist groups. In 2011, hacktivists were behind 58% of data breaches. Hackers were involved in 81% of all data breaches reported throughout the year.
One of the main issues in 2014 are what Verizon calls “low and slow attacks.” These are authentication attacks, web exploits and social engineering-based attacks. Malware is evolving and carries a much higher risk than when many companies deployed their security systems. The threat landscape is constantly changing and you must stay alert to the changing risks.
Corporate data is one of your biggest assets – Protect data like you protect your financial assets
Company data is incredibly valuable to cybercriminals. Credit card numbers (with expiry dates, holder names and CSCs) sell for up to $6 a set. If hackers obtain several hundred or several thousand, they can make a tidy profit. If Social Security numbers can be obtained, in particular those of minors, they can sell for up to $200 a set, especially if accompanied by medical records. Bank account information is also valuable. Account information can be sold for up to 10% of the balance of the account. As for proprietary company data, to the right person that could be sold for millions of dollars. Data is highly valuable and criminals will attempt to steal it. You must therefore ensure it is appropriately protected.
End users are actually the first line of defense
Firewalls and other systems designed to repel DDoS attacks and stop malware from being installed may be seen as the first line of defense; however, your end users are actually the first line. They are also the weakest link in the security chain, and cybercriminals know it. Many criminals target end users as it is easier to get them to download malware or reveal login credentials than to break through a firewall.
If you want to keep your network secure you must provide training and make end users more security aware. They must be instructed how to identify phishing campaigns, be shown good practices to adopt when surfing the Internet or using email. Social media best practices must also be taught, especially if access to the websites is not blocked.
Application and platform management policies need to be developed
In order to protect networks and connected devices from being infected with malware and viruses, policies must be developed covering the permitted uses of computer equipment, applications, Smartphones and other BYOD devices.
Even some companies that have adopted BYOD have not issued staff members with detailed policies on the allowable uses of their devices in the workplace. SpamTitan recently conducted a research study that showed a third of organizations have not covered the use of messaging and collaboration tools in their corporate policies. Make sure the use of Smartphones, tablets, portable storage devices, collaboration tools, email, Social media, and web 2.0 applications are all covered. This will help to ensure staff do not take unnecessary risks.
Prohibition didn’t work – Neither do blanket bans
Total bans on the use of Smartphones, laptops, social media, or online shopping at work will not prevent end users from bringing their devices to work or using the Internet for personal use. Controls such of these may actually have a negative impact on staff happiness and productivity. Many employers believe the reverse is the case and issue total bans. Controls must be implemented to prevent theft of data, but carefully consider blanket bans. They may sometimes be effective at protecting networks, but they are rarely good for the business.
How long are computer viruses active before they are discovered? A few months? A year? In the case of the Russian Snake Virus, Uroboros, it has been stealing data for 8 years. It has been detected, but that doesn’t mean that the threat is over. The virus will be present on many systems, and will continue to steal data as it is incredibly difficult to detect.
Where did the virus come from?
It has been called the Russian Snake Virus, as many researchers believe the virus was created in Russia. Snake because some believe the Russian government had a hand in its creation. Why? Because of the sophisticated nature of the virus. A malicious program as complex as Uroboros is believed to have required state sponsorship. Foreign governments have been known to create viruses before. China was behind the APT1 virus. Links have been uncovered that tie the virus to the Chinese military. However, so far no link has been proven between the Russian government and Uroboros.
The virus was not created to steal data from individuals. The creators had other loftier aims. The International Business Times reported that the virus was created to steal government secrets and strike at telecoms systems.
The exact targets have not all been announced by the researchers who discovered the virus, but another link to Russia comes from the fact that Ukraine was attacked 14 times by Uroboros. It would appear that the Department of Defense of the United States was also attacked by the Russian Snake Virus in 2010.
The virus is currently being analyzed by UK firm BAE and German company Gdata. As for the level of sophistication, it is reportedly equivalent to Stuxnet. For anyone unaware of Stuxnet, it was developed and used by the U.S. and Israel to destroy Iranian nuclear reactors. It caused them to spin out of control until they were destroyed. Very James Bond, but in this case very real.
Uroboros is a rootkit and hides inside kernel-level processes. Because of this it has remained undetected. Anti-Virus engines do not scan there, allowing it to remain undetected for so long.
The analysis of Uroboros by BAE is secret and, while more is now known, since the virus is part of an ongoing operation few details have been released. The virus is still in operation and may be attacking or monitoring foreign government systems right now. What is known is Uroboros targets a vulnerability in Windows in addition to software running on the Windows platform. The virus has managed to continue working despite new security features being incorporated into the operating system.
How does Uroboros work?
From the information released so far it is known that Uroboros hijacks a running process. It hides inside of processes that are part of Windows so evades detection. Because of this, AV engines do not detect it. The AV software assumes it is part of Windows, and fails to flag the virus or hijacked service as being malicious. The virus is understood to inject DLLs into the running process.
It sends data at the user and kernel level. When a user fires up their browser, the virus launches a GET request and obtains instructions from the hacker’s command and control center. Since hundreds of legitimate requests are usually made, the GET request from the virus remains hidden. The use of HTTP also allows it to bypass firewalls. Uroboros is not always active either. It may be for a short period of time before going to sleep. It is told to do this by the hacker in control of the virus, and may sleep for months if required.
One question that has not been answered is how the Russian Snake Virus infects a computer. According to BAE, Uroboros is installed by a USB plugged into a computer, but it may also be installed via a phishing email. It is known to hack network processes, and monitor and intercept inbound and outbound traffic. It is capable of exfiltrating data and logs and can receive inbound commands.
A security vulnerability in Oracle Virtualbox has been exploited by the virus, allowing access to be gained to the kernel memory. It updates a variable indicating Windows was started in WinPE mode. Unsigned DLL files can then be loaded. These files do not have their owner and integrity verified. The Russian Snake Virus is capable of mounting virtual and physical drives, and different versions exist allowing it to be installed on different operating systems.
How can an attack of this nature be avoided?
Unfortunately, with malicious software such as the Russian Snake Virus it is difficult to totally protect a computer. There are steps that can be taken to reduce the likelihood of infection:
- The virus may be transmitted via phishing and spam emails: Block these using Anti-Spam software
- Issue training on anti-phishing strategies to employees
- Ban the use of all USB drives in your organization
- Keep software systems up to date with patches and, better still, upgrade Windows to the latest version
- Use diskless devices such as Chromebooks as much as possible
- Ensure packet-level inspections read HTTP traffic to look for signals that malware or viruses are communicating with command and control servers
- Data encryption can be used to protect stored data, but unfortunately not the memory
The Russian Snake virus: A risk for everyone or just foreign governments?
At present, the virus is believed to be used to attack foreign governments. Unfortunately, when details are released they can be used to create variants. Non state-sponsored hackers may not have been able to create the virus, but the techniques used to exploit computers and networks can be copied. This may already have occurred.
The next few years may see a number of different versions of the virus discovered, which may be used for many different reasons. Specific data may be targeted and stolen, or systems sabotaged. Only time will tell.
The discovery shows the lengths that some individuals and groups will go to in order to steal data, and why it is essential to implement multi-layered security systems to protect computers and computer networks, and always to use controls to prevent phishing emails from being delivered, and responded to.
Phishing is not a problem that must only be dealt with by consumers. Businesses are being targeted based on the financial organizations they use, according to the latest research conducted by Kaspersky Labs. The Anti-Virus software provider has been investigating the evolution of phishing. The study looked at the attacks that had taken place between May 2012 and April 2013. The survey revealed that phishers are changing tactics, and are attempting to obtain bank account information. If business bank accounts can be obtained, so much the better. They usually contain much more money than personal accounts.
Hackers often target businesses they despise. Their intention is not always to make money but to cause harm. If bank accounts can be obtained they can be sold to cybercriminals. Accounts are plundered, and sometimes businesses go bust as a result. You may not have offended any hackers, but that doesn’t put you in the clear. Some hackers are involved in organized crime and they will not care who they target as long as money can be obtained.
If a bank is targeted and you lose funds, can you sue them?
A bank is attacked and a business loses money from its account. Can a business sue a bank for a cyberattack? Some are now trying.
EMI has filed a lawsuit against Comerica, in which it claims that the financial institution failed to implement appropriate security defenses which directly led to one EMI employee falling for a phishing campaign. An employee was tricked into revealing EMIs bank account details. As a result, over $500,000 was rapidly transferred out of EMIs accounts. Protections were not in place at the bank to stop this.
Unsurprisingly, the bank has claimed that this was the fault of EMI. It is EMIs responsibility to ensure its employees are trained, and do not fall for phishing campaigns. The bank could have done nothing to prevent that employee from falling for the phishing scam. EMI could have taken action though. It is unlikely that the lawsuit will result in the bank having to cover the losses of EMI.
Phishing prevention starts with staff training
If you want to protect your company’s bank balance, and stop phishers making transfers, the first step to take is to provide all staff members with cybersecurity training. One response to a phishing email is all it takes to see a bank account emptied. It therefore makes a great deal of sense to instruct members of staff about phishing emails. In the above case, the provision of such training may have saved $500,000.
The FBI estimates that these schemes, and other cyberattacks, net online criminals around $100 billion a year. These funds are obtained from large corporations and individuals, but small businesses are now being increasingly targeted. They lack the security software used by large corporations and their bank accounts contain more money than consumer accounts.
Unfortunately for SMEs, the same protections are needed as those used by large corporations. Unfortunately, IT budgets are not nearly as large. SMEs must therefore choose the best protections to put in place that will offer the greatest protection for the least outlay. Many do not even employ dedicated cybersecurity staff, so the products they choose must be easy to install, operate and maintain.
To protect against phishing, businesses must concentrate not on protecting their network with firewalls, but protecting end users. They are the ones who will be targeted by a phishing attack.
There are two methods that can be used in this regard (apart from staff training): The use of a spam filter to prevent phishing emails from being delivered, and a web filter to stop users visiting phishing websites.
The number of phishing attacks has increased significantly over the course of the past year. Because the tactic is proving to be so profitable, 2013 and 2014 are likely to see even more attacks take place. Any business that fails to take action to address the risk is likely to become a victim. Maybe not today, maybe not tomorrow, but soon.
Being forewarned is being forearmed, which is why SpamTitan has issued five network and email security predictions for 2013. Over the course of the next 12 months, mobile applications and social media networks are likely to have a major impact on businesses, especially small to medium-sized enterprises. However, both have potential to introduce new security risks. These will need to be addressed.
Last year the volume of cyberattacks increased, as did the variety of new malware identified. More sophisticated cyberattacks were conducted in 2013 than in previous years, and they have proven to be even more damaging.
Last year was difficult for IT security professionals. Unfortunately, the coming year is unlikely to be any easier. If you want to keep your network secure and your data protected, a considerable effort will be required over the next 12 months!
SpamTitan Network and Email Security Predictions for 2013
1. Social media monitoring will become essential to keep networks secure and staff productive
The popularity of social media websites is growing, and people are now spending an extraordinary amount of time connecting with people online, sending messages, reading and writing posts, uploading photographs, friending and poking. People crave interaction so this should be no surprise. With even more social media sites to choose from, and the use of the sites now ingrained, employees will want to use the sites more frequently at work. It is up to employers to harness the power of social media and prevent abuse.
Managers who have yet to tackle the issue of social media website use at work will need to take action in 2013. Whether it is implementing a ban or policies covering usage, the issue will not be able to be ignored any more. Since employees will use the sites even if a ban is implemented, we expect more companies to start adopting ways to curb usage, as well as taking action to address the network security risks the sites pose.
2. BYOD is here to stay and the trend will continue
BYOD is driven by employees, not by employers. Employees want to bring their own devices to work, and employers can reap the benefits. The problem that must be addressed is how to manage the considerable security risks. Many companies will decide the risks posed by the devices outweigh the benefits, and many will look to harness the power of web tools and cloud based applications.
We expect security polices will need to be put in place by organizations in 2013. Employees who are permitted to bring their own devices to work are likely to have more restrictions put in place on the use of those devices. Additional security measures to enforce policies will also be installed.
3. Cybercriminals will start to use social media as the main way of profiling targets
As the use of social media networks grows and consumers spend more time on the sites, cybercriminals will start to use the websites as a way of identifying and profiling their targets for spear phishing campaigns. Malware attacks via Facebook and other social media platforms are also likely to increase over the next 12 months. Criminals will also become more skilled at using social media networks to obtain the information necessary to defraud their targets.
Email spam volumes should continue to fall as criminals find it harder to profit from spamming campaigns. The past 2-3 years have seen spam volume decline and this is likely to continue in 2013. 3 years ago, the volume of spam emails stood at around 90% of all emails sent. Now the figure is around 70%. We expect the total to fall to around 60% this year.
4. Phishing attacks will primarily be conducted via social media websites
Phishing campaigns have been found to be highly effective on Facebook and Twitter. These two social media platforms were the most popular with phishers last year, and that is likely to continue in 2013. Social media campaigns can be conducted rapidly, and require little outlay. As the threat grows, we expect organizations to take action and implement defenses to reduce the risk of their employees falling for phishing schemes. They will be given little choice if they want to keep their networks protected.
5. Market consolidation to continue and businesses will increasingly consider alternative solution providers
The information security industry is likely to see even more market consolidation in 2013. Smaller companies will merge, with numerous takeovers expected. Last year, Trustwave bought out M86 Security, and Eleven GmbH was acquired by Commtouch.
However, end user businesses should find they can stay competitive if they concentrate on niche products. Specialist products will continue to be developed and fine-tuned, offering consumers more powerful security solutions for specific areas of network security.
Do you agree with our network and email security predictions for 2013? We expect, as an IT professional, you will have your own security predictions for 2013. What do you think the next 12 months have in store for IT security pro’s?