Our website filtering category includes the latest news and advice on content filtering: Restricting access to inappropriate online content such as pornography, blocking illegal activities such as copyright-infringing file downloads and blocking other potentially harmful or productivity-draining web content.
This news section also includes updates on web-based threats including ransomware, malware and phishing websites. While spam email is the current number one attack vector and the most common medium used for phishing, organizations should not neglect Internet threats such as exploit kits and malvertising. Articles on the latest threats and possible mitigations are also included in this category.
You will also find useful tips and advice on Internet content filtering and how best to protect your organization with a web filtering solution. Many of the news items in this section are particularly relevant to Managed Service Providers (MSPs) looking to increase revenue and provide a more comprehensive range of security solutions to their clients.
2017 has seen a major rise in malicious spam email volume, and the number of malicious messages sent each month has grown as the year has progressed. A new report from Proofpoint shows malicious spam email volume rose by 85% in Q3 2017 compared with the previous quarter.
A deeper dive into the content of those messages shows that cybercriminals’ tactics have changed. In 2017 there has been a notable shift toward malicious URLs sent via email and away from attachments containing malware. Links to sites hosting malware jumped by 600% in Q3 compared with Q2, a 2,200% increase on the same quarter last year. This level of malicious URL use has not been seen since 2014.
The links direct users to malicious websites registered by cybercriminals, and to legitimate sites that have been hijacked and loaded with exploit kits. In many cases, simply clicking the link and landing on the page with an unpatched browser or plugin is all that is required to infect the user’s computer with malware.
Many malware families are now in use, but the biggest threat category in Q3 was ransomware, which accounted for 64% of all email-based malware attacks. There are many ransomware variants in circulation, but the undisputed king in Q3 was Locky, accounting for 55% of total malicious message volume and 86% of all ransomware attacks. There was also a rising trend in destructive ransomware: ransomware that encrypts files but offers victims no way to recover them.
The second biggest malware threat category was banking Trojans, which accounted for 24% of malicious spam email volume. Dridex has long been a major threat, although in Q3 it was a Trojan called The Trick (also known as Trickbot) that became the top banking Trojan. The Trick was used in 70% of all banking Trojan attacks.
Unsurprisingly, with such a substantial rise in malicious spam email volume, email fraud has also risen, up 12% quarter over quarter and up 32% from this time last year.
Cybercriminals are constantly changing tactics and frequently switch malware variants and attack methods, but for the time being at least, exploit kits are still not favored. Exploit kit attacks are at just 10% of the level of last year’s high, with spam email now the main method of malware delivery.
With malicious spam email volume having increased once again, and a plethora of new threats and highly damaging malware attacks posing a very real risk, it is essential that businesses double down on their defenses. The best way to defend against email threats is to improve spam defenses. An advanced spam filtering solution is essential for blocking email threats. The more malicious emails that are captured and prevented from being delivered, the lower the chance of end users clicking on malicious links and downloading malware.
SpamTitan blocks more than 99.9% of spam emails, helping to keep inboxes free from malware threats. No single solution can block all email threats, so a spam filtering solution should be accompanied with endpoint security solutions, web filters to block malicious links from being visited, antimalware and antivirus solutions, and email authentication technology.
While it is easy to concentrate on technology to protect against email threats, it is important not to forget to train employees to be more security aware. Regular training sessions, cybersecurity newsletters and bulletins about the latest threats, and phishing simulation exercises can help employees improve their threat detection skills and raise cybersecurity awareness.
Bad Rabbit ransomware attacks have been reported throughout Russia, Ukraine, and Eastern Europe. While new ransomware variants are constantly being developed, Bad Rabbit ransomware stands out due to the speed at which attacks are occurring, the ransomware’s ability to spread within a network, and its similarity to the NotPetya attacks in June 2017.
Bad Rabbit Ransomware Spreads via Fake Flash Player Updates
While Bad Rabbit ransomware has been likened to NotPetya, the initial method of attack differs. Rather than arriving through the Windows Server Message Block (SMB) vulnerability exploited by NotPetya, the latest attacks start with a fake Flash Player update: compromised news and media websites display an urgent update warning, and the infection occurs when the user downloads and runs the bogus installer.
The malicious payload is packed in an executable file called install_flash_player.exe. That executable drops C:\Windows\infpub.dat, a DLL that is launched with rundll32.exe and starts the encryption process. Files are encrypted with AES, and the AES key is then encrypted with an embedded RSA-2048 public key; disk-level encryption and the replacement bootloader come from a legitimate driver belonging to the open source DiskCryptor utility, dropped as C:\Windows\cscc.dat. Bad Rabbit does not change the extension of encrypted files; instead it appends the marker string "encrypted" to the end of each file’s contents.
Once installed, it spreads laterally via SMB. Researchers at ESET do not believe Bad Rabbit uses the ETERNALBLUE exploit incorporated into WannaCry and NotPetya. Instead, the ransomware tries a hardcoded list of commonly used usernames and passwords against network shares, in addition to credentials extracted from the compromised device with a bundled Mimikatz tool.
Similar to NotPetya, Bad Rabbit replaces the Master Boot Record (MBR). Once the MBR has been replaced, a reboot is triggered, and the ransom note is then displayed.
Victims are asked to pay a ransom of 0.05 Bitcoin (around $280 at the time) via a payment site on the Tor network. If the ransom is not paid within 40 hours of infection, the amount demanded increases. It is currently unclear whether paying results in a valid key being provided.
So far confirmed victims include the Russian news agencies Interfax and Fontanka, the Ministry of Infrastructure of Ukraine, the Odessa International Airport, and the Kiev Metro. In total there are believed to have been more than 200 attacks so far in Russia, Ukraine, Turkey, Bulgaria, Japan, and Germany.
How to Block Bad Rabbit Ransomware
To prevent infection, Kaspersky Lab has advised companies to restrict the execution of files with the paths C:\Windows\infpub.dat and C:\Windows\cscc.dat.
A related "vaccine" is to create empty files at those two paths in advance with read, write and execute permissions removed for all users, so that the dropper cannot write its payload there. This only blocks the file names used by the samples analysed so far and should be treated as a stopgap.
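The placeholder approach above, as an added example in PowerShell (not code from the original article, Kaspersky Lab, or TitanHQ). It pre-creates the two file names given in the text, strips every access control entry from them, and then verifies the result. The function names are this example's own; the paths are the ones named in the text. Run it from an elevated PowerShell session on each host:

```powershell
# Added example, not from the original article or from Kaspersky Lab: pre-create the two
# file names Bad Rabbit drops and strip all permissions so the dropper cannot write them.
# Must be run from an elevated (administrator) PowerShell session on each Windows host.
$vaccinePaths = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Install-BadRabbitPlaceholder {
    param([Parameter(Mandatory)][string]$Path)

    if (Test-Path -LiteralPath $Path) {
        # A file that is already there may be the real payload: do not overwrite it.
        $item = Get-Item -LiteralPath $Path -Force
        Write-Warning ("{0} already exists ({1} bytes, written {2} UTC); examine it before proceeding" -f
            $Path, $item.Length, $item.LastWriteTimeUtc)
        return $false
    }

    # Zero-byte placeholder with the exact name the dropper uses.
    New-Item -Path $Path -ItemType File -Force | Out-Null

    # Remove the inherited access control entries and add none of our own. The resulting
    # empty DACL grants no principal read, write or execute access. An administrator can
    # still take ownership and reset the ACL later, which is how the placeholder is removed.
    & icacls.exe $Path /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed on $Path (exit code $LASTEXITCODE)"
        return $false
    }
    return $true
}

function Test-BadRabbitPlaceholder {
    param([Parameter(Mandatory)][string]$Path)
    # True only if the file exists and no principal holds any access rule on it.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    return ($acl.Access.Count -eq 0)
}

foreach ($p in $vaccinePaths) {
    if (Install-BadRabbitPlaceholder -Path $p) {
        $ok = Test-BadRabbitPlaceholder -Path $p
        Write-Output ("{0}: placeholder in place, empty DACL = {1}" -f $p, $ok)
    }
}
```

Because the DACL is empty, even administrators cannot open the placeholders until someone takes ownership and resets the permissions, which is how they are removed later. The check covers only the two file names used by the samples analysed so far; a variant that drops differently named files is unaffected.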
On Friday, the U.S. Department of Homeland Security’s (DHS) computer emergency readiness team (US-CERT) issued a new warning about phishing attacks on energy companies and other critical infrastructure sectors.
Advanced persistent threat (APT) actors are conducting widespread attacks on organizations in the energy, aviation, nuclear, water, and critical manufacturing sectors. Those attacks, some of which have been successful, have been occurring with increasing frequency since at least May 2017. The group behind the attack has been called Dragonfly by AV firm Symantec, which reported on the attacks in September.
DHS believes the Dragonfly group is a nation-state sponsored hacking group whose intentions are espionage, open source reconnaissance and cyberattacks designed to disrupt energy systems.
These cyberattacks are not opportunistic like most phishing campaigns. They are targeted attacks on specific firms within the critical infrastructure sectors. While some firms have been attacked directly, in many cases the attacks occur through a ‘staging’ company that has previously been compromised. These staging companies are trusted vendors of the targeted organization. By conducting attacks through those companies, the probability of an attack on the target firm succeeding is increased.
DHS warns that the attackers are using several methods to install malware and obtain login credentials. The phishing attacks on energy companies have included spear phishing emails designed to get end users to reveal their login credentials, and emails carrying malicious attachments that install malware.
In the case of the former, emails direct users to malicious websites where they are required to enter in their credentials to confirm their identity and view content. While some websites have been created by the attackers, watering hole attacks are also occurring on legitimate websites that have been compromised with malicious code. DHS warns that approximately half of the attacks have occurred through sites used by trade publications and informational websites “related to process control, ICS, or critical infrastructure.”
Phishing emails containing malicious attachments either install malware directly or contain hyperlinks that direct the user to websites where a drive-by malware download occurs. The links are often shortened URLs created with the bit.ly and tinyurl services. The attackers are also using email attachments that leverage legitimate Windows and Office features to retrieve a file from a remote server over the Server Message Block (SMB) protocol. Because the client authenticates to that server before fetching the file, the same SMB technique is also used to harvest login credentials: the outbound connection hands the user’s credential hash to the attacker.
The malicious attachments are often PDF files that claim to be policy documents, invitations, or résumés. Some of the phishing attacks on energy companies have used a PDF attachment named “AGREEMENT & Confidential.” In this case the PDF contains no malicious code, only a hyperlink to a website where the user is prompted to download the malicious payload.
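A check for the SMB retrieval technique described above, as an added example (not code from the original article or from US-CERT). Office Open XML attachments (.docx, .xlsx, .pptx and their template and macro-enabled variants) are ZIP containers, and an external template, OLE object or hyperlink that points at a UNC path or a file:// URL is recorded in the package's relationship and XML parts. The function opens the package and reports every part that references such a path, together with the host that Windows would contact over SMB when the document is opened. The function name, the quarantine folder and the regular expression are this example's own assumptions:

```powershell
# Added example, not code from the original article or from US-CERT. Finds Office Open XML
# attachments that reference a UNC path or file:// URL. Opening such a document makes Windows
# contact the named host over SMB and authenticate to it, which is the file-retrieval and
# credential-harvesting behaviour described in the text. Part names follow the Office Open
# XML packaging conventions; the regular expression and the folder are this example's own.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-ExternalSmbReference {
    param([Parameter(Mandatory)][string]$Path)

    # Matches \\host\..., file://host/..., file:///\\host\... and file://///host/...,
    # capturing the host name or address.
    $uncPattern = '(?i)(?:file:/{2,}|(?:file:/+)?\\\\+)([A-Za-z0-9._-]+)[\\/]'
    $findings = @()

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Relationship parts (*.rels) hold attachedTemplate, oleObject and hyperlink
            # targets; ordinary XML parts can carry the same strings in fields and links.
            if ($entry.FullName -notmatch '\.(rels|xml)$') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($m in [regex]::Matches($text, $uncPattern)) {
                $findings += [pscustomobject]@{
                    Document     = $Path
                    Part         = $entry.FullName
                    Host         = $m.Groups[1].Value
                    ExternalMode = ($text -match 'TargetMode="External"')
                    Template     = ($text -match 'attachedTemplate')
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage: scan attachments saved under a quarantine folder (path assumed) and list the hosts
# each document would contact over SMB when opened.
Get-ChildItem -Path 'C:\Quarantine' -Include *.docx,*.dotx,*.docm,*.dotm,*.xlsx,*.xlsm,*.pptx -Recurse |
    ForEach-Object { Find-ExternalSmbReference -Path $_.FullName } |
    Sort-Object Document, Host -Unique |
    Format-Table Document, Part, Host, ExternalMode, Template -AutoSize
```

The output needs triage: a link to an internal file server is normal, while a host that is an Internet IP address or an unknown name is the indicator. A document that has already been opened on a workstation will have produced an outbound SMB connection to that host, so the same hosts are what to look for in firewall and proxy logs.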
US-CERT has advised companies in the targeted sectors that the attacks are ongoing, and action should be taken to minimize risk. Those actions include implementing standard defenses to prevent web and email-based phishing attacks such as spam filtering solutions and web filters.
Since systems may already have been breached, firms should be checking regularly for signs of intrusion: reviewing event and application logs, and looking for unexplained file deletions, file changes, and the creation of new user accounts.
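One of those intrusion checks, the creation of new user accounts and changes to group membership, as an added PowerShell example (not code from the original article or from US-CERT). It queries the Windows Security event log for the standard account-management event IDs over a chosen window and flattens each event's data into one row. The function name and the selection of event IDs are this example's; the IDs themselves are Microsoft's documented Security log identifiers, and they are only recorded if the audit policy for user account and security group management is enabled:

```powershell
# Added example, not code from the original article or from US-CERT. Lists account creation
# and group membership changes from the Windows Security log, two of the intrusion signs
# mentioned in the text. Event IDs are Microsoft's documented Security log IDs; they are only
# written if "Audit User Account Management" and "Audit Security Group Management" are enabled.
# Run from an elevated session; -ComputerName queries another host's event log remotely.
function Get-AccountChangeEvent {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $eventNames = @{
        4720 = 'User account created'
        4722 = 'User account enabled'
        4728 = 'Member added to security-enabled global group'
        4732 = 'Member added to security-enabled local group'
        4756 = 'Member added to security-enabled universal group'
    }

    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$eventNames.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent reports "no events found" as an error rather than an empty result,
    # so that case is silenced and the function simply returns nothing.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Field positions differ between event IDs, so read the named EventData fields
            # from the event XML instead of relying on Properties[n] offsets.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # 4720/4722 name the account in TargetUserName; the group events name the
            # member in MemberName and the group in TargetUserName.
            $isGroupEvent = $data.ContainsKey('MemberName')
            $account = if ($isGroupEvent) { $data['MemberName'] } else { $data['TargetUserName'] }
            $group   = if ($isGroupEvent) { $data['TargetUserName'] } else { '' }

            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                EventId  = $_.Id
                Event    = $eventNames[$_.Id]
                Account  = $account
                Group    = $group
                Actor    = $data['SubjectUserName']
            }
        }
}

# Usage: account changes on this host in the last 30 days, newest first. Any account or
# group change that no administrator can account for is worth investigating.
Get-AccountChangeEvent -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The Actor column is the account that performed the change; a service account or an ordinary user creating accounts or adding members to Administrators is the pattern to look for. On a domain, run the same query against the domain controllers, where the group events for domain groups are recorded.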
Today is the start of the 14th National Cyber Security Month – A time when U.S. citizens are reminded of the importance of practicing good cyber hygiene, and awareness is raised about the threat from malware, phishing, and social engineering attacks.
The cybersecurity initiative was launched in 2004 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) with the aim of creating resources for all Americans to help them stay safe online.
While protecting consumers has been the main focus of National Cyber Security Month since its creation, during the past 14 years the initiative has been expanded considerably. Now small and medium-sized businesses, corporations, and healthcare and educational institutions are assisted over the 31 days of October, with advice given to help develop policies, procedures, and implement technology to keep networks and data secure.
National Cyber Security Month Themes
2017 National Cyber Security Month focuses on a new theme each week, with resources provided to improve understanding of the main cybersecurity threats and explain the actions that can be taken to mitigate risk.
Week 1: Oct 2-6 – Simple Steps to Online Safety
It has been 7 years since the STOP. THINK. CONNECT. campaign was launched by the NCSA and the Anti-Phishing Working Group (APWG). As the name suggests, the campaign encourages users to learn good cybersecurity habits: to assume that any email or website may be a scam, and to be cautious online and when opening emails. Week one will see more resources provided to help consumers learn cybersecurity best practices.
Week 2: Oct 9-13 – Cybersecurity in the Workplace
With awareness of cyber threats raised with consumers, the DHS and NCSA turn their attention to businesses. Employees may be the weakest link in the security chain, but that need not be the case. Education programs can be highly effective at improving resilience to cyberattacks. Week 2 will see businesses given help with their cyber education programs to develop a cybersecurity culture and address vulnerabilities. DHS/NCSA will also be promoting the NIST Cybersecurity Framework and explaining how its adoption can greatly improve organizations’ security posture.
Week 3: Oct 16-20 – Predictions for Tomorrow’s Internet
The proliferation of IoT devices has introduced many new risks. The aim of week three is to raise awareness of those risks – both for consumers and businesses – and to provide practical advice on taking advantage of the benefits of smart devices, while ensuring they are deployed in a secure and safe way.
Week 4: Oct 23-27 – Careers in Cybersecurity
There is a crisis looming – A severe lack of cybersecurity professionals and not enough students taking up cybersecurity as a profession. The aim of week 4 is to encourage students to consider taking up cybersecurity as a career, by providing resources for students and guidance for key influencers to help engage the younger generation and encourage them to pursue a career in cybersecurity.
Week 5: Oct 30-31 – Protecting Critical Infrastructure
As we have seen already this year, nation-state sponsored groups have been sabotaging critical infrastructure and cybercriminals have been targeting critical infrastructure to extort money. The last two days of October will see awareness raised of the need for cybersecurity to protect critical infrastructure, which will serve as an introduction to Critical Infrastructure Security and Resilience Month in November.
European Cyber Security Month
While National Cyber Security Month takes place in the United States, across the Atlantic, European Cyber Security Month is running in tandem. In Europe, similar themes will be covered with the aim of raising awareness of cyber threats and explaining the actions EU citizens and businesses can take to stay secure.
This year is the 5th anniversary of European Cyber Security Month – a collaboration between The European Union Agency for Network and Information Security (ENISA), the European Commission DG CONNECT and public and private sector partners.
As in the United States, each week of October has a different theme with new resources and reports released, and events and activities being conducted to educate the public and businesses on cybersecurity.
European Cyber Security Month Themes
This year, the program for European Cyber Security Month is as follows:
Week 1: Oct 2-6 – Cybersecurity in the Workplace
A week dedicated to helping businesses train their employees to be security assets and raise awareness of the risks from phishing, ransomware, and malware. Resources will be provided to help businesses teach their employees about good cyber hygiene.
Week 2: Oct 9-13 – Governance, Privacy & Data Protection
With the GDPR compliance date just around the corner, businesses will receive guidance on complying with GDPR and the NIS Directive, to help them get ready for May 2018.
Week 3: Oct 16-20 – Cybersecurity in the Home
As more IoT devices are being used in the home, the risk of cyberattacks has grown. The aim of week 3 is to raise awareness of the threats from IoT devices and to explain how to keep home networks secure. Awareness will also be raised about online fraud and scams targeting consumers.
Week 4: Oct 23-27 – Skills in Cyber Security
The aim in week 4 is to encourage the younger generation to gain the cyber skills they will need to embark upon a career in cybersecurity. Educational resources will be made available to help train the next generation of cybersecurity professionals.
Use October to Improve Your Cybersecurity Defenses and Train Your Workforce to Be Security Titans
This Cyber Security Month, why not take advantage of the additional resources available and use October to improve your cybersecurity awareness and train your employees to be more security conscious.
When the month is over, don’t shelve cybersecurity for another 12 months. The key to remaining secure and creating a security culture in the workplace is to continue training, assessments, and phishing tests throughout the year. October should be taken as a month to develop and implement training programs and to work toward creating a secure work environment and build a cybersecurity culture in your place of work.
Dropbox phishing attacks are relatively common and frequently fool employees into revealing their sensitive information or downloading malware.
Dropbox is a popular platform for sharing files, and employees are used to receiving links advising them that files have been shared with them by colleagues and contacts. Phishers are taking advantage of that familiarity with the platform.
There are two main types of Dropbox phishing attacks. One involves sending a link that asks users to verify their email address. Clicking the link directs them to a spoofed Dropbox website that closely resembles the official website. They are then asked to enter in their login credentials as part of the confirmation process.
Dropbox phishing attacks are also used to deliver malware such as banking Trojans and ransomware. A link is sent to users relating to a shared file. Instead of accessing a document, clicking the link will result in malware being downloaded.
Over the past few days, there has been a massive campaign using both of these attack methods involving millions of spam email messages. Last week, more than 23 million messages were sent in a single day.
Most of the emails were distributing Locky ransomware, with a smaller percentage used to spread Shade ransomware. There is no free decryptor available to unlock files encrypted by Locky or Shade. If files cannot be recovered from backups, victims will have to dig deep.
Due to the recent rise in the value of Bitcoin, the cost of recovery is considerable. The malicious actors behind these attacks are demanding 0.5 Bitcoin per infected device, around $2,400 at current prices. For a business with multiple devices infected, recovery could cost tens if not hundreds of thousands of dollars.
According to F-Secure, the majority of malware-related spam messages detected recently – 90% – are being used to distribute Locky. Other security researchers have issued similar reports of a surge in Locky infections and spam email campaigns.
To prevent Locky ransomware attacks, businesses should install an advanced spam filtering solution to prevent malicious emails from being delivered to end users’ inboxes. Occasional emails are likely to make it past spam filtering defenses so it is important that all users receive security awareness training to help them identify malicious emails.
A web filter can be highly effective at blocking attempts to visit malicious websites where malware is downloaded, while up to date antivirus and anti-malware solutions can detect and quarantine malicious files before they are opened.
Backups should also be made of all data and systems, and those backups should be stored on an air-gapped device. Ransomware variants such as Locky delete the Windows Volume Shadow Copies that would otherwise allow local recovery, and if a backup device remains connected it is probable that the backup files will be encrypted too.
Best practice for backups is the 3-2-1 rule: at least three copies of the data, on two different media, with one copy stored off site and offline. Backups should also be tested regularly to make sure files can actually be recovered in the event of a disaster.
The increase in ransomware attacks has prompted the National Institute of Standards and Technology (NIST) to develop new guidance, NIST Special Publication 1800-11, on recovering from ransomware attacks and other data-destroying events. The draft guidance is available from NIST.
The retail industry is under attack with cybercriminals increasing their efforts to gain access to PoS systems. Retail industry data breaches are now being reported twice as frequently as last year, according to a recent report from UK law firm RPC.
Retailers are an attractive target. They process many thousands of credit card transactions each week and store huge volumes of personal information of consumers. If cybercriminals can gain access to Point of Sale systems, they can siphon off credit and debit card information and stolen consumer data can be used for a multitude of nefarious purposes.
Many retailers lack robust cybersecurity defenses and run complex systems on aging platforms, making attacks relatively easy.
While cyberattacks are common, the increase in data breaches does not necessarily mean hacks are on the rise. RPC points out that there are many possible causes of data breaches, including theft of data by insiders. Retailers need to improve their defenses against attacks by third parties, although it is important not to forget that systems also need to be protected from internal threats.
Preventing retail industry data breaches requires a range of cybersecurity protections, but technology isn’t always the answer. Errors made by staff can easily result in cybercriminals gaining easy access to systems, such as when employees respond to phishing emails.
Employees are the last line of defense and that defensive line is frequently tested. It is therefore essential to improve security awareness. Security awareness training should be provided to all employees to raise awareness of the threat from phishing, malware and web-based attacks.
Phishing emails are the primary method of spreading malware and ransomware. Training staff how to identify phishing emails – and take the correct actions when email-based threats are received – will go a long way toward preventing retail industry data breaches. Employees should be taught the security basics such as never opening email attachments or clicking hyperlinks in emails from unknown individuals and never divulging login credentials online in response to email requests.
Employees can be trained to recognize email-based threats, although it is important to take steps to prevent threats from reaching inboxes. An advanced spam filtering solution is therefore a good investment. Spam filters can block the vast majority of spam and malicious emails, ensuring employees security awareness is not frequently put to the test. SpamTitan blocks more than 99.9% of spam and malicious emails, ensuring threats never reach inboxes.
Web-based attacks can be blocked with a web filtering solution. By carefully controlling the types of websites employees can access, retailers can greatly reduce the risk of malware downloads.
As the recent WannaCry and NotPetya malware attacks have shown, user interaction is not always required to install malware. Both of those global attacks spread between machines without any action by employees, by exploiting a vulnerability in the Windows operating system.
In both cases, patches had been released prior to the attacks that would have protected organizations from the threat. Keeping software up to date is therefore essential. Patches must be applied promptly and regular checks conducted to ensure all software is kept 100% up to date.
This is not only important for preventing retail industry data breaches. Next year, the General Data Protection Regulation (GDPR) comes into force and heavy fines await retailers that fail to do enough to improve data security. Ahead of the May 25, 2018 deadline for compliance, retailers need to improve security to prevent breaches and ensure systems are in place to detect breaches rapidly when they do occur.
Ransomware attacks on small businesses can be devastating. Many small businesses have little spare capital and certainly not enough to be handing out cash to cybercriminals, let alone enough to cover the cost of loss of business while systems are taken out of action. Many small businesses are one ransomware attack away from total disaster. One attack and they may have to permanently shut their doors.
A recent research study commissioned by Malwarebytes – conducted by Osterman Research – has highlighted the devastating effect of ransomware attacks on small businesses.
1,054 businesses with fewer than 1,000 employees were surveyed and asked about the number of ransomware attacks they had experienced, the cost of mitigating those attacks and the impact of the ransomware attacks on their business.
Anyone following the news should be aware of the increase in ransomware attacks. Barely a week goes by without a major attack being announced. The latest study has confirmed the frequency of attacks has increased. More than one third of companies that took part in the survey revealed they had experienced at least one ransomware attack in the past 12 months.
22% of Small Businesses Shut Down Operations Immediately Following a Ransomware Attack
The survey also showed the devastating impact of ransomware attacks on small businesses: 22%, more than one in five, were forced to cease operations immediately after an attack.
Those companies able to weather the storm incurred significant costs. 15% of companies lost revenue as a result of having their systems and data locked by ransomware and one in six companies experienced downtime in excess of 25 hours. Some businesses said their systems were taken out of action for more than 100 hours.
Paying a ransom is no guarantee that systems can be brought back online quickly. Each computer affected requires its own decryption key, and those keys must be used carefully: a mistake could see data locked forever. A ransomware attack involving multiple devices could take several days to resolve. Forensic investigations must also be conducted to ensure all traces of the ransomware have been removed and no backdoors have been installed. That can be a long-winded, painstaking process.
Multiple-device attacks are becoming more common. WannaCry-style ransomware that incorporates a worm component sees infections spread rapidly across a network, and many other ransomware variants can also scan networks and self-replicate. One third of companies that experienced an attack said it spread to other devices, and 2% said all of their devices had been encrypted.
Can Ransomware Attacks on Small Businesses be Prevented?
Can ransomware attacks on small businesses be prevented? Confidence appears to be low. Almost half of respondents were only moderately confident they could prevent a ransomware attack on their business. Even though a third of businesses had ‘anti-ransomware’ defenses in place, one third still experienced attacks.
Unfortunately, there is no single solution that can prevent ransomware attacks on small businesses. What organizations must do is employ multi-layered defenses, although that can be a major challenge, especially with limited resources.
A risk assessment is a good place to start. Organizations need to look at their defenses critically and assess their infrastructure for potential vulnerabilities that could be exploited.
Improving Defenses Against Ransomware
Ransomware attacks on small businesses usually occur via email with employees targeted using phishing emails. Organizations should consider implementing a spam filtering solution to reduce the number of malicious emails that reach inboxes.
Some emails will inevitably slip past these defenses, so it is important for staff to be security aware. Security awareness training should be ongoing and should involve phishing simulations to find out how effective training has been and to single out employees that need further training.
While ransomware can arrive as an attachment, it is usually downloaded by scripts launched from attachments or when users visit malicious websites. Blocking malicious links and preventing end users from visiting malicious sites stops those downloads, and a web filtering solution can do both.
Anti-virus solutions should be kept up to date, although traditional signature-based detection technology is not as effective as it once was. Alone, anti-virus software will not offer sufficient levels of protection.
As was clearly shown by the WannaCry and NotPetya attacks, malware can be installed without any user interaction if systems are not configured correctly and patches and software updates are not applied promptly. Sign up to alerts and regularly check for updated software and don’t delay patching computers.
A ransomware attack need not be devastating. If organizations back up their data to the cloud, on a portable (unplugged) local storage device and have a copy of data off site, in the event of an attack, data will not be lost.
TitanHQ announced a new partnership with Purple, the intelligent spaces company, which is now using the WebTitan WiFi filtering solution to control the content that can be accessed through its WiFi networks.
Businesses are now realizing they can attract more customers by providing free WiFi access, with Purple allowing businesses to get something back from providing free WiFi access to customers.
Purple provides WiFi analytics and marketing solutions allowing businesses to get more out of their WiFi networks. Those services have proven incredibly popular, with Purple rapidly expanding its business to serve clients in more than 70 countries.
Businesses are facing increasing pressure not only to provide Internet access to customers, but also to ensure that the Internet can be accessed safely and securely. The recent WannaCry ransomware attacks have highlighted just how important Internet security has now become. An Internet content filtering solution is therefore necessary to ensure inappropriate website content can be filtered out and malicious websites are blocked.
TitanHQ’s website content filtering solution, WebTitan, is a leading content filtering solution for WiFi networks. Each day, WebTitan detects and blocks more than 60,000 different types of malware and ransomware, preventing users from infecting their devices. The solution is managed from a web-based control panel and can instantly be applied to any number of global WiFi access points.
The solution can be easily configured, adds negligible latency, and allows precise control over the types of content that can be accessed through WiFi networks.
Following the rollout of WebTitan, which took just a few days, Purple customers have started benefitting from the industry-leading WiFi filtering solution.
James Wood, Head of Integration at Purple, communicated Purple’s unique requirements to TitanHQ which was able to provide a solution that exactly matched the company’s needs. Wood said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
The solution was ideal for Purple. Wood explained that “Along with superior protection, WebTitan also allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
More and more companies are realizing that it is no longer sufficient to just offer free WiFi access to customers. Customers now want to be reassured that they can access the Internet securely. TitanHQ CEO Ronan Kavanagh said “Content filtering for Wi-Fi will be a given in service terms over the next few years. Purple again is leading the way with their focus on this area.”
A new email-borne threat has recently been discovered. Fatboy ransomware is a new ransomware-as-a-service (RaaS) being offered on darknet forums in Russia. The RaaS offers would-be cybercriminals the opportunity to conduct ransomware campaigns without having to develop their own malicious code.
RaaS has proven incredibly popular. By offering RaaS, malicious code authors can infect more end users by increasing the number of individuals distributing the ransomware. In the case of Fatboy ransomware, the code author is offering limited partnerships and is dealing with affiliates directly via the instant messaging platform Jabber.
Fatboy ransomware encrypts files using AES-256, generating an individual key for the files and then encrypting those keys using RSA-2048. A separate bitcoin wallet is used for each client and a promise is made to transfer funds to the affiliates as soon as the money is paid. By offering to deal directly with the affiliates, being transparent about the RaaS and offering support, it is thought that the code author is trying to earn trust and maximize the appeal of the service.
Further, the ransomware interface has been translated into 12 languages, allowing campaigns to be conducted in many countries around the world. Many RaaS offerings are limited geographically by language.
Fatboy ransomware also has an interesting new feature that is intended to maximize the chance of the victim paying the ransom demand. This RaaS allows attackers to set the ransom payment automatically based on the victim’s location. In locations with a high standard of living, the ransom payment will be higher and vice versa.
To determine the cost of living, Fatboy ransomware uses the Big Mac Index. The Big Mac Index was developed by The Economist as a method of determining whether currencies were at their correct values. If all currencies are at their correct value, the cost of a product in each country should be the same. The product chosen was a Big Mac. In short, the higher the cost of a Big Mac in the victim’s country, the higher the ransom demand will be.
So far, Recorded Future – the firm that discovered the ransomware variant – says the code author has generated around $5,000 in ransom payments since February. That total is likely to rise considerably as more affiliates come on board and more end users are infected. There is no known decryptor for Fatboy ransomware at this time.
New ransomware variants are constantly being developed and RaaS allows many more individuals to conduct ransomware campaigns. Unsurprisingly, the number of ransomware attacks has grown.
The cost of resolving a ransomware infection can be considerable. Businesses therefore need to ensure they have defenses in place to block attacks and ensure they can recover fast.
Backups need to be made regularly to ensure files can be easily recovered. Staff need to be trained on security best practices to prevent them inadvertently installing ransomware. Antispam solutions should also be implemented to prevent malicious emails from reaching end users’ inboxes. Fortunately, even with a predicted increase in ransomware attacks, businesses can effectively mitigate risk if appropriate defenses are implemented.
For advice on security solutions that can block ransomware attacks, contact the TitanHQ team today.
Hackers continue to attack healthcare organizations, and healthcare ransomware attacks are now the biggest cause of security incidents in the sector, according to the NTT Security 2017 Global Threat Intelligence Report.
Healthcare ransomware attacks accounted for 50% of all security breaches reported by healthcare organizations between October 2015 and September 2016 and are the largest single cause of security breaches.
However, healthcare is far from the only sector to be targeted. Retail, government, and the business & professional services sector have also suffered many ransomware attacks during the same period. Those four sectors accounted for 77% of global ransomware attacks. The worst affected sector was business & professional services, with 28% of reported ransomware attacks, followed by the government (19%), healthcare (15%) and retail (15%).
NTT Security reports that phishing emails are the most common mechanism for ransomware delivery, being used in 73% of ransomware and malware attacks. Poor choices of password are also commonly exploited to gain access to networks and email accounts. NTT says just 25 passwords were used in 33% of all authentication attempts on its honeypots, while 76% of authentication attempts used a password known to have been implemented in the Mirai botnet.
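To show how a figure like the “25 passwords in 33% of attempts” statistic is derived from honeypot data, here is an added Python example (not code from the NTT report or from TitanHQ). The log lines and the default-credential list are constructed placeholders; the analysis counts which passwords are tried and what fraction of attempts the most common ones account for, which is the same calculation a defender can run over their own SSH or Telnet honeypot logs to see how concentrated the guessing is.

```python
import re
from collections import Counter

# Constructed honeypot authentication log (placeholder addresses and passwords,
# not real telemetry); one login attempt per line.
SAMPLE_LOG = """\
2017-04-01T10:00:01Z src=198.51.100.10 user=root pass=admin result=fail
2017-04-01T10:00:02Z src=198.51.100.10 user=admin pass=admin result=fail
2017-04-01T10:00:03Z src=198.51.100.10 user=root pass=123456 result=fail
2017-04-01T10:00:09Z src=203.0.113.7 user=root pass=admin result=fail
2017-04-01T10:00:10Z src=203.0.113.7 user=root pass=123456 result=fail
2017-04-01T10:00:11Z src=203.0.113.7 user=support pass=password result=fail
2017-04-01T10:00:12Z src=203.0.113.7 user=root pass=12345 result=fail
2017-04-01T10:01:30Z src=192.0.2.44 user=root pass=admin result=fail
2017-04-01T10:01:31Z src=192.0.2.44 user=root pass=123456 result=fail
2017-04-01T10:01:32Z src=192.0.2.44 user=root pass=qwerty result=fail
2017-04-01T10:01:33Z src=192.0.2.44 user=pi pass=password result=fail
2017-04-01T10:05:00Z src=192.0.2.99 user=deploy pass=Tq7!vL0p result=fail
"""

# Placeholder default-credential list (constructed; it stands in for a real
# botnet wordlist such as the Mirai list the report refers to).
DEFAULT_PASSWORDS = {"admin", "12345", "1234", "default"}

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+pass=(?P<pw>\S+)")


def parse_attempts(log_text):
    """Return a list of (src, user, password) tuples; lines that do not match are skipped."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m["src"], m["user"], m["pw"]))
    return attempts


def top_password_share(attempts, n):
    """Return the n most common passwords and the fraction of attempts they cover."""
    if not attempts:
        return [], 0.0
    counts = Counter(pw for _, _, pw in attempts)
    top = counts.most_common(n)
    covered = sum(c for _, c in top)
    return [pw for pw, _ in top], covered / len(attempts)


def share_in_wordlist(attempts, wordlist):
    """Fraction of attempts whose password appears in a known default/botnet wordlist."""
    if not attempts:
        return 0.0
    hits = sum(1 for _, _, pw in attempts if pw in wordlist)
    return hits / len(attempts)


def attempts_per_source(attempts):
    """How many attempts each source address made; useful for spotting scanners."""
    return Counter(src for src, _, _ in attempts)


if __name__ == "__main__":
    atts = parse_attempts(SAMPLE_LOG)
    top, share = top_password_share(atts, 2)
    print(f"top 2 passwords {top} account for {share:.0%} of {len(atts)} attempts")
    print(f"{share_in_wordlist(atts, DEFAULT_PASSWORDS):.0%} of attempts used a default-list password")
    for src, n in attempts_per_source(atts).most_common():
        print(f"  {src}: {n} attempts")
```

On the constructed sample, two passwords cover just over half of all attempts; on a real honeypot the skew is usually sharper, which is why a short blocklist of default passwords and rate limiting on authentication stop most of this traffic.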
Zero-day exploits tend to attract considerable media attention, but they are used in relatively few attacks. Web-based attacks have fallen, but they still pose a significant threat. The most commonly attacked products were Microsoft Internet Explorer, Adobe Flash Player, and Microsoft Silverlight. Exploit kit activity declined steadily throughout the year as cybercriminals turned to phishing emails to spread malware and ransomware.
With phishing posing the highest risk, it is essential that organizations ensure they have adequate defenses in place. Phishing attacks are sophisticated and hard to distinguish from genuine emails. Security awareness training is important, but training alone will not prevent some attacks from being successful. It is also important to ensure that training is not just a one-time exercise. Regular training sessions should be conducted, highlighting the latest tactics used by cybercriminals and recent threats.
The best form of defense against phishing attacks is to use anti-phishing technologies such as spam filters to prevent phishing emails from reaching end users. The more phishing emails that are blocked, the less reliance organizations place on end users being able to identify phishing emails. Solutions should also be implemented to block users from visiting phishing websites via hyperlinks sent via email.
In the United States, phishing attacks on schools and higher education institutions have soared in recent months, highlighting the need for improvements to be made to staff education programs and cybersecurity defenses.
Phishing refers to the practice of sending emails in an attempt to get the recipients to reveal sensitive information such as logins to email accounts, bank accounts, or other computer systems. Typically, a link is included in the email which will direct the user to a website where information must be entered. The sites, as well as the emails, contain information to make the request look genuine.
Phishing is nothing new. It has been around since the 1980s, but the extent to which sensitive information is stored electronically and the number of transactions that are now conducted online has made attacks much more profitable for cybercriminals. Consequently, attacks have increased. The quality of phishing emails has also improved immeasurably. Phishing emails are now becoming much harder to identify, especially by non-technical members of staff.
No organization is immune to attack, but attackers are no longer concentrating on financial institutions and healthcare organizations. The education sector is now being extensively targeted. Phishing attacks on schools are being conducted far more frequently, and all too often those attacks are succeeding.
Such is the scale of the problem that the IRS recently issued a warning following a massive rise in phishing attacks on schools. Campaigns were being conducted by attackers looking for W-2 Form data of school employees. That information was then used to submit fraudulent tax returns in school employees’ names.
Recent Phishing Attacks on Schools, Colleges, and Universities
Westminster College is one of the latest educational institutions to report that an employee has fallen for the W-2 Form phishing scam, although it is just one of dozens of schools, colleges and universities that have been attacked this year.
Phishing emails are not only concerned with obtaining tax information. Recently, a phishing attack on Denver Public Schools gave the attackers the information they needed to make a fraudulent bank transfer. More than $40,000 intended to pay staff wages was transferred to the criminal’s account.
This week, news emerged of a listing on a darknet noticeboard from a hacker who had gained access to school email accounts, teachers’ gradebooks, and the personal information of thousands of students. That individual was looking for advice on what to do with the data and access in order to make money.
Washington University School of Medicine was targeted in a phishing attack that saw the attackers gain access to patient health information. More than 80,000 patients potentially had their health information stolen as a result of that attack.
Last week, news emerged of an attempted phishing attack on Minnesota schools, with 335 state school districts and around 170 charter schools potentially attacked. In that case, the phishing attack was identified before any information was released. The attack involved an email that appeared to have been sent from the Education Commissioner. The attackers were trying to gain access to financial information.
How to Improve Defenses Against Phishing Attacks
Fortunately, there are a number of technological controls that can be implemented cheaply to reduce the risk of phishing attacks on schools being successful.
An advanced spam filtering solution with a powerful anti-phishing component is now essential. A spam filter looks for the common spam and phishing signatures and ensures suspect messages are quarantined and not delivered to end users.
Even with a spam filter in place, it must be assumed that phishing emails will occasionally be delivered. To prevent employees from visiting phishing websites and revealing their information, a web filtering solution can be used. Web filters can be configured to block end users from visiting websites that are known to be used for phishing. As an additional benefit, web filters can stop individuals from accessing websites known to contain malware or host illegal or undesirable material – pornography for instance.
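As an added illustration of the URL check a web filter performs when a user follows a link from an email (example code written for this article, not WebTitan’s implementation), the Python below matches a link’s host against a blocklist of known phishing domains. The domain names are constructed placeholders in reserved test TLDs. The point is the normalization: hosts are lowercased, ports and embedded user names are stripped, and parent domains are matched, so a phishing subdomain is caught while a look-alike prefix or a phishing domain hidden in a query string is not mistaken for the real host.

```python
from urllib.parse import urlsplit

# Constructed blocklist of phishing domains (placeholder names, not real indicators).
PHISHING_DOMAINS = {"phish-example.test", "login-verify.example"}


def hostname_of(url):
    """Extract the lowercased host from a URL, tolerating a missing scheme.

    urlsplit().hostname strips userinfo and port and lowercases the name, so
    'https://bank.example@evil.test/' resolves to 'evil.test', not 'bank.example',
    which is the classic trick for making a link look like it points at a bank.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def is_blocked(url, blocklist=PHISHING_DOMAINS):
    """True if the URL's host, or any parent domain of it, is on the blocklist."""
    host = hostname_of(url)
    if not host:
        return False
    labels = host.split(".")
    # Check the host, then each parent domain: a.b.c -> a.b.c, b.c, c
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_links(urls, blocklist=PHISHING_DOMAINS):
    """Partition a list of links into (allowed, blocked)."""
    allowed, blocked = [], []
    for u in urls:
        (blocked if is_blocked(u, blocklist) else allowed).append(u)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed links as they might appear in a phishing email.
    sample = [
        "https://secure.phish-example.test/login",
        "HTTP://LOGIN-VERIFY.EXAMPLE:8080/reset",
        "http://notphish-example.test/",
        "https://phish-example.test@good.example/",
        "http://evil.test/?next=http://phish-example.test",
    ]
    ok, bad = filter_links(sample)
    print("blocked:", bad)
    print("allowed:", ok)
```

Note that the last two sample links are allowed by this check even though the blocked name appears in them: the real destination is `good.example` and `evil.test` respectively, which is exactly why a filter must match on the parsed host rather than on substrings of the link text.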
Those solutions should be accompanied by training for all staff members on the risk from phishing and the common identifiers that can help staff spot a phishing email. Schools should also implement policies for reporting threats to the organization’s IT department. Fast reporting can limit the harm caused and prevent other staff members from responding.
IT departments should also have policies in place to ensure thwarted attacks are reported to law enforcement. Warnings should also be sent to other school districts following an attack to allow them to take action to protect themselves against similar attacks.
Any school or higher educational institution that fails to implement appropriate defenses against phishing attacks will be at a high risk of a phishing attack being successful. Not only do phishing attacks place employees at risk of fraud, they can prove incredibly costly for schools to mitigate. With budgets already tight, most schools can simply not afford to cover those costs.
If you would like further information on the range of cybersecurity protections that can be put in place to prevent phishing attacks on schools and other educational institutions, call TitanHQ today for an informal chat.
The Solicitors Regulation Authority in the United Kingdom has recently issued a warning about law firm email scams following a sharp rise in law firm cyberattacks.
According to SRA figures, almost 500 UK law firms have been targeted by cybercriminals. One of the most common law firm email scams seen in recent weeks involves an attacker sending an email to a solicitor pretending to be a new client. While the attacker could claim to have any number of legal problems in the initial email, one of the favored themes is a property or business that is about to be purchased or sold.
Legal services are requested and, when the solicitor replies, the attacker sends an email containing a malicious attachment. The attachment does not itself contain the malware; instead, a malicious macro is embedded in the document. A believable explanation for the inclusion of the macro is provided in the document to allay suspicion. If the macro is enabled, a script runs that downloads the malicious payload. The download occurs silently, so the solicitor is unlikely to be aware that their computer has been infected.
The malware then collects and exfiltrates sensitive data, or provides access to the solicitor’s computer allowing the attacker to search for any useful data. Keyloggers can also be installed to log keystrokes on the infected computer and collect login information for email and bank accounts.
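Scams like the one described above depend on a macro inside an Office attachment reaching the recipient. The following Python is an added example (not SRA guidance and not TitanHQ code) of the content check a mail gateway can apply before delivery: it inspects the attachment bytes rather than the file name and reports whether a modern Office package contains a VBA project, or whether the file is a legacy binary Office document whose macro streams need a dedicated OLE parser. The sample documents are built in memory for the demonstration and are not real Word files.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of legacy .doc/.xls containers
ZIP_MAGIC = b"PK\x03\x04"                          # header of .docx/.docm/.xlsm packages


def classify_office_attachment(data):
    """Return 'macro', 'no-macro', 'legacy-ole' or 'not-office' for an attachment's bytes.

    The decision is made on content, never on the file name: a macro-enabled
    document renamed to .docx still carries vbaProject.bin inside the zip.
    """
    if data.startswith(OLE2_MAGIC):
        # Word/Excel 97-2003 binary file. Macros live in OLE streams that this
        # example does not parse, so the gateway treats it as unverified.
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "not-office"
    if "[content_types].xml" not in names:
        return "not-office"            # a zip archive, but not an OOXML package
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"                 # word/, xl/ or ppt/ VBA project present
    return "no-macro"


def should_quarantine(data):
    """Gateway policy: hold anything that carries or could carry a macro."""
    return classify_office_attachment(data) in ("macro", "legacy-ole")


def build_sample_docx(with_macro):
    """Constructed minimal OOXML package for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("macro-enabled package", build_sample_docx(True)),
        ("plain package", build_sample_docx(False)),
        ("legacy binary document", OLE2_MAGIC + b"\x00" * 16),
        ("pdf", b"%PDF-1.4\n"),
    ]:
        print(f"{label}: {classify_office_attachment(blob)} -> "
              f"{'quarantine' if should_quarantine(blob) else 'deliver'}")
```

A real gateway would also scan inside compressed attachments and extract macro source for inspection; the check here is the first gate, which stops the common case of a macro document arriving under a harmless-looking name.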
The SRA has emphasized there is a high risk of attack, suggesting UK solicitors should treat cybercrime as a priority risk. Action should be taken promptly to mitigate the risk and ensure that the firm’s data are secured. The SRA warns that a cyberattack can cause considerable damage to a firm’s reputation and could result in significant harm to clients. Clients and the law firm can suffer considerable financial losses as a result of these scams.
Not all cyberattacks on law firms involve malware. Phishing is also a major risk. Many law firm email scams attempt to get solicitors to reveal sensitive information such as login credentials, passwords, or other confidential information. These law firm email scams are not easy to identify. Cybercriminals invest considerable time and effort into building up relationships with solicitors via email or over the telephone to build trust. Once a personal relationship has been established it is far easier for the scammers to fool solicitors into revealing sensitive information.
The seriousness of the threat is clear from the reports of cybercrime received by the SRA from solicitors over the past year. The SRA says more than £7 million of clients’ money has been stolen from solicitors in 2016.
The advice to law firms on reducing cybersecurity risk is:
- Make sure all data are backed up and stored securely on a drive that is not connected to a computer
- Make use of secure cloud services for storing sensitive data and accessing and processing information
- Keep software up to date. Patches and software/system updates should be applied promptly
- Solicitors should consider using encryption services for all stored data, especially on mobile devices
- Antivirus and antimalware systems should be installed and set to update definitions automatically. Regular scans of systems should also be scheduled.
As an additional protection against law firm email scams, solicitors should implement an advanced antispam solution to prevent phishing and other malicious emails from being delivered.
To protect against malicious links and redirects from malvertising, solicitors should consider implementing a web filtering solution. A web filter can be used to block visits to webpages known to contain malware.
Free Dharma ransomware decryption is now possible following the publication of the decryption keys used by the cybercriminal gang behind the ransomware.
The Dharma ransomware decryption keys have now been used to develop a decryptor to unlock Dharma-encrypted files. If your organization has been attacked with Dharma ransomware, you can unlock your files by using the Dharma ransomware decryptor developed by Kaspersky Lab or ESET. A ransom no longer needs to be paid.
The decryptor available from ESET will unlock files encrypted by Dharma and its predecessor, Crysis. Kaspersky Lab has added the keys to its Rakhni ransomware decryptor.
It is easy to determine which ransomware variant has been used by checking the file extension on ransomware-encrypted files. Dharma ransomware adds the ‘.dharma’ extension to files after they have been encrypted.
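The extension check above can be automated across a file share. The Python below is an added example (not part of the ESET or Kaspersky tools) that walks a directory tree, counts files carrying a known ransomware extension, and notes whether a free decryptor exists for each family. The directory it scans is built from placeholder files, and the extension table covers only families named in this article.

```python
import os
import tempfile
from collections import Counter

# Extensions appended by ransomware families named in the article. Only
# '.dharma' has a public decryptor (ESET, Kaspersky Rakhni) at the time of writing.
KNOWN_EXTENSIONS = {
    ".dharma": "Dharma (free decryptor available)",
    ".locky": "Locky (no public decryptor)",
}


def scan_tree(root, known=KNOWN_EXTENSIONS):
    """Walk root and count files whose final extension is a known ransomware marker.

    Returns (counts, examples): counts maps extension -> number of files,
    examples maps extension -> first path seen, for the incident report.
    """
    counts = Counter()
    examples = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()   # last suffix only, e.g. '.dharma'
            if ext in known:
                counts[ext] += 1
                examples.setdefault(ext, os.path.join(dirpath, name))
    return counts, examples


def report(counts, known=KNOWN_EXTENSIONS):
    """Human-readable summary lines, one per family found."""
    return [f"{counts[ext]} file(s) with {ext}: {known[ext]}" for ext in sorted(counts)]


def build_demo_tree():
    """Constructed directory of placeholder files (not real encrypted data)."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    os.makedirs(os.path.join(root, "shared"))
    for rel in ("report.docx.dharma", "shared/budget.xlsx.dharma",
                "shared/notes.pdf.locky", "readme.txt"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    found, first_seen = scan_tree(demo_root)
    for line in report(found):
        print(line)
    for ext, path in first_seen.items():
        print(f"  example {ext}: {path}")
```

Run against the affected share before touching anything, the counts tell you which family you are dealing with and how far it spread, which decides whether a public decryptor or a restore from backup is the recovery path.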
The keys to unlock the encryption were posted on a BleepingComputer tech support forum last week by an individual with the username ‘gektar’. Where that individual obtained the decryption keys is unknown, although both Kaspersky Lab and ESET have confirmed that the decryption keys are genuine. The decryption keys will work for all variants of Dharma ransomware.
The name gektar is not known to security researchers. No other online posts are believed to have been made with that username. The username seems to have been created solely to post the decryption keys. It would appear the individual responsible wants to keep a low profile.
Unfortunately, there are now more than 200 ransomware families, with many different ransomware variants within each of those families. Dharma may be no more, but the ransomware threat is still severe. There are still no decryptors available for the biggest ransomware threats: Locky, Samsa (Samsam) and CryptXXX, which are still being extensively used by cybercriminal gangs to extort money out of businesses.
The best defense that businesses can adopt to ensure ransomware-encrypted files can be recovered for free is to ensure that backups of critical files are made on a daily basis. Those backups should be stored on an air-gapped device and also in the cloud.
Recovery from backups and removing ransomware infections can be a labor-intensive and time-consuming process, so anti-ransomware defenses should also be employed to prevent infection. We recommend using SpamTitan to block ransomware emails from being delivered to end users’ inboxes and WebTitan to prevent drive-by ransomware downloads.
Ransomware attacks on British schools have soared in recent weeks. The problem has become so serious that the British National Fraud and Cyber Crime Reporting Center, also known as Action Fraud, has issued a new ransomware warning to British schools.
Ransomware has grown in popularity with cybercriminals over the past 2 years, with attacks on organizations around the world soaring in 2016. 2017 may only be a few weeks old, but ransomware attacks are continuing at the high levels seen in 2016. Security experts predict that 2017 will see even more cyberattacks on schools and other educational institutions, with ransomware the attack method of choice.
Ransomware is a form of malware that encrypts data on a compromised system. A wide range of file types are locked with powerful encryption and a ransom demand is issued. If payment is made, the attackers claim they will supply the key to unlock the encryption. Without the key – the sole copy is held by the attackers – data will remain locked forever.
Some forms of ransomware have been cracked and free decryptors made available, but they are few in number. The majority of ransomware variants have yet to be cracked. Recovery depends on payment of the ransom or the wiping of the attacked system and restoration of files from backups.
While a standard charge per encrypted device was the norm early last year, ransomware is now more sophisticated. The attackers are able to set their payment demand based on the types of files encrypted, the extent of the infection, and the perceived likelihood of the victim paying up. Ransomware attacks on British schools have seen ransom demands of an average of £8,000 issued.
Ransomware Attacks on British Schools are Targeted, Not Random
Many ransomware attacks are random: spam emails are sent in the millions in the hope that some of them reach inboxes and are opened by employees. However, ransomware attacks on British schools have seen a different approach used. Recent attacks have been highly targeted.
Rather than sending emails out en masse, the spate of recent ransomware attacks on British schools starts with a phone call. To find their target, the attackers call the school and ask for the email address of the head teacher. The pretext is that sensitive information, such as mental health assessment forms and teacher guidance forms, needs to be sent and should only be read by the head teacher.
An email is then crafted and sent to the head teacher, addressed to that individual by name. While there are many types of ransomware emails, a number of recent ransomware attacks on British schools involved an email that appears to have been sent by the Department of Education. Other cases have involved the impersonation of the Department of Work and Pensions and telecom providers.
In the text of the email the attacker explains that they have sent some information in an attached file which is important and needs to be read. The attached file, usually in compressed format such as .ZIP or .RAR, contains files that install ransomware if opened.
How to Prevent Ransomware Attacks
Ransomware attacks on British schools can be highly sophisticated, although risk can be effectively mitigated.
- Ensure all staff with computer access are made aware of the risk of ransomware attacks
- Provide cybersecurity training to all staff, including how to identify ransomware and phishing emails
- Never open attachments or visit links in emails sent from unknown senders
- Implement a spam filter to capture and quarantine malicious spam emails
- Use a web filtering solution to prevent staff members from visiting malicious links and from downloading ‘risky’ files
- Ensure all software is kept up to date and patches are applied promptly
- Keep all anti-virus and anti-malware solutions up to date, setting updates to occur automatically
- Restrict the use of administrator accounts: only use accounts with high levels of privileges for specific tasks
It is also essential to ensure that backups of all data are made on a daily basis and backup devices are disconnected after backups have been performed. Data should ideally be backed up to the cloud and on a physical backup device. In the event of an attack, data can then be recovered without paying the ransom.
A Los Angeles Valley College ransomware attack has resulted in file systems being taken out of action for seven days and considerable costs being incurred to resolve the infection.
Attackers succeeded in taking control of one of the college’s servers on December 30, 2016. When staff returned after the Christmas break they discovered the computer system to be out of action and essential files locked with powerful encryption.
The attackers had succeeded in locking a wide range of file types on network drives and computers. Unfortunately, the college was unable to recover the files from a backup. Administrators therefore faced a tough decision: try to recover from the attack without paying the ransom and risk losing the files, or give in to the attackers’ demands and pay for the keys to unlock the encryption.
Los Angeles Valley College Ransomware Attack Nets Criminal Gang $28,000
Due to the extent of the infection and the number of devices affected, the ransom payment was considerable. The attackers set the price at $28,000 for the decryption keys. The ransom demand was high but the college had little in the way of options.
The ransom note that was loaded onto the college’s X-drive said if the ransom was not paid within 7 days, the unique keys to unlock the encryption would be permanently deleted. That would likely have resulted in all of the locked files being permanently lost.
The college enlisted help from cybersecurity experts to determine the likelihood of files being recovered without paying the ransom. However, college administrators were advised to dig deep and pay the attackers for the key. While there is no guarantee that paying the ransom would result in viable keys being supplied, the college’s cybersecurity experts said there was a high probability of data recovery if the ransom was paid and a very low probability of data being recovered if the ransom demand was ignored. The likely cost of resolving the infection without paying the ransom was also estimated to be higher than the cost of paying for the keys. The decision was therefore made to pay the attackers in Bitcoin as requested.
The attackers made good on their promise and supplied the keys to unlock the data. Now IT staff must apply those keys and remove the encryption on the server, network drives, and the many infected computers. Fortunately for the college, a cyber insurance policy will pay out and cover the cost of the ransom and resetting systems. However, there will be other costs that need to be covered, which must be paid by the district.
Recovery from the Los Angeles Valley College ransomware attack will not be a quick and simple process, even though the decryption keys have been supplied by the attackers. The district’s Chief Information Officer Jorge Mata said “There are often a lot of steps where there’s no coming back, and if you pick the wrong path, there’s no return.” The recovery process therefore requires care and precision and cannot be rushed. The process could well take a number of weeks. The main priority is to recover the email system. Other systems and devices will then be methodically restored.
Los Angeles Valley College Ransomware Attack One of Many Such Attacks on Educational Institutions
The Los Angeles Valley College ransomware attack has hit the headlines due to the extent of the infection and high ransom demand, but it is one of many such attacks to have occurred over the past 12 months. Educational institutions have been heavily targeted by attackers due to the value of college and school data. Educational establishments cannot risk data loss and are therefore likely to pay the ransom to regain access to files.
In the past few months, other educational institutions in the United States that have been attacked with ransomware include MIT, University of California-Berkeley, and Harvard University as well as many K-12 schools throughout the country. Figures from Malwarebytes suggest that 9% of ransomware attacks targeted educational establishments.
How Can Educational Institutions Protect Against Ransomware Attacks?
There are a number of steps that educational institutions can take to reduce the risk of ransomware attacks and ensure that recovery is possible without having to resort to paying a ransom. The most important step to take is to ensure that all data is backed up regularly, including the email system. Backups should be stored on air-gapped devices, not on network drives. A separate backup should be stored in the cloud.
However, backups can fail and files can be corrupted. It is therefore important that protections are implemented to prevent ransomware from being delivered via the two most common attack vectors: Email and the Internet.
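Backups that cannot be verified are exactly the failure mode the paragraph above warns about, and the Los Angeles Valley College case shows what an unusable backup costs. As an added example (not code from the college or from TitanHQ), the Python below records a SHA-256 manifest of a file tree at backup time and later checks a restored copy against it, reporting files that are missing or whose contents changed. The scenario it runs, with one corrupted file and one lost file, is constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    Returns a dict with sorted lists under 'ok', 'modified' and 'missing'.
    """
    result = {"ok": [], "modified": [], "missing": []}
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(restored_root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif sha256_of(full) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Constructed scenario: back up a small tree, then damage the restored copy."""
    src = tempfile.mkdtemp(prefix="src-")
    os.makedirs(os.path.join(src, "finance"))
    files = {
        "finance/payroll.csv": b"id,amount\n1,100\n",
        "syllabus.txt": b"week 1: introduction\n",
        "mail.mbox": b"From staff@school.example\n",
    }
    for rel, body in files.items():
        with open(os.path.join(src, rel), "wb") as fh:
            fh.write(body)

    manifest = build_manifest(src)
    # The manifest itself should be stored with the offline backup media.
    with open(os.path.join(src, "..", "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)

    restored = os.path.join(tempfile.mkdtemp(prefix="bak-"), "restore")
    shutil.copytree(src, restored)
    with open(os.path.join(restored, "syllabus.txt"), "ab") as fh:
        fh.write(b"\x00corrupted")                   # simulate a damaged file
    os.remove(os.path.join(restored, "mail.mbox"))   # simulate a file lost from the backup
    return verify_restore(manifest, restored)


if __name__ == "__main__":
    outcome = demo()
    for state in ("ok", "modified", "missing"):
        print(f"{state}: {outcome[state]}")
```

Running the verification as part of every backup job, and again on a test restore, is what turns a backup from a hope into a recovery plan; a manifest written to the same disk as the backup and encrypted along with it is of no use, so keep a copy on the air-gapped media.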
Email is commonly used to deliver ransomware or malicious code that downloads the file-encrypting software. Preventing these malicious emails from being delivered to staff and students’ inboxes is therefore essential, and an advanced spam filter such as SpamTitan should be installed. SpamTitan blocks 99.97% of spam emails and 100% of known malware.
To protect against web-borne attacks and prevent exploit kit activity and drive-by downloads, schools and colleges should use a web filter such as WebTitan. WebTitan uses a variety of methods to block access to malicious webpages where malware and ransomware are downloaded. WebTitan can also be configured to prevent malicious third-party adverts from being displayed. These adverts – called malvertising – are commonly used to infect end users by redirecting their browsers to websites containing exploit kits.
For further information on SpamTitan and WebTitan, to find out more about how both anti-ransomware solutions can prevent infection, and to register for a free 30-day trial of both products, contact TitanHQ today.
‘Tis the season to be jolly, although ‘tis also the season to be infected with malware. The holiday season is an annual highlight for cybercriminals. Holiday season malware infections are to be expected as cybercriminals increase their efforts and try to infect as many users with malware as possible.
Malware is an ever-present threat, but the increase in online activity in the run up to the holiday season means easy pickings for cybercriminals. Consumers are starting to prepare for the holidays earlier, but not as early as the scammers. As consumers head online in their droves, scammers and other cybercriminals are lying in wait.
The advent of Black Friday and Cyber Monday – days on which shoppers are offered amazing deals to prompt early Christmas purchases – sees a frenzy of online activity. There are discounts aplenty and great deals to be had.
However, not all of those discounts are genuine. Many are scams that are used to phish for sensitive information or spread malware infections. As is the case every year, the holiday season sees a spike in malware infections, with the biggest spike over Thanksgiving weekend. This year has been no exception. Holiday season malware infections have increased significantly year on year.
Holiday Season Malware Infections Rise 118% Above Normal Levels
This year, over the first official shopping weekend of the holiday season, malware infections increased by 106% according to data compiled by the Enigma Software Group. On Cyber Monday, when even more great deals on online purchases are made available, malware infections were 118% higher than normal.
Those figures are only for Windows users. Add in smartphones and Apple devices and the figures would be higher still. The problem is also getting worse. Last year there was a spike of 84% over normal levels during the Thanksgiving weekend.
There have been a number of suggestions put forward as to why the figures are so high this year. One of the main reasons is simply due to the number of shoppers heading online. Each year sees more individuals choosing to go online shopping over Thanksgiving weekend. More online shoppers mean more opportunities to infect users with malware.
However, there are also more actors involved in online scams. Malware-as-a-service and ransomware-as-a-service have grown in popularity, and many cybercriminals have started affiliate schemes to get more help spreading their malicious software. Individuals who succeed in infecting computers with ransomware are given a cut of the profits, and there is no shortage of people willing to try the affiliate schemes to boost their own earnings.
Cybercriminals are also getting better at developing convincing scams and malicious email messages. The grammatical and spelling mistakes that were common in phishing emails in years gone by are largely gone. Now, almost perfect emails are sent and scammers are using a wide range of social engineering techniques to lure end users into clicking on malicious links or opening infected email attachments. Spoofed retail sites are also now commonplace – and extremely convincing.
The growth of social media has also helped boost cybercriminal activity. Malicious posts are being shared online offering discounts, special offers, and unmissable deals. However, all end users get is a malware download.
Avoiding a Bad Start to Holiday Season
To avoid becoming a victim of a scam or having to deal with a malware or ransomware infection, shoppers must be vigilant and exercise more caution. Offers that sound too good to be true usually are. Unsolicited emails should always be treated as suspicious and extra care should be taken when clicking on any link or visiting a retail site.
Businesses should also take extra precautions. A malware or ransomware infection can prove extremely costly to resolve. While warnings should be sent to end users about the risks of holiday season malware infections, technological solutions should also be in place to prevent malicious file downloads.
Antispam solutions are highly effective at blocking malicious messages such as phishing emails and emails containing malware. SpamTitan blocks 99.97% of spam messages, contains a powerful anti-phishing module, and blocks 100% of known malware.
Malicious links on social media sites and on third-party ad networks (malvertising) are a very real risk. However, a web filter can be used to control access to social media sites, block malicious third-party adverts, and prevent end users from visiting websites known to contain malware.
If you want to keep your network free from malware this holiday season and you are not already using these two solutions, now is the time. They will also help to keep your network malware-free all year round. And with security experts predicting a massive increase in ransomware and malware attacks in 2017, there is no better time to start improving your defenses.
The Federal Trade Commission (FTC) in the United States has responded to the current ransomware epidemic by issuing ransomware advice for businesses and consumers. The FTC ransomware advice for businesses comes following a spate of high profile ransomware attacks on U.S. businesses. The threat has prompted many U.S. government agencies to release ransomware advice for businesses in the past few months.
Ransomware is a form of malware that encrypts files on a victim’s computer and prevents them from being accessed. After a computer is infected, the attackers issue a ransom demand. In order to obtain the key to unlock the encryption the victim is required to pay a ransom. The ransom amount can be set by the attackers, although it is often around $500 per infected computer.
Ransomware has proved incredibly popular with cybercriminals as it offers a quick source of revenue. Since payment is made in an anonymous cryptocurrency such as Bitcoin, money can be collected without fear of being caught.
The scale of the problem has been shown by numerous reports by security firms. This month, SentinelOne released the results of a global survey that showed 48% of organizations had experienced at least one ransomware attack in the past 12 months. The companies that had been attacked had been forced to deal with an average of 6 ransomware incidents in the past year.
A report released by Beazley’s Breach Response Unit suggests ransomware attacks between January and September were four times higher than in 2015, while a report from Kaspersky Lab suggests there has been an eightfold increase in attacks in the past year.
Ransomware is installed via a number of different attack vectors. Ransomware gangs use exploit kits on websites that probe for vulnerabilities in browsers. Those vulnerabilities are leveraged to download ransomware. Malvertising is also used. This is the use of third-party ad networks to spread malware. Adverts are created containing malicious code which directs users to websites that silently download ransomware. Ransomware downloaders were also allegedly sent out via Facebook Messenger this week.
While not all ransomware attacks result in files being encrypted, attacks carry a significant cost. SentinelOne suggests that in the United States, organizations spend an average of 38 man-hours restoring files from backups after a ransomware attack. Additional investment in security is also required after an attack.
Since ransomware can spread laterally across a network, a single infection can result in many computers being infected. Ransom demands of the order of tens of thousands of dollars are not uncommon. The recent ransomware attack on the San Francisco ‘Muni’ rail system saw a ransom demand of $73,000 issued.
Ransomware Advice for Businesses
Unfortunately, antivirus software can be ineffective at preventing ransomware attacks. Businesses looking to defend against ransomware must therefore use a range of techniques. These include:
- Ensure all software is kept up to date and patches are applied promptly
- Set antivirus and antimalware programs to update definitions automatically
- Use endpoint security controls to prevent ransomware installations
- Implement a robust spam filter to prevent malicious emails from being delivered to end users
- Use a web filtering solution to prevent employees from visiting malicious websites and to monitor users’ online activities to identify high-risk activities
- Use intrusion prevention software
- Train the workforce on security best practices and test knowledge to ensure training has been effective
- Ensure all members of staff know whom to contact and what to do if they believe they have inadvertently installed malicious software
To avoid paying a ransom, it is essential to ensure that regular backups of data are performed. Multiple backups should be made to minimize the risk of data loss. Those backups should be stored on an air-gapped device to avoid backup files also being encrypted. A ransomware response plan should also be developed to reduce disruption to the business in the event of an attack.
After a period of quiet, the Necurs botnet is back in action. A number of security companies have reported a massive surge in botnet activity which started on June 21, 2016.
The Necurs botnet has previously been used to send out huge volumes of Dridex malware and Locky, a sophisticated ransomware variant that was first discovered in February 2016. It is too early to tell whether this is just a temporary spike in activity or whether the botnet will be sending emails at the levels seen before the recent lull.
Necurs botnet activity dropped off on May 31. The volume of malicious emails being sent using the botnet fell to as few as 3 million emails per day. However, the number of emails being sent surged on June 21, shooting up to around 80 million emails. 24 hours later the volume of malicious emails had doubled to 160 million. The surge in activity is linked to a massive spam email campaign that is delivering emails containing malicious attachments which install Locky ransomware.
It is unclear why there was a period of quiet. Security experts have been pondering this since the dramatic fall in activity on May 31.
The Necurs botnet is massive and is believed to contain approximately 1.7 million computers, spread over 7 separate botnets. It is clear that the botnet had not been taken down, although activity across all seven of the botnets stopped. In April and May of this year, spam email volume was regularly exceeding 150 million emails a day. Now the Necurs botnet appears to be back up to speed.
Around the same time as the pause in activity, Russia’s FSB security service conducted raids resulting in the arrests of approximately 50 hackers. The gang was using the Lurk Trojan to defraud banks and other targets in Russia. It is unclear whether some of those arrests resulted in a disruption to the botnet, or whether the pause was for some other reason. Numerous theories have been suggested for the three-week pause, including the sale of the botnet and issues the operators may have had with the C&C infrastructure. If the botnet has changed hands, a single organization would likely be in control, as activity across all seven botnets resumed at the same time.
The resurrection of the Necurs botnet is bad news. According to Proofpoint, the resurrection of the botnet has been accompanied by a new Locky variant which has new capabilities. The latest form of Locky is better at evading detection and determining whether it is running in a sandbox. The new capabilities were detected by Proofpoint shortly before the Necurs botnet went dark.
A recent report issued by the Anti-Phishing Working Group highlights worrying phishing activity trends. According to the Phishing Activity Trends Report, the number of new phishing websites is growing at an alarming rate.
A recent report published by PhishMe showed that email phishing activity has now reached unprecedented levels. Phishing email volume increased by 789% quarter over quarter. The APWG report shows that cybercriminals are also increasingly conducting web-borne attacks. Phishing websites increased by 250% from the last quarter of 2015 through the first quarter of 2016.
APWG expected to see an increase in the number of phishing websites created in the run up to the holiday season. Every year, criminals take advantage of the increased number of online purchases being made around Christmas. Many new phishing websites are created in November and December and online fraud always increases in December.
However, typically, there is a drop in spamming and online fraud in January. This year that fall did not occur. In fact, the number of new phishing websites continued to rise in January. There was a slight fall in February, before a major increase in March. According to the Phishing Activity Trends Report, in December 2015, 65,885 unique phishing websites were detected. In January 2016, the total had risen to 86,557. By March the total had reached a staggering 123,555 unique phishing websites.
Cybercriminals are most commonly targeting the retail sector and are spoofing websites in an attempt to defraud consumers. 42.71% of phishing websites target the retail sector, with the financial sector in second place with 18.67% of sites. Payment services accounted for 14.74% of sites, ISPs 12.01%, and multimedia sites 3.3%.
The Phishing Activity Trends Report indicates an increase in the targeting of cloud-based or SaaS companies, which it is claimed is driving the attacks on the retail sector.
More than 55% of phishing websites contain the name of the target brand somewhere in the URL. Attackers are concentrating the attacks on the most popular brands. By March 2016, APWG reported that 418 different brands were being targeted using phishing websites.
Phishing email campaigns are known to be sent extensively from outside the United States, although when it comes to phishing websites they are usually hosted in the United States. 75.62% of phishing websites are hosted in the US.
The United States also hosts the most phishing-based Trojans and downloaders – 62.36%. China is also being extensively targeted. China hosted 5% of phishing-based Trojans and downloaders in January. By March, the figure had risen to 13.71%.
More than 20 million new malware samples were detected at the start of 2016 – that’s an average of 227,000 new malware samples every day. The majority of new malware samples are Trojans, which account for 66.81% of new samples. Viruses were second (15.98%) and worms third (11.01%).
The massive rise in phishing websites highlights how important it is for caution to be exercised when purchasing online. Businesses should also take additional precautions. Web filters can be used to block phishing websites from being visited by employees. A web filtering solution – WebTitan for example – can also be used to prevent drive-by downloads of malware and ransomware.
Vulnerabilities in Adobe Flash Player are discovered with such regularity that news of another raises few eyebrows, but the latest critical vulnerability – discovered in Adobe Flash Player 184.108.40.206 and earlier versions – is a cause for concern. It is already being exploited by hackers and is being used to infect users with ransomware.
Any device that is running Adobe Flash Player 220.127.116.11 (or earlier) is at risk of the vulnerability being exploited and malicious file-encrypting software being installed. The latest vulnerability can be used to attack Windows, Macs, Linux systems and Chromebooks, according to ProofPoint, although Adobe reports that the vulnerability only affects Windows 10 and earlier versions running the vulnerable versions.
Flash vulnerabilities are usually exploited by visiting malicious websites or webpages that have been compromised and infected with exploit kits. Those exploit kits probe for a range of weaknesses, such as vulnerabilities in Adobe Flash Player, and exploit them to download malware or ransomware to the user’s device.
These drive-by attacks occur without users’ knowledge, as the downloaded file is not displayed in the browser and is not saved to the download folder. It is also difficult to determine whether a website has been compromised or is malicious in nature without software solutions that analyze the website content.
Vulnerabilities in Adobe Flash Player Exploited to Deliver Cerber and Locky Ransomware
The latest attack uses the Magnitude exploit kit. The fact that it is Magnitude suggests the latest ransomware attacks are the work of an individual cybercriminal gang. That gang has acted quickly to include the latest Flash vulnerability into Magnitude.
According to Trend Micro, the vulnerability is being used to deliver Locky ransomware – the malicious file-encrypting software that has been used to attack hospitals in the United States in recent weeks. Locky was reportedly the ransomware used in the attack on Hollywood Presbyterian Medical Center in February. That infection cost the healthcare organization $17,000 to remove, not to mention the cost of attempting to remove the infection and restore backup files prior to the ransom being paid.
ProofPoint suggests the vulnerability is being used to deliver Cerber ransomware. Cerber is a new ransomware that was released in the past month. It can be used to encrypt files on all Windows versions, although not Russian-language versions.
Cerber and Locky are being downloaded via malicious websites, although these are typically not visited by the vast majority of Internet users. In order to get traffic to these sites the attackers are using spam email containing malicious attachments.
In contrast to many malicious spam emails that install malware using executable files and zip files, the attackers are using Word documents containing malicious macros. The macros do not download the ransomware directly; instead, they direct the victim, via a number of redirects, to a malicious site where the drive-by download takes place.
The vulnerability, named as CVE-2016-1019, will crash Adobe Flash when it is exploited. Adobe reports that the vulnerability exists in 18.104.22.168. Trend Micro says the exploit will not work on versions 22.214.171.124 and 126.96.36.199, only on Flash 188.8.131.526 and earlier versions due to mitigations put in place by Adobe.
ProofPoint’s Ryan Kalember said that the exploit has been engineered to only work on earlier versions of Flash and that attacks have been degraded to evade detection. All versions of Flash could potentially be used for the attack should the criminals behind the Magnitude exploit kit so wish.
Of course, this is just one of many vulnerabilities in Adobe Flash Player that can be exploited and used to deliver ransomware or other forms of malware. To prevent attacks, sysadmins should ensure that all devices are updated to the latest version of the software. Adobe said it was releasing a security update to address the vulnerability on April 7, 2016.
Vulnerabilities in Adobe Flash Player are addressed with updates, although there are two software solutions that can help to protect users from attack. Anti-spam solutions such as SpamTitan can be used to prevent spam email from being delivered, reducing the risk of end users opening Word documents infected with malicious macros.
WebTitan products tackle these attacks by blocking malicious websites, preventing users from visiting sites where drive-by downloads take place. There is usually a wait while vulnerabilities in Adobe Flash Player are addressed, and these two solutions can help keep devices malware free until updates are applied.
Each January, the PwC Annual Global CEO Survey is published detailing the major perceived threats to corporate growth. This year the results of the survey show that CEOs are more worried about the cost of dealing with cyberthreats, and believe that they can actually have a major negative impact on corporate growth.
Cost of dealing with cyberthreats a major impediment to 2016 growth
The global survey probed 1,409 CEOs about their concerns about impediments to growth, with cyberthreats ranking as one of the top ten major problems. 61% of respondents said they were worried about cyberthreats and the effect they will have on growth this year.
Over-regulation and geopolitical uncertainty were considered to be more pressing concerns, being cited by 79% and 74% of respondents, while the availability of key skills was mentioned as a major threat to growth by 72% of CEOs. The cost of dealing with cyberthreats was ranked as the eighth biggest impediment to growth in 2016.
While 60% of CEOs believe there are more opportunities for growth than 3 years ago, 66% said there were now more threats to growth. 26% said they only saw more opportunities, while 32% saying they only saw more threats.
The cost of dealing with cyberthreats is considerable, although nowhere near as high as the cost of failing to deal with them. Last year the Ponemon Institute calculated the cost of cyberthreats and determined the cost to businesses is soaring, with the IBM-sponsored study determining the average cost of dealing with security breaches had risen to $3.8 million.
Some of the large organizations included in the study suffered cybercrime losses as high as $65 million, with the cost of cyberthreats having risen by 23% over the course of the past two years.
The IBM Cost of Data Breach Study determined the cost per stolen record to be between $145 and $154. When cybercriminals manage to steal millions of customer records, the cost to business can therefore be considerable.
Major cyberthreats of 2016
- Cloud computing
- Mobile devices
- State sponsored hacking
- Phishing attacks
- Medical devices
Cyberthreats may be an impediment to growth, but it doesn’t mean that those threats cannot be mitigated. Given the increasing risk it is imperative that adequate security defenses are put in place to repel attacks. Malware and ransomware are becoming more sophisticated and much more difficult to identify, as are the phishing campaigns that are used to deliver the malicious software. Anti-phishing strategies must therefore be implemented to block malicious emails and staff members must be trained how to identify phishing attacks when they do occur.
Implement SpamTitan to block malicious emails from being delivered to employees’ inboxes, conduct regular staff training exercises to better educate employees, and perform phishing email tests to ensure that members of staff get practice at identifying dummy phishing emails.
It is also essential to develop policies and controls to limit the types of websites that employees are able to visit when using their work computers as well as for BYOD. Drive-by malware downloads are an increasing threat. Exploit kits are much more commonly used to probe for security vulnerabilities, such as out of date plugins. These can be exploited and used to download malware to devices without any interaction from the user.
To mitigate the risk, patch management policies must be developed. It is more essential than ever to ensure that all software is updated as soon as patches are released.
Following the recent news that Intel Security will be discontinuing McAfee SaaS Email Protection products, SpamTitan is preparing for 2016 when business customers start looking for a new email security vendor to ensure continued protection.
McAfee SaaS Email Protection to Come to an End
Intel Security, the new company name for McAfee, has taken the decision to exit the email security business. The company will be dropping McAfee SaaS Email Protection products and will be concentrating on other areas of business.
From January 11, 2016, McAfee SaaS Email Protection and Archiving and McAfee SaaS Endpoint will stop being sold by Intel Security. The news is not expected to trigger a mass exodus in early 2016, as Intel Security has announced that it will continue to provide support for the products for a further 3 years. Support for both McAfee SaaS Email Protection and Archiving and SaaS Endpoint will stop after January 11, 2019. However, many customers are expected to make the switch to a new email security provider in the new year.
SpamTitan Technologies Anti-Spam Solutions
SpamTitan Technologies offers a range of cost effective business email security appliances which keep networks protected from malware, malicious software, and email spam. Users benefit from dual AV engines from Kaspersky Lab and Clam Anti-Virus, offering excellent protection from email spam, phishing emails, and inbox-swamping bulk mail.
SpamTitan is a highly effective anti-spam solution that was first launched as an image solution. Following an agreement with VMware, SpamTitan was developed into a virtual appliance. The range of anti-spam products has since been developed to include SpamTitan OnDemand in 2011 and SpamTitan Cloud in 2013. In August 2015, SpamTitan blocked 2,341 billion emails and has helped keep business networks free from malware and viruses.
SpamTitan was the first Anti-Spam Appliance to be awarded with two Virus Bulletin VBSPAM+ awards and has also received 22 consecutive VBSpam Virus Bulletin certifications. Additionally, SpamTitan was awarded the Best Anti-Spam Solution prize at the Computing Security Awards in 2012.
Companies in over 100 countries around the world have chosen SpamTitan as their anti-email spam partner. The email security appliance stops 99.98% of email spam from being delivered.
WebTitan Web Filtering Solutions from SpamTitan Technologies
WebTitan Gateway offers small to medium businesses a cost effective method of blocking malware and malicious websites, with highly granular controls allowing individual, group, and organization-wide privileges to be set. Delivered as a software appliance that can be seamlessly integrated into existing networks, it is an essential tool to protect all business users and allow the Internet to be viewed securely.
WebTitan Cloud is a cloud-based web filtering solution requiring no software installations. Create your own web usage policies, block malware-infected websites and objectionable websites, and restrict Internet access to work-related content with ease. Benefit from a comprehensive set of reporting tools which allow the browsing activity of every end user in the organization to be easily monitored.
WebTitan Wi-Fi has been developed for Wi-Fi providers and MSPs to allow easy control of Internet access. WebTitan Wi-Fi allows users to easily block objectionable content and malicious websites, with controls able to be applied by location. The cloud solution requires no software installations. All that is required to start protecting your business is a simple DNS redirect to WebTitan cloud servers.
WebTitan web filtering solutions blocked 7,414 malware-infected webpages in August 2015, and have helped keep businesses better protected from malicious website content, phishing campaigns, and drive-by malware downloads.
A recent study conducted by CyberArk has revealed that enterprises now face a high level of risk of privileged account hacking. In fact, the majority of enterprises are at risk of being hacked. Many companies are underestimating the risk, although IT professionals have long been aware of the danger of privileged account hacking.
The study suggests 88% of enterprise networks are susceptible to attack. A complete compromise of the corporate network is possible via 40% of Windows machines. The researchers predict that all it would usually take is for one privileged account to be hacked to allow the attackers to gain access to most accounts and systems. The researchers also determined that any enterprise that has Windows hosts is susceptible to attack via privileged account hacking.
To produce the report “Analyzing Real-World Exposure to Windows Credential Theft Attacks” CyberArk surveyed 51 organizations of varying sizes to determine the level of risk faced from privileged account hacking and the extent to which networks could be compromised should hackers manage to gain access to super-user and/or service accounts.
The results of the survey paint an incredibly worrying picture. The hacking of privileged accounts is not just a problem that must be dealt with by large corporations. Small to medium-sized businesses are also being targeted. Hackers are gaining access to their systems and are using them to launch attacks on their supply chain partners.
The privileged account hacking risk is often underestimated
Many organizations are not even aware how substantial the privileged account hacking risk is. An organization employing 500 individuals may have 1500 or more privileged accounts according to the researchers. The risk of attack is greatest with servers and lower with workstations. This is because servers can be used to gain access to a much wider range of systems and data than workstations. If any one server is compromised, attackers can use that machine for privileged account hacking and can gain access to many other Windows hosts on the network.
Attackers have months to analyze the network infrastructure and exfiltrate data
Mandiant recently estimated the median number of days for enterprises to discover their networks have been compromised is 229 days. The latest report from CyberArk also suggests a similar timescale for detection – placing the time frame at between 6 to 8 months. Once attackers have gained access to a network, they are exceptionally good at hiding and covering their tracks, and have months to browse the network.
How are hackers gaining access to privileged account login credentials?
In many cases, user credentials are stolen via phishing campaigns. Oftentimes, the attacks are highly sophisticated and highly targeted. Individual users are selected and a campaign is developed to fool them into visiting a malicious website and downloading malware or opening an infected email attachment.
Information about the target is obtained via social media networks such as Facebook, Twitter, or LinkedIn. Their contacts are identified, and a phishing email is either sent from a hacked colleague’s account or is masked to make it appear that it has been sent from a trusted individual.
All too often a sophisticated attack is not necessary. If malware can be installed on just one single computer, shared-privilege accounts can be used to gain access to a wide range of systems.
What can enterprises do to protect their networks from privileged account hacking?
Protecting against the hacking of privileged accounts is difficult. It is not possible to eliminate privileged accounts as they are essential to the functioning of the business. Since these accounts cannot be eliminated, efforts must be made to make them more secure. Unfortunately, the management of privileged accounts is complicated and is difficult to automate.
A survey recently conducted by Dimensional Research/Dell highlights the extent of the current problem. 560 IT professionals were asked about privileged access management and 41% revealed that they did not use any software at all or rely on Excel or other spreadsheet software packages to manage their accounts.
Fewer than half of respondents did not log or monitor privileged account access. 23% did not have a defined account management process. 28% did not have a defined process for changing default passwords on new equipment and software. Passwords were also found not to be changed frequently. Only a quarter of organizations changed admin passwords every month.
Make it harder for networks to be compromised by privileged account hacks
In order to improve security and prevent the hacking of privileged accounts, IT professionals should:
- Develop a defined process for managing privileged accounts
- Conduct a full audit of the network to locate all privileged accounts
- Ensure all passwords are unique, complex, and very difficult to guess
- Monitor and audit account passwords
- Use different passwords for different systems
- Change default passwords on all new devices and software
- Change passwords at least once a month
- Implement an automated solution to manage privileged accounts
- Ensure that a full risk assessment is conducted and any security holes are plugged rapidly (hours rather than weeks or months)
- Conduct an audit of all suppliers and business partners to ensure they have sufficient security in place
- Implement solutions to protect users from phishing and spear phishing attacks, such as anti-spam software with anti-phishing controls
- Implement a web filter to reduce the probability of a user downloading malware to the network from malicious websites.
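One way to start on the audit, monitoring and password-age items in the list above, as an added example that is not part of the original post or of any vendor's product: a read-only PowerShell script that lists who holds local administrator rights on a Windows host (and, where the RSAT ActiveDirectory module is installed, membership of the domain admin groups) and flags accounts whose password is older than the monthly rotation window. It assumes Windows PowerShell 5.1 or later for the LocalAccounts cmdlets, local administrator rights to run, and the 30-day threshold and group names are assumptions taken from the list.

```powershell
# Added example (not from the original post): read-only audit of privileged
# accounts on this host and, optionally, in Active Directory.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember / Get-LocalUser).
function Get-PrivilegedAccountFindings {
    param(
        [int]$MaxPasswordAgeDays = 30,   # monthly rotation, as the list above advises (assumed value)
        [string[]]$DomainGroups = @('Domain Admins', 'Enterprise Admins')   # assumed group names
    )
    $now = Get-Date

    # Turn one account's attributes into a findings record (empty Findings = nothing to report).
    function Test-Account {
        param([string]$Name, [string]$Source, [bool]$Enabled,
              [Nullable[datetime]]$PasswordLastSet, [bool]$PasswordNeverExpires)
        $notes = @()
        if (-not $Enabled) { $notes += 'disabled account still holds privileged rights' }
        if ($null -eq $PasswordLastSet) {
            $notes += 'password age unknown or password never set'
        } elseif (($now - $PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
            $age = [int]($now - $PasswordLastSet).TotalDays
            $notes += "password last set $age days ago (limit $MaxPasswordAgeDays)"
        }
        if ($PasswordNeverExpires) { $notes += 'password does not expire' }
        if ($Enabled -and $Name -match '(^|\\)Administrator$') { $notes += 'default Administrator account enabled' }
        [PSCustomObject]@{ Account = $Name; Source = $Source; Findings = ($notes -join '; ') }
    }

    # 1. Local Administrators group on this host.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
            $u = Get-LocalUser -SID $m.SID
            # Get-LocalUser reports PasswordExpires as $null when the password does not expire.
            Test-Account -Name $m.Name -Source 'Local' -Enabled $u.Enabled `
                -PasswordLastSet $u.PasswordLastSet -PasswordNeverExpires ($null -eq $u.PasswordExpires)
        } else {
            # Domain users or groups nested into the local group: reconcile with the directory audit below.
            [PSCustomObject]@{
                Account  = $m.Name
                Source   = $m.PrincipalSource
                Findings = "$($m.ObjectClass) from $($m.PrincipalSource) nested in local Administrators"
            }
        }
    }

    # 2. Domain privileged groups, only where the RSAT ActiveDirectory module is available.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        foreach ($g in $DomainGroups) {
            Get-ADGroupMember -Identity $g -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, Enabled |
                ForEach-Object {
                    Test-Account -Name $_.SamAccountName -Source "AD:$g" -Enabled $_.Enabled `
                        -PasswordLastSet $_.PasswordLastSet -PasswordNeverExpires $_.PasswordNeverExpires
                }
        }
    }
}

# Show only the accounts that need attention.
Get-PrivilegedAccountFindings | Where-Object { $_.Findings } | Format-Table -AutoSize
```

Run it on a schedule and keep the output; a privileged account appearing for the first time, or a password age that keeps climbing, is exactly the kind of change the monitoring item in the list is meant to catch.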
Fail to secure your login credentials, and privileged account hacking will not only be a risk; it will be a reality.
If you are a network decision maker, what should be your main focus? Which issues should demand your attention? This post covers five important considerations if you want to protect your critical assets.
The current threat landscape has become very serious
If you work in a large corporation, chances are you will not need to be reminded about the seriousness of the current threat landscape. However, if you work in an SME, the severity of the current situation may not be so apparent. According to the results of the 2012 Verizon Data Breach Investigations Report (DBIR), the main threat of data theft comes not from hackers intent on profiting from selling stolen data, but from hacktivist groups. In 2011, hacktivists were behind 58% of data breaches. Hackers were involved in 81% of all data breaches reported throughout the year.
One of the main issues in 2014 is what Verizon calls “low and slow attacks.” These are authentication attacks, web exploits and social engineering-based attacks. Malware is evolving and carries a much higher risk than when many companies deployed their security systems. The threat landscape is constantly changing and you must stay alert to the changing risks.
Corporate data is one of your biggest assets – Protect data like you protect your financial assets
Company data is incredibly valuable to cybercriminals. Credit card numbers (with expiry dates, holder names and CSCs) sell for up to $6 a set. If hackers obtain several hundred or several thousand, they can make a tidy profit. If Social Security numbers can be obtained, in particular those of minors, they can sell for up to $200 a set, especially if accompanied by medical records. Bank account information is also valuable. Account information can be sold for up to 10% of the balance of the account. As for proprietary company data, to the right person that could be sold for millions of dollars. Data is highly valuable and criminals will attempt to steal it. You must therefore ensure it is appropriately protected.
End users are actually the first line of defense
Firewalls and other systems designed to repel DDoS attacks and stop malware from being installed may be seen as the first line of defense; however, your end users are actually the first line. They are also the weakest link in the security chain, and cybercriminals know it. Many criminals target end users as it is easier to get them to download malware or reveal login credentials than to break through a firewall.
If you want to keep your network secure you must provide training and make end users more security aware. They must be instructed how to identify phishing campaigns, be shown good practices to adopt when surfing the Internet or using email. Social media best practices must also be taught, especially if access to the websites is not blocked.
Application and platform management policies need to be developed
In order to protect networks and connected devices from being infected with malware and viruses, policies must be developed covering the permitted uses of computer equipment, applications, smartphones and other BYOD devices.
Even some companies that have adopted BYOD have not issued staff members with detailed policies on the allowable uses of their devices in the workplace. SpamTitan recently conducted a research study that showed a third of organizations have not covered the use of messaging and collaboration tools in their corporate policies. Make sure the use of smartphones, tablets, portable storage devices, collaboration tools, email, social media, and web 2.0 applications are all covered. This will help to ensure staff do not take unnecessary risks.
Prohibition didn’t work – Neither do blanket bans
Total bans on the use of smartphones, laptops, social media, or online shopping at work will not prevent end users from bringing their devices to work or using the Internet for personal use. Controls such as these may actually have a negative impact on staff happiness and productivity. Many employers believe the reverse is the case and issue total bans. Controls must be implemented to prevent theft of data, but consider blanket bans carefully. They may sometimes be effective at protecting networks, but they are rarely good for the business.
How long are computer viruses active before they are discovered? A few months? A year? In the case of the Russian Snake Virus, Uroboros, it has been stealing data for 8 years. It has been detected, but that doesn’t mean that the threat is over. The virus will be present on many systems, and will continue to steal data as it is incredibly difficult to detect.
Where did the virus come from?
It has been called the Russian Snake Virus because many researchers believe the virus was created in Russia, and some believe the Russian government had a hand in its creation. Why? Because of the sophisticated nature of the virus. A malicious program as complex as Uroboros is believed to have required state sponsorship. Foreign governments have been known to create viruses before. China was behind the APT1 virus. Links have been uncovered that tie the virus to the Chinese military. However, so far no link has been proven between the Russian government and Uroboros.
The virus was not created to steal data from individuals. The creators had other, loftier aims. The International Business Times reported that the virus was created to steal government secrets and strike at telecoms systems.
The exact targets have not all been announced by the researchers who discovered the virus, but another link to Russia comes from the fact that Ukraine was attacked 14 times by Uroboros. It would appear that the Department of Defense of the United States was also attacked by the Russian Snake Virus in 2010.
The virus is currently being analyzed by UK firm BAE and German company Gdata. As for the level of sophistication, it is reportedly equivalent to Stuxnet. For anyone unaware of Stuxnet, it was developed and used by the U.S. and Israel to destroy Iranian nuclear reactors. It caused them to spin out of control until they were destroyed. Very James Bond, but in this case very real.
Uroboros is a rootkit and hides inside kernel-level processes. Because of this it has remained undetected. Anti-Virus engines do not scan there, allowing it to remain undetected for so long.
The analysis of Uroboros by BAE is secret. While more is now known, few details have been released because the virus is part of an ongoing operation. The virus is still in operation and may be attacking or monitoring foreign government systems right now. What is known is that Uroboros targets a vulnerability in Windows in addition to software running on the Windows platform. The virus has managed to continue working despite new security features being incorporated into the operating system.
How does Uroboros work?
From the information released so far it is known that Uroboros hijacks a running process. It hides inside processes that are part of Windows and so evades detection. Because of this, AV engines do not detect it. The AV software assumes it is part of Windows, and fails to flag the virus or hijacked service as being malicious. The virus is understood to inject DLLs into the running process.
It sends data at the user and kernel level. When a user fires up their browser, the virus launches a GET request and obtains instructions from the hacker’s command and control center. Since hundreds of legitimate requests are usually made, the GET request from the virus remains hidden. The use of HTTP also allows it to bypass firewalls. Uroboros is not always active either. It may be active for a short period of time before going to sleep. It is told to do this by the hacker in control of the virus, and may sleep for months if required.
One question that has not been answered is how the Russian Snake Virus infects a computer. According to BAE, Uroboros is installed from a USB drive plugged into a computer, but it may also be installed via a phishing email. It is known to hack network processes, and to monitor and intercept inbound and outbound traffic. It is capable of exfiltrating data and logs and can receive inbound commands.
A security vulnerability in Oracle VirtualBox has been exploited by the virus, allowing access to be gained to kernel memory. It updates a variable indicating that Windows was started in WinPE mode. Unsigned DLL files can then be loaded, as the owner and integrity of these files are not verified. The Russian Snake Virus is capable of mounting virtual and physical drives, and different versions exist allowing it to be installed on different operating systems.
How can an attack of this nature be avoided?
Unfortunately, with malicious software such as the Russian Snake Virus it is difficult to totally protect a computer. There are steps that can be taken to reduce the likelihood of infection:
- The virus may be transmitted via phishing and spam emails: Block these using Anti-Spam software
- Issue training on anti-phishing strategies to employees
- Ban the use of all USB drives in your organization
- Keep software systems up to date with patches and, better still, upgrade Windows to the latest version
- Use diskless devices such as Chromebooks as much as possible
- Ensure packet-level inspections read HTTP traffic to look for signals that malware or viruses are communicating with command and control servers
- Data encryption can be used to protect stored data, but unfortunately not data held in memory
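The article notes that the malware's GET requests to its command and control server hide among hundreds of legitimate browser requests, and that HTTP traffic should be inspected for signs of such communication. The following is an added example (not from the article, BAE or any SpamTitan product) of one such signal: requests from a single client to a destination that almost nobody else visits, recurring at near-constant intervals. The log format, hostnames and IP addresses are constructed for the example.

```python
"""Beacon detection over HTTP proxy logs (added example).

Two signals are combined: regularity of the intervals between a client's
requests to one host, and rarity of that host across all clients. Human
browsing is bursty and popular sites are visited by many clients; a check-in
loop tends to be periodic and to contact a host nobody else does.
Caveat: this only works while the implant is active; the article notes it
may sleep for months, so the detection window must be long enough.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client> <method> <host> <status>".
# Workstation 10.0.0.5 browses normally but also polls the placeholder host
# update-check.example.net every 600 seconds; 10.0.0.7 is a second user.
SAMPLE_LOG = """\
2014-03-07T09:00:00 10.0.0.5 GET www.example.com 200
2014-03-07T09:00:01 10.0.0.5 GET cdn.example.com 200
2014-03-07T09:00:02 10.0.0.5 GET update-check.example.net 200
2014-03-07T09:00:40 10.0.0.5 GET www.example.com 200
2014-03-07T09:03:11 10.0.0.5 GET news.example.org 200
2014-03-07T09:10:02 10.0.0.5 GET update-check.example.net 200
2014-03-07T09:12:45 10.0.0.7 GET www.example.com 200
2014-03-07T09:14:30 10.0.0.5 GET cdn.example.com 200
2014-03-07T09:20:02 10.0.0.5 GET update-check.example.net 200
2014-03-07T09:21:00 10.0.0.7 GET news.example.org 200
2014-03-07T09:30:02 10.0.0.5 GET update-check.example.net 200
2014-03-07T09:33:17 10.0.0.5 GET www.example.com 200
2014-03-07T09:35:50 10.0.0.5 GET www.example.com 200
2014-03-07T09:40:02 10.0.0.5 GET update-check.example.net 200
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed format.

    Malformed lines are skipped so one bad record does not abort the run.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        stamp, client, _method, host, _status = parts
        try:
            yield datetime.fromisoformat(stamp), client, host
        except ValueError:
            continue


def find_beacons(text, min_requests=4, max_cv=0.1, max_clients=1):
    """Return candidate (client, host) beacon pairs, most regular first.

    A pair is flagged when the client contacted the host at least
    min_requests times, the intervals between those requests have a
    coefficient of variation (stdev / mean) of at most max_cv, and the
    host was visited by no more than max_clients distinct clients overall.
    """
    per_pair = defaultdict(list)
    clients_per_host = defaultdict(set)
    for stamp, client, host in parse_log(text):
        per_pair[(client, host)].append(stamp)
        clients_per_host[host].add(client)

    findings = []
    for (client, host), stamps in per_pair.items():
        if len(stamps) < min_requests:
            continue
        if len(clients_per_host[host]) > max_clients:
            continue  # popular destination: the rarity signal is absent
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests at the same instant: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host,
                             "requests": len(stamps),
                             "mean_interval_s": round(avg, 1),
                             "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: (f["cv"], -f["requests"]))


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the sample log only the 600-second poll to update-check.example.net is reported; the four visits to www.example.com are ignored because a second client also uses that host and the intervals are irregular.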
The Russian Snake virus: A risk for everyone or just foreign governments?
At present, the virus is believed to be used to attack foreign governments. Unfortunately, when details are released they can be used to create variants. Non state-sponsored hackers may not have been able to create the virus, but the techniques used to exploit computers and networks can be copied. This may already have occurred.
The next few years may see a number of different versions of the virus discovered, which may be used for many different reasons. Specific data may be targeted and stolen, or systems sabotaged. Only time will tell.
The discovery shows the lengths that some individuals and groups will go to in order to steal data, and why it is essential to implement multi-layered security systems to protect computers and computer networks, and to always use controls that prevent phishing emails from being delivered and responded to.
Phishing is not a problem that must only be dealt with by consumers. Businesses are being targeted based on the financial organizations they use, according to the latest research conducted by Kaspersky Labs. The Anti-Virus software provider has been investigating the evolution of phishing. The study looked at the attacks that had taken place between May 2012 and April 2013. The survey revealed that phishers are changing tactics, and are attempting to obtain bank account information. If business bank accounts can be obtained, so much the better. They usually contain much more money than personal accounts.
Hackers often target businesses they despise. Their intention is not always to make money but to cause harm. If bank accounts can be obtained they can be sold to cybercriminals. Accounts are plundered, and sometimes businesses go bust as a result. You may not have offended any hackers, but that doesn’t put you in the clear. Some hackers are involved in organized crime and they will not care who they target as long as money can be obtained.
If a bank is targeted and you lose funds, can you sue them?
A bank is attacked and a business loses money from its account. Can a business sue a bank for a cyberattack? Some are now trying.
EMI has filed a lawsuit against Comerica, in which it claims that the financial institution failed to implement appropriate security defenses, which directly led to one EMI employee falling for a phishing campaign. An employee was tricked into revealing EMI's bank account details. As a result, over $500,000 was rapidly transferred out of EMI's accounts. Protections were not in place at the bank to stop this.
Unsurprisingly, the bank has claimed that this was the fault of EMI. It is EMI's responsibility to ensure its employees are trained and do not fall for phishing campaigns. The bank could have done nothing to prevent that employee from falling for the phishing scam. EMI could have taken action though. It is unlikely that the lawsuit will result in the bank having to cover the losses of EMI.
Phishing prevention starts with staff training
If you want to protect your company’s bank balance, and stop phishers making transfers, the first step to take is to provide all staff members with cybersecurity training. One response to a phishing email is all it takes to see a bank account emptied. It therefore makes a great deal of sense to instruct members of staff about phishing emails. In the above case, the provision of such training may have saved $500,000.
The FBI estimates that these schemes, and other cyberattacks, net online criminals around $100 billion a year. These funds are obtained from large corporations and individuals, but small businesses are now being increasingly targeted. They lack the security software used by large corporations and their bank accounts contain more money than consumer accounts.
Unfortunately for SMEs, they need the same protections as those used by large corporations, but their IT budgets are not nearly as large. SMEs must therefore choose the protections that offer the greatest security for the least outlay. Many do not even employ dedicated cybersecurity staff, so the products they choose must be easy to install, operate and maintain.
To protect against phishing, businesses must concentrate not on protecting their network with firewalls, but protecting end users. They are the ones who will be targeted by a phishing attack.
There are two methods that can be used in this regard (apart from staff training): The use of a spam filter to prevent phishing emails from being delivered, and a web filter to stop users visiting phishing websites.
The number of phishing attacks has increased significantly over the course of the past year. Because the tactic is proving to be so profitable, 2013 and 2014 are likely to see even more attacks take place. Any business that fails to take action to address the risk is likely to become a victim. Maybe not today, maybe not tomorrow, but soon.
Being forewarned is being forearmed, which is why SpamTitan has issued five network and email security predictions for 2013. Over the course of the next 12 months, mobile applications and social media networks are likely to have a major impact on businesses, especially small to medium-sized enterprises. However, both have potential to introduce new security risks. These will need to be addressed.
Last year the volume of cyberattacks increased, as did the variety of new malware identified. More sophisticated cyberattacks were conducted in 2013 than in previous years, and they have proven to be even more damaging.
Last year was difficult for IT security professionals. Unfortunately, the coming year is unlikely to be any easier. If you want to keep your network secure and your data protected, a considerable effort will be required over the next 12 months!
SpamTitan Network and Email Security Predictions for 2013
1. Social media monitoring will become essential to keep networks secure and staff productive
The popularity of social media websites is growing, and people are now spending an extraordinary amount of time connecting with people online, sending messages, reading and writing posts, uploading photographs, friending and poking. People crave interaction so this should be no surprise. With even more social media sites to choose from, and the use of the sites now ingrained, employees will want to use the sites more frequently at work. It is up to employers to harness the power of social media and prevent abuse.
Managers who have yet to tackle the issue of social media website use at work will need to take action in 2013. Whether it is implementing a ban or policies covering usage, the issue can no longer be ignored. Since employees will use the sites even if a ban is implemented, we expect more companies to start adopting ways to curb usage, as well as taking action to address the network security risks the sites pose.
2. BYOD is here to stay and the trend will continue
BYOD is driven by employees, not by employers. Employees want to bring their own devices to work, and employers can reap the benefits. The problem that must be addressed is how to manage the considerable security risks. Many companies will decide the risks posed by the devices outweigh the benefits, and many will look to harness the power of web tools and cloud based applications.
We expect security policies will need to be put in place by organizations in 2013. Employees who are permitted to bring their own devices to work are likely to have more restrictions put in place on the use of those devices. Additional security measures to enforce policies will also be installed.
3. Cybercriminals will start to use social media as the main way of profiling targets
As the use of social media networks grows and consumers spend more time on the sites, cybercriminals will start to use the websites as a way of identifying and profiling their targets for spear phishing campaigns. Malware attacks via Facebook and other social media platforms are also likely to increase over the next 12 months. Criminals will also become more skilled at using social media networks to obtain the information necessary to defraud their targets.
Email spam volumes should continue to fall as criminals find it harder to profit from spamming campaigns. The past 2-3 years have seen spam volume decline and this is likely to continue in 2013. 3 years ago, the volume of spam emails stood at around 90% of all emails sent. Now the figure is around 70%. We expect the total to fall to around 60% this year.
4. Phishing attacks will primarily be conducted via social media websites
Phishing campaigns have been found to be highly effective on Facebook and Twitter. These two social media platforms were the most popular with phishers last year, and that is likely to continue in 2013. Social media campaigns can be conducted rapidly, and require little outlay. As the threat grows, we expect organizations to take action and implement defenses to reduce the risk of their employees falling for phishing schemes. They will be given little choice if they want to keep their networks protected.
5. Market consolidation to continue and businesses will increasingly consider alternative solution providers
The information security industry is likely to see even more market consolidation in 2013. Smaller companies will merge, with numerous takeovers expected. Last year, Trustwave bought out M86 Security, and Eleven GmbH was acquired by Commtouch.
However, end user businesses should find they can stay competitive if they concentrate on niche products. Specialist products will continue to be developed and fine-tuned, offering consumers more powerful security solutions for specific areas of network security.
Do you agree with our network and email security predictions for 2013? We expect, as an IT professional, you will have your own security predictions for 2013. What do you think the next 12 months have in store for IT security pros?
Ransomware is all the rage these days. Employees are fooled into downloading malware onto work computers, and hackers lock company data with powerful encryption software. Once encrypted, the data can only be accessed by using a security key. Unfortunately, they are all held by the hackers and will not be released unless a ransom is paid. Agree to pay the ransom and the data will be unencrypted. There is no guarantee that this will happen of course, but companies are often given no choice.
Ransoms are also demanded following the theft of corporate data. The criminals responsible are not looking to use the data personally. They just want a quick and easy payout. AmeriCash Advance, a well-known U.S. payday loan provider, was recently attacked and had customer data stolen by a hacking group called Rex Mundi.
The group asked for a ransom to be paid, but AmeriCash refused to give in to the demand for $15,000. The company had been warned that if it didn’t pay up the stolen data would be posted online. Loan applicants and the company’s customers would then have their financial information sent out via Twitter and social media networks. This would place those individuals at a high risk of suffering fraud, having their identities stolen, or being targeted by phishers and scammers. That would likely result in customers taking their business elsewhere.
The refusal to pay means that is likely to now happen. Previous applicants for loans and AmeriCash customers must therefore be on their guard.
How much risk do victims face?
The level of risk depends on the data that have been stolen. If credit card numbers, full bank account information, Social Security numbers and account logins have been compromised, the risk of identity theft and fraud being suffered will be very high.
Any individual affected would need to put a credit freeze on their accounts, register for credit monitoring services and be extremely careful responding to emails and divulging any information. In the case of the latest attack, individuals had the last four digits of their Social Security numbers exposed, the amount of money they requested or had had loaned, and their names and email addresses. In this case only a small quantity of data was stolen and, although customers are still at risk, it could have been a whole lot worse.
Any person in possession of the data is unlikely to be able to steal the identities of the victims without obtaining further information, such as the first five digits of the Social Security number along with a date of birth. Criminals who have purchased the data will likely attempt to obtain the further details they need. For that they will use phishing scams. These aim to fool users into revealing sensitive information, and the campaigns can be very convincing.
What can be done to reduce risk following a successful cyberattack?
According to a report on CNet, AmeriCash did what all companies should do. The company made sure that its systems were secured to prevent further attacks. The relevant authorities were contacted and law enforcement agencies were notified.
Customers also needed to be advised that their data have been compromised and warned of the risk of phishing campaigns. That process was also performed.
Offering affected individuals free credit monitoring and identity theft resolution services can help reduce fallout. Some state laws demand that this is offered if Personally Identifiable Information (PII) or Protected Health Information (PHI) is exposed.
It is also wise to increase security measures to prevent future attacks. Web filtering solutions and anti-spam protection can reduce the risk of suffering data breaches. They can also prevent employees from falling for phishing campaigns that give hacking groups the information needed to gain access to corporate networks.
The European Football Championships are almost upon us, which is fantastic news for football (soccer) fans, but terrible news for haters of ‘The Beautiful Game’. It is also something of a nightmare for employers.
It is easier to manage than the World Cup of course. There are only a very limited number of time zones across Europe, so no matter where the games are played, most kick-off times are outside of normal business hours. Unfortunately, standard business hours are becoming a thing of the past for many workers and not all qualifying games are played in the evening. Many employees will face a dilemma. Watch the game at work and risk the ire of an employer, or miss out on some live football action. A great many will choose the former and will use streaming websites to see the games live.
IT security risks are introduced during major sporting events
Major sporting tournaments have a knock-on effect on productivity, but that is actually a relatively minor issue compared to the increased network security threat that comes from sports streaming websites. Streaming websites breach copyright laws. The owners of websites showing live sports games run a risk of arrest, heavy fines and even prison terms for their deeds. They must therefore make enough money to make it worthwhile.
To do this they show adverts on their sites. However, few people click on standard adverts. They go on the sites to watch sports, not click on links. The site owners therefore have to be sneaky. They make it hard for the adverts to be closed. They put multiple X’s in the adverts, which launch pop-ups. This means that your standard football addict will end up clicking on multiple adverts in an attempt to close them.
Cyber criminals are well aware of the tactics used by the site owners, and know that ads will be clicked by everyone using the sites. If they are able to get their adverts on ad networks, getting visitors to their malicious websites could not be easier. That means more individuals will inadvertently download their malware, more computers will be infected, and they will make more money.
So are the European Football Championships all bad news for employers?
The European Football Championships mean owners of streaming websites will make money; it’s a win for cyber criminals and hackers, and great for football fans. Employers don’t fare too well, and neither do IT security professionals. Bandwidth is chewed up by employees streaming games, the malware risk increases, and it is a potentially unproductive time for a few weeks.
That said, it’s not all bad for employers. Research conducted by Robert Half Technologies shows that there are positives. In a poll of HR directors, 44% thought that the European Football Championships would actually have a positive impact on morale and employees would be more motivated. This happened during the Olympics. IT professionals were not so complimentary about the benefits. In fact, 57% will be banning access at work due to the high network security risk and bandwidth issues.
A ban can be implemented easily. All it takes is an email, or a mention in a staff meeting. But how can the ban be enforced?
How can you block streaming websites, control Internet usage at work, and manage risk?
There are many ways to block website access, but it can be time consuming to set up. It is also hard to block access to ALL websites used for streaming. These often change or are shut down and new ones opened. Blanket bans can result in legitimate websites being blocked, and setting rules on individual browsers is just not an option. It is far too time consuming, and too easy for users to change their own settings to allow temporary access.
The best solution is to use web filtering software. This allows Internet usage to be centrally controlled by a system administrator. You could even block all games apart from those played by your home country. It really is very simple to have that level of control (if you have the right web filter installed).
SpamTitan Technologies web filtering solutions have highly granular controls, which will allow you to:
- Block websites by domain, category, URL pattern, or content
- Prevent users from downloading certain file types
- Block or permit certain websites for specific groups or individuals
- Set restrictions based on time-frames – i.e. allowing workers to stay after work to watch games, but block access during working hours for groups or individuals
- Prevent end users from visiting links to malicious websites
- Block malicious adverts from being displayed
- Block all streaming services, including music and video
- Block online gaming websites
- Compile reports to see who is trying to access banned sites
Add a SpamTitan Technologies Anti-Spam solution and you can also block the barrage of spam and phishing emails that are sent whenever major sporting events take place.
You will probably be aware of the term phishing: A method used by criminals and hackers to obtain sensitive information from individuals, usually with a view to using that information to gain access to bank accounts or computer networks, or to commit identity theft.
Phishing is a growing phenomenon. Online criminals use social engineering techniques to get users to reveal sensitive data. They also convince end users to install malware that can be used to log keystrokes or even allow hackers to take full control of a device.
Phishing is highly effective and allows criminals to make billions of dollars every year. However, the way campaigns are conducted limits the earning potential of criminals. Campaigns are often sent via spam email and that is a numbers game.
Spam emails get caught up in email filters, are marked as junk, or are quarantined. Emails must therefore be sent out in the millions in order for a criminal to get just a few responses. Oftentimes, online criminals do not actually have enough real email addresses and have to resort to guessing, hoping that catch-all accounts exist and some will be delivered.
Whaling – A new phishing technique that is proving to be highly effective
Rather than sending emails by the million, criminals have worked out that it is possible to get the same number of responses by sending just a handful of emails. In order to successfully obtain the bank account login credentials of one individual, it may be necessary to send out a million emails using standard phishing techniques. It is also possible to do it with one: The email just needs to be very convincing.
The term whaling has been coined to describe this new tactic. Rather than using a very big net to catch a few small fry, a spear gun can be used to target a very big target. Whalers pursue one target and the payoff can be considerable. A whale is more valuable than a handful of sprats.
Whaling is not random and the technique requires skill and effort. A target must be identified and researched. A campaign must then be devised that will convince that individual, or a small group of individuals, to respond. Emails must be crafted that are realistic. Since the targets are usually senior executives in a company, they are likely to be extremely cautious about revealing information, opening files, or visiting websites.
Whaling therefore requires detailed information to be gained about the target. The more information that can be gained about the target’s likes and dislikes, their role within the company, contact information and family life, the easier it is to craft an email that they will respond to. This takes a lot of time and effort but the prize is worth it. Senior executives have access to highly valuable data.
Due to the effectiveness of whaling campaigns, many criminals are switching to this mode of attack. Many of those attacks are conducted not on email, but via social media channels.
Have improved security protections forced phishers to move from email to social media networks?
Opinion is divided within the IT security industry about the move from spam email to social media networks as the preferred vector for delivering phishing campaigns. Almost a third of respondents in a recent SpamTitan survey did not believe that improved Anti-spam technologies have triggered the move to social media networks.
The survey also showed that 37% of respondents believe that phishing is a growing phenomenon, and that additional protections are required to keep networks secure.
Many believe that the switch to social media networks is simply due to the number of individuals that have signed up for accounts, and phishing is therefore a natural response to the rise in popularity of online communities that encourage the sharing of personal information.
If personal information is uploaded by individuals onto social media networks, it is possible to build an accurate picture of an individual very easily indeed. Ask Facebook. The company doesn’t need to charge users as the information it gathers is incredibly valuable to advertisers. They can create highly targeted advertising campaigns with the data. Unfortunately, phishers can use that information too.
Corporations as well as individuals must therefore take great care when using social media sites. It is all too easy to reveal sensitive information and become a victim of a phishing or whaling attack. Fortunately, SpamTitan Technologies can offer protection from phishers, whalers, and other online scammers. Email phishing campaigns can be blocked, while the company’s web filtering solutions can prevent phishing websites from being visited.