Cybercriminals are taking advantage of the 2019 Novel Coronavirus pandemic and are exploiting fear to spread malware and steal data. These tactics many not be new, but these campaigns pose a significant threat in the current climate of global fear and worry.
People are naturally worried about contracting COVID-19 and will be concerned about the wellbeing of their friends and family members. Many people crave new information to help avoid them avoid illness and protect their families. If that information arrives in an inbox, email attachments may be opened, and links clicked to malicious websites.
Even when training is provided to employees and they are taught not to respond to unsolicited messages, open email attachments, or click links in emails from unknown senders, mistakes can still be made. During the COVID-19 crisis, stress levels are high, and this can easily lead to decisions being taken that would not normally be made.
Businesses have been forced to allow their employees to work from home, many of whom are now working in a home environment where there are many distractions. Many people do not have home offices where they can quietly work, and a challenging working environment also makes mistakes more likely. Those mistakes can prove very costly.
Phishing campaigns are being conducted targeting home workers as they are seen as low-hanging fruit and an easy way to gain access to business networks to install malware, ransomware, and steal sensitive data. Several campaigns have been detected that offer important advice on the 2019 novel coronavirus that impersonate authorities on disease control and prevention such as the U.S. Centers for Disease Control and Prevention (CDC), U.S. Department of Health and Human Services, UK National Health Service, and the World Health Organization (WHO). The phishing campaigns are credible, claim to offer important advice, and are likely to be opened by many individuals. These campaigns seek remote access credentials and distribute malware.
Coronavirus maps that display the number of cases per country are being used on many websites, including a legitimate COVID-19 case tracking map on Johns Hopkins University website. One campaign has been detected that uses a carbon copy map and urges users to download a desktop application that allows them to track new cases. The application installs the information-stealing AZORult Trojan. As the COVID-19 crisis has deepened, these phishing and malspam campaigns have increased significantly.
With more people working from home and self-isolating, the risk of malware and phishing attacks has increased significantly. It is therefore important for businesses to make sure that they are properly protected and manage risk. During this difficult time, it is important to provide security awareness training to staff to keep them aware of the threat of cyberattacks and to help them identify malicious messages. Phishing simulation exercises are a useful way of assessing risk and identifying individuals that require further training.
It is also important to implement additional control measure to block attacks at source. There are two main attack vectors being used to target remote workers: Email and the web. Due to the high risk of mistakes by employees it is essential for businesses to have an effective email security solution in place.
The key to improving email security is defense in depth. Layered defenses will greatly improve resilience to phishing and malware attacks. If you are using Office 365 and have yet to augment protection with a third-party email security solution, now is the ideal time. One 2019 study showed that Office 365 protections only block around 75% of phishing attempts. Given the increase in phishing volume, a great many malicious emails will land in inboxes unless protection is improved.
The more time people spend online, the greater the risk. With many workers housebound and self-isolating, online time has increased considerably. Unsurprisingly, the of number of malicious domains being used to distribute malware has increased and drive-by malware attacks have spiked. With corporate laptops being used at home, steps should be taken to limit what employees can do on those laptops. Blocking access to ‘risky’ websites such those distributing pirated TV shows and movies will help to reduce the risk of a malware download, along with controls to prevent the downloading of risky file times such as software installers and executable files.
A web filtering solution will allow you to control the sites that remote employees can access on their corporate laptops and prevent malicious websites from being visited. A cloud-based web filtering solution is the ideal choice as it can be easily implemented to protect all remote workers, without causing any latency issues.
TitanHQ can help you protect your telecommuting workers from email and web-based threats. SpamTitan is a powerful email security solution that compliments Office 365 anti-spam and anti-phishing controls and enhances protection against phishing, spear phishing, and zero-day malware. WebTitan is a cloud-based DNS filtering solution that is simple to implement that allows you to carefully control the online activities of remote employees and block drive-by malware downloads and other web-based threats.
Both solutions can be implemented in a matter of minutes and will greatly improve protection against web and email-based threats. For further information, to book a product demonstration, or to register for a free trial, contact TitanHQ today.
During this unprecedented time of uncertainty, the health and safety of our employees, customers, partners and their families is one of our main focuses and concerns. Team TitanHQ are fully committed to supporting our partners and customers. The benefits from our email and web security products are even more relevant and important now.
Our fantastic team has jumped at the challenge with vigor and we have mobilized our workforce so that it’s business as usual over this unusual phase. We are taking advice from the government on best practice and have a task force in place to manage our progress.
Customers and partners can rest assured that support teams will continue to be available and product teams are working as normal. If you have any questions or concerns about products, or technical support, please contact us in the usual way. The support team has been trained to be aware of special customer concerns during this period and will escalate any question to the appropriate responsible person or department.
We are aware that this is a sensitive time and we will make sure to go the extra mile to make it easier for our customers. All of us at TitanHQ wish you good health and thank you for your continued support.
Phishing attacks are increasing and malware is a growing threat. A DNS filter adds an important level of protection to block these attacks. In this post we explain why.
The Growing Threat from Malware and Phishing Attacks
There are various methods used to deliver malware, but email remains one of the most common methods of distributing malware, either through malicious attachments or hyperlinks in emails that direct users to websites where malware is downloaded. The latter is a popular method of malware delivery as there is an increased chance that the hyperlink will not be detected as malicious by an email security solution. Various tactics are used to mask these URLs from email security solutions, such as adding the hyperlink to an attached file such as a PDF.
The Emotet Trojan is one of the most prevalent threats and also one of the most dangerous. Emotet is primarily spread via email through a combination of attachments and malicious URLs. The Trojan is an information stealer capable of spreading across networks to infect other vulnerable devices. Removing the malware is problematic, as there are usually multiple devices infected. As soon as the malware is removed from one device, others on the network re-infect the cleaned machine. Emotet is also a malware downloader. Once all valuable information has been obtained post-infection, other malware variants such as the TrickBot Trojan and RYUK ransomware are downloaded. All devices infected with Emotet are added to the botnet. An analysis by the SpamHaus project revealed around 6,000 malicious URLs are emitted from infected devices, which act as compromise vectors.
An advanced spam filter will ensure that the majority of malicious emails are blocked, but it is important not to totally rely on a spam filter alone to block email-based malware and phishing attacks. The key to a strong defense is to implement layered defenses. With overlapping layers of security, if one layer fails to block a threat, another is in place to provide protection. One of the most important additional protections against phishing attacks and email-based malware is a web filter.
Why a Web Filter is so Important
Phishing attacks have an email and web-based component. The email contains the lure and a hyperlink is included that directs the recipient to a webpage hosting a phishing kit. When the user visits the website credentials and other sensitive information is harvested. A spam filter will block most of these phishing emails and a web filter provides protection against emails that are not blocked, as well as protecting against accidental navigation to malicious websites through malvertising or general web browsing.
A web filter is a form of content control that prevents network users from visiting known malicious websites. When a network user attempts to visit a malicious website, rather than connecting to the site, they are directed to a block page. That block page informs the user that they have attempted to visit a prohibited website which, in this case is a phishing page or website hosting malware. It could equally be a website that violates an organization’s internet usage policies. A web filter therefore serves as an additional, and important, layer of security to block phishing attacks and malware and ransomware downloads.
Web Filtering Options
There are different web filtering options available. Appliance-based web filters were once the go-to solution, but cloud-based filtering is now much more common, more cost effective for most organizations, and easier to implement and maintain.
Appliance-based solutions are not scalable. Once capacity has been reached, another appliance must be purchased. Software-based web filters, which are usually deployed as a virtual appliance on existing hardware, are a good choice but the most popular web filtering solutions are cloud-based. With cloud-based web filters, all filtering takes place in the cloud on the service provider’s hardware. Cloud-based filters are highly scalable. If capacity is increased, additional licenses just need to be purchased which takes seconds.
DNS Filtering is the Most Flexible Web Filtering Choice
The most popular, flexible, and scalable solution is a DNS filter. When a user makes a request to visit a website, such as by clicking a hyperlink or navigating to a website through their browser, a set of procedures must be followed to display the content.
One of the first steps is to send a query to the DNS server. The DNS server matches an easy to remember domain name – google.com for instance – with an IP address that allows the site to be found. A DNS filter works at this stage of the process and will block attempts to visit prohibited websites or malicious sites before any content is downloaded. Modern DNS filters do not just block content at the domain level. They also block content at the URL and page level. This means that a page on Medium.com could be blocked, while other content on the site is allowed. This means filtering controls are very granular and there is less potential for overblocking of web content.
WebTitan – A DNS Filter for SMBs and MSPs Serving the SMB Market
TitanHQ’s DNS filtering solution – WebTitan – has been developed for use by SMBs, MSPs providing security services to SMBs, and ISPs with millions of users. WebTitan includes market-leading classification of web content and malicious URL detection, and the solution is updated in real-time with more than 60,000 malicious URLs added to the filter every day. The solution includes advanced analytics and threat intelligence feeds and covers more than 99.9% of the active web. The solution is also easy to integrate into your own systems through TitanHQ’s API, and the solution can be purchased, set up, and be providing protection in just a few minutes.
For more information on WebTitan, to sign up for a free trial, or to book a product demonstration, give the TitanHQ team a call today.
A recent phishing attack on an 8,600-student school district in Texas ended up costing an astonishing $2.3 million. The Manor Independent School District phishing attack started in November 2019 and continued through December.
The attack was an example of a highly effective – and highly lucrative – email scam known as business email compromise (BEC) or vendor email compromise, if the attack is conducted through a vendor.
A BEC/VEC scam involves the use of a legitimate business email account to send emails to individuals within the organization (BEC) or to its clients (VEC) requesting a bank transfer. BEC attacks are also conducted to make changes to payroll or requests are sent via email asking for sensitive information such as W-2 forms for use in tax fraud.
The scam starts by sending phishing emails to individuals in the targeted organization. Emails are sent containing a credible ploy to get the recipient to click a hyperlink that directs them to a specially crafted webpage. That webpage is usually a carbon copy of a legitimate website, but on a different domain, that has been set up to harvest credentials.
Attackers often spoof Microsoft to capture Office 365 credentials. When the user visits the website via the hyperlink embedded in the email, they are presented with the standard login prompt that they receive when attempting to login to their Office 365 account. When the credentials are entered, they are captured by the attackers. The attackers then use the credentials to access the email account. The account is then used in the second phase of the attack.
Oftentimes, when attackers gain access to an email account, they set up a mail forwarding rule that will see all messages in the email account forwarded to the attackers. They check the emails until they find something of interest, such as contractors that are performing construction works.
Attackers often insert themselves into legitimate email conversations. Both parties believe they are communicating with each other, when the reality is they are communicating with the scammer. The scammer then asks for payments to be sent to a different email account. These conversations can span many messages and email exchanges can continue for several days or weeks. Since the scammer has full control of one of the email accounts, it is likely that the scam will not be detected until it is too late.
It is unclear whether a vendor’s email account was compromised in the Manor Independent School District phishing attack or if this was a standard BEC attack, with emails sent to the billings department requesting a bank account change. Details on the specifics of the phishing attack have not been released. What is known is that the bank account details of a vendor were changed, and the school district made three separate payments over the space of the following month before the scam was identified and the school district discovered it had been scammed out of $2.3 million.
A defense in depth strategy is required to prevent attacks such as this from succeeding. Technical defenses are essential. An advanced spam filter should be implemented that scans all incoming and outgoing messages, multi-factor authentication should be implemented to prevent stolen credentials from being used to remotely access accounts, and end user training is required to raise awareness of the threat. Policies and procedures should also be implemented that require all bank account changes to be verified, via telephone, before they are authorized.
Today there is an increasingly mobile workforce. Workers are able to travel and stay connected to the office and many employees are allowed to work remotely for at least some part of the week. While workers are in the office, security is not a problem for IT departments. Workers connect to the internal network, be that a wired or wireless network, and thanks to the protection of the firewall, their devices and the network are protected. The problem comes when workers move outside the protection of that firewall. Here IT departments struggle to ensure the same level of protection.
When workers are travelling for work or are between the home and the office, they often connect to public Wi-Fi hotspots. Connecting to those hotspots introduces risks. While connected, sensitive information could potentially be disclosed which could be intercepted. Malware could also be inadvertently downloaded. When a connection is made to the work network, that malware could easily be transferred.
Connecting to untrusted Wi-Fi networks is a major risk. These could be legitimate Wi-Fi services provided on public transport, in coffee shops, or city-wide Wi-Fi networks. While these networks may be safe, there is no telling who may be connected to that network. These Wi-Fi networks are often not monitored, and cybersecurity protections may be poor.
There are several possible attack scenarios where an individual could perform malicious acts on users of the Wi-Fi network. One of the biggest risks is a man-in-the-middle attack. In this scenario, a Wi-Fi user will be connected to the network and will believe that they are securely accessing the internet, their email, or even the work network, when the reality is that their connection is anything but secure.
A hacker could be listening in and could obtain information from that connection. Through ARP poisoning, a hacker could trick the Wi-Fi gateway and the user’s device into connecting, and traffic would be routed through the hacker’s device where it is intercepted. An attacker could also create an evil twin hotspot. Here a rogue hotspot is created that closely mimics the genuine hotspot. A Wi-Fi user may mistakenly connect to the evil twin thinking they are connected to the legitimate hotspot. Since the evil twin is operated by the attacker, any information disclosed while connected can be intercepted.
Remote workers must be told never to connect to a Wi-Fi network unless they do so through a VPN than encrypts their data. Employees may forget to connect to their VPN, and if weak passwords are used, even if they are encrypted they could be cracked relatively easily, but with a VPN and password policies, risk will be reduced to a reasonable level.
Wi-Fi networks tend not to have the same protections as corporate networks, so there may be little restrictions on the types of website that can be accessed while connected. To protect remote workers, a DNS filter such as WebTitan should be used.
A DNS filter performs content control at the DNS lookup stage when a user attempts to access the internet. When a web address is entered in the browser, the DNS server looks up the fully qualified domain name (FQDN) and matches it with the IP address of the website. The browser is provided with the IP address and the server is contacted and the content is downloaded. With a DNS filter, before any content is downloaded, it is subject to certain rules. For instance, category-based filtering could be used to prevent adult content from being accessed. An attempt would be blocked before any content is downloaded. Importantly for security, the DNS filter would prevent the user from visiting any known malicious website. A phishing site for instance or a site known to harbor malware. With a cloud-based DNS filtering service, all filtering takes place in the cloud and there is no latency regardless of where the individual is located. DNS filtering protects workers on corporate networks as well as remote workers.
A further control that is useful is an email filtering solution, such as SpamTitan, that incorporates Domain-Based Message Authentication, Reporting, and Conformance (DMARC).
In the event of a user’s email credentials being obtained in a man-in-the-middle attack via a rogue Wi-Fi hotspot, their email account could be accessed by the attacker. Since legitimate credentials are being used, this would not generate any alerts and the attacker could peruse the email account in their own time. If the account is used to send phishing messages, as they often are, DMARC will prevent those messages from being delivered and will alert the company to the issue.
The DMARC element of the spam filter checks the sender’s IP address to make sure it matches the IP on the DNS servers for the sender’s organization to make sure they match. If the IP is not authorized to send messages from that domain, the messages will be rejected or quarantined, and the company would be alerted to the phishing attack. The same is true for spoofing of email addresses.
SpamTitan also includes dual anti-virus engines to identify malware sent via email and sandboxing to help catch previously unknown malware variants that have yet to have their signatures uploaded to AV engines. Any malware sent via email will also be quarantined to keep inboxes free of threats.
If you run a business and allow workers to connect remotely, speak to TitanHQ today to find out more about how you can better protect your remote workers, and your business, from cyberattacks conducted via email and the web.
Our team of highly experienced staff will walk you through the benefits of DNS and spam filtering, can schedule a personalized product demonstration, and will help you get set up for a free trial of SpamTitan and WebTitan. You can then evaluate both solutions in your own environment. Both solutions can be set up and protecting you in a matter of minutes.
One of the most common misconceptions about email archiving is that an email archive is the same as a backup, but there are some important differences. In this post we explain those differences and why your business needs to be archiving emails as well as creating email backups.
In the event of disaster, you need to be able to recover your data and the same is true of emails. A huge quantity of important information is saved in email accounts and businesses cannot afford to lose all that data. In the event of disaster, a ransomware attack for instance, without some form of backup, all of your email data will be permanently lost. In the case of a ransomware attack, you can pay the ransom and the attackers may supply viable keys to decrypt your data but there is no guarantee that they will make good on their promise. You must have a backup plan, and that is an email backup.
Email accounts can be restored to a particular moment in time from a backup file, and emails can be recovered with little to no data loss. From a business perspective, your backups may not need to be retained for very long. Their primary purpose is to allow data recovery in the event of disaster, and they will be replaced with a new backup.
Backups are designed to restore entire mailboxes. Problems arise if you need to recover a single email that has been accidentally deleted, if you need to respond to a request to have a person’s data deleted in its entirety to comply with GDPR, or if you get an eDiscovery request or have to produce emails to settle disputes. You may also need to review emails to determine if there has been a data breach or to investigate potential malicious insiders. In all of these cases, backups fall short as they are not designed to be searched.
Email archives are different. An email archive can be viewed as an extension of an inbox, where searches for individual emails can be performed and messages can be quickly recovered when needed. Every sent and received email is sent to the archive and is stored along with metadata, which allows searches to be performed. In fact, searching an email archive is almost as easy as searching for a message in an inbox.
If you wanted to restore emails from a particular moment in time, say last year, restoring data from your backup could easily result in loss of current email data. With the restoration of data from an email archive that would not occur. Many businesses only discover the difference between an email archive and a backup when they need to deal with one of the above situations. By then it is too late.
You should also bear in mind that businesses have a legal responsibility to preserve their emails, even in industries that are not highly regulated. The Federal Rules of Civil Procedure in the United States were updated in 2006 to include electronic communications, which require email data to be produced in the event of legal action. Further, an audit trail must be maintained, email data must be protected against accidental loss or deliberate tampering, and data must be immediately available. An archive allows this, a backup does not.
The failure to produce information can result in a heavy fine and could well be the difference between winning and losing a case.
To find out how easy and cost-effective it is to implement an email archiving solution, call TitanHQ today to find out about ArcTitan.
The increase in cyberattacks on law firms has highlighted a need for greater security protections, especially to protect against phishing, malware, and ransomware.
According to a recent Law.com report, more than 100 law firms are known to have experienced cyberattacks in the past five years: Cyberattacks that have resulted in hackers gaining access to sensitive information and, in many cases, employee, attorney, and client information.
Investigations such as this are likely to uncover just a small percentage of successful cyberattacks, as many are resolved quietly and are not reported. Many law firms will be keen to keep a cyberattack private due to the potential damage it could do to a firm’s reputation. The reputation of a law firm is everything.
As Law.com explained, there are different data breach reporting requirements in different states. If there is no legal requirement to report the data breaches, they will not be reported. That means that only if reportable information has potentially been compromised will the breach be reported to regulators or made public. It is therefore not possible to tell how many successful cyberattacks on law firms have occurred. However, there has been a steady rise in reported cyberattacks on law firms, as is the case with attacks on other industry sectors. Law.com’s figures are likely to be just the tip of the iceberg.
From the perspective of cybercriminals, law firms are a very attractive target. The types of information stored on clients is incredibly valuable and can be used for extortion. Information on mergers and takeovers and other sensitive corporate data can be used to gain a competitive advantage. Cybercriminals are also well aware that if they can deploy ransomware and encrypt client files, there is a higher than average probability that the ransom will be quietly paid.
Based on the information that has been made public about law firm data breaches, one of the main ways that law firms are attacked is via email. Many of the data breaches started with a response to a phishing or spear phishing email. Phishing allows cybercriminals to bypass even sophisticated cybersecurity protections as it targets a well-known weakness: Employees.
Employees can be trained to be more security aware and be taught how to recognize potential phishing emails, but phishers are conducting ever more sophisticated campaigns and every employee will make a mistake from time to time. That mistake could be all that it takes to compromise a computer, server, or a large part of a network.
One firm contacted for the report explained that it had implemented advanced cybersecurity protections that were undone with a phishing email. The digital security measures it had in place greatly restricted the harm caused, and there was no evidence that the attacker had accessed sensitive information, but the attack did succeed.
In response, the law firm implemented more advanced security protocols, implemented a more aggressive spam filter, multi-factor authentication was used more widely, and it revised its policies and procedures and training. Had those measures been implemented in advance, it may have been possible to block the attack.
The response was to implement more layered defenses, which are critical for blocking modern cyberattacks. Overlapping layers of security ensure that if one measure fails, others are in place to prevent an attack from succeeding.
This is an area where TitanHQ can help. TitanHQ has developed cybersecurity solutions that can fit seamlessly into existing security stacks and provide extra layers of security to block the most common attack vectors. TitanHQ’s email and web security solutions – SpamTitan and WebTitan – provide advanced protection without compromising usability.
Since many clients prefer to communicate via email, it is important for all incoming attachments to be analyzed for malicious code. Extensive checks are performed on all incoming (and outgoing) emails, with SpamTitan able to block not only known malware but also zero-day threats. SpamTitan also includes DMARC email authentication to block email impersonation attacks and sandbox to analyze suspicious files and identify malicious or suspicious activity.
WebTitan provides protection from web-based threats. Most malware is now delivered via the internet, so a web security solution is essential. WebTitan is a DNS filtering solution that protects against all known malicious sites. It is constantly updated in real time through threat intelligence services to ensure maximum protection. The solution provides advanced protection against drive-by downloads and malicious redirects to exploit kits and other malicious sites and provides and important additional layer of security to protect against phishing attacks.
Law firms will no doubt prefer to host their cybersecurity solutions within their own environments or private clouds, which TitanHQ will happily accommodate.
For further information on TitanHQ’s cybersecurity solutions for law firms, contact the TitanHQ team today. Managed Services Providers serving the legal industry should contact TitanHQ’s channel team to find out more about the TitanShield program and discover why TitanHQ is the leading provider of cloud-based email and web security solutions to MSPs serving the SMB market.
The Spelevo exploit kit is being used to deliver Maze ransomware to unsuspecting internet users via a vulnerability in Adobe Flash Player.
The Spelevo exploit kit has been used to deliver a variety of malicious payloads since it was first detected in early 2019. Initially it was used to silently download the GootKit Trojan, and latterly the Dridex and IceD banking Trojans. Now the threat actors behind Maze ransomware have joined forces with the EK developers to deliver their malicious payload.
Spelevo has previously been loaded onto a compromised business-to-business contact website to target business users, although the latest campaign uses ad network traffic to send users to a fake cryptocurrency website, where they are then redirected to a web page hosting the exploit kit.
The Flash Vulnerability – CVE-2018-15982 – is then exploited in the browser to silently download and execute the ransomware payload. If that download occurs, the user’s files will be encrypted. There is currently no free decryptor for Maze ransomware. Recovery will depend on restoring files from backups – provided they too have not also been encrypted – or the user will face permanent file loss if they do not pay the ransom demand. The ransom doubles if payment is not made within a week.
Exploit kits used to be one of the main ways that malware was distributed, although they fell out of favor with cybercriminals who found alternate, more profitable ways to earn money. The threat never disappeared but exploit kit activity dropped to a tiny fraction of the level seen a few years ago when Angler exploit kit activity was at its peak. However, over the past year or so, exploit kit activity has been increasing. Today, there are several active exploit kits that are being used to deliver a variety of malware and ransomware payloads.
Exploit kits will only work if they have been loaded with an exploit for a vulnerability that has not been patched on a user’s device. Prompt patching will ensure that even if a user lands on a web page hosting an exploit kit, no malware download will take place. However, many businesses are slow to apply patches and it can be several months before vulnerabilities are corrected.
One of the best defenses against exploit kits is a DNS filter. A DNS filter is a control mechanism used to prevent users from visiting malicious websites. With a DNS filter in place, websites known to host malware or malicious code are blocked at the DNS lookup stage, before any content is downloaded. If a user attempts to visit a known malicious web page, they will be directed to a block screen instead.
Web filters can also be used to prevent ‘risky’ file types from being downloaded, such as .exe, .scr, or .js files. In addition to blocking malware downloads, a DNS filter can be used by businesses to enforce their acceptable internet usage policies and prevent employees from accessing productivity-draining websites and adult content.
A web filter is an important part of layered defenses against malware and other internet-based attacks such as phishing. TitanHQ’s DNS filter, WebTitan, is used by thousands of businesses and managed service providers to protect against web-based threats. WebTitan blocks more than 60,000 new malware sites every day and provides businesses and MSPs with real-time protection against the full range of web-based threats.
WebTitan can be deployed in minutes, is updated automatically, highly scalable, and costs as little as 90 cents per user per month. The productivity gains alone from using the solution mean it more than pays for itself, let alone the savings from preventing phishing attacks and costly malware downloads and data breaches.
To find out more about DNS filtering and why it is now considered an essential part of layered security defenses, give the TitanHQ team a call. Our support staff will be happy to answer your questions, book a product demonstration, and help you get set up for a free trial.
Ransomware attacks slowed in 2018 but the malicious file-encrypting malware is back with a vengeance. Ransomware attacks on educational institutions have soared this year, and as the attackers are well aware, these attacks can be extremely profitable.
There have been 182 reported ransomware attacks so far this year and 26.9% of those attacks have been on school districts and higher education institutions. The increase has seen education become the second most targeted sector behind municipalities (38.5%) but well ahead of healthcare organizations (14.8%).
The reason why the number of ransomware attacks on educational institutions, healthcare, and municipalities is so high compared to other sectors is because attacks are relatively easy to perform and there is a higher than average chance that the ransoms will be paid.
Attacks on municipalities mean they can’t access computer systems, and essential services grind to a halt. Police departments can’t access criminal records, courts have to be shut down, and payments for utilities cannot be taken. If hospitals can’t access patient data, appointments have to be cancelled out of safety concerns. In education, teachers cannot record grades and student records cannot be accessed. Administration functions grind to a halt and a huge backlog of work builds up.
Some of the recent ransomware attacks on school districts have seen schools forced to send students home. Monroe-Woodbury Central School District in New York had to delay the start of the school year due to its ransomware attack. If students need to be sent home, there is often backlash from parents – Not only because their children are not getting their education, but childcare then needs to be arranged.
The costs of these attacks are considerable for all concerned. Each day without access to systems costs schools, universities, municipalities, and hospitals a considerable amount of money. Downtime is by far the biggest cost of these attacks. Far greater than any ransom payment.
It is no surprise that even when ransom demands are for tens or hundreds of thousands of dollars, they are often paid. The cost of continued losses as a result of the attacks makes paying the ransom the most logical solution from a financial perspective. However, paying the ransom sends a message to other cybercriminals that these attacks can be extremely profitable, and the attacks increase.
The huge cost of attacks has seen educational institutions take out insurance policies, which typically pay the ransom in the event of an attack. While this is preferable financially for the schools, it ensures that the attackers get their pay day. Some studies have suggested that attackers are choosing targets based on whether they hold insurance, although the jury is out on the extent to which that is the case.
In total, 49 school districts and around 500 K-12 schools have been affected by ransomware attacks this year. While the ransomware attacks on school districts have been spread across the United States, schools in Connecticut have been hit particularly hard. 7 districts have been attacked, in which there are 104 schools.
Prevention of these attacks is key but securing systems and ensuring all vulnerabilities are identified and corrected can be a challenge, especially with the limited budgets and resources of most schools. Cybersecurity solutions need to be chosen wisely to get the maximum protection for the least cost.
A good place to start is by addressing the most common attack vectors, which for ransomware is Remote Desktop Protocol and email-based attacks.
Remote Desktop Protocol should be disabled if it is not required. If that is not possible, connection should only be possible through a VPN. Rate limiting should also be set to block access after a number of failed login attempts to protect against brute force password-guessing attacks.
Email security also needs to be improved. Massive spam campaigns are being conducted to distribute the Emotet banking Trojan, which serves as a downloader for Ryuk ransomware and others. Embedded hyperlinks in emails direct end users to sites where they are encouraged to download files that harbor malware, or to exploit kits where ransomware is silently downloaded.
Advanced spam filters should be deployed that incorporate sandboxing. This allows potentially suspicious email attachments to be checked for malicious activity in a safe environment. DMARC email authentication is also important as it is one of the best defenses against email impersonation attacks. SpamTitan now incorporates both of these measures.
A DNS based content filtering solution is also beneficial as an additional protection against malware downloads and phishing attacks. Not only can the content filter be used to ensure compliance with CIPA, it will prevent end users from visiting malicious websites where ransomware is downloaded.
Email attacks usually require some user interaction, which provides another opportunity to block the attacks. By educating all staff and students on the risks, they can be prepared for when malicious emails arrive in their inboxes and will be conditioned how to respond.
It is often the case that breached entities only implement these measures after an attack has occurred to prevent any further attacks from succeeding. By taking a more proactive approach and implementing these additional security measures now, costly, disruptive attacks can be avoided.
For more information on ransomware defenses such as email and DNS filters for educational institutions, give the TitanHQ team a call today. You are likely to find out that these security measures are far cheaper than you think… and naturally a great deal less expensive than having to deal with an attack.
Venture online and you will be faced with a wide range of threats, some of which could result in your bank account being emptied, others could result in sensitive information being exposed and your accounts being hijacked. Then there is ransomware, which could be used to stop you from accessing your data (unless you have backups or pay the ransom payment).
More malicious websites are now being created than legitimate sites, so how can you stay safe online? One solution used by businesses and ISPs is the use of a web filter. A web filter can be configured to restrict access to certain categories of Internet content and block the majority of malicious websites.
While it is possible for businesses or ISPs to purchase appliances that sit between end users and the Internet, DNS filters allow the Internet to be filtered without having to purchase any hardware or install any software. So how does DNS filtering work?
How Does DNS Filtering Work?
DNS filtering – or Domain Name System filtering to give it its full title – is a technique of blocking access to certain websites, webpages, or IP addresses. DNS is what allows easy to remember domain names to be used – such as Wikipedia.com – rather than typing in very difficult to remember IP addresses – such as 126.96.36.199. DNS maps IP addresses to domain names.
When a domain is purchased from a domain register and that domain is hosted, it is assigned a unique IP address that allows the site to be located. When you attempt to access a website, a DNS query will be performed. Your DNS server will look up the IP address of the domain/webpage, which will allow a connection to be made between the browser and the server where the website is hosted. The webpage will then be loaded.
So how does DNS web filtering work? With DNS filtering in place, rather than the DNS server returning the IP address if the website exists, the request will be subjected to certain controls. DNS blocking occurs if a particular webpage or IP address is known to be malicious via blacklists or is determined to be potentially malicious by the web filter. Instead of being connected to the website the user was attempting to access, the user is instead directed to a local IP address that displays a block page explaining why the site cannot be accessed.
This control could be applied at the router level, via your ISP, or a third party – a web filtering service provider. In the case of the latter, the user – a business for instance – would point their DNS to the service provider. That service provider maintains a blacklist of malicious webpages/IP addresses. If a site is known to be malicious, access to malicious sites will be blocked.
Since the service provider will also categorize webpages, the DNS filter can also be used to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for instance. Provided a business creates an acceptable usage policy (AUP)and sets that policy with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there will be next to no delay in accessing safe websites that do not breach an organization’s acceptable Internet usage policies.
Will a DNS Filter Block All Malicious Websites?
Unfortunately, no DNS filtering solution will block all malicious websites, as in order to do so, a webpage must first be determined to be malicious. If a cybercriminal sets up a brand-new phishing webpage, there will be a delay between the page being created and it being checked and added to a blocklist. However, a DNS web filter will block the majority of malicious websites.
Can DNS Filtering be Bypassed?
The short answer is yes. Proxy servers and anonymizer sites could be used to mask traffic and bypass the DNS filter unless the chosen solution also blocks access to these anonymizer sites. An end user could also manually change their DNS settings locally unless they have been locked down. Determined individuals may be able to find a way to bypass DNS filtering, but for most end users, a DNS filter will block any attempt to access forbidden or harmful website content.
No single cybersecurity solution will allow you to block 100% of malicious websites or all NSFW websites, but DNS filtering should certainly be part of your cybersecurity defences as it will allow the majority of malicious sites and malware to be blocked.
If you have yet to implement a web filtering solution, are unhappy with your current DNS filtering service, or you have questions about DNS content filtering, contact the TitanHQ team today and ask about WebTitan Cloud.
WebTitan provides a simple and easy DNS filtering solution to protect your company and employees.
2017 was a bad year for ransomware attacks, but as 2018 progressed it was starting to look like the file-encrypting malware was being abandoned by cybercriminals in favor of more lucrative forms of attack. Between 2017 and 2018 there was a 30% fall in the number of people who encountered ransomware compared to the previous year, and the number of new ransomware variants continued to decline throughout 2018; however, now, that trend has been reversed.
2019 has seen a sharp increase in attacks. Figures from Malwarebytes indicate there was a 195% increase in ransomware attacks in Q1, 2019 and that increase has continued in Q2. A new report from Kaspersky Lab has shown that not only are attacks continuing to increase, the number of new ransomware variants being used in these attacks is also increasing sharply.
Kaspersky Lab identified 16,017 new ransomware modifications in Q2, 2019, which is more than twice the number of new ransomware modifications detected in Q2, 2018. In addition to updates to existing ransomware variants, Q2, 2019 saw 8 brand new malware families detected.
Kaspersky Lab tracked 230,000 ransomware attacks in Q2, which represents a 46% increase from this time last year. Far from ransomware dying a slow death, as some reports in 2018 suggested, ransomware is back and is unlikely to go away any time soon.
Not only are attacks increasing in frequency, ransom demands have increased sharply. Ransom demands of hundreds of thousands of dollars are now the norm. Two Florida cities paid a combined total of $1 million for the keys to unlock files encrypted by ransomware. Jackson County in Georgia paid $400,000 for the keys to unlock the encryption that crippled its court system, and recently, a massive ransomware attack that impacted 22 towns and cities in Texas saw a ransom demand of $2.5 million issued.
Earlier this year, the developers of GandCrab ransomware shut down their popular ransomware-as-a service offering. They claimed to have made so much money from attacks that they have now taken early retirement. Despite GandCrab ransomware being one of the most widely used ransomware variants for the past 18 months, the shut down has not been accompanied with a reduction in attacks. They continue to increase, as other ransomware-as-a-service offerings such as Sodinokibi have taken its place.
Ransomware attacks are increasing because they are profitable, and as long as that remains the case, ransomware is here to stay. Businesses are getting better at backing up their data but recovering files from backups and restoring entire systems is a difficult, time-consuming, and expensive task. When major attacks are experienced, such as those in Texas, recovering systems and files from backups is a gargantuan task.
Attackers realize this and set their ransom demands accordingly. A $400,000 ransom demand represents a sizable loss, but it is a fraction of the cost of recovering files from backups. Consequently, these sizable ransoms are often paid, which only encourage further attacks. It is for this reason that the FBI recommends never paying a ransom, but for many businesses it is the only option they have.
Businesses naturally need to develop plans for recovering from an attack to avert disaster in the event of ransomware being installed on their network, but they must also invest in new tools to thwart attacks. At the current rate that attacks are increasing, those tools need to be implemented soon, and that is an area where TitanHQ can help.
To find out more about email and web security solutions that can block ransomware and protect your network, give the TitanHQ team a call.
A new phishing campaign has been detected which uses Microsoft Office 365 voicemail notifications as a lure to get users to open a malicious HTML file attached to the email.
The phishing emails are very realistic. The emails include the Microsoft and Office 365 logos, use the Microsoft color scheme, and Microsoft contact information. The messages inform the recipient that they have received a new voicemail message. The caller’s number and length of the voicemail message is included, along with the time and date of the message. In order to access that message, the user is required to open a HTML file attached to the email.
Many phishing campaigns use Word documents or Excel spreadsheets containing malicious macros or embedded hyperlinks that direct users to a phishing web page where credentials are harvested. Through security awareness training employees are told to look out for thee commonly used file types. HTML files are likely to be familiar to employees, but since these file types are not often used in phishing campaigns, employees may believe the attached file to be benign, when that is definitely not the case.
The HTML file uses meta refresh to redirect the user from the local HTML file to a phishing page hosted on the Internet. That phishing page contains a highly realistic spoofed voicemail management page where users are required to enter their Office 365 credentials to access the message. Doing so hands those credentials to the attacker.
Cybercriminals are constantly coming up with new ways to trick employees into clicking links in emails or opening malicious attachments. Keeping the workforce up to date on these threats is important. If employees are aware of the types of scam emails, they are likely to receive they will be more likely to correctly identify an email as malicious if it arrives in their inbox.
Keeping the workforce 100% up to date on the latest scams will not be possible as new scams and lures are constantly being developed. It is therefore important to ensure that you have an advanced spam filtering solution in place that can block these messages to ensure they never test employees.
SpamTitan incorporates DMARC to block email impersonation attacks, dual antivirus engines to identify known malware, and a sandbox where suspicious attachments can be executed safely and studied for malicious actions. In addition, a range of checks are performed to assess the content of messages and embedded hyperlinks for any malicious actions.
With SpamTitan in place, businesses will be able to block more than 99.97% of spam and phishing emails, and 100% of known malware.
If you want to improve protections against phishing attacks and ensure fewer malicious messages reach your Office 365 inboxes, give the TitanHQ team a call to find out more about SpamTitan email security and other measures you can take to improve your security posture and block these sophisticated phishing attacks.
A Google Calendar phishing campaign is being conducted that abuses trust in the app to get users to click malicious hyperlinks.
Cybercriminals are constantly developing new phishing tactics to convince end users to click links in emails or open email attachments. These campaigns are often conducted on organizations using Office 365. Campaigns are tested on dummy Office 365 accounts to make sure messages bypass Office 365 spam defenses.
Messages are carefully crafted to maximize the probability of an individual clicking the link and the sender name is spoofed to make the message appear to have been sent from a known and trusted individual.
Businesses that implement email security solutions that incorporate DMARC authentication can block the vast majority of these email spoofing attacks. Office 365 users that use a third-party anti-phishing solution for their Office 365 accounts can make sure malicious messages are blocked. Along with end user training, it is possible to mount a solid defense against phishing and email impersonation attacks.
A new phishing tactic is being used in an active campaign targeting businesses which achieves the same aim as an email-based campaign but uses a personal calendar app to do so.
Phishing campaigns have one of two main aims – To steal credentials for use in a further attack or to convince the user to install some form of malware or malicious code. This is most commonly achieved using an embedded hyperlink in the email that the user is urged to click.
In the Google Calendar phishing attacks, events are added into app users’ calendars along with hyperlinks to the phishing websites. This is possible because the app adds invites to the calendar agenda, even if the invite has not been accepted by the user. All the attacker needs to do is send the invite. As the day of the fictitious event approaches, the user may click the link to find out more. To increase the likelihood of the link being clicked, the attacker sets event reminders so the link is presented to the user on multiple occasions.
This attack method is only possible with Google Calendar in its default setting. Unfortunately, many users will not have updated their settings after installation and will be vulnerable to Google Calendar phishing attacks.
To prevent these attacks, on the desktop application settings menu click on:
Event Settings > Automatically Add Invitations
Select the option, “No, only show invitations to which I’ve responded.”
Navigate to “View Options”and ensure that “Show declined events” is not checked.
The FBI’s Internet Crime Complaint Center (IC3) has issued a warning about the increasing number of phishing websites using HTTPS.
The green padlock next to a URL once gave an impression of security. Now it is a false sense of security for many internet users.
HTTPS or Hyper Text Transfer Protocol Secure to give it its full name, indicates the website holds a valid certificate from a trusted third-party. That certificate confirms that the website is secure and any data transmitted between the browser and the website will be encrypted to prevent interception in transit.
The public has been taught to look for the green padlock and HTTPS before entering card details or other sensitive information. However, the padlock does not mean that the website being visited is genuine. It only means any information transmitted is secured in transit between the browser and the website.
If you are buying a pair of shoes from Amazon, all well and good. If you are on a website controlled by a cybercriminal, HTTPS only means that the cybercriminal will be the only person stealing your data.
Cybercriminals create realistic phishing webpages that imitate well-known brands such as Microsoft and Google to obtain login credentials or banks to obtain banking information. These phishing pages can be set up on dedicated phishing websites or phishing kits can be added to previously compromised websites. Traffic is then generated to those webpages with an email phishing campaign.
If one of the links in the email is clicked, a user will be directed to a website that requests some information. If the website starts with HTTPS and displays the green padlock, the user may mistakenly believe the site is genuine and that it is safe to disclose sensitive information.
The IC3 alert was intended to raise awareness of the threat from HTTPS phishing and make the public aware of the true meaning of the green padlock and never to trust a website because it starts with HTTPS.
Businesses should take note and make sure they include HTTPS phishing in their security awareness training programs to raise awareness of the threat with employees.
A web filter can greatly reduce the risk of HTTPS phishing attacks, provided the web filter has the capability to decrypt, scan, and re-encrypt HTTPS traffic.
WebTitan provides real-time protection against web-based attacks and uses a constantly updated database of 3 million known malicious sites to block attempts to visit phishing websites. WebTitan is capable of SSL inspection and can inspect HTTPS traffic, block specific applications within a webpage, and display alerts or block sites with fake https certificates.
If you want to improve protection against web-based attacks, contact the TitanHQ team today for more information about WebTitan.
While it is good news the GandCrab ransomware operation has been shut down, ransomware attacks are on the rise and a new threat has been detected: Buran ransomware.
Buran ransomware lacks some of the common features of more successful ransomware strains. The ransomware does not make any attempt to hide its activity and it doesn’t attempt to hamper recover by deleting Windows shadow copies. However, it is capable of encrypting a wide range of file types and there is currently no free decryptor available to unlock encrypted files.
Buran ransomware is being spread via the RIG exploit kit, with traffic to that exploit kit generated using a malvertising campaign. Malicious adverts have been injected into legitimate ad networks and are being displayed on a range of different websites. The malvertising campaign was identified by security researcher nao_sec.
The malvertising campaign directs web browsers to a domain hosting RIG, which attempts to exploit several vulnerabilities in Internet Explorer. If an unpatched vulnerability exists, Buran ransomware will be downloaded and executed.
An analysis of the malware suggests it is a new variant of Vega ransomware that was previously used in a campaign in Russia.
While Buran ransomware may not be a long-term successor to GandCrab ransomware, there are many threat actors moving to fill the void. Sodinokibi ransomware attacks are increasing and the ransomware developers are also using a malvertising campaign on the PopCash ad network to deliver traffic to domains hosting the RIG exploit kit.
Exploit kits can only download malware if they have been loaded with an exploit for a vulnerability that has not been patched on a visitor’s computer. The primary defense against these attacks is to ensure that all Windows security updates are applied promptly, along with updates and patches for plugins and other browsers.
There is invariably a delay between a patch being issued and all devices being updated. To provide protection until patches are applied, and to protect against zero-day exploits, a web filtering solution is recommended. A web filter can be used to control the websites that can be visited by employees and can block access to known malicious websites to prevent attacks on vulnerable computers.
TitanHQ is a leading provider of email security, web security, and email archiving solutions to SMBs and managed service providers (MSPs) serving the SMB market. Over the past five years, TitanHQ has significantly expanded its customer base and its solutions now protect over 7,500 businesses and are offered by more than 1,500 MSPs around the world.
TitanHQ works closely with European partners and businesses and has been expanding its footprint throughout the EU. TitanHQ is working towards becoming the leading email and web security solution provider in Europe and as part of that process, the company has recently entered into a new partnership with the French Value Added Distributor Exer.
Exer is one of the leading VADs in France and works with more than 600 value added resellers and integrators in the country. The company specializes in network security, mobile security, Wi-Fi and managed cybersecurity services and helps French VARs better serve their clients.
Under the new partnership agreement, Exer will start offering TitanHQ’s three cloud-based solutions to French VARs: SpamTitan, WebTitan, and ArcTitan.
SpamTitan is an award-winning spam filtering solution that keeps inboxes free from spam emails and malicious messages. The solution is regularly updated to incorporate further controls to ensure that it continues to provide superior protection against an ever-changing email threat landscape. The solution now blocks more than 7 billion spam and malicious messages every month and helps to keep businesses protected from phishing and malware attacks.
WebTitan is a cloud-based DNS filtering solution that protects businesses from a wide range of malicious web content. The solution can also be used to carefully control the types of web content that users can access through company wired and wireless networks. The solution now blocks more than 60 million malicious websites every month and prevents malware downloads, controls bandwidth use, and enforces acceptable internet usage policies, .
ArcTitan is a cloud-based email archiving solution that helps businesses securely store emails to ensure compliance with government and EU regulations. The solution now archives and stores more than 10 million emails each month.
With these solutions, French VARs can provide their clients with even greater value and ensure they are well protected against rapidly evolving cyberthreats.
“Collaboration with TitanHQ is an opportunity to represent a brand internationally recognized on 3 key technologies: Web Content Filtering, Anti-Spam, and Email Archiving. We are eager to propose these security solutions to ours VARs,” explained Exer CEO, Michel Grunspan. “Our regional presence and our expertise will be our strength for asserting the presence of TitanHQ in the French market”
“We are pleased to be offering the Exer partner community choice, enhanced functionality and greater overall value,” explained TitanHQ Executive VP, Rocco Donnino.
A new version of WebTitan Cloud has been released by TitanHQ. WebTitan Cloud 4.12 offers existing and new customers the opportunity to set filtering controls by location, in addition to setting organization-wide policies and role and departmental policies via links to Active Directory/LDAP.
The new feature will be especially useful to MSPs and companies with remote workers, satellite offices, bases in multiple locations, and operations in overseas countries. Organization-wide web filtering policies can be set to prevent users from accessing illegal web content and pornography, but oftentimes, the one size fits all approach does not work for web filtering. The new location filter helps solve this.
MSPs can use this new feature to set web filtering controls for customers in different locations while businesses using WebTitan Cloud can easily set a range of different policies for all users from a specific location, whether those users are accessing the Internet on or off the network.
There will naturally be times when policies need to be bypassed to enable specific tasks to be completed. Rather than making temporary changes to location or other policies, WebTitan Cloud uses cloud keys which allow policy-based controls to be temporarily bypassed.
Accompanying the location-based controls are new reporting options which allow administrators to quickly access information about web views and blocked access attempts in real time. While reports can be useful, oftentimes information needs to be accessed quickly. To help administrators find the information they need, search functionality has been enhanced.
Administrators can use the search filter on the history page to search by location name. For MSPs this allows a specific customer to be selected and for traffic information at a specific location to be quickly viewed in real time, without having to generate a report.
Location-based when filtering policies can be set and viewed for all locations through the same user interface, giving administers full visibility into traffic and settings of all customers through a single pane of glass.
It is hoped that these updates will make WebTitan even more useful for businesses and MSPs and will further improve the user experience.
Earlier this month, the FBI Internet Crime Complaint Center (IC3) released its annual Internet Crime Report, which highlights the most common attack trends and the extent of financial losses based on victims’ reports of internet crime. The report highlighted the seriousness of the threat of Business Email Compromise (BEC) attacks, which resulted in losses of more than $1.2 billion in 2018 – More than twice the losses to BEC attacks that were reported in 2017.
2019 is likely to see losses increase further still as the BEC attacks are continuing at pace. Last week, almost coinciding with the release of the report, Scott County Schools in Kentucky announced that it was the victim of a major BEC attack that resulted in a loss of $3.7 million.
The school was notified by a vendor that a recent invoice was outstanding. Further investigation revealed payment had been made, just not to the vendor in question. An email had been received that appeared to be from the vendor, which included forged documents and details of a bank account that was controlled by the scammer.
The FBI was contacted, and attempts are being made to recover the funds, although since the payment was made two weeks previously, it is unclear whether it will be possible to recover the money.
A few days later, news broke of another major BEC scam, this time on a church. St. Ambrose Catholic Parish in Brunswick, Ohio, was a victim of a BEC attack that resulted in the fraudulent transfer of $1.75 million from the Church’s renovation fund. The scam was a virtual carbon copy of the Scott County Schools BEC attack.
The church was contacted by its contractor after not having had invoices paid for two months. That was news to the church, which believed that payments had been made on time. The funds had left the church account but had been directed elsewhere. The investigation into the BEC attack revealed hackers had gained access to the church’s email system and altered the contractor’s bank and wire transfer instructions.
These are just two recent examples of major losses to BEC attacks. Many other million-dollar and multi-million-dollar losses have been reported over the past 12 months.
With potential profits in the upper hundreds of thousands or millions of dollars, it is no surprise that organized criminal gangs are turning to business email compromise scams. The scams are easier to pull off than many other crimes and the potential profits are considerably higher.
Business email compromise scams involve the impersonation of an individual or company. The scams are often conducted via email and usually include a request for a wire transfer. The scams require some research to identify a company to impersonate, but in many cases that is not particularly difficult. It would not be difficult, for example, to identify a contractor that is conducting a major renovation. The company’s banners are likely to be clearly visible around the building where the work is being completed.
Impersonating a company is far from challenging. It is child’s play to spoof an email and make it appear to have come from another domain. The scams are even more convincing if an email account is compromised. Then the email will come from a genuine account.
Gaining access to an email account requires a carefully crafted phishing email that directs the recipient to a phishing webpage that collects login credentials – such as Office 365 credentials. A single phishing email could start the scam in motion.
These BEC attacks show how critical it is for businesses to have an advanced anti-spam solution in place to prevent the initial phishing attack from succeeding and to implement multi-factor authentication for email accounts to make it harder for stolen credentials to be used to gain access to corporate email accounts.
TitanHQ partner, Viasat, has launched a new managed Wi-Fi service for businesses that allows them to offer their customers free, in-store Wi-Fi at an affordable price point.
The service is aimed at small and medium sized businesses that want to reap the rewards of providing free Wi-Fi to customers. Businesses that provide free Wi-Fi access can attract new customers and can benefit from customers spending longer in stores.
One of the problems for small businesses is finding a hotspot solution that is affordable. Most SMBs have to resort to setting up Wi-Fi access themselves, which can be difficult. Further, should errors be made, security could be placed in jeopardy and customers – or hackers – could potentially gain access to the business Wi-Fi network.
The Viasat Business Hotspots service makes the creation and management of Wi-Fi hotspots simple. The service can be used to set up Wi-Fi networks indoors or outdoors and has scope for customization. The login page is supplied in white label form ready to take a company’s branding.
The solution keeps the business Wi-Fi network totally separate from the guest Wi-Fi network. Two separate Wi-Fi networks are provided through a single internet connection. The business network remains secure and private and cannot be accessed by guest users, who are only permitted to access the public guest network.
Viasat Business Hotspots is an enterprise-grade hotspot solution for SMBs complete with a range of management and security features. Businesses that sign up for the solution can manage their hotspots through the Viasat management portal where they can view the status of the Wi-Fi network and equipment, manage user access, run a wide range of reports on usage, and customize their login screens.
Viasat Business Hotspots also incorporates enterprise-grade Wi-Fi security which is powered by WebTitan – TitanHQ’s advanced web content filtering solution.
WebTitan offers businesses the option of restricting the types of content that users can access while connected to the Wi-Fi network, such stopping users from visiting inappropriate websites, sites hosting malware, and phishing websites.
Granular controls allow businesses to carefully control content and apply application controls. The solution also includes a full reporting suite, which lets businesses see exactly what sites users are accessing, giving them valuable insights into user behavior while in-store.
TitanHQ has formed a strategic partnership with the GRIDHEART, which will see TitanHQ’s leading cloud-based email security, web security, and email archiving solutions made available to users of the Cloudmore Cloud Commerce platform.
GRIDHEART is a privately-owned Swedish company that delivers the world’s leading cloud-based solutions through its Cloud Commerce platform, Cloudmore.
For the past 10 years, GRIDHEART has been offering leading cloud solutions to its customers and resellers and now deals with more than 1,000 cloud partners. The Cloudmore platform makes selling cloud services easy and brings a wide range of cloud services together in a single unified platform.
The platform gives users complete centralized control over their cloud solutions and allows them to easily provision new customers, bill for services, automate processes, and obtain pre-and post-sales support. The platform provides a host of management tools to make control of SaaS and cloud computing simple.
The partnership with TitanHQ will see the Galway, Ireland-based cybersecurity firm add its leading cybersecurity solutions to the platform, through which users can manage the solutions for free.
GRIDHEART’s customers will be able to offer their clients the SpamTitan Cloud email security solution, the WebTitan web filtering solution, and the ArcTitan email security solution and provide multi-layered security to protect against email, web, and modern blended threats.
“By offering additional layers of cloud-based security through Cloudmore’ s unique Cloud Commerce platform, MSPs can procure and deploy IT services for their customers and quickly maximize their IT investment, enhance their security stack and lower operational costs for their customers,” said Rocco Donnino, Executive VP of Strategic Alliances at TitanHQ. “This agreement highlights the importance of delivering comprehensive security solutions to the MSP community through a single and powerful platform”
“TitanHQ fits the bill as a perfect partner with their razor focus on advanced threat protection via email and the web. We’ve very happy to have them on board,” said Stefan Jacobson, Sales Director of GRIDHEART.
Two companion bills have been introduced in the House and Senate that require mandatory Internet filtering in Hawaii by device manufacturers to block access to adult web content, sites that facilitate human trafficking, and illegal content such as child and revenge pornography.
The bills mirror those introduced in other states in the U.S. to restrict access to adult content by default and prevent illegal online activities. The aim of the bills is not to prevent individuals from accessing adult content in Hawaii, only to make it harder for minors to gain access to inappropriate material and to make prostitution hubs harder for the general public to access. The proposed laws will simultaneously help to protect children and fight human trafficking.
If the bills are passed, Internet filtering in Hawaii will be required by default on all Internet-enabled devices that allow the above content to be viewed.
Adults that wish to opt in to view legal adult content will be free to do so, although in order to lift the digital content block they will be required to pay a one-off fee of $20. In order to have the content block lifted, an individual would be required to provide proof of age (18+) and sign to confirm they have been provided with a written warning about the dangers of lifting the content filter. In addition to the $20 fee, manufacturers, vendors, and other individuals/companies that distribute devices will be permitted to charge a separate, reasonable fee for lifting the content block on a device.
The money raised through the $20 fee payments will be directed to a fund which will be used to support victims of human trafficking and for projects that help to prevent human trafficking and child exploitation.
Any manufacturer, vendor, company, or individual covered by the act that does not implement a digital content block will be liable for financial penalties. Financial penalties will also be applied if requests to block covered content are received and are not added to the content filter within 5 days. Similarly, if a request is made to unblock content not covered by the bill and the request is not processed within 5 days a fine will be issued. The proposed fine is $500 per piece of content.
If the bills are passed, Internet filtering in Hawaii will be mandatory from July 1, 2020.
Phishing is the number one threat faced by businesses and attacks are increasing across all industry sectors. Businesses of all sizes are being targeted by hackers. The risk of phishing attacks should not be underestimated.
The High Cost of a Data Breach
A successful phishing attack that results in a data breach can be incredibly costly to resolve. A 2019 Radware survey suggests the cost of a successful cyberattack has increased to $1.1 million, while the Ponemon Institute’s Cost of a Data Breach Study in 2018 placed the average cost at $3.86 million.
The Anthem Inc. data breach of 2015, that resulted in the theft of 78.8 million health plan members’ personal information, started with a phishing email. The attack resulted in losses well over $100 million.
In 2017, a phishing email sent to a MacEwan University employee resulted in a fraudulent wire transfer of $11.8 million to the attacker’s bank account.
Essential Anti-Phishing Controls for Businesses
For most businesses there are two essential elements to anti-phishing defenses. A spam filtering solution to identify phishing emails and block them before they are delivered to employees’ inboxes and training for staff to ensure that if a malicious email makes it past the perimeter defenses, it can be identified as such before any harm is caused.
A spam filter is quick and easy to implement, although care must be taken to choose the correct solution. Not all spam filtering and anti-phishing solutions are created equal.
The Danger of Relying on Office 365 Anti-Phishing Controls
Many businesses now use Office 365 for email. 155 million business (and growing) are now using Office 365. That makes Office 365 a major target for hackers.
Microsoft does provide anti-phishing and anti-spam protection through its Advanced Threat Protection (APT) offering for Office 365. APT is an optional extra and comes at an additional cost.
APT provides a reasonable level of protection against phishing, but ‘reasonable’ is not sufficient for many businesses. APT is certainly better than nothing, but it does not provide the same level of protection as a third-party spam filtering solution from a dedicated cybersecurity solution provider.
Hackers use Office 365 accounts protected by APT to test their phishing campaigns to make sure they can bypass Office 365 controls. Hackers can easily tell which businesses are using Office 365 as it is broadcasted through public DNS MX records, so finding targets is easy.
With a third-party solution implemented, businesses will be much better protected. Hackers can tell that a business is using Office 365, but they will not know that it has advanced spam defenses from a third-party solution provider. This multi-layer approach is essential if you want to ensure you are well protected against phishing attacks.
SpamTitan is a leading spam filtering solution for businesses that is highly effective at blocking phishing and other malicious emails. Independent tests confirm the solution blocks more than 99.9% of spam and malicious emails and 100% of known malware through its two AV engines. It is a perfect addition to Office 365 to provide even greater protection against phishing threats.
Don’t Underestimate the Importance of Security Awareness Training
No technical anti-phishing solution will be 100% effective, 100% of the time. Hackers are constantly developing new techniques to bypass organizations’ defenses and occasionally messages may be delivered. Employees must therefore be trained how to identify malicious messages and conditioned to be alert to the threat of attack. Employees are the last line of defense in an organization and that defensive line will be tested.
A once a year training session may have been sufficient in the past, but the increased threat of attack means far more frequent training is required. To develop a security culture, it is necessary to have regular training sessions and use a variety of different methods to reinforce that training.
Twice a year formal training sessions should be accompanied by more frequent CBT mini-training sessions, cybersecurity newsletters, posters, and phishing email simulations to identify weaknesses.
SMBs are Being Targeted by Hackers
Many SMB owners think that their business is too small to be targeted by hackers. While large organizations are attacked more frequently, SMB cyberattacks are far from uncommon.
The 2018 State of Cybersecurity in Small and Medium Size Businesses study conducted by the Ponemon Institute showed that 67% of SMBs had experienced a cyberattack in the past 12 months and 58% had experienced a data breach.
Due to the high risk of cyberattacks, the increased number of phishing attacks on SMBs, defenses need to be improved. Businesses that fail to implement appropriate cybersecurity solutions and train staff how to identify phishing emails are a data breach waiting to happen.
Fortunately help is at hand. If you want to improve your defenses against phishing, contact TitanHQ to chat about your options.
In this post we explore the key benefits of Internet content control for businesses and explain how the disadvantages can be minimized or eliminated.
The Problems of Providing Unfettered Internet Access to Employees
Providing employees with Internet access makes a great deal of sense. In order to work efficiently and effectively, employees need access to the wealth of information that is available online. Via the internet, businesses can interact with customers and vendors and provide them with important information. Information can easily be shared with colleagues rather than relying on email, and a wide range of online tools are available to improve productivity.
The Internet is something of a double-edged sword. It offers the opportunity to improve productivity, but it also has potential to reduce productivity. A great deal of time is wasted online by employees – Often referred to as cyber slacking. The losses to cyber slacking can be considerable. If each employee spends an hour a day on personal Internet use, a company with 50 employees would lose 50 hours a day or 250 hours a week. That’s 13,000 hours a year lost to personal Internet use. Many employees waste much more time online than an hour a day, so the losses can be significantly higher.
Personal Internet use can also result in legal problems for businesses. Businesses can be vicariously liable for illegal activities that take place on their network. Illegal file sharing for instance. Some online activities can also lead to the creation of a hostile work environment.
Giving employees full access to the Internet also introduces security risks. As well as very beneficial websites there is no shortage of malicious web content. Phishing websites are used to steal login credentials. If credentials are stolen, hackers can gain access to the network undetected and steal data and install malware. Malware downloads are also common. The cost of mitigating cyberattacks is considerable and can be catastrophic for small to medium sized businesses.
Common Internet Content Control Issues and How to Avoid Them
The solution to these issues is to implement an Internet content control solution. By carefully controlling the websites employees can access at work, productivity losses can be avoided and businesses can effectively manage risk. Access to phishing and other malicious websites can be blocked and businesses can block categories of website that are NSFW or are a major drain on productivity. The former includes adult content and the latter includes gaming websites, dating sites, and social media websites.
Internet content control for businesses is best achieved with a web filtering solution. This can either be an appliance that sites between your Internal network and the Internet through which all web traffic passes, or a DNS-based web filter that applies Internet content control for businesses at the DNS level.
The former is a more traditional approach to content control that comes with certain disadvantages. The latter is a more modern approach, that eliminates the problems of internet content control for businesses.
The benefits of Internet content control for businesses are clear but there are disadvantages. Latency is a key issue. If Internet speed is slowed, productivity declines. Appliance based filtering solutions tend to slow Internet access and download speeds. DNS-based Internet content control for businesses avoids this. There is no latency with DNS-level filtering.
Cost is another stickling point. An appliance-based solution requires a significant outlay and the appliances are not scalable. They need to be upgraded when the business grows. DNS-based solutions on the other hand are highly scalable – up and down. DNS-based filtering is much cheaper – a few dollars a year per employee. TitanHQ also offers monthly billing to make the cost more affordable.
Appliances need to be selected to fit in with your network architecture and there can often be compatibility issues. DNS-filtering allows businesses to seamlessly integrate Internet content control into the current infrastructure. DNS-based filters are technology agnostic and work on all operating systems.
Easy Internet Content Control for Businesses
WebTitan Cloud is an innovative, easy to use, DNS-based web filter that provides cost-effective Internet content control for businesses of all sizes.
For further information on WebTitan Cloud, to arrange a product demonstration, or to register for a free trial, contact TitanHQ today.
OpenDNS used to be a free DNS-based web filtering service, although it has since been acquired by Cisco and rebranded as Cisco Umbrella. Cisco Umbrella is a popular web filter for businesses, although many firms are now abandoning the product and making the switch to WebTitan Cloud. In this WebTitan Cloud v Cisco Umbrella post, we cover some of the key reasons behind this switch.
WebTitan Cloud v Cisco Umbrella
If you are currently a Cisco Umbrella customer and are considering a replacement DNS-based web filtering service, or if you have yet to make a decision on the best web filtering solution to match the needs of your business, we hope this quick WebTitan Cloud v Cisco Umbrella comparison is useful.
WebTitan Cloud v Cisco Umbrella: Key Differences
Cost and pricing
One of the main reasons why businesses switch from Cisco Umbrella to WebTitan is cost. Cisco Umbrella is a powerful web filtering solution, but generally speaking, WebTitan Cloud offers similar features and is a direct swap out. Businesses that make the switch can continue to filter the Internet to protect against web-based threats and exercise content control while making savings of up to 50%.
TitanHQ offers a simple and transparent pricing model with monthly billing. All features are included in the price, rather than the multi-tiered system of Cisco Umbrella that only provides the advanced features in the upper product tiers.
User Interface and Reporting
One of the main complaints about Cisco Umbrella is an overly complicated user interface which can make configuration, maintenance, and generating reports time consuming and difficult. If the staff doesn’t like using a product, they may avoid it, which will have an impact on security. WebTitan Cloud has a highly intuitive user interface with all information placed at your fingertips. That makes for simple configuration and management without the need for user training. It also means problems can be quickly identified and remediated, improving security.
Cisco has a vast and diverse product range and is a massive IT provider. While its products have been developed to meet the needs of businesses, the options available are somewhat rigid. TitanHQ is much smaller by comparison, but as an independent entity, has the flexibility to work more closely with customers and better meet the needs of small to medium sized businesses. Commercial arrangements can be made to suit both parties.
TitanHQ customers benefit from industry-leading customer support, with full support provided to all customers at no additional cost. That includes support during the free trial of the product. With Cisco Umbrella, phone support is only provided to customers on the platinum, gold, or silver plans.
In order to protect the entire enterprise network, WebTitan Cloud applies security rules across the entire organization, in addition to AD/LDAP integration to allow rules to be applied for groups and individuals. Sometimes, individuals may require access to content that violates enterprise-wide rules. WebTitan Cloud allows cloud keys to be generated, which allows filtering controls to be bypassed without the need to change policies. They can be configured to expire after a set time or number of uses.
Ability to Host Locally
Some businesses will have no qualms about using a web filter that is hosted on the service provider’s servers, although this is far from ideal for some businesses such as Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). Businesses that do not want to direct users to an external cloud service can host WebTitan Cloud in a private cloud or host the solution locally. With Cisco Umbrella, local hosting is not an option.
Ability to Rebrand the Solution
Another bugbear of MSPs and MSSPs is the inability to fully rebrand Cisco Umbrella. WebTitan Cloud on the other hand is fully rebrandable and customizable. This includes a full white label and customizable user interface and block page ready for rebranding. This allows service providers to offer the solution to their customers while reinforcing their own brand image.
Further Information on WebTitan Cloud
Our WebTitan Cloud v Cisco Umbrella comparison includes just a few of the reasons why businesses are switching from Cisco Umbrella to WebTitan Cloud. For further information on WebTitan Cloud, to schedule a product demonstration, to register for a free trial to find out how WebTitan Cloud works in your environment, contact the TitanHQ team today.
Reputation loss after a cyberattack can have a major impact on businesses. While large companies may be able to absorb the loss of customers that results, for small to medium businesses, reputation damage and loss of customers can prove devastating.
Cybersecurity consultants and computer forensics firms can be hired to find out how an attack occurred, and new solutions can be implemented to plug the holes through which access to the network was gained. Regaining the trust of customers can be much harder to recover from. Once trust in a brand is lost, some customers will leave and never return.
When personal data has been exposed or stolen, customers feel betrayed. Company privacy policies may not be read, but customers believe that any company that collects their personal data has a responsibility to protect it. A data breach is seen as a breach of the company’s responsibility to keep personal data private and secure, and many customers will take their business elsewhere after such a privacy violation.
Reputation loss after a cyberattack can also make it hard to find new customers. Once information about a breach has been made public, it can be enough to see potential customers avoid a brand.
Extent of Reputation Loss After a Cyberattack
Radware recently conducted a survey to investigate the cost of cyberattacks on businesses. The study revealed 43% of companies that took part in the study said they had experienced negative customer experiences and reputation loss as a result of a successful cyberattack.
Previous studies suggest that as many as one third of customers will stop doing business with a company that has experienced a data breach. A study by Gemalto paints an even bleaker picture. In a global survey of 10,000 individuals, 70% claimed they would stop doing business with a company that had experienced a data breach.
The cyberattack on the telecoms company TalkTalk in 2015 – which cost the firm an estimated £77 million – caused uproar online. Customers turned to social media networks to express their rage about loss of service and the theft of their personal data. The company’s reputation took a massive hit as a result of the attack, not helped by interviews with the hackers who explained how easy it was. The firm claimed it lost around 101,000 customers as a result of the incident. Research from Kantar Worldpanel ComTech suggests 7% of its broadband customers – around 300,000 people – left the firm for another provider.
With such potential losses, it is no surprise that the Marsh and Microsoft Global Cyber Risk Perception Survey in 2018 found that reputation loss after a cyberattack was the biggest concern of companies. 59% of respondents rated it as a major concern.
Steps can naturally be taken to limit customer turnover, repair reputations, and win back customer trust, but repairing damage to a brand and winning back customers can be a long uphill struggle.
Given the high probability of a cyberattack and the potential repercussions, increased investment in cybersecurity defenses to prevent breaches should be given serious consideration.
It is not possible to prevent all cyberattacks, but it is possible to implement security solutions to protect against the most common attack vectors – email and malicious websites – and that is an area where TitanHQ can help.
The Fallout exploit kit, a toolkit used to silently deliver ransomware and malware to vulnerable devices, was first identified in September 2018. Between September and December, the toolkit was used to exploit vulnerabilities and deliver GandCrab ransomware and other malicious payloads. Towards the end of the year, the vulnerabilities most commonly exploited were a remote code execution vulnerability in the Windows VBScript engine (CVE-2018-8174) and the use-after-free vulnerability in Adobe Flash Player (CVE-2018-4878).
Around December 27, 2018, Fallout exploit kit activity stopped, but only for a few days. Now the exploit kit is back, and several updates have been made including the addition of HTTPS support, a new landing page format, and PowerShell-based malware downloads. A new exploit has also been added for a zero-day use-after-free Adobe Flash player vulnerability (CVE-2018-15982) which was patched on December 5, 2018: A vulnerability also exploited by the Underminer exploit kit.
The Fallout exploit kit is primarily delivered via malvertising campaigns – malicious adverts on third-party ad networks that are served on a variety of legitimate websites. The adverts redirect users to the exploit kit, which probes for vulnerabilities and exploits them to silently deliver malware or ransomware. The updated version of the Fallout exploit kit is delivering the latest version of GandCrab ransomware, for which there is no free decryptor. In addition to GandCrab ransomware, the Fallout exploit kit is delivering ServHelper, AZORult, TinyNuke, Dridex and Smokebot malware.
The malvertising campaigns used to generate traffic to the exploit kit include TrafficShop, Popcash, RevenueHits, and HookAds. The latter is primarily used on high-traffic adult websites that are visited millions of times a month. Users are redirected to a decoy adult site that contains the exploit kit and would be unaware that anything untoward has happened. If there is an unpatched vulnerability for which fallout has an exploit, the ransomware or malware payload will be silently downloaded.
Exploit kit activity is now much lower than in 2016 when EKs were extensively used to deliver malware, but the latest updates show EKs are still a threat and that they are regularly being updated with the latest exploits.
Exploit kits can only deliver malware if unpatched vulnerabilities are present, so prompt patching is strongly recommended. Users also need to visit the sites hosting the exploit kit. Businesses can prevent users from visiting malicious websites using a web filter.
Web filters use blacklists of websites known to host exploit kits are capable of scanning websites for malicious content. They can also prevent third-party ads from being displayed, thus preventing redirects. Since certain categories of website are often used in malvertising campaigns, adult sites and torrents sites for instance, blocking access to those categories of content with a web filter is also recommended.
For further information on web filtering and how it can protect against web-based attacks, contact the TitanHQ team today.
Web filtering is important for protecting users from web-based threats and for controlling what users can do online. There are many choices of web filtering solutions, including Cisco Umbrella. While the latter is popular, many businesses and organizations are now changing from Cisco Umbrella to WebTitan.
In this post we explain some of the main benefits of changing from Cisco Umbrella to WebTitan and illustrate this with an example from the education sector.
Web Filtering for Schools and Libraries and CIPA Compliance
Web filters are a requirement of the Children’s Internet Protection Act (CIPA). CIPA was enact by congress in 2000 and is concerned with protecting minors from harmful website content such as pornography. CIPA requires schools and libraries to implement an Internet safety policy that addresses the safety and security of minors online.
To comply with CIPA, measures must be introduced to block access to obscene content, child pornography, and other web content that is considered to be harmful to minors. Additionally, schools must educate minors about appropriate online behavior and monitor the online activities of minors.
While there are many choices of web filters for schools that can help them comply with CIPA, not all solutions are created equal. While it is usually easy to block access to harmful content, with some solutions monitoring user activity can be difficult and time consuming.
Why Did Saint Joseph Seminary College Change from Cisco Umbrella to WebTitan?
There is no doubt that Cisco has developed a powerful web filtering solution in Umbrella that can offer protection from web-based threats and allow content control, but the solution is not without its drawbacks.
One of the main downsides is usability, especially monitoring the online activities of users, something that is particularly important for CIPA compliance. It was proving to be particularly difficult for Saint Joseph Seminary College, which needed to quickly identify attempts by students to access restricted content.
“I don’t need rounded corners and elegant fonts when I am trying to see who has been visiting dangerous websites. I need to clearly see domain names and internal IPs,” explained Saint Joseph Seminary College IT Director Todd Russell. “In my opinion, after Cisco bought OpenDNS, they made some major changes to the UI which made it virtually useless for quickly looking through blocked traffic for signs of particular types of usage.” The complexity of the user interface made the solution unpopular with IT staff and the complexity was jeopardizing security.
Ease of use was a major problem, but the troubles didn’t end there. There was also the issue of cost. “We found that once Cisco bought OpenDNS, they began upping the Umbrella pricing every year at renewal time. Despite the repeated price increases, the service was not improving and there was no additional value offered,” explained Russell.
Cost and usability issues prompted Russell to look for a Cisco Umbrella alternative. After assessing various Cisco Umbrella alternatives, the decision was taken to switch from Cisco Umbrella to WebTitan. “It didn’t take long to realize that WebTitan was the best alternative for an efficient, cost-effective, and easy to use filtering solution to replace Cisco Umbrella,” explained Russell.
“I am able to quickly scan an entire previous day of blocked traffic and take a closer look at the full traffic on any users that raise a concern in a matter of minutes. This has saved me an enormous amount of time when I need to examine a user’s traffic, but it has also made it possible for me to keep close tabs on our traffic.” All the information required was accessible with just two clicks.
In terms of time savings gained from using WebTitan and the lower cost of running the solution, the college has been able to make significant cost savings as well as identify and remediate issues immediately, which means greater safety and security for students.
Are You Looking for an Alternative to Cisco Umbrella?
If you are currently using Cisco Umbrella and are frustrated with the interface and are unable to easily get the information you need, or if you are looking for a lower-cost alternative to Cisco Umbrella that will not jeopardize security, you have nothing to lose by evaluating WebTitan.
Contact the TitanHQ team today and you can arrange a product demonstration and set up a free trial of the full solution to see for yourself the difference it makes.
In the words of Todd Russell, “That brief demo was all I needed to know that WebTitan would serve my needs much better than Umbrella and I have been thrilled with the improvements to my workflow since switching over.”
It is straightforward to implement security controls to protect wired networks, but many businesses fail to apply the same controls to improve WiFi security, often due to a lack of understanding about how to improve wireless access point security. In this post we cover some of the main threats associated with WiFi networks and explain how easy it can be to improve wireless access point security.
Wireless Access Points are a Security Risk
Most businesses now apply web filters to control the types of content that can be accessed by employees on their wired networks but securing wireless networks can be more of a challenge. It is harder to control and monitor access and block content on WiFi networks.
Anyone within range of the access point can launch an attack, especially on public WiFi hotspots which have one set of credentials for all guest users. It is therefore essential that controls are implemented to improve wireless access point security and protect users of the WiFi network.
WiFi Security Threats
A single set of credentials means cybercriminals are afforded a high degree of anonymity. That allows them to use WiFi networks to identify local network vulnerabilities virtually undetected. They could conduct brute force attacks on routers, for example, or use WiFi access to inject malware on servers that lack appropriate security. If access is gained to the router, attacks can be launched on connected devices, and malware can be installed on multiple end points or even POS systems to steal customers’ credit/debit card information.
The cyberattack on Dyn is a good example of how malware can be installed and used for malicious purposes. The DNS service provider was attacked which resulted in large sections of the Internet being made inaccessible. A botnet of more than 100,000 compromised routers and IoT devices was used in the attack.
Man-in-the-Middle attacks are also common on Wi-Fi networks. Any unencrypted content can be intercepted, such as if information is exchanged between a user and a HTTP site, rather than HTTPS, if a VPN is not used.
Public WiFi networks are often used for all manner of nefarious purposes due to the anonymity provided. If users take advantage of that anonymity to access illegal content and download child pornography or perform copyright infringing downloads of music, films, and TV shows from P2P file sharing sites, an investigation would center on the hotspot provider. Questions would likely be asked about the lack of security controls to prevent illegal website access.
The Easy Way to Improve Wireless Access Point Security
The easy way to improve wireless access point security is a web filtering solution. Web filtering solutions are usually implemented by businesses to secure wired networks, but solutions also exist to improve wireless access point security.
A web filter forms a barrier between the users of the network and the Internet. Controls can be applied to stop users from accessing dangerous, illegal, or inappropriate website content. Even if each user has their own access controls, without a web filter, users will still be vulnerable to malware attacks and phishing attempts and the hotspot provider may be liable for illegal activities over the WiFi network.
There are two ways of implementing WiFi web filtering to improve wireless access point security. One is to rely on a list of categorized domain names and use that to control content. The other is DNS-layer web filtering, which uses the DNS lookup process that is required before any user is directed to a website after entering the domain name into their browser. The DNS server turns the domain name into an IP address to allow the web page to be found.
Why DNS Filtering is Best Way to Improve Wireless Access Point Security
The main difference between the two types of web filtering is the point at which access is blocked. With a traditional web filter, content is first downloaded before it is blocked, which is a risk. With DNS-layer filtering, content is blocked during the lookup process before content is downloaded.
If content is downloaded before being blocked, this will naturally have an impact on available bandwidth. DNS-layer filtering has no impact on bandwidth, since the content is blocked before it is downloaded.
DNS filtering does not need to be integrated with other systems and it works across all devices and operating systems, since they all use DNS servers to access websites.
DNS filtering is also quick and easy to implement. No appliances need to be purchased, hardware doesn’t need to be upgraded, and no software downloads are required. A simple change to the DNS is all that is required to point it to the provider’s DNS server. It is also much easier to maintain. No software updates are necessary and, in contrast to other security solutions, no patching is required. It is all handled by the service provider.
WebTitan Cloud for WiFi – The Leading Wireless Access Point Security Solution
TitanHQ has set the standard for WiFi security with WebTitan Cloud for WiFi. WebTitan Cloud for WiFi gives businesses the opportunity to implement bulletproof WiFi security to protect end users from online threats, block malware downloads, and carefully control the content that can be accessed by wireless network users.
Businesses that run WiFi hotspots can quickly and easily implement the solution and let TitanHQ secure their WiFi networks and provide the massive processing power to fight current and emerging web-based threats. With WebTitan Cloud for WiFi, businesses can instead concentrate on profit-generating areas of the business.
If you want to improve wireless access point security, contact TitanHQ for further information on WebTitan cloud for WiFi. Our security experts will be happy to schedule a product demonstration and set up for a free trial.
In this post we explore the use of Internet filtering to improve employee productivity, including statistics from recent surveys that show how many companies are now choosing to control employee Internet access more carefully.
Employee Productivity Falls on Black Friday and Cyber Monday
The staffing firm Robert Half Technology recently conducted a survey on 2,500 chief information officers (CIOs) across 25 metropolitan areas in the United States and more than 1,000 U.S. officer workers over 18 years of age to determine how Black Friday and Cyber Monday affect employee productivity.
The results of the survey provide an indication on what goes on throughout the year, but Black Friday and Cyber Monday were studied as they are the two busiest days for online shopping. The survey results show that three quarters of employees spent at least some of Cyber Monday shopping online on a work device. Four out of 10 workers said they spent more than an hour looking for bargains online on Cyber Monday while they were at work. 23% said they were expecting to spend even longer than that this year.
46% of workers said they would be online shopping on their work computers during their lunch hour and breaks, but 29% said they would be shopping throughout the day and would be keeping browser tabs open. 20% of workers said they would do online shopping at work in the morning.
While policies on accessing pornography may have been made crystal clear, online shopping is something of a gray area. 31% of employees were not aware of their company’s stance on online shopping on work devices. 43% said their employers permit it and 26% said it is not permitted.
The survey of CIOs shows 49% of companies allow online shopping within reason but that they monitor employee Internet use. 22% said they allow totally unrestricted Internet access while 29% have implemented solutions to block access to online shopping sites.
In June 2018, Spiceworks published the results of a survey that showed 58% of organizations actively monitor employee Internet activity and 89% of organizations use Internet filters to block at least one category of Internet content.
Most surveyed companies use Internet filtering to improve employee productivity. While only 13% block online shopping sites, many companies block other productivity-draining sites such as social media, gaming, gambling and dating sites.
Internet filtering to improve employee productivity is important, but the majority of companies are flexible when it comes to employee Internet use for personal shopping, provided employees keep it to a reasonable level.
Monitoring Employee Internet Access to Prevent Abuse
Many businesses use Internet filtering to improve employee productivity and enforce acceptable usage policies. Some control Internet access with an iron fist, others are much more permissive.
Regardless of the controls that are put in place, Internet filters also allow employers to keep close tabs on their employees’ Internet activity. An internet filter is a useful tool for monitoring employees, not just enforcing company policies.
Internet filters allow employers to easily check employee Internet use while maintaining a relatively permissive controls. This allows them to take action when individuals are abusing Internet access. Monitoring is easy as reports can be generated on user, group, or organization-wide activity while providing information on browsing activity in real time. Reports can also be automatically generated and sent to department heads or IT security teams.
Different controls can be applied to different user groups and time-based controls can be set, for instance, only permitting online shopping during lunch hours or other scheduled breaks. Such controls would be useful for stopping the 20% of workers that do their online shopping at work in the morning which, in many businesses, is the most important part of the day when productivity needs to be high.
Since controls can be applied for different types of Internet content, security can be maintained by blocking access to high risk sites and illegal or totally unacceptable content all of the time, while restrictions on other categories of content can be eased during relatively quiet periods.
In short, Internet filters should not be viewed just as a way of restricting employee Internet access, but as a tool for the management of Internet use to improve security and enjoy productivity gains while giving employees some flexibility.
How TitanHQ Can Help
Not all Internet filters offer businesses the highly granular controls that are necessary to carefully control Internet content. Many lack flexibility and have difficult to use interfaces.
Applying and managing Internet filters should be an easy process, which is why TitanHQ developed the WebTitan suite of products. WebTitan Gateway, WebTitan Cloud, and WebTitan Cloud for WiFi have been developed to make Internet filtering a simple process, while giving businesses the ability to precisely control employee Internet access to achieve productivity gains and improve security.
What Makes WebTitan the Ideal Choice for Businesses
Listed below are some of the key features of WebTitan that are often found lacking in other business Internet filtering solutions.
No hardware purchases necessary
No software downloads required
Quick and easy set up and application of Internet policies
Highly granular controls allow flexible policies to be applied
Links with Active Directory and LDAP allowing easy application of organization, department, group, or user-level Internet controls
Easily block content through 53 pre-defined categories and 10 customizable categories
Keyword-based filtering controls
Dual anti-virus engines provide leading AV protection
Excellent protection from phishing websites
An intuitive web-based user interface places all information and controls at your fingertips
Protect wired and wireless networks, including protection/content controls for off-site workers
Provides full visibility of network usage
Full reporting suite, including group and user activity, real time browsing activity, report scheduling, and real-time alerts
If you want to use Internet filtering to improve employee productivity, enforce acceptable usage policies, and improve security by blocking web-based threats, WebTitan is the ideal solution.
For more information on WebTitan and advice on the best option to suit the needs of your business, contact the TitanHQ team today. Our experts will be happy to book a product demonstration and help you take advantage of a free trial of the full product to see the solution in action and discover the difference it makes.
The students of Notre Dame University in Indiana are calling for WiFi filters to block pornography on public WiFi hotspots at the university. The campaign has attracted more than 1,000 signatures and now Enough is Enough has added its backing to the campaign.
Pressure Mounting on WiFi Hotspot Providers to Implement Content Controls
There have been calls for coffee shops, restaurants, and other providers of WiFi filters to block pornography. One campaign targeting Starbucks has recently proven to be successful. A campaign led by the pressure group Enough is Enough helped to convince the global coffee shop chain to finally implement WiFi filters to block pornography, albeit more than two years after the initial promise was made. A similar campaign in 2016 resulted in WiFi filters being implemented in McDonalds restaurants.
This week, Enough is Enough has issued a fresh call for the use of WiFi filters to block pornography, this time at the University of Notre Dame in Indiana.
Support for University of Notre Dame Students Demanding WiFi Filters to Block Pornography
In October 2018, Jim Martinson, a student at the University of Notre Dame, launched a campaign calling for the University to implement a WiFi filter to block pornography on campus. The university cannot stop students from using their own devices and data to view adult content, but Martinson believes the university should not be allowing students to freely use its WiFi networks to view pornographic material on campus.
Jim Martinson’s campaign has gathered considerable support. After writing a letter to the university from the men of Notre Dame, to which 80 fellow male students added their names, a similar letter was written by Ellie Gardey. Gardey’s letter was signed by 68 female students at the university.
In Jim Martinson’s letter to the university from the men of Notre Dame, he cites a previous university survey, conducted in 2013, which revealed 63% of male students had viewed pornography on the WiFi network of the university. That figure is in line with various national surveys that showed 64% of men and 18% of women at colleges spend at least some time each week viewing pornography. National research indicates that each month, 86% of men have at least some interactions with pornographic material. Martinson also points out that pornography has already been declared a public health crisis in five states due to the harm it causes and that the university needs to take action to protect students.
Since the letters were written, the campaign has gathered more than 1,000 signatures from staff and students. Yet even with widespread approval for university WiFi filtering, nothing has yet been done to accommodate the request.
Enough is Enough Launches its Own Campaign to Pressure the University to Take Action
Enough is Enough has now launched its own campaign to pressure the university into responding to the request and has given its backing to the Notre Dame porn free WiFi campaign.
“By implementing a filtered WiFi solution, the University of Notre Dame can stand as a leader among colleges and universities to ensure the safety of its students, faculty and others,” Explained EIE President and CEO, Donna Rice Hughes. “Having a policy prohibiting porn or sexually explicit material is not enough – taking concrete action to prevent its access is the only viable solution. Filtered WiFi will also prevent predators from accessing child pornography utilizing the University’s WiFi and flying under the radar of law enforcement.”
There is another reason why university web filters should be put in place: To prevent financial harm from being caused to students. A WiFi filter not only allows certain categories of web content to be blocked, it will also prevent students from accessing phishing websites and sites known to harbor malware.
WebTitan Cloud for WiFi – A Simple but Powerful WiFi Filtering Solution
TitanHQ has developed an easy to use web filtering solution that is ideal for use in educational institutions to carefully control the content that can be accessed on public WiFi networks and to enforce acceptable internet usage polices.
Being 100% cloud based, the solution requires no hardware or software, the cost per user is low, and the filtering controls are highly accurate. The solution provides coverage of Alexa’s top 1 million most visited websites, supports blacklists such as the child pornography/child abuse blacklist maintained by the Internet Watch Foundation, and allows 53 categories of website to be blocked with a click of a mouse.
In addition to blocking unsavory content, WebTitan is effective at blocking malware downloads and preventing WiFi users from accessing malicious websites such as those used for phishing.
The solution is highly scalable and can protect thousands of WiFi access points through a single, easy to use, user interface.
For further information on WebTitan Cloud for WiFi, to book a product demonstration, and to sign up for a free trial to see the solution in action in your own environment, contact the TitanHQ team today.
A credential stuffing attack has led to a Dunkin Donuts data breach which has seen some customer data compromised. While the breach was limited and most attempts to access customers’ DD Perks accounts were blocked, the incident does highlight the risks of password reuse.
It is unclear exactly how many customers have been affected, but for certain customers, the attackers may have gained access to their DD perks accounts – The loyalty program run by the donut company. The Dunkin Donuts data breach was limited to first and last names, email addresses, DD Perks account numbers, and QR codes.
The method used to gain access to customers DD perks accounts was unsophisticated, cheap to conduct, and in the most part can be conducted automatically. Low cost and little effort makes for a winning combination for hackers.
The Dunkin Donuts data breach did not involve internal systems and no credentials were stolen from the donut giant. Customers’ usernames (email addresses) and passwords were obtained from security breaches at other companies. Those usernames and passwords were then utilized in an automated attack on Dunkin Donuts customers’ DD Perks accounts. Dunkin Donuts has performed a password reset and affected users will be required to choose a new password. New DD Perks account numbers will be given to affected customers and their card balances will be transferred to the new account.
Since Dunkin Donuts did not expose any passwords and its systems remained secure, the only individuals that will have been affected are those that have used the same password for their DD Perks account that they have used on other online platforms.
The Risks of Password Reuse
Hackers obtain credentials from multiple data breaches, compile the data to create a list of passwords that have previously been used with a specific email address, then conduct what is known as a credential stuffing attack. Multiple login attempts are made using the different passwords associated with an email address.
The Dunkin Donuts data breach demonstrates the importance of good password hygiene and the risks of password reuse. Every user account must be secured with a strong, unique password – One that has not been used with a particular email address or username in the past and is not shared across multiple platforms.
If any online platform experiences a data breach and credentials are obtained, only the account at the breached entity will be compromised.
Naturally, using different passwords for each account means users are required to have scores of unique passwords for their work and personal accounts and remembering strong passwords can be difficult. That is why so many people reuse passwords on multiple accounts or recycle old passwords.
To avoid having to remember so many passwords it is advisable to use a password manager to generate strong passwords and store them. Of course, the password manager account must be secured with a very strong password or long pass phrase as if that account is breached, al passwords will be compromised.
There are many reasons why businesses should implement a WiFi filtering solution, but one of the most important aspects of WiFi filtering is protecting your brand.
The Importance of Brand Protection
It takes a lot of hard work to create a strong brand that customers trust, but trust can easily be lost if a company’s reputation is damaged. If that happens, rebuilding the reputation of your company can be a major challenge.
Brand reputation can be damaged in many ways and it is even easier now thanks to the Internet and the popularity of social media sites. Bad feedback about a company can spread like wildfire and negative reviews are wont to go viral.
Smart business owners are proactive and take steps to protect their digital image. They are quick to detect and enforce online copyright infringements and other forms of brand abuse. They monitor social media websites and online forums to discover what people are saying about their company and how customers feel about their products and services. They also actively manage their online reputation and take steps to reinforce their brand image at every opportunity.
Cyberattacks Can Seriously Damage a Company’s Reputation
One aspect of brand protection that should not be underestimated is cybersecurity. There are few things that can have such a devastating impact on the reputation of a company as a cyberattack and data breach. A company that fails to secure its POS systems, websites, and network and experiences a breach that results in the theft of sensitive customer data can see their reputation seriously tarnished. When that happens, customers can be driven to competitors.
How likely are customers to abandon a previously trusted brand following a data breach? A lot more than you may think! In late 2017, the specialist insurance services provider Beazley conducted a survey to find out more about the impact of a data breach on customer behavior. The survey was conducted on 10,000 consumers and 70% said that if a company experienced a data breach that exposed their sensitive information they would no longer do business with the brand.
WiFi Filtering and Protecting Your Brand
The use of Wi-Fi filtering for protecting your brand may not be the first thing that comes to mind when you think about brand protection, but it should be part of your brand protection strategy if you offer WiFi access to your customers or provide your employees with wireless Internet access.
It is essential for businesses to take steps to ensure their customers are protected and are not exposed to malware or phishing websites. If a customer experiences a malware infection or phishing attack on your WiFi network the fallout could be considerable. If your employees download malware, they could give hackers access to your network, POS system, and sensitive customer data. If you offer free Wi-Fi to your customers, you need to make sure your Wi-Fi network is secured and that you protect your customers from malicious website content.
One of the most important aspects of WiFi filtering for protecting your brand is preventing your WiFi access points from being used for illegal activities. Internet Service Providers can shut down Internet access over illegal activities that take place over the Internet. That will not only mean loss of WiFi for customers but could see Internet access lost for the whole company. Your company could also face legal action and fines.
If WiFi users can access pornography and other unacceptable content, a brand can be seriously tarnished. Imagine a parent discovers their child has seen pornography via your WiFi network – The failure to prevent such actions could be extremely damaging. WiFi filters allow businesses to carefully control the content that can be accessed on their network and prevents customers from viewing harmful web content.
WebTitan Cloud for WiFi – The Easy Way to Secure Your WiFi Access Points
Implementing a WiFi filter to protect your brand and provide safe and secure Internet access for your employees and customers is a quick and easy process with WebTitan Cloud for WiFi.
WebTitan Cloud for WiFi is a powerful, yet easy to use web filtering solution for WiFi hotspots that requires no hardware purchases or software downloads. WebTitan Cloud for WiFi can be implemented and configured in just a few minutes. No technical skill required.
WebTitan Cloud for WiFi is highly scalable and can protect any number of access points, no matter where they are located. If you have business premises in multiple locations, or in different countries, WebTitan Cloud for WiFi will protect all of your access points via an intuitive web-based user interface.
WebTitan Cloud for WiFi protects against online threats, allows businesses to carefully control the types of content that WiFi users can access, allows businesses to control bandwidth use, and gives them full visibility into network usage.
If you have yet to implement a WiFi filter on your hotspots, give TitanHQ a call today for details of pricing, to book a product demonstration, and register for a free trial.
A Starbucks porn filter will finally be introduced in 2019 to prevent adult content from being accessed by customers hooked up to the coffee shop chain’s free WiFi network.
It has taken some time for the Starbucks porn filter to be applied. In 2016, the coffee shop chain agreed to implement a WiFi filtering solution following a campaign from the internet safety advocacy group Enough is Enough, but two years on and a Starbucks porn filter has only been applied in the UK.
Businesses Pressured to Implement WiFi Filters to Block Porn
Enough is Enough launched its Porn Free WiFi campaign – now renamed the SAFE WiFi campaign – to pressure businesses that offer free WiFi to customers to apply WiFi filters to restrict access to adult content. In 2016, more than 50,000 petitions were sent to the CEO’s of Starbucks and McDonalds urging them to apply WiFi filters and take the lead in restricting access to pornography and child porn on their WiFi networks.
After petitioning McDonald’s, the global restaurant chain took prompt action and rolled out a WiFi filter across its 14,000 restaurants. However, Starbucks has been slow to take action. Following the McDonalds announcement in 2016, Starbucks agreed to roll out a WiFi filter once it had determined how to restrict access to unacceptable content without involuntarily blocking unintended content. Until the Starbucks porn filter was applied, the coffee shop chain said it would reserve the right to stop any behavior that negatively affected the customer experience, including activities on its free WiFi network.
The apparent lack of action prompted Enough is Enough to turn up the heat on Starbucks. On November 26, 2018, Enough is Enough president and CEO, Donna Rice Hughes, issued a fresh call for a Starbucks porn filter to be implemented and for the coffee chain to follow through in its 2016 promise. Rice Hughes also called for the public to sign a new petition calling for the Starbucks porn filter to finally be put in place.
Starbucks Porn Filter to Be Applied in All Locations in 2019
Starbucks has responded to Enough is Enough, via Business Insider, confirming that it has been testing a variety of WiFi filtering solutions and has identified one that meets its needs. The Starbucks porn filter will be rolled out across all its cafes in 2019.
All businesses that offer free WiFi to their customers have a responsibility to ensure that their networks cannot be abused and are kept ‘family-friendly.’ It is inevitable that some individuals will abuse the free access and flaunt policies on acceptable use. A technical solution is therefore required to enforce those policies.
While Enough is Enough is focused on ensuring adult content is blocked, there are other benefits of WiFi filtering. A WiFi filter protects customers from malware downloads and can stop them accessing phishing websites. All manner of egregious and illegal content can be blocked.
WiFi filters can also help businesses conserve bandwidth to make sure that all customers can access the Internet and enjoy reasonable speeds.
WebTitan Cloud for WiFi – The Easy Way to Start Filtering Content on WiFi Networks
TitanHQ has long been an advocate of WiFi filtering for public WiFi hotspots and has developed WebTitan Cloud for WiFi to allow businesses to easily block access to unacceptable and illegal web content on WiFi networks.
WebTitan Cloud for WiFi allows businesses to carefully control the content that can be accessed over WiFi without involuntarily blocking unintended content. Being 100% cloud based, no hardware purchases are required and no software downloads are necessary.
The solution offers businesses advanced web filtering capabilities through an easy to use intuitive user interface. No IT consultants are required to implement and run the solution. It can be set up and operated by individuals that have little to no technical knowhow.
The solution is highly scalable and can be used to protect thousands of users, at multiple locations around the globe, all controlled through a single user interface.
If you run a business that offers free WiFi to customers and you have not yet started controlling the activities that can take place over your WiFi network, contact TitanHQ today for further information on WebTitan Cloud for WiFi.
Managed Service Providers (MSPs) that want to start offering WiFi filtering to their clients can join the TitanHQ Alliance. All TitanHQ solutions have been developed to meet the needs of MSPs and make it easy for them to add new security capabilities to their service stacks.
DNS web filtering for MSPs is an easy way to improve security for your clients, save them money, and boost your profits. This post explains the benefits of a DNS-level web filter for MSPs and their clients.
DNS web filtering is a great way for MSPs to boost profits, save clients money, and better protect them from cyber threats. Web filtering is an essential cybersecurity measure that businesses of all sizes should be using as part of their arsenal against malware, ransomware, botnets and phishing attacks. However, many MSPs fail to include web filtering in their security offerings and consequently miss out on an important income stream: One that requires little effort and generates regular monthly income.
What Are the Benefits of Web Filtering?
There are two main benefits of web filtering: Enforcing Internet usage policies and cybersecurity. Employees need to be able to access the Internet for work purposes, but many employees spend a considerable percentage of their working day accessing websites that have no work purpose. Cyberslacking costs businesses dearly. Businesses that do not filter the Internet will be paying their employees to check personal mail, view YouTube videos, visit dating websites, and more. A web filter will help to curb these non-productive activities and will also prevent employees from accessing inappropriate or illegal web content and avoid legal and compliance issues.
A recent study by Spiceworks revealed the extent of the problem. 28% of employees at large companies (more than 1,000 employees) spend more than four hours a week on personal Internet use and the percentages increase to 45% for mid-sized businesses and 51% for small businesses. The difference in those figures reflects the fact that more large businesses have implemented web filters. 89% of large companies have implemented a web filter to curb or prevent personal Internet usage and, as a result, benefit from an increase in productivity of the workforce.
Web filtering is essential in terms of cybersecurity. The Spiceworks study revealed 90% of large companies use a web filter to block malware and ransomware infections. A web filter prevents employees from accessing websites known to be used for phishing and those that host malware.
The Spiceworks study showed just how important a web filter is in this regard. 38% of companies had experienced at least one security incident in the past year as a result of employees visiting web pages for personal use, most commonly webmail services and social media channels.
Additional benefits of web filtering include improving network performance and ensuring sufficient bandwidth is available for all users – by blocking access to bandwidth-heavy online activities such as gaming and video streaming.
From the productivity gains alone, a web filter will pay for itself. Add in the costs that are saved by preventing malware and phishing attacks and use of a web filter really is a no brainer.
Why DNS Web Filtering for MSPs is the Way Forward
MSPs have three main web filtering options open to them. An appliance-based web filter, a virtual appliance or software solution, or a DNS filter. DNS web filtering for MSPs is usually the best choice.
DNS web filtering for MSPs avoids the need for hardware purchases so there is not an initial high cost for clients or for the MSP, since a powerful appliance does not need to be installed in an MSP’s own data center. DNS web filtering for MSPs means no site visits are necessary to install the solution as no hardware is required and no software downloads are necessary. DNS web filtering is not restricted by operating systems and is hardware independent, and since there are no clients to install, there will not be any installation issues. A DNS web filter also doesn’t have any impact on Internet speed.
A SaaS DNS web filtering solution, such as WebTitan Cloud, allows MSPs to deploy the web filter for their clients in a few minutes. All that is required is to direct clients’ DNS the cloud-based filter.
DNS web filtering for MSPs is easy to implement, simple to use, requires little management, and with WebTitan Cloud, MSPs benefit from generous margins. Improving clients’ security posture and helping them make important productivity gains could not be easier.
Why WebTitan Cloud is the Best Choice for MSPs
WebTitan Cloud has been developed to meet the needs of the SMB marketplace but with MSPs firmly in mind. WebTitan includes a full suite of pre-configured reports (with scope for customization) to allow MSPs to show their clients the sites that have been blocked and what employees have been up to online. The reports give MSP clients total visibility into their web traffic and highlight problem areas and show trends affecting network performance. The reports can be automated and sent directly to clients with no MSP involvement.
Some of the key benefits of TitanHQ’s DNS web filtering for MSPs are detailed below:
WebTitan Cloud can be hosted by TitanHQ or by MSPs in a private cloud
WebTitan Cloud includes APIs to integrate with auto-provisioning, billing, and monitoring systems
MSPs do not need to become an ISP to use the service
WebTitan Cloud is scalable to hundreds of thousands of users
WebTitan Cloud includes multiple management roles
New customers can be added and configured in minutes
WebTitan Cloud can be supplied in white-label form ready for an MSP’s logos and UI color schemes
MSPs benefit from industry-leading customer service
Highly competitive pricing and aligned monthly billing
If you have yet to start offering web filtering to your clients or if you are unhappy with the usability or cost of your current solution, contact TitanHQ’s Alliance team today for full product details, details of pricing, to book a product demonstration and register for a free trial.
The biggest cyber threat to SMBs is ransomware, according to Dato’s State of the Channel Report. While other forms of malware pose a serious risk and the threat from phishing is ever present, ransomware was considered to be the biggest cyber threat to SMBs by the 2,400 managed service providers that were polled for the study.
Many SMB owners underestimate the cost of mitigating a ransomware attack and think the cost of cybersecurity solutions to prevent attacks, while relatively low, are not justified. After all, according to Datto, the average ransom demand is just $4,300 per attack.
However, the ransom payment is only a small part of the total cost of mitigating an attack. The final cost is likely to be ten times the cost of any ransom payment. Datto points out that the average total cost of an attack on an SMB is $46,800, although there have been many cases where the cost has been far in excess of that amount.
One of the most common mistakes made by SMBs is assuming that attacks will not occur and that hackers are likely to target larger businesses with deeper pockets. The reality is SMBs are being targeted by hackers, as attacks are easier to pull off. SMBs tend not to invest heavily in cybersecurity solutions as larger businesses.
Anti-Virus Software is Not Effective at Preventing Ransomware Attacks
Many SMB owners mistakenly believe they will be protected by anti-virus software. However, the survey revealed that 85% of MSPs said clients that experienced a ransomware attack had anti-virus solutions installed. Anti-virus software may be able to detect and block some ransomware variants, but since new forms of ransomware are constantly being developed, signature-based cybersecurity solutions alone will not offer a sufficient level of protection.
Many SMBs will be surprised to hear just how frequently SMBs are attacked with ransomware. More than 55% of surveyed MSPs said their clients had experienced a ransomware attack in the first six months of this year and 35% experienced multiple attacks on the same day.
Some cybersecurity firms have reported there has been a slowdown in ransomware attacks as cybercriminals are increasingly turning to cryptocurrency mining. While that may be true for some cybercriminal gangs, the ease of conducting attacks using ransomware-as-a-service means many small players have started attacking SMBs. That is unlikely to change.
92% of surveyed MSPs said they thought ransomware attacks would continue at current levels or even increase throughout this year and next.
Ransomware attacks are even being conducted on Apple operating systems. In the past year, there has been a five-fold increase in the number of MSPs who have reported ransomware attacks on macOS and iOS operating systems.
“Not only have ransomware attacks increased in recent years, but the problem may even be bigger than we know, as many attacks go unreported,” explained Jeff Howard, Founder and Owner, of the Texas MSP Networking Results. Datto suggests that only one in four attacks are reported to law enforcement.
How to Protect Against SMB Ransomware Attacks
To protect against ransomware attacks, businesses need to implement a range of solutions to block the most common attack vectors. To block email-based attacks, advanced spam filtering technology is required, and end user security awareness training is essential. To block ransomware downloads from malicious websites, web filtering software should be implemented.
Business continuity and disaster recovery technology should be implemented to ensure that a quick recovery is possible in the event of an attack, and naturally intelligent backing up is required to ensure files can be recovered without paying a ransom.
MSPs need to explain the risks to SMBs, along with the solutions that need to be installed to prevent attacks and the likely cost of recovery. Many businesses are shocked to discover the true cost of a ransomware attack.
How TitanHQ Can Help Improve Defenses Against SMB Ransomware Attacks
TitanHQ has developed two innovative cybersecurity solutions that work in tandem to block the two most common attack vectors: Email and Internet attacks. SpamTitan is a powerful spam filtering solution that combines two AV engines with intelligent scanning of incoming mail using a variety of techniques to identify malicious messages and new ransomware variants and block them at source.
WebTitan is a powerful web filtering solution that can block malvertising attacks, drive-by ransomware downloads, and prevent employees from visiting malicious websites. Both solutions should be part of an SMBs arsenal to protect against ransomware and malware attacks and both solutions should be part of an MSPs security stack.
For further information on SpamTitan and WebTitan and details of TitanHQ’s MSP offerings, contact the TitanHQ today.
Most businesses are aware of the importance of securing their Wi-Fi networks; however, in some industry sectors Wi-Fi security has not been given the importance it requires. Wi-Fi security for hotels, for instance, is often lacking, even though the hospitality sector is being actively being targeted by cybercriminals who see hotel Wi-Fi as a rich picking ground.
Hotel Chains are Under Attack
Hotels are an attractive target for cybercriminals. They satisfy the two most important criteria for cybercriminals when selecting targets. Valuable data that can be quickly turned into profit and relatively poor cybersecurity which makes conducting attacks more straightforward.
In 2018, there have been several major cyberattacks on hotel groups. In November 2018, Federal Group, which runs luxury hotels in Tasmania, experienced an email security incident that exposed the personal data of some of its members. A cyberattack on the Radisson Hotel Group was also reported. In that case it resulted in the exposure of the personal information of its loyalty program members.
In August one of China’s largest chains of hotels – Huazhu Hotels Group Ltd – which operates 13 hotel brands – suffered a cyberattack that affected an estimated 130 million people. In June one of Japan’s largest hotel groups, Prince Hotels & Resorts, experienced a cyberattack that impacted almost 125,000 customers. In 2017 there were major data breaches at Hilton, Hyatt Hotels Corporation, Trump Hotels, Four Seasons Hotels, Loews Hotels, Sabre Hospitality Solutions, and InterContinental Hotels Group to name but a few.
The Cost of a Hotel Data Breach
When a data breach occurs the costs quickly mount. Access to data and networks must be blocked rapidly, the breach must be investigated, the cause must be found, and security must be improved to address the vulnerabilities that were exploited. That invariably requires consultants, forensic investigators and other third-party contractors. Affected individuals must be notified and credit monitoring and identity theft protection services may need to be offered.
The direct costs of a hotel data breach are considerable. The Ponemon Institute calculated the average cost of a data breach in 2018 had risen to $3.86 million. That was for a breach of up to 100,000 records. Larger breaches cost considerably more.
Then there is GDPR. Fines of up to €20 million or 4% of global annual turnover (whichever is higher) can be issued for GDPR compliance failures, which includes data breaches that resulted from poor security.
What is much harder to calculate is the cost of reputation damage and the customer churn rate after a breach. Damage to a hotel chain’s reputation can be long lasting and in the highly competitive hospitality industry, it could even be disastrous.
The security firm Ping Identity recently published the results from its 2018 Consumer Survey: Attitudes and Behavior in a Post-Breach Era. 3,000 people from the USA, UK, France, and Germany were surveyed for the study, which investigated the expectations of customers and the fallout from data breaches. 78% of respondents said they would stop engaging with a brand online after a breach and 36% would stop engaging with a brand altogether. Could your hotel group weather a 78% drop in online bookings or a loss of more than a third of your customer base?
Wi-Fi Security for Hotels
Cybersecurity solutions should be implemented to protect hotel networks from cyberattacks and prevent customer’s personal information from being accessed by cybercriminals. Perimeter cybersecurity solutions such as firewalls are essential, but Wi-Fi security for hotels should not be underestimated.
Guests use the Wi-Fi network to conduct business while at the hotel, for entertainment, and communication. Guests typically bring three devices that they connect to hotel Wi-Fi networks. A hotel with 100 guests potentially means 300 devices connecting to Wi-Fi. There is a high probability that at least some of those devices will be infected with malware, which could be transferred to other guests.
Hotel guests often access types of content that they do not access at home – sites that carry a higher risk of resulting in a malware download. Hackers often exploit poor hotel Wi-Fi security to attack guests. The DarkHotel threat group is a classic example. The group targets high profile hotel guests and has been doing so for more than a decade. If Wi-Fi security for hotels is substandard, successful attacks are inevitable.
Naturally guest and business Wi-Fi networks should be separated to ensure that one does not pose a threat to the other. A VLAN should be set up for the wired network, with a separate VLAN for internal wireless access points and those used by guests.
Wi-Fi security should include WPA2 encryption to prevent the interception of data and a web filtering solution should be implemented to protect guests from phishing websites and sites hosting malware. A web filter will also allow hotels to control the types of content that can be accessed by guests and restrictions can be put in place to create family-friendly Wi-Fi access and prevent guests from accessing illegal web content.
TitanHQ Email and Wi-Fi Security for Hotels
TitanHQ is a leading provider of advanced cybersecurity solutions for hotels to protect against email-based cyberattacks and improve Wi-Fi security for hotels.
WebTitan is a powerful web filtering solution for wired and wireless networks that blocks malware downloads and prevents employees and guest Wi-Fi users from accessing malicious websites. WebTitan also allows hotels to carefully control the content that can be accessed via their Wi-Fi networks, ensuring a business-friendly and family-friendly Internet service is provided.
Key Benefits of WebTitan
WebTitan Cloud and WebTitan Cloud for Wi-Fi are 100% cloud-based web filters for hotels that require no software downloads or hardware purchases. They can be implemented in minutes and are easy to configure and maintain. They are ideal for improving Wi-Fi security for hotels and securing wired hotel networks.
WebTitan web filters allow hotels to:
Control the content that can be accessed by guests without slowing Internet speeds
Block access to pornography to create family-friendly Wi-Fi zones in communal areas
Prevent guests from engaging in illegal online activities
Prevent guests from accessing phishing websites
Block the downloading of viruses, malware, and ransomware
Create custom policies for different user groups – management, employees, guests, or individuals
Create custom controls for different wireless access points
Restrict bandwidth-draining online activities to ensure good Internet speeds for all users
Manage web filtering controls for multiple locations from a single web-based control panel
WebTitan is ideal for use in the hospitality sector to protect internal networks from attack and to block web-based threats that could otherwise lead to a data breach.
To find out more about improving Wi-Fi security for hotels, contact TitanHQ today. The team will be happy to provide details of the products, advise you on the best deployment options, and schedule a product demonstration. You can also sign up for a free trial to evaluate the effectiveness of TitanHQ’s web filters for hotels in your own environment.
This year has seen several ransomware attacks on cities and municipal targets, clearly demonstrating that the threat from ransomware has not abated, despite several analyses from cybersecurity firms that suggest hackers are moving away from ransomware and concentrating on cryptomining malware attacks.
Cryptocurrency miners have certainly become more popular and their use has increased substantially in recent months, but there is still a significant threat from ransomware.
Ransomware development may have slowed, but ransomware attacks on cities and other high value targets have not. In fact, October has seen two new ransomware attacks on cities in the United States, along with several attacks on municipal targets. In the past few months. It is clear that the threat is not going away any time soon.
$2,000 Ransom Paid to Resolve City of West Haven Ransomware Attack
The city of West Haven ransomware attack started on the morning of October 16, 2018, and by the time the attack had been contained, 23 servers had been encrypted and taken out of action. Prompt action limited the scope of the attack, although it did cause major disruption as computers on the affected network had to all be shut down.
The attack affected a critical system, and after an assessment of the situation, the decision was taken to pay the ransom. Considering the number of servers affected, the ransom demand was relatively low. The city paid $2,000 in Bitcoin for the keys to decrypt its files.
Art House, Connecticut’s chief of cybersecurity, explained that this was one of several targeted ransomware attacks on cities and municipal services in the state in recent weeks. In February, around 160 computers were affected by ransomware in more than a dozen agencies in the state according to the Department of Administrative Services, and a month later the state’s Judicial Branch was attacked and had more than 100 servers encrypted.
City of Muscatine Ransomware Attack
The West Haven ransomware attack was shortly followed by a ransomware attack on the city of Muscatine in Ohio, which saw files on several government servers encrypted. The attack is understood to have started on October 17 and caused considerable disruption especially to services at City Hall.
Few details about the attack have been made public, although it is understood that the ransom demand was not paid. Instead, IT teams have had to painstakingly rebuild affected servers and workstations and restore files from backups.
Ransomware Attack on City of Atlanta
In August one of the most serious ransomware attacks on cities occurred. The City of Atlanta was attacked with SamSam ransomware, which was manually deployed on multiple computers after access had been gained to the network. The attack occurred in March and took down computers used for many city services, causing major disruption for weeks. A ransom demand of around $50,000 was issued, although the decision was taken not to pay. Initially the cost of recovery was expected to reach $6 million. Later estimates in the summer suggest that the final cost may exceed $17 million, highlighting just how costly ransomware attacks on cities can be.
Ransomware Attacks on Municipal Services Becoming More Common
Ransomware attacks on cities are becoming more common, as are attacks on municipal targets. In October, the Onslow Water and Sewer Authority in Jacksonville, North Carolina was attacked with ransomware resulting in most systems being taken out of action. In that case, a dual attack occurred, which started with the Emotet Trojan followed by the deployment of Ryuk ransomware two weeks later. The attack is expected to disrupt services for several weeks. The Indiana National Guard also suffered a ransomware attack in October. In both cases, the ransom was not paid.
Prevention and Incident Response
One of the reasons behind the rise in ransomware attacks on cities is underinvestment in cybersecurity defenses. Too little has been spent on protecting systems and updating aging hardware and software. With many vulnerabilities left unaddressed, staff receiving insufficient training, and even basic cybersecurity defenses often found lacking, it is no surprise that the attacks are increasing.
The only way that the attacks will be stopped is by spending more on cybersecurity defenses and training to make it much harder for attacks to occur. It can certainly be hard to find the money to commit to cybersecurity, but as the City of Atlanta found out, the cost of prevention is far lower than the cost of recovery from a ransomware attack.
Many businesses want to block websites at work and exercise greater control over employee Internet access. Acceptable Internet usage policies can be developed and employees told what content they are allowed to access at work, but there are always some employees that will ignore the rules.
In some cases, policy violations may warrant instant dismissal or other disciplinary action, but that takes HR staff away from other important duties. If staff are fired, replacements must be found, trained, and brought up to speed, and the productivity losses that result can be considerable.
The Dangers of Unfettered Internet Access
Before explaining how to block websites at work, it is worthwhile explaining the problems that can arise from the failure to exert control over the content that can be accessed through wired and wireless networks.
While extreme cases of internet abuse need to be tackled through HR, low level Internet abuse can also be a problem. Any time an employee accesses a website for personal reasons, it is time that is not being spent on work duties. Checking emails or quickly visiting a social media website is unlikely to have a major impact on productivity, but when cyber-slacking increases its effect can certainly be felt. If all employees spend 30 minutes a day on personal Internet use, the productivity losses can be considerable – A business with 100 workers would lose 50 hours of working time a day, or 1,100 hours a month!
In addition to lost opportunities, Internet use carries a risk. Casual surfing of the Internet by employees increases the probability of users encountering malware. The accessing of personal webmail at work could easily result in a malware infection on a work device, as personal mail accounts are not protected by the filtering controls of an organization’s email gateway. If illegal activities are taking place at work, the legal ramifications can be considerable. It will be the business that will be liable in many cases, rather than the individual employee.
The easiest solution is for businesses to enforce their acceptable internet usage policies and simply block websites at work that are not required for normal working duties. Preventing end users from visiting certain categories of web content – social media websites, gaming and gambling websites, dating sites, adult content, and other NSFW web content – is the easiest solution.
Even legitimate use of the Internet for work purposes carries risks. There has been a major increase in phishing attacks on businesses in recent years and mitigating attacks can prove incredibly costly. Technical solutions that are used to block websites at work to prevent cyber-slacking can also be configured to block access to phishing websites and prevent malware downloads.
The Easy Way to Block Websites at Work
The easiest way to block websites at work is to use a web filtering solution. This could be a physical appliance through which all Internet traffic is routed, a virtual appliance installed on your existing hardware, or a cloud-based solution. The latter is a popular solution for SMBs as the cost of implementation is minimal and the web filter can be set up in a matter of minutes. All that is required is to make a simple change to point the DNS to the cloud web-filter and all traffic will be routed though the solution.
Not all businesses need to exercise the same controls over Internet content so granular controls are essential. With a cloud-based web filter such as WebTitan, it is easy to block websites at work. The administrator simply logs into the administration panel through a web browser and clicks on the checkboxes of content that they want the filter to block. Blocking adult entertainment, gambling, gaming, dating, and social media by category is common. WebTitan also allows controls to implemented by keyword, through the use of blacklists, or through keyword scoring.
It is not practical to apply the same settings across the board for all employees. The marketing department, for instance, will need access to social media networks when other employees may not. With WebTitan, filtering controls can easily be set at the organization level, by user group, or for individuals. Time-based filters can also be applied to allow controls to be eased outside of standard working hours, if required.
Further Information on Blocking Websites at Work
If you would like further information on how you can selectively block websites at work and take control over the content that your employees can access, speak to TitanHQ today.
Our friendly and knowledgeable sales team will be able to answer all your questions, explain in detail how WebTitan works, and suggest the best option to suit your needs.
After learning about the best setup to suit your business, you can schedule a product demonstration and/or start a free trial to see WebTitan in action.
In 20 minutes your content control issues could be solved and you could be filtering the internet and blocking access to unsuitable, unsavory, and harmful web content.
TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs) recently partnered with Datto Networking, the leading provider of IT solutions to SMBs delivered through MSPs.
Datto Networking has now incorporated TitanHQ’s advanced web filtering technology into the Datto Networking Appliance to provide superior protection to users on the network.
Datto and TitanHQ will be hosting a webinar on October 18, 2018 to explain how the new technology provides enhanced protection from web-based threats, and how MSPs can easily deliver content filtering to their customers.
During the webinar, MSPs will find out about the enhanced functionality of the Datto Networking Appliance.
Webinar: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST
John Tippett, VP, Datto Networking
Andy Katz, Network Solutions Engineer
Rocco Donnino, EVP of Strategic Alliances, TitanHQ
The CloudFlare IPFS gateway has only recently been launched, but it is already being used by phishers to host malicious content.Cloudflare IPFS gateway phishing attacks are likely to have a high success rate, as some of the checks performed by end users to confirm the legitimacy of domains will not raise red flags.
The IPFS gateway is a P2P system that allows files to be shared easily throughout an organization and accessed through a web browser. Content is distributed to different nodes throughout the networked systems. The system can be used for creating distributed websites, and CloudFlare has made this process easier by offering free SSL certificates and allowing domains to be easily connected to IPFS.
If phishers host their phishing forms on CloudFlare IPFS, they benefit from CloudFlare’s SSL certificate. Since the phishing page will start with cloudflare-ipfs.com, this adds legitimacy. The CloudFlare-owned domain is more likely to be trusted than domains owned by phishers.
When CloudFlare IPFS Gateway phishing forms are encountered, visitors will be advised that the webpage is secure, the site starts with HTTPS, and a green padlock will be displayed. If the visitor takes the time to check certificate information of the web page, they will find it has been issued to CloudFlare-IPFS.com by CloudFlare Inc., and the certificate is valid. The browser will not display any warning and CloudFlare IPFS Gateway phishing content will therefore seem legitimate.
At least one threat actor is using the CloudFlare IPFS Gateway for phishing and is hosting forms that claim to be standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with appropriate logos.
If a visitor completes the form information, their credentials will be forwarded to the operator of a known phishing domain – searchurl.bid – and the user will be displayed a document about business models, strategy and innovation. This may also not raise a red flag.
The CloudFlare IPFS Gateway phishing strategy is similar to that used on Azure Blob storage, which also take advantage of legitimate SSL certificates. In that case the certificate is issued by Microsoft.
It is becoming increasingly important for phishers to use HTTPS for hosting phishing content. As more businesses transition from HTTP to HTTPS, and browsers such as Chrome now display warnings to users about insecure sites, phishers have similarly had to make the change to HTTPS. Both CloudFlare IPFS Gateway and Azure Blog storage offer an easy way to do this.
In both cases, links to the malicious forms are distributed through spam email. One of the most common ways to do this is to include an email attachment that contains a button which must be clicked in order to download content. The user is advised that the content of the file is secured, and that professional email login credentials must be entered in order to view the content. The document may be an invoice, purchase order, or a scanned document that needs to be reviewed.
The increase in use of cloud platforms to host phishing content makes it more important than ever for organizations to implement advanced phishing defenses. A powerful spam filter such as SpamTitan should be used to block the initial emails and prevent them from being delivered to end users’ inboxes. These phishing tactics should also be covered in security awareness training to raise awareness of the threat and to alert users that SSL certificates do not necessarily mean the content of a web page is legitimate. Web filtering solutions are also essential for blocking access to known malicious web pages, should a user visit a malicious link.
A suspected Ryuk ransomware attack on Recipe Unlimited, a network of some 1,400 restaurants in Canada and North America, has forced the chain to shutdown computers and temporarily close the doors of some of its restaurants while IT teams deal with the attack.
Recipe Unlimited, formerly known as Cara Operations, operates pubs and restaurants under many names, including Harvey’s, Swiss Chalet, Kelseys, Milestones, Montana’s, East Side Mario’s, Bier Markt, Prime Pubs, and the Landing Group of Restaurants. All of the above pub and restaurant brands have been affected by the Recipe Unlimited ransomware attack.
While only a small number of restaurants were forced to close, the IT outage caused widespread problems, preventing the restaurants that remained open from taking card payments from customers and using register systems to process orders.
While it was initially unclear what caused the outage, a ransomware attack on Recipe Unlimited was later confirmed. An employee of one of the affected restaurants provided CBC News with a copy of the ransom note that had appeared on the desktop of one of the affected computers.
The ransom note is the same used by the threat actors behind Ryuk ransomware. They claim files were encrypted with “military algorithms” which cannot be decrypted without a key that is only held by them. While it is unclear exactly how much the attackers demanded in payment to decrypt files, they did threaten to increase the cost by 0.5 BTC (Approx. $4,000 CAD) per day until contact was made. The Recipe Unlimited ransomware attack is understood to have occurred on September 28. Some restaurants remained closed on October 1.
The ransomware attack on Recipe Unlimited is just one of many such attacks involving Ryuk ransomware. The attackers are understood to have collected more than $640,000 in ransom payments from businesses who have had no alternative other than to pay for the keys to unlock their files. The ransomware attack on Recipe Unlimited did not increase that total, as Recipe Unlimited conducted regular backups and expects to be able to restore all systems and data, although naturally that will take some time.
Ransomware attacks on restaurants, businesses, healthcare providers, and cities are extremely common and can be incredibly costly to resolve. The recent City of Atlanta ransomware attack caused widespread disruption due to the sheer scale of the attack, involving thousands of computers.
The cost of resolving the attack, including making upgrades to its systems, is likely to cost in the region of $17 million, according to estimates from city officials. The Ransomware attack on the Colorado Department of Transportation is expected to cost $1.5 million to resolve.
There is no simple solution that will block ransomware attacks, as many different vectors are used to install the malicious file-encrypting software. Preventing ransomware attacks requires defense in depth and multiple software solutions.
Spam filtering solutions should be used to prevent email delivery of ransomware, web filters can be configured to block assess to malicious websites where ransomware is downloaded, antivirus solutions may detect infections in time to block attacks, and intrusion detection systems and behavioral analytics solutions are useful to rapidly identify an attack in progress and limit the harm caused.
All operating systems and software must be kept fully up to date, strong passwords should be used, and end user must receive training to make them aware of the threat from ransomware. They should be taught security best practices and trained how to identify threats. Naturally, robust backup policies are required to ensure that in the event of disaster, files can be recovered without having to pay the ransom.
Windows Remote Desktop Protocol attacks are one of the most common ways cybercriminals gain access to business networks to install backdoors, gain access to sensitive data, and install ransomware and other forms of malware.
This attack method has been increasing in popularity over the past two years and there has also been a notable rise in darknet marketplaces selling exposed RDP services and RDP login credentials. The high number of Remote Desktop Protocol attacks has prompted the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) and the Department of Homeland Security to issue an alert to businesses in the United States to raise awareness of the threat.
Remote Desktop Protocol is a proprietary Windows network protocol that allows individuals to remotely access computers and servers over the Internet and gain full control of resources and data. RDP is often used for legitimate purposes, such as allowing managed security service providers (MSSPs) and managed service providers (MSPs) to remotely access devices to provide computer support without having to make a site visit. Through RDP, input such as mouse movements and keystrokes can be transmitted over the Internet with a graphical user interface sent back.
In order to gain access to a machine using RDP, a user must be authenticated by supplying a username and password. Once a user is authenticated, the resources on that device can be accessed. While authorized individuals can use RDP connections, so too can cybercriminals if they have access to login credentials or are able to guess usernames and passwords. As with any software, RDP can contain flaws. For instance, flaws in the CredSSP encryption mechanism could be exploited to perform man-in-the-middle attacks.
Cybercriminals are identifying vulnerable RDP sessions over the Internet and are exploiting them to gain access to sensitive information and conduct extortion attacks. The threat actors behind SamSam ransomware, which has been used in many attacks on U.S. businesses, educational institutions, and healthcare providers, often gain access to networks through brute force attempts to guess weak passwords. The threat actors behind CrySiS and CryptON ransomware attack businesses through open RDP ports and similarly use brute force and dictionary attacks to guess passwords.
How to Prevent Windows Remote Desktop Protocol Attacks
There are four main vulnerabilities that can be exploited to gain access to Windows devices that have RDP enabled:
Exploitation of weak passwords
Use of outdated versions of RDP
Failure to restrict access to the default RDP port – TCP 3389
Failure to block users after a set number of unsuccessful login attempts
Strong passwords should be used to make it harder for cybercriminals to use brute force tactics to guess login credentials. Dictionary words should be avoided. Default passwords must be changed and passwords should be at least 8 characters and include a mix of upper/lower case letters, numbers, and special characters. Rate limiting is also essential. A user should be blocked after a set number of failed login attempts have been made and, if possible, two-factor authentication controls should be implemented. External to internal RDP connections should be limited and software should be kept up to date.
An audit should be conducted to identify all systems that have RDP enabled, including cloud-based virtual machines with public IP addresses. If RDP is not required, it should be disabled. A list of systems with RDP enabled should be maintained and available patches should be applied promptly. All open RDP ports should be located behind a firewall and access should only be possible by using a VPN.
Logging mechanisms should be applied, and successful and unsuccessful login attempts should be regularly monitored to identify systems that have been attacked.
To ensure that recovery from a ransomware or sabotage attack is possible, all data must be regularly backed up and a good backup strategy adopted.
By regulating, monitoring, and controlling the use of RDP and addressing vulnerabilities, it is possible to reduce risk and prevent Remote Desktop Protocol attacks.
Recent research has shown that the United States is the main distributor of exploit kits and hosts the most malicious domains and cyberattacks on websites have increased sharply.
United States Hosts the Most Malicious Domains and Exploit Kits
The United States hosts the most malicious domains and is the number one source for exploit kits, according to new research conducted by Palo Alto Networks. Further, the number of malicious domains increased between Q1 and Q2 in the United States. In all countries, apart from the Netherlands, the number of malicious domains remained constant or declined.
Exploit activity is only at a fraction of the level of 2016, although the web-based kits still pose a major threat to businesses with poor patching processes and a lack of protections against web-based attacks.
Three exploit kits have been extensively used throughout Q1 and Q2, 2018: Sundown, Rig, and KaiXin. The United States is the number one source for the Sundown and Rig EKs and is number two behind China for the KaiXin exploit kit. Further, a new exploit kit was detected in Q2: Grandsoft. The United States is also the number one source for this new exploit kit.
More than twice the number of exploit kits are hosted in the United States than in Russia in second place. 495 malicious URLs were detected in the United States compared to 147 in Russia. 296 malicious URLs hosting exploit kits were detected in the United States, with Russia in second place with 139.
The Microsoft VBScript vulnerability, CVE-2018-8174, is being extensively exploited via these exploit kits. Microsoft released a patch in May 2018 to fix the flaw, but many companies have yet to install the update and are vulnerable to attack. Exploit kits are still using old vulnerabilities to install their malicious payloads. According to Palo Alto Networks’ Unit 42, two vulnerabilities are extensively used – The IE7 vulnerability – CVE-2009-0075 – and the Internet Explorer 5 vulnerability – CVE-2008-4844 – even though patches were released to fix the flaws more than 9 years ago.
The Jscript vulnerability in Internet Explorer 9 through 11 – CVE-2016-0189 – and the OleAut32.dll vulnerability – CVE-2014-6332 – have also been used in many attacks. One vulnerability known to be used in zero-day attacks was also detected.
Website Attacks on the Rise
Research conducted by SiteLock has revealed there has been a significant rise in attacks on websites in Q2, 2018. According to its study of more than 6 million websites, each website is attacked, on average, 58 times a day with one attack occurring every 25 minutes. That represents a 16% increase in website attacks since Q1, 2018.
Many search engines now alert users when websites have been discovered to contain malware, and Google sends warnings to site owners when malicious software is discovered. However, relatively few sites are being detected as malicious. SiteLock notes that out of 19.2 million sites that it has discovered to be hosting malicious files, only 3 million had been detected as malicious by the search engines.
The threat of exploit kit attacks and the rise in sites hosting malicious code highlights the need for businesses to deploy a web filtering solution to prevent employees from visiting these malicious sites and giving cybercriminals an opportunity to install malware on their networks.
Companies that take no action and fail to implement software solutions to restrict access to malicious sites face a high risk of their employees inadvertently installing malware. With the cost of a data breach now $3.86 million (Ponemon/IBM), the decision not to implement a web filter could prove incredibly costly.
Princess Locker ransomware has now morphed into Princess Evolution ransomware. The latest variant is one of several cryptoransomware threats that maximize the number of infections by using an affiliate distribution model – termed Ransomware-as-a-Service or RaaS.
RaaS sees affiliates given a percentage of the ransom payments they generate, while the author of the ransomware also takes a cut of the profits. Under this business model, the author can generate a much higher number of infections, which means more ransom payments. The affiliates get to conduct ransomware campaigns without having to develop their own ransomware and the author can concentrate on providing support and developing the ransomware further. For Princess Evolution ransomware, the split is 60/40 in favor of the affiliate. The RaaS is being promoted on underground web forums and prospective affiliates.
Ransomware attacks involving RaaS use a variety of methods to distribute the malicious payload as multiple actors conduct campaigns. Spam email is usually the main delivery mechanism for RaaS affiliates as it is easy to purchase large quantities of email addresses on darkweb sites to conduct campaigns. Brute force attacks are also commonly conducted.
Princess Evolution ransomware has also been loaded into the RIG exploit kit and is being distributed via web-based attacks. These web-based attacks take advantage of vulnerabilities in browsers and browser plug-ins. Exploits for these vulnerabilities are loaded into the kit which is installed on attacker-controlled web domains. Often legitimate sites are compromised have the exploit kit loaded without the knowledge of the site owner.
Traffic is generated to the websites through search engine poisoning, malvertising, and spam emails containing hyperlinks to the websites. If a user visits the website and has an exploitable vulnerability, the Princess Evolution ransomware will be silently downloaded.
At this stage, there is no free decryptor for Princess Evolution ransomware. If this ransomware variant is downloaded and succeeds in encrypting files, recovery is only possible by paying the ransom for the keys to unlock the encryption or rebuilding systems and recovering files from backups. The ransom demand is currently 0.12 Bitcoin – Approximately $750 per infected device.
Protecting against Princess Evolution ransomware attacks requires a combination of cybersecurity solutions, security awareness training, and robust backup policies. Multiple backups of files should be created, stored on at least two different media, with one copy stored securely off site. Infected devices may need to be re-imaged, so plans should exist to ensure the process can be completed as quickly as possible.
Cybersecurity solutions should focus on prevention and rapid detection of threats. A spam filtering solution – such as SpamTitan – will help to ensure that emailed copies of the ransomware or downloaders are not delivered to inboxes.
Care should be taken with any email sent from an unknown individual. If that email contains an attachment, it should not be opened, but if this is unavoidable, the attachment should be scanned with anti-virus software prior to opening. For greater protection, save the attachment to disk and upload it to VirusTotal for scanning using multiple AV engines.
A web filter such as WebTitan can block web-based attacks through general web browsing and by preventing end users from visiting malicious websites via hyperlinks in spam emails.
To reduce the risk of brute force attacks, strong, unique passwords should be used to secure all accounts and remote desktop protocol should be disabled if it is not required. If RDP is required, it should be configured to only allow connection through a VPN.
You should also ensure that all software, including browsers, browser extensions and plugins, and operating systems are kept patched and fully up to date.
There has been a marked rise in HTTPS phishing website detections, phishing attacks are increasing, and the threat of phishing attacks is greater than ever before.
Phishing is the biggest cyber threat that businesses must now deal with. It is the easiest way for cybercriminals to gain access to email accounts for business email compromise scams, steal credentials, and install malware.
The Threat from Phishing is Getting Worse
The Anti-Phishing Working Group – an international coalition of government agencies, law enforcement, trade associations, and security companies – recently published its phishing trends activity report for Q1, 2018. The report shows that the threat from phishing is greater than ever, with more phishing websites detected in March 2018 than at any point in the past year.
In the first half of 2017, there was an average of 48,516 phishing websites detected each month. The figure rose to 79,464 phishing websites detected on average per month in the second half of the year. In the first quarter of 2018, there was an average of 87,568 phishing websites detected, with detections peaking in March when more than 115,000 phishing sites were identified.
The number of unique phishing reports received in Q1, 2018 (262,704) was 12.45% higher than in the final quarter of 2017.
Healthcare Industry Heavily Targeted
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health insurers, healthcare clearinghouses and business associates of HIPAA-covered entities to report breaches of protected health information within 60 days of the discovery of the breach. The main enforcer of HIPAA compliance, the Department of Health and Human Services’ Office for Civil Rights (OCR), publishes summaries of those breach reports. Those summaries show just how serious the threat from phishing is.
HIPAA-covered entities and business associates have reported 45 email hacking incidents in 2018 – 21.68% of all breaches reported.
Phishers Make the Move to HTTPS
PhishLabs, an anti-phishing vendor that provides a security awareness training and phishing simulation platform, has been tracking HTTPS phishing websites. The company has recently released figures showing there has been a sharp increase in HTTPS phishing websites in the past few months with HTTPS and SSL certificates now popular with phishers.
As businesses make the switch to HTTPS, the phishers have followed. In the final quarter of 2015, a little over 1% of all phishing websites were hosted on HTTPS. By the final quarter of 2016, the percentage had increased to a shade under 5%. By the end of the final quarter of 2017, 31% of phishing sites used HTTPS. The Q1, 2018 figures show HTTPS phishing websites now account for a third of all phishing websites.
HTTPS websites ensure the connection between the browser and the website is encrypted. This offers greater protection for website visitors as information entered on the site – such as credit card numbers – is secure and protected from eavesdropping. However, if the site is controlled by a cybercriminal, HTTPS offers no protection.
The Importance of SSL Inspection
Protecting against phishing attacks and malware downloads via HTTPS websites requires the use of a web filtering solution that performs SSL inspection. If a standard web filtering solution is used that is unable to inspect HTTPS websites, it will not protect employees from visiting malicious websites.
It is certainly possible to block users from accessing all HTTPS websites, which solves the problem of SSL inspection, but with more websites now using HTTPS, many valuable internet resources and essential websites for business could not be accessed.
While many businesses may be reluctant to implement SSL filtering due to the strain it can place on CPUs and the potential for slowing internet speed, TitanHQ has a solution. WebTitan includes HTTPS content filtering as standard to ensure businesses are protected from HTTPS phishing websites and other online threats while ensuring internet speeds are not adversely affected.
You can find out more about how you can protect your business from phishing websites by contacting the TitanHQ sales team and asking about WebTitan.
Exploit kit activity may not be at the level it one was, but the threat has not gone away. Rig exploit kit activity has increased steadily in 2018 and now a new exploit kit has been detected.
The exploit kit has been named underminer by Trend Micro researchers, who detected it in July 2018. The Underminer exploit kit is being used to spread bootklits which deliver coinminer malware. The EK is primarily being used in attacks in Japan, although other East Asian countries have also seen attacks with activity now spreading beyond this region.
The underminer exploit kit was also detected by Malwarebytes researchers who note that the exploitation framework was first identified by the Chinese cybersecurity firm Qihoo360 in late 2017, when it was being used to deliver adware. Now the exploit kit is being used to deliver Hidden Bee (Hidden Mellifera) cryptocurrency mining malware. Trend Micro notes that evidence has been uncovered that strongly suggests the exploit kit was developed by the developers of Hidden Mellifera coinminer malware.
The exploit kit uses complex methods to deliver the payload with different methods used for different exploits. The developers have also incorporated several controls to hide malicious activity including the obfuscation of exploits and landing pages and the use of encryption to package exploits on-the-fly.
The EK profiles the user via a user-agent to determine if the user is of interest. If not, the user will be directed to a HTTP 404 error page. If a user is of interest, a browser cookie will be used to identify that user to ensure that the payload will only be delivered once, preventing reinfection and hampering efforts by researchers to reproduce an attack. URLs used in the attacks are also randomized to prevent detection by standard AV solutions. The coinminer is delivered via a bootkit which is downloaded through encrypted TCP tunnels.
The underminer exploit kit contains a limited number of exploits: The Adobe Flash Player exploit CVE-2018-4878, the use-after-free Adobe Flash Player vulnerability CVE-2015-5119, and the Internet Explorer memory corruption vulnerability CVE-2016-0189. Patches for all of the vulnerabilities were released in February 2018, July 2015, and May 2016 respectively.
The best defense against exploit kit attacks is prompt patching. All systems and applications should be kept 100% up to date, with virtual patching deployed on legacy systems and networks. Since there will always be a delay between the identification of a vulnerability and a patch being released, patching alone may not be sufficient to prevent all attacks, although EK developers tend to use old vulnerabilities rather than zero days.
In addition to prompt patching, cybersecurity solutions should be deployed to further reduce risk, such as a web filtering solution (WebTitan) to block users from visiting malicious websites and redirects through malvertising. In this case, one of the main ways that users are directed to the exploit kit is via adult-themed malvertising on legitimate adult websites. Using the web filter to block access to adult sites will reduce exposure.
Cybersecurity solutions should also be deployed to scan for malware installations and monitor for unusual activity and standard cybersecurity best practices should also be employed… the principle of least privilege and removing unused or unnecessary applications, plugins, and browser extensions.
The fact that a new exploit kit has been developed, and that it was recently updated with a new exploit, shows that the threat of web-based attacks has not gone away. EK activity may be at a fraction of the level of 2016, but businesses should not assume that attacks will not take place and should implement appropriate defenses to mitigate the threat.
A recent analysis of exploit kit activity by Trend Micro has shown that while exploit kit activity is at a fraction of what it was in 2016, the threat has not gone away. Links to malicious websites hosting exploit kits are still being distributed by spam email and malicious adverts are still being used to redirect web users to malicious websites hosting exploit kits.
Most of the exploit kits that were in use in 2016 have all but disappeared – Angler, Nuclear, and Neutrino. There was a rise in Sundown activity in 2017, but activity has now stopped, and Disdain and Terror exploit kits have similarly disappeared.
The demise of exploit kits as an attack vector has been attributed, in part, to the arrests of the operators of some of the most commonly used EKs such as Angler, although there have been fewer zero-day vulnerabilities to exploit. Many of the exploits used in exploit kits are for Flash vulnerabilities, and while use of Flash is declining, the creators of exploit kits are still attempting to exploit a handful of these Adobe Flash vulnerabilities. Many threat actors have switched to easier and less time-consuming ways of attacking businesses, but not all.
While most exploit kits are operating at a low level, the Rig exploit kit is still in use and has recently been updated once again. Further, there has been a steady increase in Rig exploit kit activity since April. Rig is most commonly used in attacks in Japan, which account for 77% of Rig activity.
The GrandSoft exploit kit is still active, although at a much lower level than Rig. This exploit kit was first seen in 2012 although activity all but disappeared until the fall of last year when it became active once again. Japan is also the country most targeted by the GrandSoft exploit kit (55% of activity), while the private exploit kit Magnitude is almost exclusively used in South Korea, which accounts for 99.5% of its activity.
For the most part, exploit kits are being used to exploit vulnerabilities that should have been patched long ago, such as the use-after-free vulnerability in Microsoft Windows’ VBScript engine (CVE-2018-8174) which was identified in April 2017 and patched in May 2017.
Internet Explorer vulnerabilities are also being exploited on vulnerable systems, with at least two exploits for IE flaws included in GrandSoft recently. Research conducted by Palo Alto networks showed that out of 1,583 URLs found in malicious emails, the majority were linked to exploit kits including Rig, Sundown, Sinowal, and KaiXin, with the latter still evolving with new exploits still being added – CVE-2016-0189 and CVE-2014-6322 – both IE VBScript flaws – the most commonly used.
Trend Micro has warned that the recent increase in zero-days – there were 119 last year – could see at least some exploits for these vulnerabilities introduced into exploit kits. MalwareBytes reported last month that a zero-day flaw in Flash Player’s ActionScript language had been incorporated into one exploit kit and was being actively used in attacks.
The fact that exploit kits are still being used strongly suggests that they are still working, which means that many systems are not being patched.
The threat from exploit kits does not appear to be going away, so it is still essential for businesses to ensure they are protecting against attacks.
Strict patch management practices are still important, as is the use of a web filter. Drive-by downloads still occur – unintentional downloads of malware by users in the belief that the files are genuine. Implementing a web filter can help to block these malware downloads, either by blocking specific file types or preventing end users from visiting known malicious websites. Web filters can also be used to block adware, which continues to plague businesses.
Why should businesses use a web filtering solution? Listed below are three key benefits of web filtering for businesses.
Protection Against Exploit Kits
Email spam is the most common attack vector used to deliver malware, and while the threat from exploit kits is nowhere near the level in 2015 and 2016, they still pose a problem for businesses. Exploit kits are web-based apps that are loaded onto websites controlled by cybercriminals – either their own sites or sites that have been hijacked.
Exploit kits contain code that exploits vulnerabilities in web browsers, plugins and browser extensions. When a user with a vulnerable browser visits a malicious URL containing an exploit kit, the vulnerability is exploited and malware is downloaded.
With browsers becoming more secure, and Flash being phased out, it has become much harder to infect computers with malware via exploit kits and many threat actors have moved on to other methods of attack. However, some exploit kits remain active and still pose a threat.
The exploit kits currently in use – RIG for example – contain multiple exploits for known vulnerabilities. Most of the vulnerabilities are old and patches have been available for months or years, although zero-day vulnerabilities are occasionally uploaded. Exploit kits are also updated with recently disclosed proof-of-concept code. Exploit code for two recently discovered vulnerabilities: one in Internet Explorer (CVE-2018-8174) and one in Adobe Flash (CVE-2018-4878) have been added to EKs already.
Keeping browsers and plugins up to date and using a top antivirus solution will provide a good level of protection, although businesses can further enhance security by using a web filter. Web filtering for businesses ensures that any attempt to access a website known to host an exploit kit will be blocked.
Blocking Phishing Attacks
Phishing is one of the biggest threats faced by businesses. Phishing is a method of obtaining sensitive information by deception, such as impersonating a company in an attempt to obtain login credentials or to fool employees into making wire transfers to bank accounts controlled by criminals.
A spam filter can prevent the majority of malicious messages from reaching inboxes, although some phishing emails will make it past the perimeter defenses, especially emails containing links to malicious websites. A web filter provides an additional level of protection against phishing by preventing users from visiting malicious websites sent via email and social media posts. When an attempt is made to visit a known malicious website, access will be blocked, and the user will be directed to a block screen.
A web filter can also be used to enforce safe search on search engines such as Google, Yahoo, and Bing. This will help to prevent inappropriate website content from being accessed through search and image search results.
Monitoring Internet Access and Blocking Inappropriate Websites
Employees can waste an extraordinary amount of time on the Internet. Allowing unfettered access to all website content can result in a considerable reduction in productivity. If every employee wastes an hour a day on the Internet instead of working, a company with 100 employees would lose 100 hours a day, 500 hours a week, and 26,000 hours a year. A sizeable loss.
A web filter can be used to block access to websites such as gambling, gaming, and social media sites – all major drains on productivity. Web filters can also be used to monitor Internet activity. When employees are told that the company monitors Internet use, employees will be less likely to spend time surfing the Internet instead of working.
Web filters can also be used to block not-suitable-for-work (NSFW) content such as pornography and will limit company liability by blocking illegal online activities at work, such as the downloading of copyright-protected content via P2P file sharing sites. Web filters can also limit bandwidth hogging activities such as the streaming of audio and video.
WebTitan Cloud – DNS-Based Web Filtering for Businesses
DNS-based web filtering for businesses is easy with WebTitan Cloud. WebTitan Cloud will help improve security posture, reduce company liability, and improve the productivity of the workforce. Being 100% cloud-based, the solution requires no hardware purchases, no software downloads, and can be implemented in a matter of minutes.
The solution filters websites into 53 pre-defined categories, making it easy for businesses to block specific types of content. More than half a billion URLs are categorized in the database and combined with cloud-based lookup, it is possible to ensure highly accurate content filtering without overblocking valuable content. The solution can inspect all web traffic, including encrypted sites.
The solution allows policies to be created for the entire workforce, groups, or individuals and protects employees who on and off the network. When employees use multiple devices, the content filtering controls can be applied across the board and will work whether the user is on-site or roaming.
Administrators benefit from a comprehensive reporting suite, with 55 preconfigured reports and scope for customization, with report scheduling options and the ability to view browsing in real-time.
If you want to improve your security posture, save bandwidth, reduce legal liability, block NSFW content, and improve productivity, give TitanHQ a call today and find out more about how WebTitan Cloud can benefit your business.
The biggest cybersecurity risk for businesses in the United States is employee negligence, according to a recent Shred-It survey of 1,000 small business owners and C-suite executives.
The findings of the survey, detailed in its North America State of the Industry Report, show the biggest cybersecurity risk for businesses is human error such as the accidental loss of data or devices containing sensitive company information.
84% of C-Suite executives and 51% of small business owners said employee negligence was the biggest cybersecurity risk for their business. 42% of small business owners and 47% of C-suite executives said employee negligence was the leading cause of cybersecurity breaches.
Employees are the Biggest Cybersecurity Risk for Businesses in the United States
Employees often cut corners in order to get more done in their working day and take considerable security risks. Even though laptop computers can contain highly sensitive information and allow an unauthorized individual to gain access to a work network, around a quarter of U.S employees leave their computer unlocked and unattended. Documents containing sensitive information are often left unattended in full view of individuals who are not authorized to view the information.
The risks taken by employees are greater when working remotely, such as in coffee shops or at home. 86% of executives and SBOs said remote workers were much more likely to cause data breaches.
88% of C-suite executives and 48% of small business owners said they have implemented flexible working models that allow their employees to spend at least some of the week working off site. A survey conducted on behalf of the Switzerland-based serviced office provider IWG suggests that globally, 70% of workers spend at least one day a week working remotely, while 53% work remotely for at least half of the week.
Adoption of these flexible working practices is increasing, although cybersecurity policies are not being implemented that specifically cover remote workers. Even though a high percentage of workers are spending at least some of the week working remotely, the Shred-It survey shows that more than half of SMBs do not have policies in place for remote workers.
One of the most important ways that business owners and executives can improve their cybersecurity posture is through employee training, especially for remote workers. The provision of security awareness training will help to ensure that workers are aware of the organization’s policies and procedures and are taught security best practices.
However, the survey suggests training is often inadequate or in some cases nonexistent. 78% of surveyed C-suite executives and small business owners said they only provided information security training on policies and procedures once a year. Considering the risk, training needs to be far more frequent. Employees cannot be expected to retain all the information provided in a training session for the entire year. Training should cover the use of strong passwords, locking devices when they are not in use, never leaving portable devices unattended in public areas, safe disposable of electronic and physician data, and Wi-Fi security. Refresher training should be provided at least every six months.
Policies and procedures need to be developed specifically for remote workers, which cover the practices which must be adopted when working outside the office. With so many workers now spending more time working off-site, the probability of portable electronic devices being lost or stolen is greatly increased.
Businesses must ensure they maintain an accurate inventory of all devices used to access their network and implement appropriate security measures to ensure the loss or theft of those devices does not result in a data breach.
Increased use of insecure WiFi networks poses a major problem, greatly increasing the chance of a malware or ransomware download. Appropriate technologies should be implemented to protect remote workers’ devices from malicious software. TitanHQ can help in this regard.
WebTitan Cloud, TitanHQ’s 100% cloud-based web filtering solution can block malware and ransomware downloads and carefully control the websites that remote workers can access on their company-issued and BYOD devices, regardless of where the individual is located: on or off-site.
For more information on WebTitan and how it can protect your remote workers and improve your security posture, contact the TitanHQ team today for further information.
The RIG exploit kit, used on compromised and malicious websites to silently download malware, has been upgraded with a new exploit. Windows Double Kill exploit code has been added to exploit the CVE-2018-8174 vulnerability – a remote code execution vulnerability that was addressed by Microsoft on May 2018 Patch Tuesday.
To protect against exploitation of this vulnerability, Windows users should ensure they have applied the latest round of patches, although many businesses have been slow to update their Windows devices, leaving them vulnerable to attack.
The vulnerability is in the VBScript engine and how it handles objects in the memory. If the vulnerability is exploited, attackers would gain the same level of privileges as the current user, could reallocate memory, gain read/write access, and potentially remotely execute code on a vulnerable device. The vulnerability has been named ‘Double Kill’ and affects all Windows versions.
The Windows Double Kill vulnerability was being actively exploited in the wild when Microsoft released the update on Patch Tuesday. Initially, exploitation of the vulnerability was achieved through phishing campaigns using RTF documents containing a malicious OLE object. If activated, an HTML page was downloaded and rendered through an Internet Explorer library and the VBScript flaw was exploited to download a malicious payload. The attack could also be conducted via a malicious website. In the case of the latter, it does not matter what browser the user has set as default – on unpatched systems the IE exploit could still work.
The Windows Double Kill exploit code was posted online this week and it didn’t take long for it to be incorporated into the RIG exploit kit. End users could be directed to the RIG exploit kit through phishing campaigns, malvertising, web redirects, or potentially could visit malicious sites through general web browsing. In addition to the Windows Double Kill exploit, the RIG exploit kit contains many other exploits for a wide range of vulnerabilities. Any individual that lands on a URL with the kit installed could be vulnerable even if the latest Windows patch has already been applied.
The threat from email-based attacks is also likely to grow. The Double Kill exploit code has also been incorporated into the ThreadKit exploit builder, which is used to create malicious Office documents for use in phishing attacks.
Protecting systems against these types of attacks requires prompt patching, although many organizations are slow to apply updates out of fear of compatibility problems, which could cause performance issues. Consequently, prior to applying patches they need to be fully tested and that can take time. During that time, organizations will be vulnerable to attack.
A web filter – such as WebTitan – provides an additional level of protection while patches are assessed for compatibility. WebTitan provides protection against exploit kits and malware downloads by preventing end users from visiting known malicious sites, either through general web browsing, redirects, or via hyperlinks contacted in phishing emails.
Managed Service Providers (MSPs) now have the option of providing an additional layer of security to their clients to protect against web-based cyberattacks now that TitanHQ’s powerful 100% cloud-based web filtering solution, WebTitan, has been incorporated into the Kaseya IT Complete suite.
The Kaseya technology alliance partner (TAP) program is highly regarded and brings together some of the world’s leading providers of IT solutions for MSPs, including Bitdefender, Cisco, and Dell.
The Kaseya IT Complete platform provides MSPs with easy access to a wide range of managed service-ready software, including cybersecurity, cloud management, endpoint management, network management, identity & access management, and disaster & recovery services. The platform makes it easy for MSPs to expand the services they provide to their clients and deliver invaluable solutions quickly and efficiently.
The platform has been developed to help MSPs increase revenue by providing profitable new services, automate the delivery of those services, and add more value by exceeding SLAs. The ease at which the solutions can be delivered saves MSPs valuable time, allowing them to free up staff to work on strategic projects.
MSPs have access to a wide range of cybersecurity solutions through the platform, but one notable gap was an easy to deploy web filtering solution. The addition of WebTitan to the Kaseya platform allows MSPs to add another layer of security to better protect their clients from web-based threats and malware and ransomware downloads. Being DNS-based, the solution can be quickly deployed with no need for any software downloads, hardware purchases, or site visits and can be deployed and configured in a matter of minutes.
The integration of WebTitan into the Kaseya IT Complete platform was completed in time for the Kaseya Connect conference, which is taking place this week in Las Vegas, Nevada. The event will be attended by some of the top MSPs from around the world.
“Kaseya is a partner we have admired for a long time and I’m delighted to announce this integration,” said Ronan Kavanagh, CEO of TitanHQ. “With over 10 million endpoints under their management it represents a massive opportunity for our business. We look forward to working with Kaseya’s MSP partners and adding our personal touch and renowned focus on great customer support.”
Adding WebTitan to our open ecosystem of partner solutions means our customers now have even greater access to best of breed technologies to meet the needs of their business. With growing concerns over malware, ransomware and phishing as key threats to MSP customers, WebTitan adds a highly effective layer of protection,” said Frank Tisellano, Jr., vice president product management and design.
There have been significant developments relating to exploit kits in the past few days. The threat actors behind the Magnitude exploit kit have now changed their malicious payload, and the EITest malware distribution network that directed traffic to exploit kits has finally been sinkholed.
Magnitude Exploit Kit Switches to GandCrab Ransomware Delivery
Exploit kit activity is at a fraction of the level of 2015 and 2016, and in 2017 there was a 62% reduction in the development of exploit kits according to research from Recorded Future.
However, exploit kit activity has not fallen to zero and the malicious code is still widely used to deliver malware and ransomware underscoring the continued need for technologies to block these attacks such as web filtering solutions and the continued need to keep on top of patching.
Exploit kits often leverage vulnerabilities in Java and Adobe Flash, although more recently it has been Microsoft vulnerabilities that have been exploited due to the fall in Java vulnerabilities and the phasing out of Adobe Flash.
One exploit kit that is still being used in extensive attacks, albeit attacks that are highly geographically targeted, is the Magnitude exploit kit.
For the past seven months, the Magnitude exploit kit has been delivering the Magniber ransomware payload almost exclusively in South Korea. However, there has been a notable change in the past few days with it also being used to distribute GandCrab ransomware, with the latter not restricted geographically and capable of infecting English language Windows devices.
While early variants of GandCrab ransomware were cracked and free recovery of files was possible, there is no known decryptor for the current version of GandCrab ransomware being distributed via Magnitude. While Adobe Flash and Microsoft exploits were commonly used, Magnitude is now using a fileless technique to load the ransomware. This technique makes it much harder to detect.
According to Malwarebytes, “The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriplet that is later decoded in memory and executed.” Once run, the payload is injected into explorer.exe, files are encrypted, and the infected device is rebooted.
EITest Malware Distribution Network Disrupted
There has been some major good news on the exploit kit front this week with the announcement that the EITest malware distribution network has finally been sinkholed. EITest has been active since at least 2011 and has been used to distribute all manner of malware over the years.
EITest was a major distribution network responsible for countless Kronos, Ramnit, DarkCloud and Gootkit infections, although more recently was used to deliver ransomware variants such as CryptXXX and Cerber and send users to sites running social engineering and tech support scams.
Prior to being sinkholed, EITest was redirecting as many as 2 million users a day to a network of more than 52,000 compromised websites that had been loaded with exploit kit code and social engineering scams. Most of the compromised sites were WordPress sites based in the USA, China, and Ukraine.
The threat actors behind EITest were selling traffic to other actors in blocks of between 50,000 and 70,000 visitors at a cost of $20 per thousand.
Over a 20-day period since EITest was sinkholed, more than 44 million users were directed to the sinkhole rather than malicious websites.
Now all redirects to malicious websites have stopped. The compromised websites remain active, but rather than redirecting users to malicious domains they are directing traffic to benign domains controlled by abuse.ch and brilliantit.com.
Regardless of the size of your business, the most effective security measure to deploy to block threat actors from gaining access to your servers, workstations, and data is a hardware firewall. A hardware firewall will ensure your digital assets are well protected, but how should your firewall be configured for optimal network security? If you follow network segmentation best practices and set up firewall security zones you can improve security and keep your internal network isolated and protected from web-based attacks.
What is Network Segmentation?
As the name suggests, network segmentation is the practice of dividing a computer up into smaller segments, and by doing so, you separate systems and applications from each other. If there are systems that have no interaction with each other, there is no need for them to be on the same network. If they are, it just makes it easier for a hacker to gain access to everything if the perimeter defenses are breached. Network segmentation can also help to boost performance. With fewer hosts on each subnet, local traffic is minimized. It can also improve monitoring capabilities and helps IT teams identify suspicious behavior.
Network Segmentation Security Benefits
There are many benefits to be gained from network segmentation, of which security is one of the most important. Having a totally flat and open network is a major risk. Network segmentation improves security by limiting access to resources to specific groups of individuals within the organization and makes unauthorized access more difficult. In the event of a system compromise, an attacker or unauthorized individual would only have access to resources on the same subnet. If access to certain databases in the data center must be given to a third party, by segmenting the network you can easily limit the resources that can be accessed, it also provides greater security against internal threats.
Network Segmentation Best Practices
Most businesses have a well-defined network structure that includes a secure internal network zone and an external untrusted network zone, often with intermediate security zones. Security zones are groups of servers and systems that have similar security requirements and consists of a Layer3 network subnet to which several hosts connect.
The firewall offers protection by controlling traffic to and from those hosts and security zones, whether at the IP, port, or application level.
There are many network segmentation examples, but there is no single configuration that will be suitable for all businesses and all networks, since each business will have its own requirements and functionalities. However, there are network segmentation best practices that should be followed. We have outlined these and firewall DMZ best practices below.
Suggested Firewall Security Zone Segmentation
In the above illustration we have used firewall security zone segmentation to keep servers separated. In our example we have used a single firewall and two DMZ (demilitarized) zones and an internal zone. A DMZ zone is an isolated Layer3 subnet.
The servers in these DMZ zones may need to be Internet facing in order to function. For example, web servers and email servers need to be Internet facing. Because they face the internet, these servers are the most vulnerable to attack so should be separated from servers that do not need direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is compromised.
In the diagram above, the allowed direction of traffic is indicated with the red arrows. As you can see, bidirectional traffic is permitted between the internal zone and DMZ2 which includes the application/database servers, but only one-way traffic is permitted between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been placed in a separate DMZ to the application and database servers for maximum protection.
Traffic from the Internet is allowed by the firewall to DMZ1. The firewall should only permit traffic via certain ports (80,443, 25 etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not permitted, at least not directly.
A web server may need to access a database server, and while it may seem a good idea to have both of these virtual servers running on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and placed in different DMZs. The same applies to front end web servers and web application servers which should similarly be placed in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be necessary, but it should only be permitted on certain ports. DMZ2 can connect to the internal zone for certain special cases such as backups or authentication via active directory.
The internal zone consists of workstations and internal servers, internal databases that do not need to be web facing, active directory servers, and internal applications. We suggest Internet access for users on the internal network to be directed through an HTTP proxy server located in DMZ 1.
Note that the internal zone is isolated from the Internet. Direct traffic from the internet to the internal zone should not be permitted.
The above configuration provides important protection to your internal networks. In the event that a server in DMZ1 is compromised, your internal network will remain protected since traffic between the internal zone and DMZ1 is only permitted in one direction.
By adhering to network segmentation best practices and using the above firewall security zone segmentation you can optimize network security. For added security, we also recommend using a cloud-based web filtering solution such as WebTitan which filters the Internet and prevents end users from accessing websites known to host malware or those that contravene acceptable usage policies.
Web-based malware attacks via exploit kits were commonplace in 2016, although in 2017 this mode of attack fell out of favor with cybercriminals, who concentrated on spam email to deliver their malicious payloads. Exploit kit activity is now at a fraction of the level of 2016, although 2017 did see an increase in activity using the Rig and Terror exploit kits.
Now, a recent discovery by Proofpoint could see exploit kit activity start to increase once again. A new traffic distribution system is being offered on darknet marketplaces that helps cybercriminals direct users to sites hosting exploit kits and conduct web-based malware attacks.
Traffic distribution systems – also known as TDS – buy and sell web traffic and are used to direct web users from one website to another. When a user clicks on a link that is part of a TDS system, they are directed to a website without their knowledge – a website that could host an exploit kit and trigger a malware download.
The new TDS – known as BlackTDS – requires threat actors to direct traffic to the service, which then filters that traffic and directs individuals to exploit kits based on their profile data. The service maximizes the probability of the exploit kit being able to download malware onto their device. The service can also be used to determine which malware will be downloaded, based on the profile of the user.
Threat actors that sign up to use the service can inexpensively select the exploit kits and malware they want installed with all aspects of the malware distribution service handled by the developers of BlackTDS. The developers also claim their cloud-based TDS includes fresh HTTPS domains that have not been blacklisted and that it is difficult for their cloudTDS to be detected by security researchers and sandboxes.
Using spam campaigns and malvertising, threat actors can direct traffic to BlackTDS with all aspects of drive-by downloads handled by the developers. Campaigns being run using BlackTDS have been directing users to the RIG-v, Sundown, and Blackhole exploit kits which are used to download a wide range of keyloggers, ransomware, and other malware variants.
The provision of this malicious service makes it cheap and easy for threat actors to take advantage of web-based malware distribution rather than relying on spam email to spread malicious software. It also makes it clear that exploit kits are still a threat and that web-based malware attacks are likely to become more of a problem over the coming months.
To find out more about how you can protect your business from exploit kits and web-based malware attacks, contact the TitanHQ team today and ask about WebTitan.
A new bill has been introduced that proposes mandatory use of WiFi filters in libraries in Idaho to prevent wireless networks from being used to view obscene content. Current legislation in the state only applies to wired networks.
In many other states, web filters in libraries are only required for libraries that wish to obtain discounts on their internet services under the e-Rate program. Many libraries choose not to apply for such discounts to enable them to continue to provide full access to all forms of Internet content, instead choosing to implement policies and procedures covering acceptable usage of their computers and WiFi networks.
Policies and procedures are not seen as sufficient in Idaho, which already has one of the strictest laws in the United States covering internet filtering in libraries. In 2011, legislation was introduced that made it mandatory for library web filters to be implemented on any computers that can be used by minors. The bill that was passed was scaled back, with the original bill calling for mandatory use of Internet filters on all library computers.
The new resolution was introduced by an Idaho House State Affairs committee this week along with a new bill – proposed by Rep. Lance Clow (R-Twin Falls) – that requires all libraries in the state to expand their Internet filtering controls to include their WiFi networks.
The concern is that simply connecting to library WiFi networks may allow users to gain access to obscene content. “Families are torn apart because of the proliferation of this material,” said Clow. Pornography is “creating a public health crisis.”
The resolution says the use of pornography has been “linked to a reduced desire in young men to marry, dissatisfaction in marriage, and infidelity.” The committee wholeheartedly backed the resolution and the new bill, even changing the language to make it clear that young women were also adversely affected by obscene images. A similar resolution was introduced in Utah, on which the Idaho resolution was based.
The use of WiFi filters in libraries is unlikely to cause too many problems, since many filtering solutions that have been implemented already have the capacity to filter both wired and wireless networks. Some libraries have already made the decision to implement Internet filtering controls on their WiFi networks, even though they are not currently required to do so under state laws.
The implementation of WiFi filters in libraries is a quick and easy process with a solution such as WebTitan Cloud for WiFi. WebTitan allows libraries to accurately filter Internet content to prevent obscene images from being accessed without overblocking content. The solution is easy to configure, has a low maintenance overhead, and is one of the cheapest web filtering solutions on the market.
Being DNS based, there is no need for any software installations or hardware purchases. The solution is highly scalable and there is no latency, which makes it a winning solution for libraries and their patrons. WebTitan Cloud can also be easily applied to wired networks.
For further information on WebTitan Cloud and WebTitan Cloud for WiFi, for a product demonstration, and information on a free trial of the solution, contact the TitanHQ team today.
UPDATE: April, 2019: Governor Brad Little has signed the bill into law. Libraries in Idaho will be required to implement filtering technology on their wireless networks by July 1, 2020.
Today has seen the announcement of a new partnership between TitanHQ – the leading provider of email and web filtering solutions for MSPs – and the international consulting, coaching, and peer group organization HTG. The announcement was made at the Q1 HTG Peer Groups meeting at the Pointe Hilton Squaw Peak Resort, Phoenix, Arizona.
The partnership sees TitanHQ’s web filtering solution – WebTitan; its cloud-based anti-spam service – SpamTitan; and its email archiving solution – ArcTitan made immediately available to the HTG community.
TitanHQ has developed innovative cybersecurity solutions specifically for managed service providers to help them provide even greater protection to their clients from the ever-increasing volume of email and Internet-based threats. The multiple award-winning solutions have now been adopted by more than 7,500 businesses and 1,500 MSPs, helping to protect them from malware, ransomware, viruses, phishing, botnets, and other cyber threats.
HTG is a leading peer group association that was recently acquired by the global technology giant ConnectWise. HTG helps businesses plan and execute strategies to drive forward growth and increase profits. Its consultants and facilitators share wisdom, provide accountability, and build meaningful relationships with businesses to help them succeed in today’s highly competitive marketplace.
The new partnership will see TitanHQ join HTG Peer Groups as a Gold vendor, making the firm’s MSP-friendly cybersecurity solutions immediately available to the HTG community.
“We’re delighted to welcome TitanHQ on board for 2018. As soon as the initial discussion started we knew they would make a great match for our community, as web security is a key area for our members in 2018,” said HTG Peer Groups founder, Arlin Sorensen.
HTG Peer Groups Founder Arlin Sorensen (Left); TitanHQ CEO Conor Madden (Right)
“WebTitan web filter was built by MSP’s for MSP’s and this exciting relationship with HTG Peer Groups is a continuation of that process. It allows us to listen to the opportunities and difficulties faced by MSP senior executives while also allowing us to share how we became a successful web security vendor. Our goal is to successfully engage with HTG members to build strong and long-lasting relationships,” said TitanHQ CEO, Conor Madden.
Web security is a hot topic within the managed service provider community. MSPs are being called upon to improve web security for their clients and protect against a barrage of phishing, malware, and ransomware attacks. They are also called upon to mitigate malware and ransomware attacks when they are experienced by their clients, which can be time-consuming and costly. By implementing WebTitan, TitanHQ’s award-winning web filtering solution, MSPs can substantially reduce support and engineering costs.
WebTitan serves as a barrier between end users and the Internet, blocking attempts by users to visit malicious websites where malware and ransomware is silently downloaded. WebTitan is also a powerful content filtering solution that can be used to enforce organizations’ acceptable Internet usage policies.
The web filtering solution and TitanHQ’s anti-spam solution SpamTitan have been developed specifically with MSPs in mind. The solutions can be applied and configured in under 30 minutes without the need for additional hardware purchases, software downloads, or site visits. The solutions have a low management overhead which means MSPs can protect their clients from email and web-based threats, reduce the hands-on time they need to spend on their clients and provide greater value while improving their bottom lines.
Delegate Dave A. LaRock (R) and State Sen. Richard Hayden Black (R) have proposed a new bill in the Virginia General Assembly that would require a web filter on internet-enabled devices sold or distributed in the state of Virginia.
House Bill No. 1592, also referred to as the The Human Trafficking Prevention Act, is intended to reduce the availability of pornography, which is believed will reduce the level of human trafficking in Virginia.
Mandatory Web Filter on Internet-Enabled Devices in Virginia
The bill calls for a web filter on all internet-enabled devices. The filtering mechanism would be required to block all obscene items, including obscene images, obscene performances, and obscene exhibitions, in addition to child pornography and unlawful images/videos of people that have been recorded and/or distributed without consent.
The bill does not amount to a ban on pornography in Virginia, as it would be possible for purchasers of Internet-enabled devices – which includes computers, laptops, tablets, and smartphones – to legally disable the content blocking mechanism.
To do so would require an individual to prove to the vendor or distributor of the device, by means of an official photographic ID, that they are over 18 years of age. The distributor of the device must receive a written receipt confirming a written warning has been provided advising of the dangers of unblocking the content filter.
Anyone purchasing a device must also pay a one-time digital access fee of $20 to have the web filter lifted, in addition to any fee charged by the distributor or seller of the device to remove the web filtering capability on the device.
The $20 fee would be paid into a Virginia Prevention of Human Trafficking Victim Fund, while the charges applied by the seller/distributor could be retained. The Virginia Prevention of Human Trafficking Victim Fund would be used solely for supporting victims of human trafficking and to pursue criminal prosecutions in human trafficking cases.
There will be stiff financial penalties and potentially jail time for any seller/distributor who fails to apply the web filter. Removal of the filter without paying the fee would similarly be considered an offense under the Virginia Consumer Protection Act.
There have been mixed reactions to the new bill. Proponents of the bill believe a web filter on internet-enabled devices is necessary to make it harder for state residents to access pornography and that it would also help to prevent minors from accidentally or deliberately accessing obscene website content. It is argued that making individuals pay for access to obscene content would help to eliminate temptation.
Critics of the bill have said the proposed legislation amounts to a ‘sin tax’, while many others feel that such a law would violates the human rights of Americans.
Virginia is not the first state in the US to consider such a bill. House Bill No. 1592 is a virtual carbon copy of legislation that has been proposed in several other states including Alabama, New Mexico, North Dakota and South Carolina.
According to Kaspersky Lab, one of the most dangerous threats to mobile users is Skygofree malware – A recently discovered Android malware threat that has been described as the most powerful Android malware variant ever seen.
Skygofree malware has only recently been detected, but it is the product of some serious development. Kaspersky Lab believes it has been in development for more than three years. The result is a particularly nasty threat that all users of Android devices should take care to avoid. Once it is installed on a device, it has access to a considerable amount of data. It also has some rather impressive capabilities, being capable of 48 different commands.
Among its arsenal is the ability to take control of the camera and snap pictures and take videos without the knowledge of the user. It has access to geolocation data so is capable of tracking your every move. Where you go, as well as where you have been.
Skygofree malware will steal call records and discover who you have spoken to and when and will read your text messages. The malware can also record conversations and background noise, both for telephone calls and when the user enters a specific location – based on geolocation data – that has been set by the attacker.
Whenever you are in range of a WiFi network that is controlled by the attacker, the device will automatically connect, even if WiFi is turned off. It also has access to all information in the phone’s memory, can check your calendar to tell what you have planned, and intercept WiFi traffic.
You also cannot privately communicate using WhatsApp with Skygofree malware installed. It abuses the Android Accessibility Service and can view your messages. Skype conversations are similarly not secure. As if that was not enough, the malware also serves as a keylogger, recording all data entered on the device.
With such an extensive range of functions, this powerful new malware variant is clearly not the work of an amateur. It is believed to be the product of an Italian intercept and surveillance company called Negg, that is known to work with law enforcement agencies.
Kaspersky Lab researcher Alexey Firsh said, “Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam.”
Skygofree malware is spread via malicious websites that closely resemble those of mobile carriers. Several mobile carriers including Vodaphone have been spoofed.
Protecting against malware threats such as this is difficult. The best defense is to be extremely careful browsing the internet. However, with malicious adverts able to redirect users to malicious sites, careful browsing is no guarantee of safety.
How to Protect Your WiFi Network and Block Malicious Websites
WebTitan for WiFi offers protection from malware when users connect to your WiFi network. WebTitan for WiFi is a powerful web filtering solution that can be used to restrict access to a predefined list of websites or configured to prevent users from visiting categories of websites known to carry a high risk of containing malware. Blacklists are also used to ensure known phishing and malware-laced websites, including those used to spread Android malware, cannot be accessed via your WiFi network.
To find out more about WebTitan for WiFi, and web filtering solutions for your wired networks, contact the TitanHQ today.
Loapi malware is a new Android malware variant that is capable of causing permanent damage to Android smartphones.
The new malware variant was recently discovered by researchers at Kaspersky Lab. In contrast to many new malware variants that operate silently and remain on the device indefinitely, Loapi malware infections can be short-lived. Kaspersky performed a test on an Android phone and discovered that within two days the phone had been destroyed.
The aim of the malware is not sabotage. Destruction of the device is just collateral damage that results from the intense activity of the malware. Loapi malware performs a wide range of malicious functions simultaneously, including some processor-intensive activities that cause the device to overheat, causing irreparable damage.
In the test, over the two days, the constant activity caused the device to overheat and the battery to bulge; deforming the device and its cover.
The researchers said Loapi malware is likely no other malware variant they have seen, and the researchers have seen plenty. Loapi malware was called a ‘jack of all trades’ due to its extensive capabilities. The malware is used to mine the cryptocurrency Monero, a processor-intensive process. The malware uses processing power of infected devices to create new coins. While the mining process is less intensive than for Bitcoin, it still takes its toll.
Additionally, the malware allows infected devices to be used in DDoS attacks, making constant visits to websites to take down online services. The malware is used to spam advertisements, and bombards the user with banners and videos
The malware will silently subscribe to online services, and if they require text message confirmation, that is also handled by the malware. The malware gains access to SMS messages and can send text messages to any number, including premium services. Text messages are used to communicate with its C2 server. Messages are subsequently deleted by the malware to prevent detection by the user, along with any text message confirmations of subscriptions to online services. Kaspersky Lab researchers note that the malware attempted to access more than 28,000 URLs in the two days of the test.
Any apps that are installed on the device that could potentially affect the functioning of the malware are flagged with a false warning that the app contains malware, telling the user to uninstall them. The user will be bombarded with these messages until the app is uninstalled, while other security controls prevent the user from uninstalling the malware or deactivating its admin privileges.
There is little the malware cannot do. The researchers point out that the only function that Loapi does not perform is spying on the user, but since the modular malware can be easily updated, that function could even be added.
While conclusive proof has not been obtained, Kaspersky Lab strongly suspects the malware is the work of the same cybercriminal operation that was behind Podec malware.
So how is Loapi malware distributed? Kaspersky notes that as is common with other Android malware variants, it is being distributed by fake apps on third-party app stores, most commonly disguised as anti-virus apps. A fake app for a popular porn website has also been used. Additionally, fake adverts have been detected that promote these fake apps, with more than 20 separate locations discovered to be pushing the malware.
The malware has not yet been added to the Google Play store, so infections can be prevented by always using official app stores.
A new Kentucky web filtering law have been proposed that will make it mandatory for all vendors of Internet-enabled devices in the state of Kentucky to have pornography filters installed that will prevent users from accessing adult content.
Similar laws have been proposed in other U.S. states to deal with the growing social problems that are caused by pornography. The proposed Kentucky web filtering law is virtually a carbon copy of bills that are being considered in Alabama, North Dakota, and South Carolina.
The proposed Kentucky web filtering law was introduced by Rep. Dan Johnson (R-Mt. Washington). The aim is not to make it impossible to access pornography in Kentucky, only to make it harder. If Kentuckians want to use their Internet-enabled devices to access obscene material such as pornography, they will be required to pay a fee of $20 to have the web filtering controls removed.
The fee could be paid on purchase of the device or at a later date. Lifting the web filter would require proof of age to be supplied and a consent form to be signed. This opt-in approach to adult content is seen as the best way to prevent many of the problems that arise from use of pornography, and to make it much more difficult for minors to view adult web content.
As with other similar web filtering laws that have been proposed, the fees would be directed, in part, to crime victim compensation funds as well as for law enforcement and to add to state funds.
If the Kentucky web filtering law is passed, it would make the supply of PCs and mobile phones without filtering software a Class A misdemeanour. Selling an Internet-enabled device to a minor without web filtering software to block pornography would be a class C felony,
In Alabama, the proposed laws would see the Class A misdemeanour attract a fine of up to $6,000 and a jail term of up to a year, while the Class C felony would be punishable with a $30,000 fine and up to 10 years in jail.
Laws proposed in Alabama, South Carolina and North Dakota also require a mechanism to be introduced that would allow webpages and websites that have not been blocked by the filter to be easily reported. A call center or website would need to be set up for this purpose, and the sites would need to be added to the filter within a reasonable time frame. The failure to do so would result in a fine of $500 per instance.
The new bill would need to survive a vote, but before that takes place, Rep. Johnson first needs to keep his position. Yesterday, Republicans and Democrats called for Johnson’s resignation following allegations that he sexually assaulted a 17-year old girl at his Fern Creek church.
Kaspersky Lab has named ransomware as one of the key threats of 2017, and one that continues to plague businesses the world over. Ransomware attacks in 2017 are down year on year, but ransomware attacks on businesses are up.
Ransomware attacks in 2016 were bad, but this year there have been three major attacks that have gone global – WannaCry in May, NotPetya in June, and most recently, the Bad Rabbit attacks in October. Many of the ransomware attacks in 2017 have been far more sophisticated than in 2015 and 2016, while attackers are now using a wider variety of tactics to install the malicious code.
At the start of 2016, ransomware was primarily being installed using exploit kits, before attackers switched to spam email as the main method of delivery. Spam email remains one of the most common ways for ransomware to be installed, although each of the above three attacks used exploits for unpatched vulnerabilities.
Those exploits had been leaked online by the hacking group Shadow Brokers, all of which had been developed and used by the NSA. While not severe as WannaCry, NotPetya and BadRabbit, exploits were also used by AES-NI and Uiwix ransomware variants. Threat actors are also using remote desktop protocol to gain access to systems to install ransomware, while the use of exploit kits is once again on the rise.
There has been a noticeable change in targets since 2015 when ransomware started to be favored by cybercriminals. Consumers were the main targets, although cybercriminals soon realized there was more to be made from attacking businesses. In 2016, 22.6% of ransomware attacks were on business users. The Kaspersky Lab report shows that ransomware attacks on businesses are becoming far more common, accounting for 26.2% of all attacks in 2017.
Out of the businesses that experienced a ransomware attack in 2017, 65% said they lost access to a significant amount of data, and in some cases, all of their data. Some businesses have prepared for the worst and have developed ransomware response plans and now have multiple copies of backups, with at least one copy on an unnetworked device. In the event of an attack, data can be recovered.
Others have not been so fortunate and have been left with no alternative other than to pay the ransom demand. As we saw with NotPetya, and many other ransomware and pseudo-ransomware variants, it is not always possible to recover data. The Kaspersky Lab report shows that one in six businesses that paid the ransom demand were unable to recover their data, creating massive business disruption and also potentially privacy and compliance fines. Keys to unlock the encryption were not provided or simply did not work.
There is some good news in the report. Ransomware attacks in 2017 affected 950,000 unique users, which is a considerable reduction from last year when 1.5 million users suffered a ransomware attack. This has been attributed not to a reduction in attacks, but better detection.
Kaspersky reports that the explosion in ransomware families in 2016 did not continue at the same level in 2017. Last year, 62 new families of ransomware were discovered. While there is still a month left of the year, to date, the number of new ransomware families in 2017 has fallen to 38.
While this appears to be good news, it is not an indication that the threat from ransomware is reducing. Kaspersky Lab notes that while the creation of new ransomware families halved in 2017, in 2016 there were 54,000 modifications made to existing ransomware variants, but this year there have been 96,000 modifications detected – Almost double the number of modifications last year. Rather than develop new ransomware families, cybercriminals are tweaking existing ransomware variants.
Kaspersky Lab, McAfee, and a host of security experts predict ransomware attacks will continue to plague businesses in 2018. As long as the attacks remain profitable they will continue, although Kaspersky Lab notes that 2018 is likely to see efforts switch to cryptocurrency miners, which can prove more profitable than ransomware in the long run. Even so, ransomware attacks are likely to continue for the foreseeable future.
To prevent the attacks, businesses need to implement a host of defenses to block and detect ransomware. Anti spam software can be deployed to prevent email-based attacks, web filters can be used to block access to websites hosting exploit kits and prevent drive -by downloads, and endpoint protection systems and network monitoring can detect changes made by ransomware and alert businesses to ransomware attacks in progress. Along with good backup policies and end user training, the threat from ransomware can be reduced to an acceptable level and the majority of attacks can be blocked.
A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via remote desktop protocol brute force attacks.
The LockCrypt ransomware attacks were first detected in June this year, but over the past few months the number of attacks has increased significantly, with October seeing the highest number of attacks so far this year.
LockCrypt ransomware is a relatively new malware variant, having first been seen in June 2017. Once infected, users will be unable to access their files. This ransomware variant uses RSA-2048 and AES-256 cryptopgraphy, which makes it virtually impossible to recover files without paying the ransom demand if a viable backup does not exist. To make recovery more difficult, LockCrypt ransomware also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension.
The ransom payment for this campaign is considerable – typically between 0.5 and 1 Bitcoin per encrypted server. That’s between $3,963 and $7,925 per compromised server; however, since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed, it can be used to access multiple servers and deploy LockCrypt ransomware. One of the Bitcoin addresses used by the attackers shows one company paid a ransom of $19,000 to recover files on three of its servers.
Once access to a server is gained, ransomware is deployed; however, the attackers are manually interacting with compromised servers. AlientVault security researcher, Chris Doman, reported that for one company, in addition to deploying ransomware, the attackers “manually killed business critical processes for maximum damage.” All non-core processes on an infected server are killed.
The attacks do not appear to be targeted, instead they are randomly conducted on business servers. Businesses that are most likely to have ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password, this plays into the hands of attackers.
Other security controls such as two-factor authentication can reduce the risk from this type of attack, as can rate limiting to prevent the number of failed attempts a user can make before their IP address is temporarily – or permanently – blocked.
An additional control that system administrators can apply is to white-list certain IP addresses to restrict RDP access to authorized individuals. If that is not practical, disallowing RDP connections over the Internet from abroad can help to prevent these attacks.
While implementing controls to prevent RDP brute force attacks is vital, most ransomware variants are spread via spam email, and to a lesser extent via exploit kits and drive-by downloads. Comprehensive security defenses must therefore be deployed to reduce the risk of ransomware attacks.
The Magnitude exploit kit is being used to deliver a new malware variant – Magniber ransomware. While the Magnitude EK has been used in attacks throughout the Asia Pacific region, the latest attacks are solely taking place in South Korea.
Ransomware and malware attacks in Europe and the Americas are primarily conducted via spam email. Exploit kits having fallen out of favor with cybercriminals over the past year. However, that is not the case in the Asia Pacific region, where exploit kit attacks are still common.
An exploit kit is a website toolkit that scans visitors’ browsers for exploitable vulnerabilities. When a vulnerability is identified, it is exploited to download malware onto the user’s system. The download occurs silently and in the case of a ransomware attack, the user is only likely to discover the attack when their files have been encrypted.
Magniber ransomware takes its name from the Magnitude EK and Cerber ransomware, the ransomware variant that it has replaced. At present, Magniber ransomware is solely targeting users in South Korea. If the operating system is not in Korean, the ransomware will not execute. While it is not unusual for ransomware campaigns to involve some targeting, it is rare for attacks to be targeted on a specific country.
Up until recently, the Magnitude exploit kit was being used to download Cerber ransomware. FireEye reports that those attacks were concentrated in the Asia Pacific region. 53% of attacks occurred in South Korea, followed by the USA (12%), Hong Kong (10%), Taiwan (10%), Japan (9%), and Malaysia (5%). Small numbers of attacks also occurred in Singapore and the Philippines. At the end of September, Magnitude EK activity fell to zero, but on October 15, the payload was updated and attacks were solely conducted in South Korea.
To avoid analysis, Magniber ransomware checks whether it is running in a virtual environment. A check is also performed to identify the system language. If the system language is Korean, data is encrypted with AES128 and encrypted files are given the .ihsdj extension. After encryption, the ransomware deletes itself. If the system language is not Korean, the ransomware exists.
At present, the Magnitude Exploit Kit has been loaded with a single exploit for CVE-2016-0189 – A memory corruption vulnerability in Internet Explorer. A patch for the vulnerability was released last year. FireEye believes the ransomware is still under development and its capabilities will be enhanced and finetuned.
To prevent attacks, it is important to ensure systems are fully patched. Businesses should make sure all network nodes are updated and are fully patched. A web filtering solution should also be used as an additional protection against this and other exploit kit attacks.
The EU’s proposed Internet copyright filter has not proven popular with digital rights groups. The Internet copyright filter provision, detailed in Article 13 of the Digital Single Market proposals, would require the Internet to be policed to prevent the online publication of copyrighted content.
At present, if an individual decides to share content online and that material is protected by copyright, the holder of the copyright can submit a request to have the material taken down. The process can take some time before the material is removed, during which time the information can be viewed and potentially downloaded.
The proposed Internet copyright filter would improve protections for copyright holders. Online service providers such as Facebook, Twitter, WordPress, YouTube, and Dropbox would be required to constantly scan uploaded content to check the material is not protected by copyright. If it is, the content would need to be removed immediately.
The Internet copyright filter would certainly go some way toward protecting the rights of copyright holders and would make it harder for music, movies, TV shows, and other video content to be uploaded and viewed by the public. Unsurprisingly, the proposed measure has attracted considerable support from the entertainment industry.
However, there has been considerable opposition to the proposed Internet copyright filter by digital rights groups such as the Electronic Frontier Foundation, Human Rights Watch, Reporters Without Borders, Open Rights Group, European Digital Rights and the Civil Liberties Union for Europe. In total, 56 organizations have added their name to an open letter to EU policymakers calling for Article 13 to be dropped.
Those organizations believe that while there are benefits to Article 13, the Internet copyright filter would be impossible to implement without also violating the freedom of expression detailed in Article 11 of the Charter of Fundamental Rights, as well as imposing excessive restrictions on citizens’ fundamental rights.
If passed, Internet companies would be forced to take down content to avoid possible legal liability, and that would undoubtedly see them erring on the side of caution and applying excessive filtering controls. Legitimate content would be deleted and Internet filtering controls would limit freedom to impart and receive information. Further, it would be difficult in practice to differentiate illegal uploads of content that violate copyright laws from legitimate uses of content.
Whether the letter will result in Article 13 being dropped remains to be seen, but if not, there are likely to be further challenges. As is mentioned in the letter, previous attempts to introduce new laws that conflict with the Charter of Fundamental Rights have been rejected by the Court of Justice. If those precedents are followed, Article 13 would likely be rendered invalid.
A Social Community Partnership employee fired for viewing pornography at work took legal action against her employer for unfair dismissal. However, Ireland’s Workplace Relations Commission (WRC) has upheld the Partnership’s decision to fire the employee, confirming the sanction was appropriate.
In May 2016, the employee was discovered to have viewed pornography on her work computer and was promptly fired for gross misconduct. While the employee denied viewing pornography at work, a review of access logs on her computer revealed pornographic websites had been accessed on seven occasions between September and November 2015.
The material accessed included depictions of rape and the abduction of girls. While viewing pornography at work is unacceptable in any office, the nature of the material that was accessed made this an egregious violation of the Partnership’s acceptable Internet usage policy, especially considering the Social Community Partnership works to support children and families.
Lack of Individual Logins Makes it Difficult to Attribute Inappropriate Internet Access to Individual Employees
The case was not clear cut, as the computers in the reception area where she worked did not require secure logins for each employee. The employee also denied that she had viewed pornography and claimed two other workers used the same computers. She also said that other employees could have used the computers when she was not at her desk.
To determine that the employee was the person responsible for violating the company’s acceptable Internet use policy, the Partnership had to compare Internet logs against the work schedule. Multiple employees were found to have been working on four of the seven occasions, but the employee was the only person scheduled to work in the reception area on three of the occasions when pornography was accessed.
The employee suggested the sites could have been popups, although the claim was rejected by her employer. To determine whether access was due to a malware infection, an external computer expert was called in to conduct a scan of the computer. The scan confirmed no malware was present that could have redirected the browser to pornographic websites.
After hearing the unfair dismissal case and the evidence against the employee, the WRC ruled that ‘on the balance of probability,’ the employee was the person responsible for accessing the material and that, under the circumstances, the decision to fire the employee was correct.
Two Thirds of Men and One Third of Women Admit to Viewing Pornography at Work
Even though viewing pornography at work is prohibited in many organizations, employees ignore company rules and access obscene material on their work computers. The actions often result in instant dismissal when they are discovered, although many employees believe they won’t be caught or do not realize Internet logs are maintained. Many choose to anonymize their Internet activity by connecting to the Internet via VPNs and other anonymizing services.
The scale of the problem has been identified by several surveys and studies. In one notable study, conducted by Proven Men Ministries in 2014, 63% of men and 36% of women admitted having accessed pornography at work on at least one occasion. Other studies in the United States and the UK have also confirmed viewing pornography at work is commonplace.
The viewing of pornography at work can cause many problems for employers. In this case, the Social Community Partnership could have lost essential government funding. Even though that didn’t happen, there has been considerable negative publicity and the expense of fighting an unfair dismissal claim.
When employees view pornography at work it can easily lead to the creation of a hostile working environment, lawsuits could be filed by other employees who have been made to feel uncomfortable by the actions of others, and when illegal pornographic material is accessed at work – child pornography for example – the consequences for employers can be severe.
How Can Businesses Prevent Employees Viewing Pornography at Work?
Acceptable Internet usage policies can be used to ensure employees who breach the rules can be fired, but they do not prevent employees viewing pornography at work. Cases such as this show just how important it is to implement technology to prevent employees from accessing inappropriate website content – not just pornography, but also other content that should not be accessed in the workplace.
The expense and problems experienced by the Social Community Partnership could have easily been avoided if a web filter had been used. A web filter is a simple method of enforcing acceptable Internet usage policies and preventing pornography and other unacceptable content from being accessed by employees. A web filter can also block the use of anonymizers such as VPNs.
Further, a web filter is easy to implement, inexpensive, and can help organizations prevent considerable productivity losses, while reducing legal liability.
To find out more about the benefits of web filtering, and how you can stop employees viewing pornography at work, contact the TitanHQ team today and ask about WebTitan.
A massive Pornhub malvertising campaign has been detected that potentially resulted in millions of malware infections in the United States, Canada, UK, Australia and beyond.
Malvertising is the term given to malicious adverts that dupe website visitors into visiting websites where malware is downloaded or to sites that are used to phish for login credentials. These malverts often appear on legitimate websites, adding to their legitimacy. The malicious sites that users are directed to can download any type of malware – keyloggers, ransomware, spyware or adware.
The Pornhub malvertising campaign was used to spread click fraud malware. The hacking group behind the campaign – KovCoreG – used the Kovter Trojan. The malware has persistence and will survive a reboot.
Pornhub is one of the most popular adult websites, attracting millions of visitors. The website uses a third-party ad network called Traffic Junky. The attackers managed to sneak their malicious adverts past the controls the ad network has in place against malvertising.
The attackers detected the browser being used and redirected users to a website tailored to their browser. The Pornhub malvertising campaign worked on users of Chrome, Internet Explorer/Edge and Firefox. The webpages, which had been expertly crafted to exactly match the colors and fonts of Google, Firefox, and Microsoft and included the relevant logos and branding. The malicious webpages indicated a critical security update was required to secure the user’s browser. Clicking to download the update, and running that update, would result in infection.
The Pornhub malvertising campaign was detected by Proofpoint, which notified the ad network and Pornhub. Both acted quickly to remediate the threat, although not before many users had been infected with malware.
A Web Filtering Solution Can Block Malvertising Attacks
Implementing a web filtering solution in the workplace is not just about preventing your employees from wasting time on Facebook. A web filter is an important part of any layered cybersecurity defense strategy. The latest Pornhub malvertising campaign is a good example of how controlling the websites your employees can access can prevent malware infections.
Unless you work in the adult entertainment industry, employees should be prevented from accessing pornography at work. Most organizations include pornography in their acceptable usage policies. However, unless a filtering solution is implemented to block access, some employees are likely to break the rules. You could have a policy in place that states accessing pornography at work will result in instant dismissal. However, if anyone breaks the rules, it is not just their job that is on the line. Your network could be infected with malware.
Of course, cybercriminals do not just use adult websites for malicious adverts. Malvertising can appear on any website that includes ad blocks from third party advertisers. Since these ad blocks are an important source of revenue, many popular websites use them – Websites that are likely to feature heavily in your Internet access logs. The New York Times website for example, or the BBC and MSN.
This Pornhub malvertising campaign required a manual download, although oftentimes users are directed to sites where malware is downloaded automatically using exploit kits. If you are fully patched, you are likely to avoid an infection, but it is easy to miss a patch. The massive Equifax data breach showed how easy it is for a patch to be missed, as did the Wannacry ransomware attacks.
Considering the cost of resolving a malware infection, phishing attack, or ransomware installation, a web filtering solution is likely to pay for itself. Add to that the increase in productivity from blocking access to certain categories of websites and the improvements to your profits can be considerable.
If you are not yet using a web filter, or are unhappy with the cost of your current solution, give TitanHQ a call today and find out more about the savings you could be making.
The cost of cybercrime is 23% higher than last year, according to a new study conducted by the Ponemon Institute on behalf of Accenture. The average annual cost of cybercrime is now $11.7 million per organization, having increased from $9.5 million last year.
The Ponemon Institute conducted the 2017 Cost of Cybercrime study on 2,182 security and IT professionals at 254 organizations. Respondents were asked about the number of security breaches they experienced in the past 12 months, the severity of those incidents, and the cost of mitigation.
The average number of security breaches experienced by each organization was 130 per year, which is more than twice the number of incidents that were being experienced 5 years ago and 27.4% more than this time last year.
The costs of cybercrime were split into four areas: Disruption to businesses processes, data loss, loss of revenue, and damage to equipment. Respondents were asked to rate each based on their cost. While the losses from disruption to the business were not insignificant, they were the least costly. The biggest cost was information loss.
The costliest security incidents to resolve were malware attacks, which cost an average of $2.4 million to resolve, although the attacks were considerably more expensive to resolve in the United States where the average losses were $3.82 million per incident. In second place was web-based attacks, costing an average of $2 million globally and $3.4 million in the United States.
However, in terms of the amount of disruption caused, insider incidents topped the list, taking an average of 50 days to mitigate. Ransomware attacks took an average of 23 days to resolve.
The cost of cybercrime report indicates organizations in the financial services have the highest annual costs, spending an average of $18.28 million per organization. In second place was the energy sector with an average annual cost of $17.20 million.
Organizations in the United States had the biggest annual security breach resolution costs, spending an average of $21 million each per year. Bottom of the list was Australia with average annual costs of $5 million. Organizations in the United Kingdom were spending an average of $8.7 million per year.
As we saw with the NotPetya attacks, the cost of a cyberattack can be considerably higher. Both Maersk and FedEx reported their losses from the attacks could well rise to $300 million.
The most valuable security tools were seen as threat intelligence solutions, which gather data from cyberattacks around the world and allow businesses to prioritize threats. These solutions saved businesses an average of $2.8 million per year.
Email may be the primary vector used in phishing attacks, but the second quarter of 2017 has seen a massive increase in malvertising phishing attacks.
Malvertising is the term given to malicious adverts, which are often displayed on high-traffic websites via third party advertising networks. These adverts are used to direct web visitors to malicious websites, oftentimes sites containing exploit kits that probe for vulnerabilities and silently download ransomware and other malware.
These malware attacks increased between 2015 and 2016, with the total number of malvertising attacks rising by 136%. Demonstrating how quickly the threat landscape changes, between Q1 and Q2, 2017 there was a noticeable decline in malicious advert-related exploit kit and malware attacks. Exploit kit redirects fell by 24% and malware-related adverts fell by almost 43%, according to a recent study released by RiskIQ.
However, the study shows there was a massive increase in malvertising phishing attacks with cybercriminals changing their tactics. Phishing-related adds increased by 131% in Q2, 2017, but between 2015 and 2016, malvertising phishing attacks increased by a staggering 1,978%.
The websites that these adverts direct users to often promise a free gift in exchange for taking part in a survey. Genuine market research firms tend not to offer large incentives for taking part in surveys, or when they do offer an incentive, participants are entered into a draw where they stand a chance of winning a prize. When gifts are offered, to all participants it is a warning sign that all may not be as it seems. That said, many people still fall for the scams.
The aim of the surveys is to obtain sensitive information such as bank account information, Social Security numbers, usernames, passwords and personal information. The information can be used for a wide range of nefarious purposes. It is not only personal information that is sought. Cybercriminals are keen to gain access to corporate email accounts for the data they contain and to use them to send phishing emails.
When phishing attacks occur through corporate email accounts it can seriously tarnish a company’s reputation and may result in litigation if insufficient controls have been implemented to prevent such attacks from occurring.
Businesses can protect against malicious adverts and websites by implementing a web filter. A web filter can be configured to block third party adverts as well as the malicious websites that users are directed to, thus minimizing the risk of web-based malware and phishing attacks.
Many businesses are now choosing to filter the website content that their employees access purely for security reasons, although there are many other benefits to be gained from content filtering. Web filters can help employers curb cyberslacking, control bandwidth usage, and reduce legal liability.
With the cost of DNS-based content filtering low and potentially high losses from the failure to control Internet access, it is no surprise that so many businesses are now choosing to regulate what employees can do online at work.
To find out more about the full range of benefits of web filtering and to take advantage of a free trial of WebTitan, the leading web filtering solution for businesses, contact the TitanHQ today.
Why should businesses invest heavily in technology to detect ransomware attacks when a ransom payment may only be between $500 and $1,000? While that is what cybercriminals are charging as a ransom, the cost of a ransomware attack is far higher than any ransom payment. In fact, the ransom is often one of the lowest costs of a ransomware attack that businesses must cover.
The ransom payment may seem relatively small, although the latest ransomware variants are capable of spreading laterally, infecting multiple computers, servers and encrypting network shares. The ransom payment is multiplied by the number of devices that have been infected.
The Cost of a Ransomware Attack Can Run to Millions of Dollars
When businesses suffer ransomware attacks, the attackers often set their ransoms based on the perceived ability of the organization to pay. In 2016, Hollywood Presbyterian Medical Center was forced to pay a ransom of $19,000 to unlock its infection. When the San Francisco Muni was infected, hackers demanded $50,000 for the keys to unlock its payment system. In June 2017, South Korean web host Nayana agreed to pay $1 million for the keys to unlock the encryption of its 53 Linux servers and 3,400 customer websites.
These ransom payments are high, but the ransom is only one cost of a ransowmare attack. The biggest cost of a ransomware attack is often the disruption to business services while files are taken out of action. Systems can be taken out of action for several days, bringing revenue generating activities to an abrupt stop. One Providence law firm experienced downtime of three months following a ransomware attack, even though the $25,000 ransom was paid. Lawyers were stopped from working, causing a loss in billings of an estimated $700,000.
In heavily regulated industries, notifications must be sent to all individuals whose information has been encrypted, and credit monitoring and identity theft services often need to be provided. When hundreds of thousands of users’ data is encrypted, the cost of printing and mailing notifications and paying for credit monitoring services is substantial.
Once an attack has been resolved, networks need to be analyzed to determine whether any other malware has been installed or backdoors created. Cybersecurity experts usually need to be brought in to conduct forensic analyses. Then ransomware defenses need to be improved and new security systems purchased. The total cost of a ransomware attack can extend to hundreds of thousands or millions of dollars.
Ransomware is Here to Stay
As long as ransomware attacks are profitable, the threat will not go away. The use of ransomware-as-a-service allows ransomware developers to concentrate on creating even more sophisticated ransomware variants and stay one step ahead of security researchers and antivirus companies.
Anonymous payment methods make it hard for law enforcement to discover the identities of ransomware developers, and since those individuals are usually based overseas, even if they are identified, bringing them to justice is problematic.
Ransomware developers are constantly changing tactics and are developing new methods of attack. The coming months and years are likely to see major changes to how ransomware is used, and the systems that are attacked.
Ransomware attacks mostly target Windows systems, although new variants have already been developed to encrypt Mac and Linux files. Security experts predict there will also be an increase in ransomware variants targeting Macs as Apple’s market share increases, while website attacks are becoming more common. When a website is attacked, all site files, pages, and images are encrypted to prevent access. For an e-commerce business, the attacks can be devastating.
Ransomware attacks on mobile devices are now commonplace, with screen-lockers and file-encryptors used. Screen locking ransomware prevents users from accessing any apps or functions rendering the device unusable. File encrypting variants encrypt all data stored on the device. These ransomware variants are most commonly packaged with apps sold in unofficial app stores. Risk can be substantially reduced by only downloading files from official app stores and ensuring all apps are kept up to date.
Given the increase in attacks and the massive increase in new ransomware variants, businesses must improve their defenses, block the common attack vectors, backup all data, and constantly monitor for indicators of compromise.
Tips for Preventing a Ransomware Attack
Ensure users only have access to data and network drives necessary for them to perform their jobs.
Backup devices should be disconnected when backups have been performed.
Keep operating systems, software applications, and plugins up to date and fully patched.
Block access to websites known to host exploit kits using a web filter such as WebTitan.
Implement a spam filtering solution to prevent malicious emails from reaching inboxes.
Provide regular, ongoing training to all staff on the risks of ransomware and phishing.
Segment your network and restrict administrator rights.
To ensure a swift recovery from a ransomware attack, make sure you:
Create multiple backups of all files, websites, and systems.
Create three backups on two different media and store one copy offsite.
Develop a ransomware response plan that can be implemented immediately when an attack is suspected.
A massive Equifax data breach was announced yesterday, which ranks as one of the largest data breaches of 2017. Approximately 143 million consumers have been impacted and had their sensitive data exposed and potentially stolen.
A data breach at any company can cause considerable fallout, although this incident is particularly bad news for a credit reporting agency. Equifax aggregates and stores vast quantities of highly sensitive consumer data that are used by financial firms to make decisions about the creditworthiness of consumers. The data breach is sure to damage trust in the company.
Ironically, Equifax offers credit monitoring and identity theft protection services to companies that experience data breaches to help them protect breach victims. Naturally, all Americans affected by the Equifax data breach will be offered those services free of charge. In fact, Equifax has gone further by agreeing to offer those services free of charge to all U.S. consumers for a period of one year, even if they were not directed affected by the breach.
Chairman and Chief Executive Officer, Richard F. Smith, said “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.”
The Equifax data breach may not be the largest data breach of 2017, but the nature of the datya exposed make it one of the most serious. Highly sensitive data were exposed, including personal information, Social Security numbers, birthdates, driver’s license numbers, and 209,000 consumers had their credit card numbers exposed.
These are the exact types of information used by cybercriminals to commit identity theft and fraud. Dispute documents were also stored on the compromised system. Those documents contained a range of personal information of 182,000 consumers. The bulk of the data related to U.S citizens, although some consumers in Canada and the United Kingdom have also been affected by the Equifax data breach.
The hacker(s) responsible for the attack had access to Equifax’s systems for a considerable period of time before the breach was discovered. Access was first gained to systems in mid-May and continued until July 29, 2017 when the breach was discovered.
According to a statement released by Equifax yesterday, hackers gained access to its systems by exploiting a website vulnerability. While sensitive data were exposed and potentially stolen, Equifax reports that its core databases that are used for credit referencing purposes, were not compromised at any point.
The data breach is still being investigated and a third-party cybersecurity firm has been hired to assist with the investigation. Smith said, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
Breach notification letters are being sent to some, but not all, breach victims. Only the 391,000 individuals whose credit card numbers or dispute documents were exposed will receive notifications by mail. All other individuals will have to check an online tool to find out if their information was exposed in the breach.
Earlier this year, the NeutrinoPOS banking Trojan source code was leaked, leading to several new variants of malware being created, the latest being Jimmy Nukebot. In contrast to its predecessor, which was used to steal bank card information, the latest version has lost that functionality.
However, Jimmy Nukebot can perform a wide range of malicious functions, serving as a downloader for a wide range of malicious payloads. The malware also acts as a backdoor which will allow the actors behind the new malware to monitor activity an infected device.
Security researchers at Kaspersky Lab have analysed Jimmy Nukebot infections and have seen the malware download a wide range of modules including Monero cryptocurrency mining malware, web-injects similar to those used in NeutrinoPOS, and various other modules that modify the functions of the malware. The malware can take screenshots of an infected device and exfiltrate data and could download any malicious payload onto an infected device.
Publication of the source code of malware results in an increase in its popularity. With the malware used in more attacks, the probability of it being detected is much higher. In order to evade detection, considerable modification to the malware is required. This could well be the reason why so many changes have been made to the latest iteration. The authors of Jimmy Nukebot took the original source code of the NeutrinoPOS banking Trojan and totally restructured the malware. The way the new malware has been constructed also makes static analysis much more complicated.
The new features of the malware make it a formidable threat. Jimmy Nukebot is able to learn about the system on which it is installed and use that information for exploitation, tailoring the payload it delivers based on its environment rather than performing a pre-set malicious activity immediately upon infection.
Since the malware passively collects information and responds accordingly, it is unlikely to trigger AV alerts and may remain undetected. Organizations that have the malware installed are therefore unlikely to be aware that their systems have been compromised.
Protecting against threats such as this requires advanced malware defences, although as with most malware infections, they occur as a result of the actions of end users such as opening infected email attachments, clicking hyperlinks in emails or visiting websites that silently download malware.
Improving security awareness of employees will go a long way toward preventing malware from being installed. Coupled with an advanced spam filter to block email-based threats, a web filter to block redirects to exploit kits, regular patching, the enforced use of strong passwords, and advanced anti-malware technology, organisations can protect themselves against malware threats.
Downloading apps from non-official sources potentially places users at risk, but Google Play Store malware infected apps do exist. Google has controls in place to prevent malicious apps from being uploaded to its app store, but those controls are not always 100% effective. Choosing to download apps only from official stores is no guarantee that the apps will be free from malware.
Security researchers recently discovered around 300 apps offered through the Google Play store that appear to be legitimate programs, yet are infected with malware that add infected devices to a large botnet. The botnet was being used to launch distributed denial of service attacks (DDoS) on websites.
The botnet, dubbed WireX, comprises of tens of thousands of Android devices that are being used in highly damaging cyberattacks. Devices started to be infected in early July, with a steady rise in additions over the following weeks. Even though numbers of compromised devices grew steadily in July, the botnet was only discovered in early August when the WireX botnet started to be used in small scale DDoS attacks.
Since then, larger attacks have taken place, mostly targeting the hospitality sector. Those attacks have clogged websites with junk traffic preventing legitimate users from accessing the sites. Some of WireX DDoS attacks involved as many as 160,000 unique IPs. Since devices could conceivably be used to attack websites with multiple addresses, the size of the botnet has been estimated to be around 70,000 devices.
The growth of the botnet was soon attributed to malicious apps, with researchers discovering around 300 Google Play Store malware infected apps. Google has now disabled those apps and is in the process of removing them from devices.
The apps included video players, battery boosters, file managers and ringtones. The apps were not simply malware, as users would undoubtedly attempt to delete the apps if they failed to perform their advertised functions. The apps all worked and users who downloaded the apps were unaware that their devices were being used for malicious purposes. The malware used a ‘headless browser’ which was able to perform the functions of a standard browser, without displaying any information to the user allowing the actors behind the malware to operate undetected.
When the devices were needed for DDoS attacks, they would receive commands from their C2 server to attack specific websites.
Multiple security vendors including Akamai, RiskIQ, Flashpoint and Cloudflare collaborated and succeeded in taking down the WireX botnet. Without that collaboration, the botnet would still be active today and may not have been detected.
The Neptune Exploit kit is being used to turn computers into cryptocurrency miners, with traffic directed to the exploit kit using a hiking-themed malvertising campaign.
Exploit kit activity has fallen this year, although these web-based attacks still pose a significant threat. Exploit kits are web-based toolkits that probe browsers and plugins for vulnerabilities that can be exploited to download malware. Simply visiting a website hosting an exploit kit is all it takes for malware to be silently downloaded.
Protecting against exploit kit attacks requires browsers, plugins and extensions to be kept 100% up to date. However, even updated browsers can be vulnerable. Exploit kits can also include exploits for zero-day vulnerabilities that have not yet been patched.
Acceptable usage policies can help organizations to prevent exploit kit attacks, although website visitors are often redirected to malicious sites from legitimate websites. One of the main ways this happens is the use of malvetisements. Many high traffic websites include advertising blocks that display third-party adverts. The advertising networks serve adverts which are displayed on member sites, with the site owners earning money from ad impressions and click throughs.
While the advertising networks have measures in place to vet advertisers, oftentimes cybercriminals succeed in submitting malicious adverts. Those adverts are then pushed out and displayed on legitimate websites. Clicking one of those malicious adverts will see the user directed to a webpage hosting the exploit kit.
Exploit kits are used to download Trojans, ransomware and other malicious code, although the Neptune exploit kit is being used to download cryptocurrency miners. Infection will see computers’ processing power used to mine the Monero cryptocurrency. Infection will result in the infected computer’s resources being hogged, slowing down the performance of the machine.
The latest Neptune exploit kit campaign uses hiking club-related adverts to drive traffic to landing pages hosting the Neptune exploit kit, which in turn uses HTML and Flash exploits to download malware. These adverts closely mimic genuine domains. FireEye reports that one such campaign mimics the genuine website highspirittreks[.]com using the domain highspirittreks[.]club. Other campaigns offer a service to convert Youtube videos to MP3 files. The imageryused in the adverts is professional and the malvertising campaigns are likely to fool many web surfers.
The exploits used in the latest campaign are all old, therefore, protecting against attacks simply requires plugins and browsers to be updated. The main exploits take advantage of flaws in Internet Explorer – CVE-2016-0189, CVE-2015-2419, CVE-2014-6332 – and Adobe Flash – CVE-2015-8651, CVE-2015-7645.
Having a computer turned into a cryptocurrency miner may not be the worst attack scenario, although exploit kits can rapidly switch their payload. Other exploit kits are being used to deliver far more damaging malware, which will be downloaded silently without the user’s knowledge. Consequently, organizations should take precautions.
In addition to prompt patching and updating of software, organizations can improve their defences against exploit kits by implementing a web filtering solution such as WebTitan.
WebTitan can be configured to block all known malicious sites where drive-by downloads take place and can prevent malvertisements from directing end users to webpages hosting these malicious toolkits.
To find out more about WebTitan and how it can improve your organization’s security posture, contact the TitanHQ team today.
India’s Central Board of Secondary Education is urging all CBSE affiliated schools to take action to improve safety for students, including implementing school web filtering technology to keep students safe online.
The Internet is home to an extensive range of potentially harmful material that can have a major impact on young developing minds. Parents can take action to keep their children safe at home by using parental control filters. However, students must receive similar or greater levels of protection while at school.
School web filtering technology can prevent students from deliberately or accidentally viewing obscene material such as pornography, child pornography or images of child abuse and other categories of potentially harmful website content. CBSE has warned school boards that when students access this material it is “detrimental to themselves, their peers and the value system.” School web filtering technology should also be implemented to prevent students from engaging in illegal activities online via school IT devices.
CBSE affiliates schools have been advised to develop guidelines for safe Internet use and make this information available to students and display the rules prominently. However, without school web filtering technology, these policies would be easy to ignore. A technological solution ensures students wishing to engage in illegal activities online, or view harmful website content, will be prevented from doing so.
Prevention is only one aspect of Internet control. Schools should also set up a monitoring system to discover when individuals are attempting to bypass Internet usage policies. A web filtering solution should therefore have the capability to generate reports of attempted accessing of prohibited material to allow schools to take action. Schools have also been advised to sensitise parents about safety norms and even go as far as suggesting disciplinary action be taken when children are discovered to have attempted to access inappropriate material.
While many school systems around the world have implemented school web filtering technology, CBSE is advising affiliated schools in India to go one step further and restrict Internet content by age groups. Schools should set filtering controls by user groups and restrict access to age-inappropriate websites. Web filtering solutions such as WebTitan allows controls to be easily set for different user groups. The solution can be used to set separate filtering controls for staff and students of differing ages with ease.
Other Internet controls that have been suggested include the rapid blocking usernames/passwords when children leave school, using antivirus solutions to reduce the risk of malware infections, using firewalls to prevent cyberattacks and the theft of children’s sensitive information, and for staff to avoid posting images and videos of their students online.
School Web Filtering Technology from TitanHQ
The benefits of implementing school web filtering technology are clear, but choosing the most cost-effective controls can be a challenge.
Appliance based web filters involve a significant initial cost, there is ongoing maintenance to consider, the need for on-site IT support in many cases, and as the number of Internet users increases, hardware upgrades may be necessary.
TitanHQ offers a more cost-effective and easy to manage solution – The 100% cloud-based web filter, WebTitan.
WebTitan Cloud and WebTitan Cloud for WiFi makes filtering the internet a quick and easy process. There is no need for any hardware purchases or software installations. To start filtering the Internet and protecting students from harmful web content, all that is required is to point your DNS to WebTitan. Once that simple change has been made you can be filtering the Internet in minutes.
Both solutions can be easily configured to block different categories of website content, such as pornography, file sharing websites, gambling and gaming websites and other undesirable website content. The solutions support blacklists, allowing phishing and malware-infected sites to be easily blocked along with all webpages identified by the Internet Watch Foundation as containing images of child abuse and child pornography.
These powerful web filtering solutions require no software updates or patching. All updates are handled by TitanHQ. Once acceptable Internet usage policies have been set via the intuitive web-based control panel, maintenance only requires occasional updates such as adding legitimate webpages to whitelists. Even blacklists are updated automatically.
If you are keen to implement school web filtering technology for the first time or are unhappy with your current provider, contact the TitanHQ team today and register for your no-obligation free trail and see the benefits of WebTitan for yourself before making a decision about a purchase.
Internet filtering laws in the United States are mostly introduced at the state level, although federal legislation has been introduced for schools and libraries – The Children’s Internet Protection Act (CIPA).
Typically, Internet filtering laws in the United States are concerned with protecting minors. Laws apply to schools and libraries, although some states also require publicly funded institutions to apply controls to block the accessing of pornography, obscene and other harmful material by minors.
However, legislation is now being considered to force vendors or suppliers of Internet-enabled devices to implement Internet filtering technology by default. The aim is not to prevent adults from accessing pornographic material on their personal devices, only to ensure that there are some controls in place. That means all vendors/suppliers of Internet-enabled devices will be required to implement a web filtering control, with the new device owners required to opt in if they wish to view pornography. Opting in must be done in writing and requires proof of age.
Consumers will also be required to pay a fee to have the Internet filtering software removed. In South Carolina, legislation has been proposed that would require consumers to pay $20 to have the pornography block removed. The legislation was filed with the South Carolina General Assembly in December 2016. Similar legislation was also proposed in Utah in 2016.
Federal Internet Filtering Laws in the United States
At the federal level, all schools and libraries are required to comply with CIPA and implement web filters to prevent minors from accessing obscene material, pornographic images, images of child abuse, and other potentially harmful material if they wish to apply for discounts under the E-rate program or accept Library Services and Technology Act grants. If organizations choose not to apply for those grants or receive E-rate discounts, Internet filtering laws in the United States do not apply, at least at the federal level.
State-Level Legislation on Internet Controls
Internet filtering laws in the United States are applied at the state level and usually concern K12 schools and public libraries. Not all states require Internet filters to be applied. Some only require policies to be introduced to restrict access.
Individual states that have introduced legislation requiring schools and libraries to implement web filters or policies to control the content that can be accessed by minors are summarized in the table below. Since state laws often change, it is strongly advisable to consult your state department for updates to state legislation.
When policies are required to control access, schools and libraries may prefer to use a software or cloud-based solution to provide a greater level of protection. State laws are only concerned with ensuring the minimum level of Internet safety for minors when venturing online.
Quick Reference Guide Detailing U.S. States with Internet Filtering Laws (2017)
Yes (Technology or policies)
Yes (Policies and Technology)
Yes (Policies or Technology)
No (Policies or Technology)
No (Under evaluation)
Yes (Policies or Technology)
Yes (Policies or Technology)
* Libraries that apply for and receive funding through the Enrich Iowa Program
** Public libraries receiving state funding must also apply filtering controls to prevent adults from accessing obscene material including child pornography.
*** Home schooled students must also be provided with a filtering device or service
The following states have introduced legislation that requires Internet service providers to offer web filtering services to allow state residents to protect children from accessing potential harmful website content
Internet filtering laws in the United States are subject to change. The Internet filtering laws in the United States detailed on this page are for information purposes only. Schools and libraries should consult their state/education departments for details of the laws that apply in their state.
Law firm hacking incidents are up and recent attacks have shown cybersecurity best practices for law firms are not being adhered to. Unless cybersecurity defenses are improved, it is too easy for hackers to gain access to sensitive data.
Cybercriminals have their sights firmly set on lawyers, or more specifically, the treasure trove of highly sensitive data stored on their computers and networks. Data that in the wrong hands could be used for blackmail.
Clients share highly sensitive information with their legal teams. Lawyers store company secrets, employment contracts and PII, banking details, financial projections, medical records, and naturally information about current and future lawsuits. All of this information is highly valuable to hackers and can be used for blackmail, sold to competitors, or used for all manner of nefarious purposes. It is therefore no surprise that hackers want to attack law firms and that they are increasingly doing just that.
Cyberattacks are not only about stealing data. It can also be lucrative to prevent lawyers from gaining access to their clients’ files. Ransomware attacks on law firms can result in sizable payments for the keys to unlock the encryption.
For the most part, malware and ransomware attacks on law firms are entirely preventable. Simply adopting standard cybersecurity best practices for law firms will prevent the majority of attacks.
One recent ransomware attack on a Providence law firm resulted in a ransom payment of $25,000 being made to the attackers to regain access to the firm’s data. The incident is also a good example of how damaging those attacks can be. Even though payment was made, the law firm lost access to its files for three months, essentially preventing the firm from conducting any business. Lost billings alone cost the firm around $700,000.
Malware and ransomware attacks on law firms are common, although they are underreported for obvious reasons. One incident that was covered in the press was the malware attack on DLA Piper. The attack involved NotPetya, the wiper malware that caused chaos for many organizations around the globe in June. DLA Piper lost access to its data causing huge losses. Losses that are likely to be in the millions.
Part of the problem, especially for smaller law firms, is the high cost of cybersecurity protections. Many law firms simply do not have the budget to cover the cost. They cannot afford to hire skilled cybersecurity professionals to protect their computers and networks, scan for security vulnerabilities and patch and update software. However, the good news is that adopting standard cybersecurity best practices for law firms does not cost big bucks, but it will help firms improve their security posture.
The DLA Piper cyberattack shows that it is not only small law firms that are not following cybersecurity best practices for law firms. Microsoft issued a patch to fix the vulnerability that was exploited by both WannaCry and NotPetya more than two months before the attacks occurred. If the firm had patched promptly, the attack would have been prevented.
Protecting against all cyberattacks is not straightforward, especially with the number of connected devices now used by law firms. However, by adopting the cybersecurity best practices for law firms below and it is possible to reduce risk to an acceptable level.
Cybersecurity Best Practices for Law Firms
Adopting these cybersecurity best practices for law firms will make it harder for hackers to break through defenses and for simple errors to result in costly data breaches.
Conduct weekly checks of all software to ensure the latest versions are installed and check for patches and apply them promptly
Ensure that ALL sensitive data is backed up using the 3-2-1 approach. 3 copies of data, on two types of media, with one copy stored securely off site
Ensure all staff undergo security awareness training covering phishing, social engineering and other threats
Develop a password policy that requires the use of strong passwords. Enforce password changes regularly
Consider encryption for all sensitive data
Use two-factor authentication
Use an advanced spam filtering solution to reduce spam and block malicious messages
Employ a next-generation firewall
Ensure all computers are running supported operating systems and are set to update automatically
Implement a web filtering solution to block access to all sites known to host malware and exploit kits and to block links to phishing websites
Develop a data breach response plan – When a breach occurs, fast action can greatly reduce the damage caused
Engage the services of a third-party security firm to conduct risk analyses to identify vulnerabilities and perform penetration tests
Consider outsourcing cybersecurity to a managed service provider that will ensure systems, software and security are effectively managed and all vulnerabilities are addressed
Consider cybersecurity insurance – Only 23% of law firms have purchased cybersecurity insurance according to Logicforce.
A new mobile malware threat has been discovered – Invisible Man Malware – that is being installed via fake software updates. Invisible Man malware is a keylogger that has been designed to obtain banking credentials. While the malware is not new – it has been around for four years – it is frequently updated, with a new variant discovered that takes advantage of the accessibility services on Android devices.
As the name suggests, Invisible Man malware runs silently on infected devices unbeknown to the user. The malware is an overlay that sits atop of legitimate banking apps and intercepts inputs as they are entered on the device. It also allows the attackers behind the malware to intercept text messages, in particular, those used for two-factor authentication and codes sent by banks to authorize transactions.
Once installed on a device it has administrator rights to all Android accessibility services, is installed as the default SMS app and has rights to send and receive SMS messages, make calls, and access contacts on the phone. It can also take screenshots and prevents itself from being uninstalled, according to Kaspersky Lab.
Invisible Man malware has been developed for attacks in Australia, France, Germany, Poland, Singapore, Turkey and the UK, working as a keylogger over 63 banking apps. All data collected is immediately transferred to its C2 server.
Kaspersky Lab reports that Invisible Man malware is primarily being installed on devices using fake software updates, specifically fake Flash Player updates on malicious websites via a downloaded apk file.
Beware of Fake Software Updates
The latest attacks highlight an important point. If you receive a warning on screen telling you that your software is out of date, don’t click and download the update. In this case, the user will be asked to confirm installation, and will be required to provide this app with administrator rights to accessibility services.
Fake software updates are one of the most common methods used to distribute malware, bloatware, adware, ransomware and other nasties.
Given the frequency of software updates now being released to address recently found vulnerabilities, your software may actually be out of date. However, you should visit the vendor’s website and perform a check to see if you have the latest version installed. If not, download the update directly from the vendors website.
Fake software updates are usually offered via popups – Windows that appear when you access a website. They commonly feature flashing Gifs and stern warnings of the risks of not updating your software immediately. Warnings that your computer has already been infected with malware are also common.
Warnings do not only appear when surfing the Internet, spammers use the same tactics via email. The emails often contain the correct logos, color schemes and branding as the legitimate software vendor and look highly realistic.
However, you should not trust any email asking for you to download an executable, part with login credentials or provide other sensitive information, even if it is sent from someone you know.
A new study has shown that cybercriminals have generated ransomware profits in excess of $25 million over the past two years, clearly demonstrating why cryptoransomware attacks have soared. There is big money to be made in this form of cyber extortion. The bad news is that with so many organizations paying to recover their files, the ransomware attacks will continue and will likely increase.
Ransomware attacks are profitable because users are still failing to back up their data. Google’s figures suggest that even though the threat of data deletion or encryption is high, only 37% of computer users back up their data. That means if ransomware encrypts files, the only option to recover data is to pay the ransom demand.
Figures from the FBI estimated ransomware payments to have exceeded $1 billion in 2016; however, it is difficult to accurately calculate ransomware profits since the authors go to great lengths to hide their activities. Ransomware profits are difficult to track and companies are reluctant to announce attacks and whether payment has been made.
Two notable exceptions were the South Korean hosting company Nayana that was attacked and had 153 Linux servers and 3,400 customer websites encrypted. The firm paid 1.2 billion Won – approximately $1 million – for the keys to unlock the encryption. Recently, a Canadian company has reportedly paid a ransom of $425,000 to recover its files, although the identity of the firm is still unknown.
Now, a study conducted by Google, with assistance from Chainalysis, the University of California at San Diego, and New York University’s Tandon School of Engineering has shed some light on actual ransomware profits. The study involved an analysis using blockchains and Bitcoin wallets known to have been used to collect ransomware payments. The researchers also used reports from victims and monitored network traffic generated by victims of ransomware attacks to help track where payments were sent.
The study looked at the top 34 ransomware strains and determined more than $25 million has been collected in the past two years. 95% of payments were cashed out using the Bitcoin trading platform BTC-e.
Google has calculated Locky has earned $7.8 million in ransom payments over the past 24 months – 28% of the total payments made. Cerber is in second place with $6.9 million, followed by CryptoLocker on $2 million and CryptXXX and Sam Sam, both on $1.9 million. Spora ransomware may not have made it into the top five, although Google researchers warn that this is an up-and-coming ransomware variant and one to watch over the coming months.
In recent months Cerber ransomware has become the most widely used ransomware variant. The success of Cerber ransomware can be attributed to the skill of the developers in developing a ransomware variant that can evade detection and the affiliate model used to distribute the ransomware – Ransomware-as-a-Service (RaaS).
RaaS means any number of individuals can conduct ransomware campaigns. Kits are offered to anyone willing to conduct campaigns. Little technical skill is required. All that is required is a lack of moral fiber and the ability to send spam emails distributing the ransomware. Affiliates receive a percentage of the ransomware profits.
WannaCry ransomware certainly caused something of a storm when the worldwide attacks were conducted in May, and while there were more than 200,000 victims worldwide and some 300,000 computers affected, a flaw in the design meant the attacks could be halted and relatively few ransom payments were made. The ransomware profits from these attacks was calculated by Google to be around $100,000.
Ransomware profits from NotPetya were low, although making money was never the aim. NotPetya appeared to be ransomware, although it was actually a wiper. A ransomware demand was issued, but it was not possible to recover data on infected machines. Once this became clear, ransoms were not paid.
The success of Locky, Cerber and CryptXXX is due to the skill of the developers at evading detection. These ransomware variants are constantly evolving to stay one step ahead of security researchers. In the case of Cerber, the researchers discovered thousands of new binaries are being detected each month. There are 23,000 binaries for Cerber and around 6,000 for Locky. In total, the study involved an analysis of 301,588 binaries. The malware variants are capable of changing binaries automatically making detection difficult.
Ransomware attacks may still only make up a small percentage of the total number of malware-related incidents – less than 1% – but the threat is still severe and the attacks are likely to continue, if not increase. As long as it is profitable to develop ransomware and/or use existing ransomware variants, the attacks will continue.
Kylie McRoberts, a senior strategist with Google’s Safe Browsing team, said “Ransomware is here to stay and we will have to deal with for a long time to come.”
It has been a long time coming, and we are not quite there yet, but Adobe Flash is about to die. The long, slow drawn out death of Adobe Flash will continue for another three years yet, with Adobe finally confirming that it will be pulling the plug by December 31, 2020. By then, all updates for Adobe Flash will stop and the we will all enter a Flash free age.
Until then, Adobe is committed to working with partners to ensure Flash remains as secure as possible and updates will continue until that time. However, Adobe is already trying to encourage businesses to start switching to other standards such as HTML5.
The decision to finally put Flash out of its misery was made because other platforms and technology have “matured enough and are capable enough to provide viable alternatives to the Flash player,” according to Adobe.
In 2005, Flash was on 98% of all computers, and even three years ago it was being used by 80% of desktop users on a daily basis. Today, helped in no short part but the serious security flaws in the platform and the switch to mobile devices from PCs, usage has fallen to just 14%.
Google is not supporting Flash anymore and has not done so for Android since 2012. Apple has never supported the plug-in on its mobile devices and Firefox, Chrome, Edge and Safari no longer run Flash content automatically. Even Internet Explorer will disable Flash by default in 2019, ahead of its official death date the following year.
Of course, just stopping updates does not mean that Flash will cease to exist. But given the rate that vulnerabilities in Flash are now being discovered, anyone still using Flash by 2020 will be wide open to attack as soon as the updates stop. However, by then there will be far fewer websites using Flash and fewer devices with the Flash plug-in installed.
The Internet will most likely be a safer place without Flash, but what will happen to all the hackers who are currently developing exploits for Flash vulnerabilities? They will not also decide to retire. Instead they will put their efforts into something else. What that is of course remains to be seen.
Three years may seem like an awfully long time, but there are still many businesses that continue to use Flash and have yet to migrate to other standards. Flash is still extensively used by educational institutions for training programs, while web-based gaming websites will also need time to transition.
Govind Balakrishnan, Adobe’s vice president of product development, pointed out the importance of Flash saying, “Few technologies have had such a profound and positive impact in the Internet era.” That is certainly true, but all good things must come to an end and few will be sorry to see Flash finally die. The end came long ago, but at least now there is an official date when the final nail will be hammered into the coffin.
Stantinko malware may only have recently been detected, but it is far from a new malware variant. It has been in use for the past five years, yet has only recently been identified. During the past five years, Stantinko malware has spread to more than 500,000 devices and has been operating silently, adding infected systems to a large botnet, with the majority of infected machines in Russia and Ukraine.
The botnet has primarily been used to run a largescale adware operation. The malware installs the browser extensions Teddy Protection and The Safe Surfing, which appear to users to be legitimate apps that block malicious URLs. These apps are legitimate if downloaded via the Chrome Web Store, but they are not if they are installed by Stantinko. The Stantinko versions contain different code that is used for click fraud and ad injection.
ESET reports that additional plugins known to be installed by Stantinko malware include Brute-Force and Search Parser which are used for Joomla/WordPress brute force attacks and to anonlymously search for Joomla/WordPress sites. Remote Administrator is a fully functional back door and Facebook Bot can generate fake likes, create new accounts, or add friends on Facebook, virtually undetected.
While click fraud is the primary goal of the attackers, Stantinko malware can perform a wide range of functions. Since Stantinko includes a loader, enabling threat actors to send any code to an infected device via their C2 server and run the code.
ESET researchers say the malware uses Windows services to perform backdoor activities and brute force attacks on WordPress and Joomla websites. Once access is gained, the attackers sell on the login credentials to other cybercriminal groups, according to ESET. That’s not all. ESET says Stantinko malware could be used to perform any task on an infected host.
The malware and botnet have remained undetected for so long due to their ability to adapt to avoid being detected by anti-malware solutions. The malware also uses code encryption to avoid detection. Users would be unlikely to realize that anything untoward was happening on their machine. The tasks performed by the malware involve low CPU activity and do not slow an infected device considerably.
Infection is believed to occur through illegal file sharing, especially the downloading of pirated software. However, ESET notes that infection has occurred through fake torrent files that are actually executables.
Removal of the malware is not straightforward. The malware installs two Windows services, each of which is capable of reinstalling the other service if one is deleted. If for any reason that process fails, the attackers can reinstall those services via their C2 server.
The discovery of Stantinko malware highlights the danger of failing to prevent employees from accessing file sharing websites at work. The downloading of pirated material, even accessing torrents files, has potential to infect enterprise networks with malware. Even if anti-virus and anti-malware solutions have been deployed, there is no guarantee that malware will be detected.
Organizations can protect against these types of attacks by implementing a web filtering solution and blocking access to file sharing websites and torrents sites. If these sites cannot be accessed and pirated software downloads are blocked, infection can be prevented.
UK porn filtering controls are expected to be introduced next year to make it harder for minors to access – accidentally or deliberately – pornographic material over the Internet. The government has proposed a new requirement that will make it mandatory for all sites hosting adult or pornographic content to conduct age verification checks before adult content is displayed.
From April next year, a yet to be decided regulator – most likely the British Board of Film Classification – will be able to block websites hosting pornography if they do not conduct checks to ensure visitors are over the age of 18. Blocks are likely to be applied at the ISP level and the sites could be barred from taking credit card payments from the UK if they do not comply.
The change to UK porn filtering controls would mean minors would be prevented from accessing pornographic material. Digital minister, Matt Hancock, explained the move would mean “UK will have the most robust internet child protection measures of any country in the world.”
While many adult websites ask the user if they are over 18 before content is displayed to prevent accidental access, further controls would be required to verify age. One of the easiest ways to do that is by forcing the visitor to submit their credit card details. In the UK, it is not possible for individuals under the age of 18 to be issued with a credit card.
The new UK porn filtering controls have been welcomed by some groups – the National Society for the Prevention of Cruelty to Children (NSPCC) for example – but the move has raised many concerns.
Age verification checks are likely to result in the operators of the websites maintaining a database of site users, even individuals who do not pay for access. The database is likely not only to include details supplied in the verification checks, but include profiling and viewing histories. It is possible that large volumes of highly sensitive data could be collected on millions of users.
Any website that collects sensitive consumer data is a target for hackers. The databases that could be built by adult content providers would be an even bigger target. Not only could information be used for fraud, the data could be used for blackmail and extortion. One only needs to look back to the Ashley Madison data breach in 2015 to see the damage that can be caused when the databases of adult websites are hacked.
That breach resulted in personal information being exposed along with details of sexual preferences and other highly sensitive information. The fact that a user was registered on a website that is used to hook up for extramarital affairs made even the exposure of personal information even worse. The stolen information was subsequently used by criminals to blackmail users and led to many public shaming incidents. In some cases, exposed users of the site committed suicide as a direct result of the breach.
The Open Rights Group has spoken out about the proposed changes to UK porn filtering controls. Jim Killock, director of the Open Rights Group, said “The Government has repeatedly refused to ensure that there is a legal duty for age verification providers to protect the privacy of web users.” Now, the change “could lead to porn companies building databases of the UK’s porn habits, which could be vulnerable to Ashley Madison style hacks.”
Killock also pointed out, “There is also nothing to ensure a free and fair market for age verification. We are concerned that the porn company MindGeek will become the Facebook of age verification, dominating the UK market.” Were that to happen, the company would be able to decide the level of profiling that takes place, the level of controls it sees fit to introduce to protect data and what privacy risks UK citizens would face.
An enterprise email archiving solution allows emails to be retrieved on demand and ensures messages remain usable. Emails must be produced in the event of an audit and during the legal discovery process. Federal laws require organizations to produce emails, such as when a request is made under the Freedom of Information Act. An email archive is searchable and allows emails to be quickly and easily located and accessed when needed.
Since recovering emails from backups is a long and complicated process, many companies now use an enterprise email archiving solution such as ArcTitan. ArcTitan makes archiving emails a quick and easy process, freeing up valuable storage space on mail servers. Recovering emails is also rapid and straightforward as the archive is searchable. Even large numbers of emails from multiple email accounts can be recovered in minutes. Recovering multiple emails from backups can take several days.
Even though federal laws require emails to be produced on demand, many companies have yet to switch to an email archive and the IRS is not setting a good example. The IRS has recently been discovered to have failed to comply with federal regulations on email storage.
The Treasury Inspector General for Tax Administration (TIGTA) recently conducted an audit of the Inland Revenue Service and discovered that IRS policies on email storage do not allow it to consistently ensure records are retained, and that in several cases, the IRS has been unable to produce emails on request.
The audit was requested by the Chairman of the Senate Committee on Finance and the Chairman of the House Committee on Ways and Means after the IRS reported that it was unable to produce some documents after receiving Freedom of Information requests. After searching for the documents, the IRS discovered documents had been accidentally deleted.
The auditors determined that emails are not automatically archived for all employees and some employees had been instructed to manually store emails on their hard drives or network drives. As a result, some emails and documents were permanently lost when hard drives were damaged or destroyed.
The audit also showed that even though a new executive e-mail retention policy had been introduced that should have resulted in emails being automatically archived, that failed to happen as some executives did not turn on the automatic archiving feature.
Polices on email archiving were also not applied consistently. The IRS was discovered to have failed to follow its own policies on email archiving in more than half of the 30 Freedom of Information requests assessed by auditors. Had an enterprise email archiving solution been used, all documents and emails would have been recoverable and could have been quickly been located.
TIGTA made five recommendations, including the implementation of an enterprise email archiving solution – which is something that all organizations in the United States should consider. In the event of an audit, Freedom of Information request or lawsuit, all relevant emails can be quickly produced and regulatory fines can be avoided.
An Enterprise Archiving Solution will Help IRS´ Compliance with GDPR
The implementation of an enterprise email archiving solution will also help IRS´ compliance with the EU´s General Data Protection Regulation (GDPR) due to be introduced in May 2018. Under the Regulation, the IRS (and any other US organization maintaining the personal data of EU citizens) have a duty to protect EU citizens´ personal data from loss, theft or unauthorized disclosure.
EU citizens also have the right to request access to personal data held by the IRS and a “right to be forgotten” if the IRS no longer has any lawful basis for retaining the data. TIGTA´s audit of email practices within the IRS could not have been more timely, as – should the IRS be unable to produce an email on request or fail to respond to a data access request within thirty days – the Service could be liable for a fine of up to 4% of global turnover. The IRS collected $3.3 trillion in taxes in 2015.
The NotPetya ransomware attacks on Tuesday this week initially looked like another WannaCry-style attack. They used similar NSA exploits to spread infections, ransoms were demanded and like WannaCry, the attacks rapidly spread around the globe. However, closer inspection of NotPetya ransomware has revealed that all may not be as it first appeared.
The purpose of ransomware is to lock files with powerful encryption to prevent files from being accessed. A ransom demand is then issued. Payment of the ransom will see the keys to unlock the decryption supplied. Organizations get their files back. The attackers get a big payday.
There have been many cases when ransomware has encrypted files, yet the attackers are not capable of supplying the keys. These attacks have tended to be conducted by amateurs or show the authors have been sloppy and failed to check that decryption is possible.
If attackers do not make good on their promise to supply valid keys to unlock the encryption, word will soon spread on social media and security websites that paying the ransom will not enable organizations to recover their files. That means the campaign will likely not be profitable.
Developing a new ransomware variant is not a quick and easy process. It does not make sense for a threat actor to go to all the trouble of developing ransomware, devising a sophisticated multi-vector campaign to spread the ransomware, but then forget about essential elements that make it possible to receive ransom payments. That is, unless the aim of the campaign is not to make money.
In the case of the recent NotPetya ransomware attacks, the actors behind the campaign appear to have made some serious errors if making money was their aim.
First, the ransom demand was only $300 per infected machine, which is well below the current average payment demanded by ransomware gangs.
As for the errors, they were numerous. Petya ransomware, which NotPetya closely resembles, provides the victim with an installation ID. That ID is unique to the victim. It is used to determine who has paid the ransom. In the latest attacks, the IDs consisted entirely of random characters. As Kaspersky Lab explained, that means it is not possible for the attackers to identify the victims that pay up.
Successful ransomware campaigns use a different Bitcoin address for each victim, yet only one Bitcoin account was used by the attackers. The email address used by the attacker was hosted by Posteo. The German firm quickly shut down that account, meaning it was not possible to check who had paid. That would be a serious oversight by the attackers, who surely must have suspected that would occur.
NotPetya ransomware also does not encrypt files. Like Petya, it replaces and encrypts the Master File Table (MFT). However, NotPetya ransomware corrupts the MFT, wiping out the first 24 sector blocks. Petya ransomware did not do that, instead modifications were made that could be reversed. As a result, NotPetya causes permanent damage ensuring recovery is not possible.
These factors suggest that Petya was modified and turned into a wiper to cause permanent damage rather than make money. That would suggest this was a state-sponsored attack designed attack to cause major disruption. Due to the extent to which Ukraine was attacked, that country appears to be the main target. As for who was responsible for the attack… that has yet to be established. However, many people in Ukraine have strong suspicions.
Confidence in cyber response plans doesn’t appear to be lacking according to a new study conducted by Deloitte. However, that does not mean organizations are prepared for cyberattacks when they occur. The survey revealed that while confidence is high and IT professionals believe they are well prepared to deal with attacks, their cyber response plans may not be effective.
The only way to determine whether cyber response plans will function as planned is to conduct regular tests. If plans are not tested, organizations will not be able to determine with any degree of certainty, if their plans will be effective.
As the recent Ponemon Institute Cost of a Data Breach study confirmed, the ability to respond quickly to a data breach can reduce breach resolution costs considerably. For that to happen, a response plan must have been developed prior to the breach being experienced and that plan must be effective.
The Deloitte study revealed that 76% of business executives were confident that in the event of a cyberattack they would be able to respond quickly and implement their cyberattack response policies. Yet, the study also revealed that 82% of respondents had not tested their response plans in the past year. They had also not documented their plans with business stakeholders in the past year.
A lot can change in a year. New software solutions are implemented, configurations change as do personnel. Only regular testing will ensure that plans work and staff know their roles when an attack occurs.
Cyberattack simulations are a useful tool to determine how attack response plans will work in practice. As is often the case, plans look great on paper but often fail when put in place. Running simulations every 6 months will help to ensure that a fast and effective response to a cyberattack is possible. However, the survey showed that only 46% of respondents conduct simulations twice a year or more frequently.
A data breach can have dire consequences for a company. The study showed that many companies are most concerned about disruptions to business processes as a result of a cyberattack, although loss of trust and tarnishing of a brand should be of more concern. When a data breach is experienced, customers often choose to take their business elsewhere resulting in a considerable loss of revenue. A fast and efficient breach response can help restore faith in a brand and reduce the churn rate.
If you want to reduce the impact of a data breach and reduce costs, it is essential for cyber response plans to be developed and tested. With the volume of cyberattacks now occurring, it is highly probable that those plans will need to be implemented. By then it will be too late to determine whether they are effective. That could prove extremely costly.
Hackers have been phishing for domain credentials and using the logins to gain access to websites and create malicious subdomains – a process called domain shadowing – and using those subdomains as gates that redirect users to sites loaded with the RIG exploit kit.
The RIG exploit kit probes for vulnerabilities in web browsers and exploits flaws to download malware. Those malware downloads usually occur silently without the users’ knowledge. All that is required for infection is an out of date browser or plugin and for the victim to be directed to a website hosting the exploit kit. RIG has primarily been used to download banking Trojans and Cerber ransomware. While use of the exploit kit is nowhere near the level of Angler prior to its demise, the Rig exploit kit is now the leading EK used by cybercriminals and activity has increased sharply in recent months.
Cybercriminals have been generating traffic to the malicious subdomains using malvertising campaigns – malicious adverts sneaked onto third party ad networks. Those ads are then syndicated across a wide range of high traffic websites and redirect visitors to the malicious subdomains. Other techniques used to drive traffic to the sites include malicious Chrome popups and iframes inserted into compromised WordPress, Drupal and Joomla! Websites.
Tens of thousands of subdomains have been created on legitimate websites that have been compromised by hackers. Cybercriminals are understood to have been obtaining login credentials to websites using malware.
The subdomains were mostly created on websites hosted by GoDaddy. The domain registrar has been working with RSA Security and independent security researchers to identify the compromised websites and take down the subdomains. In total, around 40,000 subdomains were taken down in May.
While this take down is certainly good news, it is unclear how much of an effect it will have on Rig EK operations as little is known about the RIG infrastructure and the total number of websites that have had malicious subdomains added. However, RSA Security says these takedowns have resulted in “a significant loss of capabilities to RIG operations”. RSA and GoDaddy are working to prevent cybercriminals from using domain shadowing and are monitoring for new subdomains that are created. It is unclear if sites purchased through other domain registrars have been targeted in a similar way.
Domain shadowing is a problem because content filters typically have problems identifying malicious subdomains on a genuine website. Since the subdomains only remain active for around 24 hours before being shut down, cybercriminals can avoid domain blacklisting.
However, content filters can prevent users from visiting known malicious websites and they offer protection against webpages hosting exploit kits. They can also be configured to block the downloading of specific file types.
Organizations care also strongly advised to ensure browsers and plugins are kept up to date, especially Java, Silverlight and Adobe Flash plugins. Malware downloaded by the RIG exploit kit most commonly leverages the CVE-2015-8651 vulnerability, although other common exploits include CVE-2016-0189, CVE-2015-2419, and CVE-2014-6332
The Terror exploit kit is a relative newcomer to the EK scene, yet it is evolving rapidly. Since the demise of Angler, exploit kit activity has waned. However, the threat from new exploit kits such as Terror is growing.
Exploit kits probe for vulnerabilities in browsers or plugins. When an individual is directed to a website hosting an exploit kit, the EK searches for exploitable vulnerabilities. When exploitable vulnerabilities are discovered, the EK silently downloads malware or ransomware.
Exploit kits can be hosted on compromised websites or sites run by the attackers. Cybercriminals use a variety of techniques to get traffic to the sites. Links can be sent via spam email or via instant messaging services and social media sites. Malicious advertisements – termed malvertising – can be hosted on third party ad networks. Those ads are then served in sidebars on any number of legitimate, high traffic websites. Web redirects are also used to divert traffic to malicious sites hosting exploit kits.
If an individual with out of date plugins or older browser version visits such a malicious site, and an exploit has been loaded to the kit for a vulnerability in the browser, a malicious payload can be silently downloaded onto the user’s device.
In recent months, spam email has become the main attack vector used by cybercriminals. However, exploit kit activity appears to be increasing with the Terror exploit kit fast evolving into a significant threat.
The Terror exploit kit used to use a ‘carpet-bombing’ approach, sending a wide range of exploits at the end users system in the hope that one would be effective. Such an approach is not particularly sophisticated.
However, Terror has now been updated and attacks can be tailored based on the user’s browser environment. Exploits that have a high probability of being successful are then delivered. The Terror exploit kit can now determine which exploits to drop based on the victim’s browser version, the plugins that have been installed, or patch level, according to the researchers who discovered the update.
Protecting against exploit kits requires browsers and plugins to be kept 100% up to date and vulnerability free, which can be a challenge for businesses. Additional security solutions on endpoints can help to prevent malware downloads, although many are unable to detect or block fileless malware.
One of the best security solutions to deploy is a web filter capable of scanning the URL to prevent end users from landing on websites that are known to host exploit kits. Web filters can also be configured to block malicious adverts.
By preventing users from visiting known malicious sites, the threat from exploit kits can be significantly reduced.
The version of WannaCry ransomware used in Friday’s attacks has been blocked, although new WannaCry ransomware variants have been detected.
U.S Escapes WannaCry Relatively Unscathed
The total number of computers infected with WannaCry ransomware is now believed to be around 300,000, although the United States escaped relatively unscathed, according to the U.S. Department of Homeland Security (DHS).
While it is still unclear exactly how many U.S. organizations have been affected, fewer than 10 organizations have reported a WannaCry ransomware attack to DHS.
The ransomware attacks have now stopped, although organizations that have experienced an infection that has resulted in files being encrypted must recover those files from a backup, accept data loss, or pay the attackers for the decryption keys.
The attackers have so far made around $81,000 from their ransomware campaign, according to @actual_ransom. With a ransom payment of $300 per infected device, many payments have already been made; however, given the number of devices locked by the ransomware, most victims are not paying the attackers to unlock their files.
WannaCry ransomware encryptions were stopped when a security researcher (Malware Tech) from the UK discovered a kill switch while investigating the worm code. In an apparent effort to avoid running in a sandbox or virtual environment, a check was performed on a nonsense domain. If a connection to that domain was successful, the ransomware would exit. If connection to the unregistered domain failed, the ransomware would proceed and encrypt files. By registering that domain, Malware Tech stopped further encryptions.
WannaCry Victims Appear to Have Been Contacted by the Attackers
In an apparent effort to increase the profits from the campaign, the attackers have generated pop up messages on affected computers saying, “I have already sent decryption keys to many customers who had sent me the correct amounts of bitcoin, and I guarantee the decryptions for such honest customers.” While this message could indicate the attacker has access to infected computers, it is possible that the message was pre-programmed to appear.
Paying ransom demands only encourages attackers to conduct further attacks. Ransom payments can be used by the attackers to fund further ransomware campaigns. There is also no guarantee that the attackers will supply valid keys to unlock data, even if they say they will. The advice from the Federal Bureau of Investigation (FBI) is never to pay a ransom unless it is absolutely necessary.
New WannaCry Ransomware Variants Detected
While the version of WannaCry ransomware used in Friday’s attacks has been stopped, that is not the only version of the ransomware being used. New WannaCry ransomware variants have been identified.
A second version was identified by researcher Matt Suiche. This version also included a kill switch, but used a different domain. Suiche registered that second domain and prevented 10,000 infected machines from having files encrypted.
A third version of Wannacry ransomware was also identified by Kaspersky Lab without the kill switch, although in that case, the ransomware component had been corrupted and infected computers would not have data encrypted.
The WannaCry attacks used the ETERNALBLUE exploit published by Shadow Brokers last month, which takes advantage of a vulnerability in Microsoft Server Message Block 1.0 (SMBv1). The threat from WannaCry may be temporarily over, although WannaCry is not the only threat that uses the ETERNALBLUE exploit and the DoublePulsar backdoor.
Researchers at Proofpoint have identified another threat that similarly uses the exploit to gain access to computers. In this case, the goal is not to encrypt files or even steal data. The attackers install Adylkuzz – a program that hogs computer resources and mines the cryptocurrency Monero.
How to Block the ETERNALBLUE Exploit
Other cybercriminals may also be using the ETERNALBLUE exploit and new WannaCry ransomware variants may be released without the kill switch. To block attacks, organizations should ensure that the MS17-010 patch is applied to plug the vulnerability. Older operating systems (Windows 8, Windows Server 2003, and Windows XP) can also be patched and protected against WannaCry ransomware attacks and other malware that use the ETERNALBLUE exploit. Any organization that has port 445 open should also ensure the port is closed, and if SMB must be used over the Internet, SMB should be used through an internal network via a VPN.
Browsing the Internet can result in malware and spyware downloads, malicious software can arrive via spam email, but a fresh-out-of-the-box laptop computer should be totally malware free. But not always. A pre-installed keylogger on HP laptops has recently been identified by Swedish security firm Modzero.
Potentially unwanted programs can be found on many new devices. Some serve a purpose but pose a security threat. For instance, in 2014, Lenovo laptop computers were shipped with ‘malware’ already installed that made the devices vulnerable to man-in-the-middle attacks. The program was Superfish.
The pre-installed keylogger on HP laptops does not appear to be used for any malicious purposes, although there is considerable potential for the program to be abused. The spyware records all keystrokes on the laptops after a user logs in and stores that information in a local drive. In some situations, the keystrokes will be passed to an API on the laptop.
The keylogger was discovered in an audio driver package – Conexant HD Audio Driver Package 188.8.131.52 and earlier versions. The offending file is MicTray64.exe, located in the C:\windows\system32\ folder.
Each time a user logs in, the program is scheduled to run. The file monitors all keystrokes on the device in order to monitor for special keystrokes. The program was developed by, Conexant, the audio chip manufacturer. The program has been included on HP laptops since December 2015.
While the software itself does not exactly pose a threat, the way the program logs the keystrokes allows the recorded keystrokes to be easily accessed. The log file created by the software is stored in the public folder (C:\users\public\MicTray.log) and can therefore be accessed by anyone.
The file is overwritten each time a user logs in, but any keystrokes recorded during that session could be accessed by anyone with access to the device. Additionally, if the registry key with the filepath is missing or corrupted, the keystrokes will be passed to a local API called OutputDebugString API.
Malware installed on the device could potentially allow the log file to be copied, and along with it, all keystrokes from the session. It would also be possible for keystrokes to be obtained in real-time.
The inclusion of the keylogger on HP laptops was an error according to HP. It was used as a debugging tool and should have been removed in the final version of the product.
HP has responded to the discovery by releasing a patch to fix the issue, which is available from the HP website or via Microsoft Update. All owners of HP laptops purchased since December 2015 should download the patch to mitigate the issue.
Models found to contain the pre-installed spyware include the following 28 models of HP laptops:
Pew Research has recently published the results of a study that set out to test cybersecurity awareness in America and find out more about the risks individuals are unwittingly taking when venturing online.
The study was conducted on 1,055 adult Americans, who were each asked 13 cybersecurity questions of varying difficulty. Questions included what HTTPS means, what two-factor authentication is, what private browsing means and the level of protection offered by insecure WiFi networks using a VPN. The study showed that cybersecurity awareness in America is poor and consumers are potentially taking major risks online.
While all 13 questions should have been answered correctly ‘security aware’ individuals, only 1% were able to answer all questions correctly. A substantial majority of adult Americans that took the questionnaire were only able to answer two of the questions correctly. The median was 5 correct answers out of 13, the mean 5.5, and only 20% of participants were able to answer more than 8 answers correctly.
Three quarters of participants were able to identify the most secure password in a list and 73% of respondents were aware that the use of public WiFi networks carries a major risk and should not be used for sensitive activities such as online banking, even if the WiFi network required the use of a password.
However, cybersecurity awareness was much worse for all other areas tested by the survey. Just over half of respondents were able to correctly identify what a phishing attack involved, which is a particularly worrying result considering how widespread the use of phishing is.
Ransomware has been heavily reported in the press and attacks on businesses have soared, yet fewer than half of survey participants were able to correctly identify what ransomware is and only 46% knew that email was not encrypted by default.
Worryingly, only 33% of participants were aware that HTTPS meant traffic was encrypted, suggesting many are entering credit card information into unencrypted websites.
Only one in ten participants were able to correctly identify multi-factor authentication, with 71% thinking CAPTCHA was a form of multi-factor authentication rather than just a method of differentiating between a human web visitor and a bot.
The survey showed cybersecurity awareness improved with the level of education in all areas tested by the study. Younger participants (18-29) were also more likely to answer questions correctly than the older age groups.
The share of incorrect answers was relatively low, with many opting to answer the questions with ‘not sure.’ While the survey does not show that cybersecurity awareness is woefully inadequate, it does clearly indicate that when it comes to cybersecurity awareness, there is considerable room for improvement.
While it is the responsibility of every individual to ensure they are aware of the risks when venturing online and should take steps to protect their identities and bank accounts, the survey confirms what many IT security professionals know all too well. Employee cybersecurity awareness is poor and the risk of employees making mistakes that compromise the security of their organization is high.
Cybersecurity training programs clearly need to be improved to raise awareness of the main threats and drill in best practices. However, it is essential that robust defenses are implemented to ensure that business networks are protected from poor security decisions made by employees.
If you would like to find out more about the best cybersecurity solutions that you can implement to keep your business protected from your own employees and how you can reduce reliance on your staff making the right security choices, contact the TitanHQ team today.
Security researcher Chris Vickery has discovered a Schoolzilla AWS misconfiguration that resulted in the records of 1.3 million students being accidentally left unprotected.
Schoolzilla is a student warehouse platform used by K12 schools to track and analyze student data. While data on the platform were protected and access by unauthorized individuals was not possible, that was not the case for a backup file on the platform.
Vickery had been conducting scans to identify unprotected Amazon Web Services installations when he noticed a number of unsecured buckets on the Tableau data visualization platform. Further investigation revealed an unprotected ‘sz tableau’ bucket named sz-backups, which was a data repository for backups of the Schoolzilla database.
The Amazon S3 bucket had been accidentally configured to allow public access, leaving 1.3 million student records exposed. The records contained sensitive information such as the names and addresses of students, along with test scores, grades, birthdates and some Social Security numbers.
Vickery notified Schoolzilla of the error and the company worked quickly to secure the backups. Schoolzilla has now implemented a number of additional technical safeguards to ensure all student data is protected and all affected schools have been contacted and notified of the data exposure. It is unclear exactly how many schools were affected.
The Schoolzilla AWS misconfiguration shows just how easy it is for sensitive data to be exposed online. This time it was a security researcher that discovered the exposed data, but cybercriminals are also performing scans for unprotected data. In this case, Schoolzilla was able to confirm that no unauthorized individuals had accessed the file except Vickery. Other companies may not be so fortunate.
Schools and other educational institutions are increasingly using AWS and other cloud storage platforms to house student data. Data can be securely stored in the cloud; however, human error can all too easily result in sensitive data being exposed.
The incident highlights just how important it is for organizations to conduct security scans and perform penetration tests to ensure that vulnerabilities and errors are rapidly discovered and corrected.
The Human Trafficking and Child Exploitation Prevention Act is a bill that will make it harder for individuals to access pornography on Internet-enabled devices by making manufacturers and retailers of those devices implement a pornography filtering solution by default.
Support for the bill is growing, with 12 states having already backed the bill – Alabama, Florida, Georgia, Indiana, Louisiana, New Jersey, North Dakota, Oklahoma, South Carolina, Texas, West Virginia, and Wyoming – and many others are considering implementing similar legislation.
While many states have been opposed to introducing legislation that prevents pornography from being accessed, support for the bill has been growing due to the change in how pornography is being portrayed. Rather than being viewed as a moral issue that must be tackled, pornography is now being viewed as a public health crisis. Proponents of the Human Trafficking and Child Exploitation Prevention Act claim viewing pornography is bad for mental health, sexual health, as well as causing damage to relationships. It has been claimed that the availability of pornography is also contributing to the growth of human trafficking for the sex trade.
The legislation requires all manufacturers and retailers who make or sell Internet-enabled devices to be required by law to implement a web filtering solution on those devices to block pornography, prostitution hubs, child pornography, obscenity, and revenge pornography on those devices by default.
The law will not make it illegal for individuals over the age of 18 to view Internet pornography and other obscene content, but in order to do so they will be required to provide the retailer – or manufacturer – with proof of age. Similar laws are already in place requiring retail stores to prevent minors from being able to view pornographic magazines unless they first provide proof of age.
The legislation is the most workable solution to restrict access to pornography. It would not be feasible to require websites to conduct age checks, as there would be no jurisdiction over website owners based outside the United States. Pornography filtering legislation is viewed as the least restrictive method of controlling who can access pornography.
The Human Trafficking and Child Exploitation Prevention Act will not prohibit individuals from viewing pornography if they wish to do so. However, exercising their right to access obscene content will come at a cost. In addition to providing proof of age, consumers will be required to pay a one off fee of $20 to have the pornography filter lifted. The money collected will go to the state in which the individual resides, and those funds will be directed to a number of groups that are tackling the problem of human trafficking and sexual violence.
Individuals may have to pay further costs to access pornography as retailers and manufacturers will be permitted to charge individuals a fee on top of the $20 state fee for unlocking the pornography filter.
It is possible that the filtering solution used by manufacturers and retailers may not get the balance right 100% of the time. There are likely to be many cases of over-blocking or under-blocking of obscene content. Therefore, the Human Trafficking and Child Exploitation Prevention Act requires a mechanism to be put in place that allows individuals to submit requests to have websites and webpages added to the filter if they contain obscene content and have not been blocked. Similarly, if websites containing acceptable content are incorrectly blocked by the filter, it must be possible for individuals to request that the block be lifted. A call center or website must be made available for this purpose.
Manufacturers/retailers will be required to process requests in a reasonable timeframe. If they fail to do so they will be liable for fines.
McAfee has issued a new threat report detailing 2016 malware trends. The decline in new malware samples in the final quarter of 2016 does not suggest that 2017 will see a continued fall in new malware, but the opposite, according to McAfee Labs.
2016 malware trends follow a similar pattern to 2015. The first quarter saw large volumes of new malware discovered, followed by a steady decline over the next three quarters. The same trend was identified in 2015. Far from that decline continuing into 2017, the first quarter figures – which will not be made available until the summer – are likely to follow a similar trend and involve a massive in malware numbers in the first three months of 2017.
Further, there has been a steady increase in the number of new malware samples detected year on year, from around 400 million per quarter in 2015 to more than 600 million per quarter in 2016. If that trend continues into 2017, this year is likely to see around 800,000 new malware samples detected each quarter on average. McAfee predicts that there will be around 17 million malware samples by the end of this year.
McAfee reports that ransomware has increased steadily over the course of 2016, starting the year with around 6 million samples and finishing the year with over 9 million detected samples. However, the final quarter of 2016 saw a sharp drop in ransomware due to a decline in generic ransomware detections and a fall in the use of Locky.
There have been relatively few new Mac OS malware samples detected over the past two years, although Q3, 2016 saw new Mac OS malware increase from around 10,000 to 50,000, with a massive rise to around 320,000 new samples in the final quarter of 2016.
By the end of 2016, the total number of Mac OS malware rose to more than 450,000, from around 50,000 at the end of Q4, 2015. The increase mostly involved bundled adware.
The switch from exploit kits to email as the main attack vector is evident from the figures for new macro malware, with a sharp rise in Q2, 2016 and a continued rise in Q3. In Q1, there were around 60,000 detections, in Q3 that figure had risen to more than 200,000.
The public sector was most affected by security breaches in 2016, followed by healthcare, online services, finance, and software development. The biggest causes of security incidents, for which the causes are known, were account hijacking, followed by DDoS attacks, targeted attacks, SQL injection and malware. The main methods used for conducting network attacks last year were SSL (33%), DoS (15%), Worms (13%), brute force attacks (13%), and browser-based attacks (15%).
There has been a downward trend in new suspect URLS detected from Q1 2015 to Q2, 2016, although that trend has reversed in the last two quarters of 2016 with new malicious URL detections starting to rise steadily. New phishing URLS ebb and flow, although there was a general upward trend in 2016. McAfee’s figures shows spam email volume has remained fairly constant for the past two years, with the bulk of spam messages delivered using the Necurs botnet in Q3 and Q4, 2016.
A recent insider threat intelligence report from Dtex has revealed the vast majority of firms have employees bypassing security controls put in place to limit Internet activity. Those controls may simply be policies that prohibit employees from accessing certain websites during working hours, or in some cases, Internet filtering controls such as web filtering solutions.
Dtex discovered during its risk assessments on organizations that 95% of companies had employees that were using virtual private networks (VPNs) to access the Internet anonymously, with many installing the TOR browser or researching ways to bypass security controls online. The researchers discovered that in some cases, employees were going as far as installing vulnerability testing tools to bypass security controls.
Why Are Employees Bypassing Security Controls?
Employees bypassing security controls is a major problem, but why is it happening?
The report indicates 60% of attacks involve insiders, with 22% of those attacks malicious in nature. During the first week of employment and the final week before an employee leaves, there is the greatest chance of data theft. 56% of organizations said they had discovered potential data theft during those two weeks. During these times there is the greatest risk of employees attempting to bypass security controls for malicious reasons.
In many cases, VPNs and anonymizers are used to allow employees to access websites without being tracked. Many companies have policies in place that prohibit employees from accessing pornography in the workplace. Similar policies may cover gaming and gambling websites and other categories of website that serve no work purpose. Some employees choose to ignore those rules and use anonymizers to prevent their organization from having any visibility into their online activities.
The report indicates 59% or organizations had discovered employees were accessing pornographic websites at work. There are many reasons why companies prohibit the accessing of pornography at work. It is a drain of productivity, it can lead to the development of a hostile working environment, and from a security standpoint, it is a high-risk activity. Pornographic websites are often targeted by cybercriminals and used to host malware. Visiting those sites increases the risk of silent malware downloads. 43% of companies said they had found out some employees had been using gambling sites at work, another high-risk category of website and a major drain of productivity.
While employees are provided with email accounts, many are choosing to access web-based accounts such as Gmail. Dtex found that 87% of employees were using web-based email programs on work computers. Not only does this present a security risk by increasing the probability of malware being downloaded, it makes it harder for employers to identify data theft. Dtex says “By completely removing data and activity from the control of corporate security teams, insiders are giving attackers direct access to corporate assets.”
Lack of Control and Visibility
Many companies are unaware that they have employees bypassing security controls because they lack visibility into what is happening on end points. Shadow IT can be installed without the organization’s knowledge, including VPN’s and hacking tools, but what can be done to stop employees bypassing security controls?
Security software can be installed to allow organizations to closely monitor the types of activities that are taking place on work computers. This can allow action to be taken to reduce insider threats. Organizations should also block the use of VPN’s and anonymizers to ensure they have more visibility into employee’s online activities.
One of the easiest ways to block the use of VPNs and anonymizers is to use a web filtering solution. Web filters are increasingly used as a way of preventing productivity losses during the working day. Web filtering solutions can be configured to block specific sites or categories of website.
A web filter, such as WebTitan, can be configured to block access to anonymizer websites, along with other websites that are prohibited under organization’s acceptable use policies.
Some employees find the controls overly restrictive and search for ways to bypass those controls. Organizations should carefully consider what websites and types of websites are blocked. Excessively restrictive controls over personal Internet access can prompt employees to try to bypass security controls. Allowing some personal use may be preferable.
One solution, possible with WebTitan, is to ease restrictions on Internet access by using time controls. To prevent falls in productivity, web filters can be applied during working hours, yet relaxed at other times such as lunch breaks. By allowing some personal Internet use, there is less incentive for employees to attempt to bypass security controls.
WebTitan also produces access logs to allow organizations to carefully monitor online user activity and take action against the individuals discovered to be violating company policies. Automatic reports can also be generated to allow organizations to take more timely action.
Monitoring employee Internet access and installing solutions to provide visibility into end point activity allows organizations to reduce the risk of insider threats and stop employees from engaging in risky behavior.
Bitdefender has developed a free Bart ransomware decryptor that allows victims to unlock their files without paying a ransom.
Bart Ransomware was first detected in June 2016. The ransomware variant stood out from the many others due to its ability to encrypt files even without an Internet connection. Most ransomware variants rely on a connection to their command and control server to generate public-private key pairs; however, Bart ransomware does not. Only the decryption process requires an Internet connection to transfer the ransom payment and receive the decryption key.
Bart ransomware posed a significant threat to corporate users. Command and control center communications could potentially be blocked by firewalls preventing encryption of files. However, without any C&C contact, corporate users were at risk.
Bart ransomware was believed to have been developed by the gang behind Locky and the Dridex banking Trojan. Bart ransomware shared a significant portion of code with Locky, was distributed in the same manner and used a ransom message very similar to that used by Locky.
As with Locky, Bart ransomware encrypted a wide range of file types. While early versions of the ransomware variant were fairly unsophisticated, later versions saw flaws corrected. Early versions of the ransomware variant blocked access to files by locking them in password-protected zip files.
The initial method of locking files was ‘cracked’ by AVG, although only by guessing the password using brute force methods. In order for the brute force method to work, a copy of an encrypted file along with its unencrypted original was required. In later versions of the ransomware, the use of zip files was dropped and AVG’s decryption technique was rendered ineffective. The encryption process used in the later versions was much stronger and the ransomware had no known flaws.
Until Bitdefender developed the latest Bart Ransomware decryptor, victims had two choices – recover encrypted files from backups or pay the attackers’ ransom demand.
Fortunately, Bitdefender was able to create a Bart Ransomware decryptor from keys supplied by Romanian police which were obtained during a criminal investigation. The Bart ransomware decryptor was developed by Bitdefender after collaborating with both the Romanian police and Europol.
From April 4, 2017, the Bart ransomware decryptor has been made available for free download from the No More Ransom website. If your files have been encrypted by ransomware, it is possible to tell if the culprit is Bart from the extension added to encrypted files. Bart uses the .bart, .perl, or bart.zip extensions.
Bart ransomware may be believed to have links to Locky, although there is no indication that keys have been obtained that will allow a Locky ransomware decryptor to be developed. The best form of defense against attacks is blocking spam emails to prevent infection and ensuring backups of all sensitive data have been made.
The FBI has issued a cybersecurity warning for healthcare providers on the use of FTP servers. FTP servers should have authentication controls in place to ensure only authorized individuals can access stored data. However, when FTP servers are in anonymous mode, access can be gained with a generic username and password. In some cases, access is possible without a password.
The usernames that provide access could be as simple as ‘FTP’ or ‘anonymous’ and lists of usernames can be easily found on the Internet. Cycling through a short list of possible usernames is likely to take seconds or minutes at the most and access to stored data can be gained without any hacking skills. Data stored on an anonymous FTP server could be accessed by anyone.
The FBI cybersecurity warning for healthcare providers cites research conducted by the University of Michigan in 2015 that shows the scale of the problem. The study revealed there are more than one million FTP servers in use around the world that allow anonymous access. Any data stored on those servers could be freely accessed by the public. Should those FTP servers contain sensitive data such as protected health information, it could easily be stolen and used for malicious purposes.
Firewalls and other perimeter defenses serve to protect networks and EHRs from cyberattacks, yet FTP servers could be a gaping hole in an organization’s defenses. Many healthcare providers use FTP servers to allow data to be easily shared with business associates and other healthcare entities. Yet, if authentication controls are not used they are a data breach waiting to happen.
The FBI has warned all medical and dental organizations to ensure that no sensitive data are stored on anonymous FTP servers and advises healthcare organizations to check if their servers are running in anonymous mode. Smaller organizations without the resources of large healthcare systems are more likely to have overlooked this vulnerability; although checks should be performed by all healthcare organizations.
The cybersecurity warning for healthcare providers explains the risks extend beyond the theft of sensitive data. If access to the servers can be gained, FTP servers could be used to store illegal material. Healthcare organizations may have cybersecurity solutions in place to monitor for data being exfiltrated, but not data that are being uploaded. Hacking tools could be uploaded to the servers or they could be used to share illegal content.
If FTP servers must be run in anonymous mode, healthcare organizations should ensure the servers only contain data that is publicly available.
Educational institutions have been warned about Moodle security flaws that could allow cybercriminals to attack web servers, gain administrative privileges and run malicious code.
Many educational institutions use the Moodle platform for their e-learning websites. The platform allows students to access interactive online courses. There are almost 80,000 websites that use the open source platform, many of which are operated by schools, colleges and universities.
On Monday this week, Security researcher Netanel Rubin discovered a vulnerability – tracked as CVE-2017-2641 – that could be exploited to run malicious PHP code on an unpatched Moodle server. He pointed out on his blog that the problem does not lie with a single critical security flaw, but a number of smaller vulnerabilities which can be exploited when combined.
An attacker could exploit the Moodle security flaws and create hidden administrative accounts; however, in order to exploit the flaws, it would be necessary for the attacker to have an account on the platform. It does not matter what type of account the attacker has, provided it is not a guest account. Since more than 100 million individuals log onto the websites to access courses, obtaining a user account would not pose too much of a problem.
The Moodle security flaws could be exploited by attackers to install backdoors in the system allowing persistent access to data stored on a Moodle server, and there is data aplenty. Highly sensitive information about students is stored on the system, including personal information, grades and test data.
According to Rubin, the Moodle security flaws affect all versions of the platform tested, including “3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.”
Rubin pointed out that such a large system – Moodle contains more than 2 million lines of PHP code – will almost inevitably have numerous vulnerabilities. In this case, the code has been written by multiple authors which has led to logical flaws being introduced. The problem comes from having too much code, too many developers and a lack of documentation. That is a problem for any system of this size, not just Moodle.
Rubin was able to take advantage of the Moodle security flaws and gain administrative privileges on the server, after which it was child’s play to execute code. Rubin said it was as simple as uploading a new plugin to the server.
Last week Moodle released a patch to address a number of vulnerabilities in the system, although no information was released about what the patch addressed. All users of the system are advised to update to the latest version of the platform and apply the latest security patch as soon as possible.
Failure to update systems and apply patches promptly will leave systems vulnerable to attack, whether it is Moodle or any other platform or software. If patches are not applied it will only be a matter of time before security flaws are exploited to gain access to servers or computers and steal sensitive data.
2017 has already seen numerous cyberattacks on educational institutions. 2017 has started particularly badly for the education sector and there is no sign of the cyberattacks abating any time soon. But why is the education sector being so heavily targeted by hackers, cybercriminals, and scammers?
It is easy to see why cyberattacks on financial institutions occur. There are substantial funds to be plundered. Cyberattacks on healthcare organizations are also common. Those organizations hold vast quantities of data; data that can be sold for big bucks on the black market and used for all manner of fraud: Medical fraud, identity theft, tax fraud, and insurance fraud for example.
However, the education sector is similarly being targeted. K12 schools, colleges, and universities have all been attacked and those attacks have soared in 2017.
The list of educational institutions that have reported cyberattacks in 2017 is long. Barely a day goes by without another educational institution being added to the list. Many of the cyberattacks on educational institutions are random, but it is becoming increasingly clear that the education sector is being targeted.
There are many reasons why the attacks have soared in recent months. Educational institutions hold vast quantities of valuable data, they have considerable computer resources that can be used by cybercriminals, and in contrast to other industry sectors, educational institutions are not as heavily regulated when it comes to cybersecurity protections. Defenses are relatively poor and educational organizations tend to have relatively few IT staff compared to the corporate sector.
In short, the potential profits from cyberattacks on educational institutions are high and attacks are relatively easy to perform. For cybercriminals that is an excellent combination.
What Data are Cybercriminals Attempting to Steal?
K12 school systems have been targeted by criminals in order to gain access to student data. Social Security numbers of minors are extremely valuable. Dates of birth and Social Security numbers can be used for identity theft and fraud and in the case of minors, fraud is less likely to be identified quickly. Minors details can be used for longer.
Universities and school systems also hold considerable amounts of intellectual property and research. That information can be sold for considerable sums on the black market.
As we have seen on many occasions this year, the personal information of school employees has been targeted by scammers. Emails have been sent requesting W-2 Form data, which are used to file fraudulent tax returns in school employees’ names.
This tax season, the following colleges, universities, schools and school districts have reported that employees have fallen for a W-2 Form phishing scam and have emailed the data of their employees to cybercriminals.
Abernathy Independent School District
Ark City School District
Barron Area School District
Belton Independent School District
Black River Falls School District
Bloomington Public Schools
College of Southern Idaho
Corsicana Independent School District
Crotched Mountain Foundation
Davidson County Schools
Glastonbury Public Schools
Groton Public Schools
Independent School District
Lexington School District Two
Manatee County School District
Mohave Community College
Morton School District
Mount Healthy City Schools
Odessa School District
Redmond School District
Tipton County Schools
Trenton R-9 School District
Tyler Independent School District
Virginian Wesleyan College
Yukon Public Schools
As with the healthcare industry, the reliance on data makes schools, colleges, and universities targets for ransomware attacks. Ransomware is used to encrypt data and a ransomware demand is issued to unlock files. In many cases ransoms are paid as no backups of the encrypted data exist.
Some notable cyberattacks on educational institutions that have been reported this year are listed below.
2017 Cyberattacks on Educational Institutions
Northside Independent School District in San Antonio, TX, discovered its email system had been hacked. Names, addresses, and dates of birth were potentially stolen. In total, 23,000 individuals were impacted by the incident.
South Washington County Schools in Minnesota discovered that one of its students had hacked into its system and stolen more than 15,000 employee records.
Los Angeles County College was attacked with ransomware in January and was forced to pay a ransom demand of $28,000 to regain access to its files. The attack resulted in most of the college’s infrastructure, including email and voicemail, being encrypted by the ransomware.
Horry County Schools in South Carolina was forced to pay a ransom demand of $8,500 to recover data that were encrypted with ransomware. Even though the ransom was paid, systems were taken out of action for over a week as a result of the infection.
These are just a handful of the cyberattacks on educational institutions reported this year. Given the increase in cyberattacks on educational institutions, it is essential that schools, colleges, and universities take action and implement appropriate defences to mitigate risk.
If you are in charge of cybersecurity at your educational organization and you would like to receive tailored advice on some of the best protection measures you can implement to reduce the risk of a cyberattack, contact the TitanHQ team today.
At a recent cybersecurity conference, Director of the FBI, James B. Comey, has given valuable ransomware advice for healthcare providers to help them tackle the growing threat of attack. Comey confirmed that ransomware is now the biggest cybersecurity threat for the healthcare industry. Healthcare providers must be prepared for an attack and be able to respond quickly to limit the harm caused.
Ransomware is used to encrypt files and databases to prevent the victim from accessing essential data. Since healthcare providers need access to patient health information in order to provide medical services, healthcare providers are being extensively targeted. If data access is essential, victims are more likely to pay ransom demands.
However, Comey explained that ransoms should never be paid. If a ransom is paid, this only encourages cybercriminals to attack more businesses. The payment of a ransom sends a message to other cybercriminals that the attacks are profitable.
Ransomware can be sent randomly via spam email or distributed by malicious websites. Cybercriminals also install ransomware once access to a computer system has been gained and data have been exfiltrated. Tackling the problem involves implementing a range of cybersecurity defenses to prevent attacks and ensuring data can be recovered and business processes can continue if ransomware is installed.
In the case of the latter, data backups are essential. All critical data should be backed up on a daily basis at a minimum. Data backups can also be encrypted by ransomware, so it is essential that backup devices are not left connected to computers or servers. Data should ideally also be backed up in the cloud.
One of the best pieces of ransomware advice for healthcare providers is to prepare for an attack now. Healthcare organizations should not wait until a ransomware infection occurs to decide how to respond. Not only should policies be developed that can be implemented immediately following a ransomware attack, business continuity plans must be tested prior to a disaster occurring. The same goes for backups. Many organizations have been attacked with ransomware only to discover that they have been unable to restore their data due to a corrupted backup file.
At the conference, there were many security professionals offering ransomware advice for healthcare providers, although when it comes to prevention there is no silver bullet. A range of ransomware defenses should be deployed to prevent email and web-borne attacks.
Cybersecurity solutions should be implemented to prevent malicious emails from being delivered to end users. Spam filtering solutions are one of the best defenses against email-borne threats as they block the majority of malicious emails from being delivered to end users. Cybersecurity solutions should also be implemented to prevent web-borne attacks. Web filters block malicious websites from being visited and can be configured to prevent downloads of malicious and suspicious files. Endpoint security solutions should also be considered. They can rapidly detect downloads of malicious files and prevent malicious software from being installed.
Employees must also be informed of the risk of attack and trained to be more cyber aware. Training should be reinforced with exercises to test whether cybersecurity training has been effective. Individuals can then be singled out and provided with further training as necessary.
Comey explained to attendees at the Boston Conference on Cybersecurity that the key to combating cybercrime is collaboration. Cybercrime has escalated in recent years and the problem is not going to be beaten by organizations acting independently. Collaboration between law enforcement organizations and companies across all industries is essential. Comey said all new cyberthreats and details of cyberattacks should be shared with the FBI.
A new fileless malware has been detected that uses DNS to receive commands and send information to the attackers’ command and control server. The stealthy communication method together with the lack of files written to the hard drive makes this new malware threat almost impossible to spot.
The attack method, termed DNSMessenger, starts with a phishing email, as is the case with many of the new malware threats now being detected. The host is infected via a malicious Word document.
Opening the Word document will display a message informing the user that the document has been protected using McAfee Secure. The user is required to enable content to view the document; however, doing so will call a VBA function that defines the Powershell command and includes the malicious code. As is the case with other forms of fileless malware, since no files are written to the hard drive during the infection process, the threat is difficult to detect.
Fileless malware are nothing new, in fact they are becoming increasingly common. What makes this threat unique is the method of communication it uses. The malware is able to receive commands via the DNS – which is usually used to look up Internet Protocol addresses associated with domain names. The malware sends and received information using DNS TXT queries and responses.
DNS TXT records are commonly used as part of the controls organizations have in place to identify phishing emails and verify the sender of a message – Sender Policy Framework (SPF) and Domain Message Authentication Reporting and Conformance (DMARC).
The attackers can send commands to the malware via DNS TXT queries and the malware can send the attackers the output of the commands via the same channel. Even if an organization has blocked outbound DNS for unapproved servers, the malware will still be able to communicate with the attackers C2 infrastructure.
While many organizations inspect the contents of web traffic, relatively few inspect the content of DNS requests. The malware is therefore likely to operate unnoticed. Further, the Cisco Talos team that detected the malware reports that only 6/54 AV engines detected the threat, although ClamAV did identify the file as malicious.
Cybercriminals are constantly looking for new methods of bypassing security controls and infecting end users. However, since this threat is delivered via email, that is the point at which it is easiest to block. Infection also requires macros to be enabled. If macros are blocked, the malware will not be executed. Otherwise, since the DNS communications between the malware and the attackers differs from standard DNS communications, inspecting DNS content should enable security professionals to identify infection.
Opposition to pornography filtering in libraries has seen the American Library Association placed on the National Center for Sexual Exploitation (NCOSE) naughty list.
Each year, NCOSE publishes a list of the top twelve companies and organizations that it believes are either profiting from pornography or facilitating access. The aim of the list, referred to as the Dirty Dozen, is to name and shame the companies and organizations that are failing to do enough to tackle the growing problem of online pornography.
Pornography is only the tip of the iceberg. Hidden underneath is a world of sexual exploitation, prostitution, and sex trafficking. NCOSE sees companies and organizations that fail to take action as being part of the problem, inadvertently – or in some cases deliberately – contributing to the considerable harm that is caused by pornography.
This year’s list includes technology and telecoms companies (Amazon, Comcast, Roku) the American Library Association (ALA) and EBSCO, a provider of library resources to schools, colleges, higher education establishments and libraries). Four websites make the list (YouTube, Twitter, Snapchat, and Backpage.com), along with Cosmopolitan Magazine, HBO, and Amnesty International.
The ALA is almost a permanent fixture on the NCOSE Dirty Dozen list, having been present for the past five years. It is the ALA’s opposition to the use of pornography filtering in libraries that sees it included year after year. NCOSE says “the ALA zealously encourages public libraries not to install internet filters on public access computers.” By taking such a stance, the ALA is providing patrons – including children – with the means to access sexually explicit and obscene material. ALA told CBN news that “Librarians encourage parents and children to talk with one another. Families have a right to set their own boundaries and values. They do not have the right to impose them on others.”
NCOSE doesn’t hold back, saying the ALA stance on pornography filtering in libraries “has turned the once safe community setting of the public library into a XXX space that fosters child sexual abuse, sexual assault, exhibitionism, stalking, and lewd behavior in libraries across the country.”
Only this month, NCOSE responded to the ALA’s continued opposition to pornography filtering in libraries on the grounds of free speech, saying there is no constitutional requirement for libraries to provide access to hardcore pornography to patrons.
EBSCO made the list as its databases “provide easy access to hardcore pornography sites and extremely graphic sexual content,” pointing out that its system allows schoolchildren to easily circumvent web filters in schools. In response to its inclusion on the list, EBSCO says it is working on enhancing its web filtering systems and will implement better algorithms to filter pornographic content.
Amazon made the list, even though it has a policy prohibiting the sale of pornography, because of its pornography-related items on its site, including hardcore pornographic films and sex dolls with childlike features.
Amnesty International made the list for its stance on the decriminalization of prostitution and for creating “a de facto right for men to buy people.” Cosmopolitan was included for its hypersexualized imagery and glamorization of violent, public, and group sex. Roku, Comcast, Snapchat, Twitter, YouTube and HBO were included for peddling pornography, pushing the boundaries of what is acceptable, and making it too easy for pornographic content to be accessed.