Magniber Ransomware Spread by Magnitude Exploit Kit

The Magnitude exploit kit is being used to deliver a new malware variant – Magniber ransomware. While the Magnitude EK has been used in attacks throughout the Asia Pacific region, the latest attacks are solely taking place in South Korea.

Ransomware and malware attacks in Europe and the Americas are primarily conducted via spam email. Exploit kits have fallen out of favor with cybercriminals over the past year. However, that is not the case in the Asia Pacific region, where exploit kit attacks are still common.

An exploit kit is a website toolkit that scans visitors’ browsers for exploitable vulnerabilities. When a vulnerability is identified, it is exploited to download malware onto the user’s system. The download occurs silently and in the case of a ransomware attack, the user is only likely to discover the attack when their files have been encrypted.

Magniber ransomware takes its name from the Magnitude EK and Cerber ransomware, the ransomware variant that it has replaced. At present, Magniber ransomware is solely targeting users in South Korea. If the operating system is not in Korean, the ransomware will not execute. While it is not unusual for ransomware campaigns to involve some targeting, it is rare for attacks to be targeted at a specific country.

Up until recently, the Magnitude exploit kit was being used to download Cerber ransomware. FireEye reports that those attacks were concentrated in the Asia Pacific region. 53% of attacks occurred in South Korea, followed by the USA (12%), Hong Kong (10%), Taiwan (10%), Japan (9%), and Malaysia (5%). Small numbers of attacks also occurred in Singapore and the Philippines. At the end of September, Magnitude EK activity fell to zero, but on October 15, the payload was updated and attacks were solely conducted in South Korea.

To avoid analysis, Magniber ransomware checks whether it is running in a virtual environment. A check is also performed to identify the system language. If the system language is Korean, data is encrypted with AES128 and encrypted files are given the .ihsdj extension. After encryption, the ransomware deletes itself. If the system language is not Korean, the ransomware exits.

At present, the Magnitude Exploit Kit has been loaded with a single exploit for CVE-2016-0189 – a memory corruption vulnerability in Internet Explorer. A patch for the vulnerability was released last year. FireEye believes the ransomware is still under development and its capabilities will be enhanced and fine-tuned.

To prevent attacks, it is important to ensure systems are fully patched. Businesses should make sure all network nodes are updated and are fully patched. A web filtering solution should also be used as an additional protection against this and other exploit kit attacks.

Digital Rights Groups Call for Proposed EU Internet Copyright Filter to be Dropped

The EU’s proposed Internet copyright filter has not proven popular with digital rights groups. The Internet copyright filter provision, detailed in Article 13 of the Digital Single Market proposals, would require the Internet to be policed to prevent the online publication of copyrighted content.

At present, if an individual decides to share content online and that material is protected by copyright, the holder of the copyright can submit a request to have the material taken down. The process can take some time before the material is removed, during which time the information can be viewed and potentially downloaded.

The proposed Internet copyright filter would improve protections for copyright holders. Online service providers such as Facebook, Twitter, WordPress, YouTube, and Dropbox would be required to constantly scan uploaded content to check the material is not protected by copyright. If it is, the content would need to be removed immediately.

The Internet copyright filter would certainly go some way toward protecting the rights of copyright holders and would make it harder for music, movies, TV shows, and other video content to be uploaded and viewed by the public. Unsurprisingly, the proposed measure has attracted considerable support from the entertainment industry.

However, there has been considerable opposition to the proposed Internet copyright filter by digital rights groups such as the Electronic Frontier Foundation, Human Rights Watch, Reporters Without Borders, Open Rights Group, European Digital Rights and the Civil Liberties Union for Europe. In total, 56 organizations have added their name to an open letter to EU policymakers calling for Article 13 to be dropped.

Those organizations believe that while there are benefits to Article 13, the Internet copyright filter would be impossible to implement without also violating the freedom of expression detailed in Article 11 of the Charter of Fundamental Rights, as well as imposing excessive restrictions on citizens’ fundamental rights.

If passed, Internet companies would be forced to take down content to avoid possible legal liability, and that would undoubtedly see them erring on the side of caution and applying excessive filtering controls. Legitimate content would be deleted and Internet filtering controls would limit freedom to impart and receive information.  Further, it would be difficult in practice to differentiate illegal uploads of content that violate copyright laws from legitimate uses of content.

Whether the letter will result in Article 13 being dropped remains to be seen, but if not, there are likely to be further challenges. As is mentioned in the letter, previous attempts to introduce new laws that conflict with the Charter of Fundamental Rights have been rejected by the Court of Justice. If those precedents are followed, Article 13 would likely be rendered invalid.

Commission Upholds Decision to Fire Employee for Viewing Pornography at Work

A Social Community Partnership employee fired for viewing pornography at work took legal action against her employer for unfair dismissal. However, Ireland’s Workplace Relations Commission (WRC) has upheld the Partnership’s decision to fire the employee, confirming the sanction was appropriate.

In May 2016, the employee was discovered to have viewed pornography on her work computer and was promptly fired for gross misconduct. While the employee denied viewing pornography at work, a review of access logs on her computer revealed pornographic websites had been accessed on seven occasions between September and November 2015.

The material accessed included depictions of rape and the abduction of girls. While viewing pornography at work is unacceptable in any office, the nature of the material that was accessed made this an egregious violation of the Partnership’s acceptable Internet usage policy, especially considering the Social Community Partnership works to support children and families.

Lack of Individual Logins Makes it Difficult to Attribute Inappropriate Internet Access to Individual Employees

The case was not clear cut, as the computers in the reception area where she worked did not require secure logins for each employee. The employee also denied that she had viewed pornography and claimed two other workers used the same computers. She also said that other employees could have used the computers when she was not at her desk.

To determine that the employee was the person responsible for violating the company’s acceptable Internet use policy, the Partnership had to compare Internet logs against the work schedule. Multiple employees were found to have been working on four of the seven occasions, but the employee was the only person scheduled to work in the reception area on three of the occasions when pornography was accessed.

The employee suggested the sites could have been popups, although the claim was rejected by her employer. To determine whether access was due to a malware infection, an external computer expert was called in to conduct a scan of the computer. The scan confirmed no malware was present that could have redirected the browser to pornographic websites.

After hearing the unfair dismissal case and the evidence against the employee, the WRC ruled that ‘on the balance of probability,’ the employee was the person responsible for accessing the material and that, under the circumstances, the decision to fire the employee was correct.

Two Thirds of Men and One Third of Women Admit to Viewing Pornography at Work

Even though viewing pornography at work is prohibited in many organizations, employees ignore company rules and access obscene material on their work computers. The actions often result in instant dismissal when they are discovered, although many employees believe they won’t be caught or do not realize Internet logs are maintained. Many choose to anonymize their Internet activity by connecting to the Internet via VPNs and other anonymizing services.

The scale of the problem has been identified by several surveys and studies. In one notable study, conducted by Proven Men Ministries in 2014, 63% of men and 36% of women admitted having accessed pornography at work on at least one occasion.  Other studies in the United States and the UK have also confirmed viewing pornography at work is commonplace.

The viewing of pornography at work can cause many problems for employers. In this case, the Social Community Partnership could have lost essential government funding. Even though that didn’t happen, there has been considerable negative publicity and the expense of fighting an unfair dismissal claim.

When employees view pornography at work, it can easily lead to the creation of a hostile working environment. Lawsuits could be filed by other employees who have been made to feel uncomfortable by the actions of others, and when illegal pornographic material is accessed at work – child pornography for example – the consequences for employers can be severe.

How Can Businesses Prevent Employees Viewing Pornography at Work?

Acceptable Internet usage policies can be used to ensure employees who breach the rules can be fired, but they do not prevent employees viewing pornography at work. Cases such as this show just how important it is to implement technology to prevent employees from accessing inappropriate website content – not just pornography, but also other content that should not be accessed in the workplace.

The expense and problems experienced by the Social Community Partnership could have easily been avoided if a web filter had been used. A web filter is a simple method of enforcing acceptable Internet usage policies and preventing pornography and other unacceptable content from being accessed by employees. A web filter can also block the use of anonymizers such as VPNs.

Further, a web filter is easy to implement, inexpensive, and can help organizations prevent considerable productivity losses, while reducing legal liability.

To find out more about the benefits of web filtering, and how you can stop employees viewing pornography at work, contact the TitanHQ team today and ask about WebTitan.

PornHub Malvertising Campaign Infects Millions with Malware

A massive Pornhub malvertising campaign has been detected that potentially resulted in millions of malware infections in the United States, Canada, UK, Australia and beyond.

Malvertising is the term given to malicious adverts that dupe website visitors into visiting websites where malware is downloaded or to sites that are used to phish for login credentials. These malverts often appear on legitimate websites, adding to their legitimacy. The malicious sites that users are directed to can download any type of malware – keyloggers, ransomware, spyware or adware.

The Pornhub malvertising campaign was used to spread click fraud malware. The hacking group behind the campaign – KovCoreG – used the Kovter Trojan. The malware has persistence and will survive a reboot.

Pornhub is one of the most popular adult websites, attracting millions of visitors. The website uses a third-party ad network called Traffic Junky. The attackers managed to sneak their malicious adverts past the controls the ad network has in place against malvertising.

The attackers detected the browser being used and redirected users to a website tailored to their browser. The Pornhub malvertising campaign worked on users of Chrome, Internet Explorer/Edge and Firefox. The webpages had been expertly crafted to exactly match the colors and fonts of Google, Firefox, and Microsoft, and included the relevant logos and branding. The malicious webpages indicated a critical security update was required to secure the user’s browser. Clicking to download the update, and running that update, would result in infection.

The Pornhub malvertising campaign was detected by Proofpoint, which notified the ad network and Pornhub. Both acted quickly to remediate the threat, although not before many users had been infected with malware.

A Web Filtering Solution Can Block Malvertising Attacks

Implementing a web filtering solution in the workplace is not just about preventing your employees from wasting time on Facebook. A web filter is an important part of any layered cybersecurity defense strategy. The latest Pornhub malvertising campaign is a good example of how controlling the websites your employees can access can prevent malware infections.

Unless you work in the adult entertainment industry, employees should be prevented from accessing pornography at work. Most organizations include pornography in their acceptable usage policies. However, unless a filtering solution is implemented to block access, some employees are likely to break the rules. You could have a policy in place that states accessing pornography at work will result in instant dismissal. However, if anyone breaks the rules, it is not just their job that is on the line. Your network could be infected with malware.

Of course, cybercriminals do not just use adult websites for malicious adverts. Malvertising can appear on any website that includes ad blocks from third party advertisers. Since these ad blocks are an important source of revenue, many popular websites use them – websites that are likely to feature heavily in your Internet access logs, such as The New York Times website, the BBC, and MSN.

This Pornhub malvertising campaign required a manual download, although oftentimes users are directed to sites where malware is downloaded automatically using exploit kits. If you are fully patched, you are likely to avoid an infection, but it is easy to miss a patch. The massive Equifax data breach showed how easy it is for a patch to be missed, as did the WannaCry ransomware attacks.

Considering the cost of resolving a malware infection, phishing attack, or ransomware installation, a web filtering solution is likely to pay for itself. Add to that the increase in productivity from blocking access to certain categories of websites and the improvements to your profits can be considerable.

If you are not yet using a web filter, or are unhappy with the cost of your current solution, give TitanHQ a call today and find out more about the savings you could be making.