Cybersecurity News
Keeping up-to-date with cybersecurity news can help protect organizations from online threats such as malware downloads and phishing campaigns. By being aware of the types of threats that exist, how they operate, and what damage they can do, organizations can take precautions against the threats, educate their employees to be aware of online security, and strengthen their online defenses.
The most effective way of preventing attacks by cybercriminals is to stop Internet users from receiving emails containing phishing links or visiting websites that harbor viruses. This can be achieved with an email filter and an Internet content filter – both solutions having mechanisms in place to protect organizations and ensure they are not featured in future in our cybersecurity news section.
by G Hunt |
December 30, 2022 |
Cybersecurity News, Security Awareness Training
A phishing campaign has been detected that is being used to deliver QBot malware, one of the oldest malware families still in use. QBot malware has been around since at least 2009 and is known by many different names, including QakBot, QuackBot and Pinkslipbot. One of the primary functions of the malware is to steal passwords, although the latest variants also serve as a backdoor into victims’ systems. As is the case with many other Trojan malware variants, the group operating the malware works as an initial access broker for ransomware gangs. After the gang has achieved its aims, access to compromised devices is sold to ransomware gangs. The threat actors behind QBot malware have previously worked with the operators of the Emotet botnet, and used the Emotet malware for delivering QBot; however, the law enforcement takedown of the Emotet botnet in January 2021 forced the group to switch attack vectors, and since then QBot malware has been primarily distributed using phishing emails. Now the group has been observed using a new tactic in its phishing campaigns that use Scalable Vector Graphics (SVG) files. SVG files have become popular due to their ability to support interactivity and animations and are a web-friendly XML-based vector file format. It is the support for interactivity that makes SVG files a good choice for malware distribution. SVG files can include HTML tags, and JavaScript can be included in the <script> tags in the image. In this case, the JavaScript is malicious. The phishing campaign involves emails that have an HTML attachment, which loads an SVG file from the Internet. The SVG image will be specified within an <embed> or <iframe> tag and will be displayed, but the JavaScript in the image will also be executed. In this campaign, the JavaScript within the SVG image assembles the malware directly on the user’s device, instead of downloading the malware from the Internet, as that would risk detection by security solutions. 
The malware is packaged into a ZIP file that is password protected, so antivirus solutions cannot scan the content. The user is provided with the password to open the zip file in the HTML. The user is told...
by G Hunt |
September 30, 2022 |
Cybersecurity Advice, Cybersecurity News, Web Filtering
A dangerous new malware called Erbium is being advertised on hacking forums and has the potential to become a major threat. Erbium malware is an information stealer with extensive functionality, which is offered under the malware-as-a-service (MaaS) model. MaaS provides hackers with an easy way to conduct attacks. The MaaS operators develop their malware and lease it out, usually charging a weekly, monthly, or annual subscription. The MaaS operator provides detailed instructions on how to conduct attacks, which means the malware can be used without having to become a programming expert. In fact, many MaaS operations make conducting attacks incredibly easy, requiring little in the way of technical skill. After signing up to use the malware, it can be operated via the web-based UI, where users can access the data stolen by the malware. Oftentimes, live chat is available to help resolve any issues. Currently, one of the most popular information stealers available under the MaaS model is the RedLine Stealer, which is a highly capable malware variant that can be purchased or rented under a subscription model. The malware can steal information from browsers such as autocomplete data and saved credentials, steal from FTP and IM clients, and from cryptocurrency wallets. The latest variants allow users to upload and download files. RedLine has proven very popular; however, it is quite expensive. Erbium malware is disrupting the market, offering broadly the same capabilities as RedLine but for a fraction of the cost. Initially, Erbium malware was being advertised at just $9 per week, although due to the popularity of the malware the price was increased to $100 per month. Even with the increase, the malware is far cheaper than RedLine, and based on user feedback, it is proving very popular with the cybercrime community. Erbium malware is a work in progress, but it already has extensive capabilities.
The malware can steal information from browsers such as saved credentials, cookies, credit card numbers, and autofill information. It can steal from cryptocurrency wallets installed on web browsers and attempts to steal from a wide range of cold desktop cryptocurrency...
by G Hunt |
August 31, 2022 |
Cybersecurity News
A sophisticated phishing campaign is being conducted to steal Microsoft 365 credentials that bypasses multifactor authentication on accounts. Attacks on Microsoft 365 users are far from uncommon. With so many businesses using Microsoft 365, it is an attractive target for hackers. If they can develop a campaign that bypasses Microsoft’s security controls, huge numbers of businesses can be attacked. Microsoft 365 credentials are valuable. They provide an attacker with access to email accounts, and often other Microsoft products such as SharePoint, OneDrive, and Skype. A successful attack on just one Microsoft 365 user can give the attacker access to huge amounts of sensitive data and provide a foothold in the network for a much more extensive attack. One of the latest campaigns spoofs DocuSign – a platform used by organizations to manage electronic agreements. The email requests feedback on a document, with the message crafted to look like a genuine email sent through DocuSign. This campaign appears to be a spear phishing attack, which targets executives at businesses. If the link is clicked, the user will be directed to a malicious URL where they are required to log in with their Microsoft 365 credentials. The website appears to be the genuine Microsoft login page, and if credentials are entered, they are captured. The user is then presented with a notice advising them that the authentication has failed and will likely be unaware that credentials have been stolen. Stealing credentials alone may not be enough to gain access to Microsoft 365 accounts, as multifactor authentication may have been enabled. This is strongly encouraged by Microsoft to prevent stolen credentials from being used by unauthorized individuals to access accounts. To get around this, this campaign involves the use of a reverse proxy in a man-in-the-middle attack. The web page linked in the email used the evilginx2 proxy. 
When the credentials are entered on the fake login page they are fed to the genuine Microsoft 365 login, unbeknown to the victim. The session cookie from the successful login attempt is stolen and is used to assume the identity of the victim. That cookie means credentials do...
by G Hunt |
June 30, 2022 |
Cybersecurity Advice, Cybersecurity News, Internet Security News, Network Security
Ransomware gangs gain initial access to business networks using a variety of techniques, with phishing one of the most common methods. Phishing is used to obtain credentials, especially for cloud-based services and applications. Phishing emails are often used to deliver malware loaders. Once installed, the malware loader drops malicious payloads, which ultimately results in a network-wide ransomware attack. A relatively new malware loader – Bumblebee – is now gaining popularity with ransomware gangs and is known to be used by some of the highest profile ransomware operations. According to Symantec, Bumblebee Loader is known to be used by Conti, Quantum, and Mountlocker, and possibly others, and has fast become the ransomware delivery vehicle of choice. The Bumblebee loader is primarily delivered via phishing emails and is used to create a backdoor in victims’ networks, allowing the attacker to take control of devices and execute commands. Bumblebee has been observed delivering the Cobalt Strike attack framework, which is used for lateral movement within networks. Once a sufficiently high number of devices and systems have been compromised, the Bumblebee loader drops the ransomware payload. After sensitive data has been exfiltrated from the victim’s systems, the file encryption process is initiated. According to Symantec, the Bumblebee loader has replaced several other malware variants that have proven popular with ransomware gangs in the past, such as the TrickBot Trojan and BazarLoader. The replacement of those malware variants with the Bumblebee loader appears to have been pre-planned. If the Bumblebee loader is detected on any device, rapid action should be taken as it is likely that the malware could lead to a ransomware attack.

The Growing Threat of Ransomware Attacks

Ransomware attacks on businesses increased significantly in 2021.
The Federal Bureau of Investigation (FBI) reported in its 2021 Internet Crime Report that the FBI Internet Crime Complaint Center (IC3) received 2,084 reports of ransomware attacks between January 1 and July 31, 2021, which represents a 62% increase year-over-year. The 2021...
by G Hunt |
November 24, 2021 |
Cybersecurity News
A new malware downloader has been identified that is being used to deliver 8 different malware payloads, including several Remote Access Trojans (RATs) and keyloggers. The malware has been named RATDispenser by security researchers at HP Wolf Security, who recently identified and analyzed the malware. RATDispenser is a stealthy JavaScript-based malware that is primarily being used as a malware dropper to deliver a broad range of payloads, possibly under the malware-as-a-service model. Out of 155 samples analyzed by the researchers, 145 were droppers and 10 were downloaders that communicated over the network to retrieve a secondary stage of the malware. RATDispenser is being distributed in spam emails that contain a malicious attachment – a JavaScript file with a double extension to make it appear to be a text file (.txt). In one of the emails distributing the malware, the email had the subject line “Product Specification” and related to a fake order placed by the recipient. JavaScript files are executable files, so simply double clicking on the attachment is all that is required to start the infection process. When the JavaScript file is executed, it decodes itself at runtime and writes a Visual Basic script file to the %TEMP% folder using cmd.exe. The VBScript file is then run and delivers the malware payloads. RATDispenser drops GuLoader, Ratty, Remcos, AdWind, STRRAT, and WSHRAT and downloads the FormBook keylogger and information stealer and the Panda Stealer cryptocurrency stealer. The malware delivered by RATDispenser can be used to obtain credentials and other sensitive data and gives the attacker backdoor access and full control of infected devices. Once sensitive data has been obtained, the threat actor could sell access to other threat groups, such as ransomware gangs. The range of malware variants delivered by RATDispenser makes this malware particularly dangerous, made worse by the poor detection rates by many antivirus engines.
Email security solutions use antivirus engines to detect malware and malicious files, but only 11% of the 77 antivirus systems on VirusTotal are currently identifying RATDispenser as malicious. An email security...
by G Hunt |
September 29, 2021 |
Cybersecurity News
A new malware threat has been discovered that is being distributed using phishing emails. BluStealer malware can perform a range of malicious activities, including logging keystrokes to obtain credentials, stealing cryptocurrency and banking information, and exfiltrating sensitive files from victims’ devices via SMTP. BluStealer malware was first identified by an infosec researcher in May and was initially named a310logger. Initially, BluStealer malware was being used in limited attacks, although it is now being distributed more widely in larger phishing campaigns. In mid-September, one phishing campaign was conducted targeting 6,000 users in a single day. The malware has been distributed in several countries, mainly Argentina, Czech Republic, Italy, Greece, Romania, Spain, Turkey, the United Kingdom and the United States. As with many other malspam campaigns, the emails used to distribute the malware use social engineering techniques to trick recipients into opening a malicious attachment. The attached file is seemingly benign but delivers the BluStealer payload. A variety of lures have been used in the phishing campaigns and multiple companies have been impersonated. The antivirus company Avast intercepted messages that impersonated the Mexican metal producer General de Perfiles and the international courier firm DHL. The DHL phishing emails target businesses and closely resemble genuine email communications from the firm. The emails claim a package has been delivered to head office since the recipient was unavailable. The emails include an attached form which users are required to complete to reschedule a delivery; however, opening the attached file will allow a script to run that results in BluStealer malware being silently downloaded and executed. Avast says the General de Perfiles email also targets businesses and claims the recipient has overpaid an invoice and the money will be applied against the next purchase. Again, the user is required to open an attachment.
The emails contained .iso attachments and download URLs on the Discord Content Delivery Network, along with a C# .NET loader. The core code of the malware is written in Visual Basic and there is a...
by G Hunt |
August 31, 2021 |
Cybersecurity News, Web Filtering
A widespread phishing campaign has been identified that uses a range of tricks to fool end users and spam filters, with the ultimate goal of stealing Office 365 credentials. Office 365 credentials are extremely valuable. Phishers can use the compromised email accounts for conducting more extensive phishing attacks on an organization or for business email compromise scams. There is also a market for these credentials and they can be sold for big bucks to other threat groups such as ransomware gangs. Office 365 email accounts also contain a wealth of sensitive data that can easily be monetized. This campaign involves a range of social engineering techniques to fool end users into believing the emails are genuine. Well-known productivity tools such as SharePoint are impersonated, with the emails claiming to be collaboration requests. Zoom has also been spoofed to make it appear that the recipient has been invited to attend a meeting. The emails include the correct logos, and closely resemble the genuine requests they impersonate. The emails direct users to a phishing webpage where users are required to enter their Office 365 credentials. Those phishing pages include the correct Microsoft logo and styling and appear genuine, other than the URL of the page. The scammers have also used CAPTCHA verification pages that need to be completed to prove the user is a human rather than a bot. The CAPTCHA adds legitimacy to the campaign and gives an illusion of security, whereas the purpose is to prevent security solutions from identifying the phishing content. After passing the CAPTCHA challenge, the user is presented with a fake Office 365 login prompt. After entering their credentials, they are presented with a fake error message and are prompted to re-enter the password. This additional step helps to ensure that the correct password is captured. After completing that step, the user is sent to a legitimate domain advising them that the email message has been released. 
The campaign also abuses open redirects to fool end users and security solutions. An open redirect is a legitimate tool that is commonly used in marketing campaigns, where companies want to track responses to...
by G Hunt |
July 24, 2021 |
Cybersecurity News, Internet Security News, Web Filtering
A new malware dubbed Crackonosh is being used in attacks on gamers with the goal of hijacking the resources on their computers to turn them into cryptocurrency mining rigs. Cryptocurrency prices have been soaring in recent months, with many reaching record prices. That makes mining cryptocurrency profitable, and even more so when using the powerful computers of gamers without their knowledge. The gamers cover the electricity costs and supply the hardware, while the coin mining profits go to the scammers. Getting malware onto gamers’ devices is the key to this scam, and what better way to do that than to offer gamers free versions of popular games such as Grand Theft Auto V, Pro Evolution Soccer 2018, or NBA 2K19. These cracked games can be installed without having to make a purchase, with the games offered free in forums. Currently, most infections have come via forums, but games could easily be hosted on a website and traffic driven to those sites through malicious adverts in the search engines or third-party ad blocks on any number of high traffic websites. The games are legitimate, although they have been cracked to allow them to be installed without having to purchase the game key. The correct game will be installed but bundled into the installer are several other files that will execute in the background and install Crackonosh malware, which is capable of disabling certain antivirus programs to ensure it is not detected, including Windows Defender. It also disables Windows Update to ensure that Windows Defender is not reactivated. Since the malware creates and stores an icon in the system tray, the user will most likely be unaware that their antivirus software has been disabled. One of the main aims of Crackonosh malware is to deliver a legitimate cryptomining program named XMRig, although in this case, XMRig is used to hijack the CPU and GPU of victims’ devices and use those resources for generating cryptocurrency. 
Using XMRig on one gaming computer will not make much money, but at scale the operation is hugely profitable. The malware distribution campaign has proven successful, with the malware found in more than a dozen countries, with the highest...
by G Hunt |
May 14, 2021 |
Cybersecurity News, Internet Security News, Web Filtering
TitanHQ has announced that a new version of WebTitan Cloud has been released that brings new features and improved security. The release of WebTitan Cloud version 4.16 has allowed TitanHQ to introduce a new web filtering solution for the education sector – WebTitan OTG (on-the-go) for Chromebooks. The use of Chromebooks has been steadily increasing, especially in the education sector where they are a cost-effective option for schools to allow students to access the Internet. Internet access is important in education, but it is vital that students can access the Internet safely and securely. Controls need to be implemented to prevent students from accessing age-inappropriate content such as pornography, devices need to be protected from malware and ransomware, and phishing and other malicious websites should be blocked. WebTitan OTG for Chromebooks allows IT professionals in the education sector to easily implement web filtering controls for individuals, user groups, or globally to ensure compliance with federal and state laws, including the Children’s Internet Protection Act (CIPA), and to protect their students and their devices from threats. WebTitan OTG for Chromebooks, like other WebTitan products, is a DNS-based web filter that applies filtering controls at the DNS lookup stage of web requests. That means there is no latency – Internet speed is unaffected. Since WebTitan is entirely cloud-based, there is no need for any additional hardware and the solution requires no proxies or VPNs. Setup is easy, and user and device level web filtering for Chromebooks can be set up in just a few minutes. The solution provides protection for students regardless of where the Internet is accessed – students will have access to a clean, safe, filtered Internet in the classroom and at home, and it is also easy to lock down Chromebooks to prevent any bypassing of filtering controls.
Administrators also have full visibility into Internet access, including locations, web pages visited, and attempts made to visit prohibited content.

Support Added for in Azure Active Directory

WebTitan Cloud version 4.16 includes DNS Proxy 2.06, which supports filtering of users in Azure Active Directory,...
by G Hunt |
February 26, 2021 |
Cybersecurity News, Email Archiving, Internet Security News, Web Filtering
TitanHQ has announced that three of its cybersecurity solutions have been named winners at the 2021 Expert Insights’ “Best-Of” Awards, beating some of the best-known email security, web security, and email archiving products on the market. For more than 25 years, TitanHQ has been developing innovative cybersecurity solutions to protect businesses from email and web-based threats to their networks and data. TitanHQ’s multi-award-winning products are used by more than 8,500 businesses in over 150 countries, and 2,500 Managed Service Providers (MSPs) offer TitanHQ solutions to their customers to protect them from phishing, malware, ransomware, botnets, viruses, and other cyber threats. Expert Insights is a respected website that was created in 2018 to help businesses research and select the best cybersecurity solutions to protect their networks and data from cyber threats. Through impartial product reviews, advice from cybersecurity experts, and industry analysis, IT leaders can discover the best cybersecurity solutions to meet their unique needs. The website helps more than 40,000 businesses a month with their research into cybersecurity products and services. Each year, Expert Insights recognizes the leading cybersecurity service and solution providers and their products at the Expert Insights’ “Best-Of” Awards. Technical experts with decades of experience in the cybersecurity industry assess products based on several factors, including ease of use, range of features, the protection provided, and market position, as well as how each product is rated by verified business users. The top products then receive an Expert Insights’ “Best-Of” Award.
This year, TitanHQ was recognized by Expert Insights for the powerful threat protection provided by its products, the ease-of-use of the solutions, and their cost-effectiveness, which is why the solutions have proven to be so popular with enterprises, SMBs and MSPs looking for comprehensive protection against email and web-based threats. “2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Expert Insights CEO and Founder...
by G Hunt |
January 27, 2021 |
Cybersecurity News, Internet Security News
A phishing campaign is underway which is distributing a new variant of the DanaBot Trojan. The DanaBot Trojan was first identified in May 2018 and has been actively distributed via phishing emails for more than two years. In the summer of 2020, activity slowed but the campaigns resumed in October. DanaBot is a modular banking Trojan used in targeted geographical attacks on businesses. The first variant that emerged in 2018 was used in targeted attacks in Australia, while the second variant was primarily used in attacks on U.S. companies. Attacks have also been conducted in Europe, primarily in Ukraine, Austria, Poland, Italy, and Germany. The latest variant is the fourth to be identified and has been released around a year after the third variant was identified in February 2019. The latest variant has had several technical anti-analysis changes made to the main component of the malware and its method of maintaining persistence has changed. The latest variant now achieves persistence through a LNK file loaded into the user’s startup folder, which launches the malware when the device is booted. Affiliates are used to conduct campaigns distributing the DanaBot Trojan under the malware-as-a-service model. Several new affiliate IDs have been added which suggests the malware-as-a-service operation is growing. It is therefore probable that DanaBot will grow into a much bigger threat in 2021. Previously, DanaBot has been primarily distributed via spam emails that deliver a malware dropper, which downloads the banking Trojan via a multi-stage process. It now appears that the malware is being distributed via websites that offer cracks and software keys for pirated software such as graphics software, VPNs, antivirus software, and games.

Protecting Against Banking Trojans by Blocking Malware Delivery

Protecting against DanaBot and other Trojans requires a range of security measures. Two of the most important are an advanced spam filter and a web filtering solution.
The spam filter will detect malicious emails that attempt to deliver the malware dropper, while the web filter will block access to the websites that are used to download the malware. TitanHQ has developed a...
by G Hunt |
December 31, 2020 |
Cybersecurity News, Network Security
The K-12 education sector has long been a target for cybercriminals, but this year has seen the sector targeted more aggressively by threat actors. 2020 has seen a major increase in attacks involving ransomware and malware, phishing incidents have risen, as have network compromises and distributed denial-of-service (DDoS) attacks. This December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a warning to the education sector after the massive increase in cyberattacks was identified. Data from the Multi-State Information Sharing and Analysis Center (MS-ISAC) shows a substantial increase in ransomware attacks on K-12 schools. In August and September 2020, 57% of all reported ransomware attacks occurred at K-12 schools, compared to just 28% from the year to July. Ransomware attacks render essential systems and data inaccessible, which can cause serious disruption to learning, especially at a time when many schools have transitioned to distance learning. K-12 schools often have little choice other than paying the ransom, and many do. Figures from the Department of Education show that between 2016 and 2017, 60% of schools attacked with ransomware paid the ransom to recover their data. A recent Department of Education alert to K-12 schools called for a collective effort to ensure that all data is regularly backed up and advised schools not to pay the ransom demands if attacked. The DoE wants to send a message to ransomware gangs that attacks on the education sector are not financially viable. The tactics used in ransomware attacks on K-12 schools are similar to those used to attack business and industry targets. Access to networks is gained, the attackers move laterally to identify data of interest, and exfiltrate that data prior to encrypting files. The attackers threaten to publish or sell sensitive student and employee data if the ransom is not paid.
Several ransomware gangs have stepped up attacks on K-12 schools, including REvil, Nefilim, Ryuk, and AKO. The Maze ransomware operation, which has now been shut down, has also conducted several attacks on K-12...
by G Hunt |
September 30, 2020 |
Cybersecurity News
The operators of Exorcist 2.0 ransomware have adopted a new tactic for distributing their ransomware. They have set up fake websites that claim to be crack sites for popular software programs. The websites offer cracking tools that can be used to generate valid license codes that allow popular software to be used free of charge. One of the websites offers a Windows 10 activator, which can be used to generate a license code that activates Windows 10 free of charge. When a user arrives on the website, they are presented with download links for the software cracking tool. Clicking on the link will generate the download of a password-protected zip file, along with a text file that provides the user with the password to open the zip file. This method of file delivery helps to prevent the malicious contents of the zip file from being detected by antivirus solutions. Since the zip file can only be opened if the password is entered, antivirus software is unable to scan the contents. This method also bypasses the protection of Microsoft SmartScreen and Google Safe Browsing. Once the file contents are extracted, the user must run the setup program, which is actually the Exorcist 2.0 binary. Double clicking and executing the file will start the file encryption process and a ransom demand will be presented. Contact must be made with the attackers to find out how much must be paid for the keys to decrypt files, with the attackers in control of the ransom amount. Ransom demands can be for several thousand dollars and there is no way of decrypting files without paying the ransom. While phishing emails are commonly used to direct individuals to websites where malware and ransomware are downloaded, this campaign involves malvertising – malicious advertisements on third-party ad networks that direct web visitors to malicious websites. These adverts are displayed in ad blocks on legitimate websites, often high traffic websites.
There have recently been several major malvertising campaigns that have seen malicious adverts displayed on some of the most popular adult websites, although any website that uses third-party ad blocks could potentially have malicious adverts displayed to...
by G Hunt |
April 29, 2020 |
Cybersecurity News, Internet Security News
The massive increase in employees working remotely has not been missed by cybercriminals, who are actively targeting these workers using a variety of tactics to fool them into disclosing their credentials or installing malware. Phishing attacks remain the most common method used to attack remote workers, but there has also been a notable increase in malvertising during the COVID-19 pandemic. Malvertising is the practice of creating malicious adverts which are syndicated across legitimate websites through third-party ad networks. The malicious adverts are used to redirect website visitors to webpages where credentials are harvested, malware is downloaded, or to other scams to obtain fraudulent payments or charitable donations. Several COVID-19 themed ploys have been used in these malvertising campaigns to trick people into downloading malware. These scams prey on fears about SARS-CoV-19, often spoofing WHO and other COVID-19 authorities to add legitimacy to the campaigns. A common theme is an offer of important advice on how to protect against COVID-19. The rise in malvertising activity during the COVID-19 pandemic has been significant, with some reports indicating the number of malicious adverts has doubled in March compared to standard levels of malicious advert activity prior to the pandemic. A malvertising campaign was recently identified that spoofed the anti-malware software vendor Malwarebytes. The campaign claimed the user’s computer was infected with malware and a download of Malwarebytes’ software was required to remove the infections. The malicious webpage used for the scam was on a malwarebytes-free domain that was registered on March 29, 2020. The site used a copycat template created from stolen branding from the genuine site. Any individual that landed on the website that was using the Internet Explorer browser was redirected to a webpage hosting the Fallout exploit kit that silently downloads the Raccoon information stealer.
There was a major increase in domain registrations related to COVID-19 in March. While not all of these websites are currently being used for nefarious purposes, many are being used for scamming. NTT recently issued an...
by G Hunt |
April 27, 2020 |
Cybersecurity News, Internet Security News
New research has recently been published which suggests there has been a lack of security awareness training for remote workers, even with the massive increase in people working from home due to the COVID-19 pandemic and the increased threat level. Many companies have had to make major changes to policies and allow most employees to work from home, even though doing so introduces cybersecurity risks. While this is seen by many as a temporary measure due to the pandemic, there is currently some debate about how long lockdown measures will be in place. It could well be many months before lockdowns are eased and there is a return to “normal” working life. It may also be difficult to convince workers to return to the office when measures are eased, or at least until a vaccine for the virus has been developed. That could well be a year or most likely much longer. In the meantime, remote workers are not just encountering the odd phishing email. These workers are being actively targeted by cybercriminals and APT groups. It is important to ensure that technical controls are up to scratch and are blocking threats but also to train workers to recognize threats such as phishing.
Technical Controls Will Not Block 100% of Cybersecurity Threats
Technical solutions can block most malware and phishing attacks on remote workers and will protect devices and the networks to which those devices connect. TitanHQ has developed two solutions that provide excellent protection from email and web-based threats, and there has been a massive increase in demand for those solutions during the COVID-19 pandemic from businesses and managed service providers (MSPs). When these solutions are coupled with other cybersecurity protections such as firewalls, antivirus software, and intrusion detection systems, businesses will be well protected; however, no matter how many layers are added to your defenses, security awareness training for remote workers should still be provided. 
Employees are the last line of defense and require training to help them identify threats that bypass your technical defenses.
Employees are a Weak Link, but Neglecting Security Awareness Training for Remote Workers is a...
by G Hunt |
March 26, 2020 |
Cybersecurity Advice, Cybersecurity News
Cybercriminals are taking advantage of the 2019 Novel Coronavirus pandemic and are exploiting fear to spread malware and steal data. These tactics may not be new, but these campaigns pose a significant threat in the current climate of global fear and worry. People are naturally worried about contracting COVID-19 and will be concerned about the wellbeing of their friends and family members. Many people crave new information to help them avoid illness and protect their families. If that information arrives in an inbox, email attachments may be opened, and links clicked to malicious websites. Even when training is provided to employees and they are taught not to respond to unsolicited messages, open email attachments, or click links in emails from unknown senders, mistakes can still be made. During the COVID-19 crisis, stress levels are high, and this can easily lead to decisions being taken that would not normally be made. Businesses have been forced to allow their employees to work from home, many of whom are now working in a home environment where there are many distractions. Many people do not have home offices where they can quietly work, and a challenging working environment also makes mistakes more likely. Those mistakes can prove very costly. Phishing campaigns are being conducted targeting home workers as they are seen as low-hanging fruit and an easy way to gain access to business networks to install malware, ransomware, and steal sensitive data. Several campaigns have been detected that offer important advice on the 2019 novel coronavirus and impersonate authorities on disease control and prevention such as the U.S. Centers for Disease Control and Prevention (CDC), U.S. Department of Health and Human Services, UK National Health Service, and the World Health Organization (WHO). The phishing campaigns are credible, claim to offer important advice, and are likely to be opened by many individuals. 
These campaigns seek remote access credentials and distribute malware. Coronavirus maps that display the number of cases per country are being used on many websites, including a legitimate COVID-19 case tracking map on the Johns Hopkins University website....
by G Hunt |
January 30, 2020 |
Cybersecurity News
A recent phishing attack on an 8,600-student school district in Texas ended up costing an astonishing $2.3 million. The Manor Independent School District phishing attack started in November 2019 and continued through December. The attack was an example of a highly effective – and highly lucrative – email scam known as business email compromise (BEC) or vendor email compromise, if the attack is conducted through a vendor. A BEC/VEC scam involves the use of a legitimate business email account to send emails to individuals within the organization (BEC) or to its clients (VEC) requesting a bank transfer. BEC attacks are also conducted to make changes to payroll, or requests are sent via email asking for sensitive information such as W-2 forms for use in tax fraud. The scam starts by sending phishing emails to individuals in the targeted organization. Emails are sent containing a credible ploy to get the recipient to click a hyperlink that directs them to a specially crafted webpage. That webpage is usually a carbon copy of a legitimate website, but on a different domain, that has been set up to harvest credentials. Attackers often spoof Microsoft to capture Office 365 credentials. When the user visits the website via the hyperlink embedded in the email, they are presented with the standard login prompt that they receive when attempting to log in to their Office 365 account. When the credentials are entered, they are captured by the attackers. The attackers then use the credentials to access the email account. The account is then used in the second phase of the attack. Oftentimes, when attackers gain access to an email account, they set up a mail forwarding rule that will see all messages in the email account forwarded to the attackers. They check the emails until they find something of interest, such as contractors that are performing construction works. Attackers often insert themselves into legitimate email conversations. 
Both parties believe they are communicating with each other, when the reality is they are communicating with the scammer. The scammer then asks for payments to be sent to a different email account. These conversations can span many messages and...
by G Hunt |
September 27, 2019 |
Cybersecurity Advice, Cybersecurity News
Ransomware attacks slowed in 2018 but the malicious file-encrypting malware is back with a vengeance. Ransomware attacks on educational institutions have soared this year, and as the attackers are well aware, these attacks can be extremely profitable. There have been 182 reported ransomware attacks so far this year and 26.9% of those attacks have been on school districts and higher education institutions. The increase has seen education become the second most targeted sector behind municipalities (38.5%) but well ahead of healthcare organizations (14.8%). The number of ransomware attacks on educational institutions, healthcare, and municipalities is so high compared to other sectors because attacks are relatively easy to perform and there is a higher than average chance that the ransoms will be paid. Attacks on municipalities mean they can’t access computer systems, and essential services grind to a halt. Police departments can’t access criminal records, courts have to be shut down, and payments for utilities cannot be taken. If hospitals can’t access patient data, appointments have to be cancelled out of safety concerns. In education, teachers cannot record grades and student records cannot be accessed. Administration functions grind to a halt and a huge backlog of work builds up. Some of the recent ransomware attacks on school districts have seen schools forced to send students home. Monroe-Woodbury Central School District in New York had to delay the start of the school year due to its ransomware attack. If students need to be sent home, there is often backlash from parents – not only because their children are not getting their education, but because childcare then needs to be arranged. The costs of these attacks are considerable for all concerned. Each day without access to systems costs schools, universities, municipalities, and hospitals a considerable amount of money. Downtime is by far the biggest cost of these attacks, 
far greater than any ransom payment. It is no surprise that even when ransom demands are for tens or hundreds of thousands of dollars, they are often paid. The cost of continued losses as a result of the attacks makes paying...
by G Hunt |
August 30, 2019 |
Cybersecurity Advice, Cybersecurity News
2017 was a bad year for ransomware attacks, but as 2018 progressed it was starting to look like the file-encrypting malware was being abandoned by cybercriminals in favor of more lucrative forms of attack. Between 2017 and 2018 there was a 30% fall in the number of people who encountered ransomware compared to the previous year, and the number of new ransomware variants continued to decline throughout 2018; however, that trend has now been reversed. 2019 has seen a sharp increase in attacks. Figures from Malwarebytes indicate there was a 195% increase in ransomware attacks in Q1, 2019 and that increase has continued in Q2. A new report from Kaspersky Lab has shown that not only are attacks continuing to increase, the number of new ransomware variants being used in these attacks is also increasing sharply. Kaspersky Lab identified 16,017 new ransomware modifications in Q2, 2019, which is more than twice the number of new ransomware modifications detected in Q2, 2018. In addition to updates to existing ransomware variants, Q2, 2019 saw 8 brand new malware families detected. Kaspersky Lab tracked 230,000 ransomware attacks in Q2, which represents a 46% increase from this time last year. Far from ransomware dying a slow death, as some reports in 2018 suggested, ransomware is back and is unlikely to go away any time soon. Not only are attacks increasing in frequency, ransom demands have increased sharply. Ransom demands of hundreds of thousands of dollars are now the norm. Two Florida cities paid a combined total of $1 million for the keys to unlock files encrypted by ransomware. Jackson County in Georgia paid $400,000 for the keys to unlock the encryption that crippled its court system, and recently, a massive ransomware attack that impacted 22 towns and cities in Texas saw a ransom demand of $2.5 million issued. Earlier this year, the developers of GandCrab ransomware shut down their popular ransomware-as-a-service offering. 
They claimed to have made so much money from attacks that they have now taken early retirement. Despite GandCrab ransomware being one of the most widely used ransomware variants for the past 18 months, the shutdown has not been accompanied...
by G Hunt |
August 27, 2019 |
Cybersecurity News, Internet Security News
A new phishing campaign has been detected which uses Microsoft Office 365 voicemail notifications as a lure to get users to open a malicious HTML file attached to the email. The phishing emails are very realistic. The emails include the Microsoft and Office 365 logos, use the Microsoft color scheme, and Microsoft contact information. The messages inform the recipient that they have received a new voicemail message. The caller’s number and length of the voicemail message are included, along with the time and date of the message. In order to access that message, the user is required to open an HTML file attached to the email. Many phishing campaigns use Word documents or Excel spreadsheets containing malicious macros or embedded hyperlinks that direct users to a phishing web page where credentials are harvested. Through security awareness training, employees are told to look out for these commonly used file types. HTML files are likely to be familiar to employees, but since these file types are not often used in phishing campaigns, employees may believe the attached file to be benign, when that is definitely not the case. The HTML file uses meta refresh to redirect the user from the local HTML file to a phishing page hosted on the Internet. That phishing page contains a highly realistic spoofed voicemail management page where users are required to enter their Office 365 credentials to access the message. Doing so hands those credentials to the attacker. Cybercriminals are constantly coming up with new ways to trick employees into clicking links in emails or opening malicious attachments. Keeping the workforce up to date on these threats is important. If employees are aware of the types of scam emails they are likely to receive, they will be more likely to correctly identify an email as malicious if it arrives in their inbox. Keeping the workforce 100% up to date on the latest scams will not be possible as new scams and lures are constantly being developed. 
It is therefore important to ensure that you have an advanced spam filtering solution in place that can block these messages to ensure they never test employees. SpamTitan incorporates DMARC to block email...
by G Hunt |
June 28, 2019 |
Cybersecurity Advice, Cybersecurity News
The FBI’s Internet Crime Complaint Center (IC3) has issued a warning about the increasing number of phishing websites using HTTPS. The green padlock next to a URL once gave an impression of security. Now it is a false sense of security for many internet users. HTTPS, or Hyper Text Transfer Protocol Secure to give it its full name, indicates the website holds a valid certificate from a trusted third-party. That certificate confirms that the website is secure and any data transmitted between the browser and the website will be encrypted to prevent interception in transit. The public has been taught to look for the green padlock and HTTPS before entering card details or other sensitive information. However, the padlock does not mean that the website being visited is genuine. It only means any information transmitted is secured in transit between the browser and the website. If you are buying a pair of shoes from Amazon, all well and good. If you are on a website controlled by a cybercriminal, HTTPS only means that the cybercriminal will be the only person stealing your data. Cybercriminals create realistic phishing webpages that imitate well-known brands such as Microsoft and Google to obtain login credentials or banks to obtain banking information. These phishing pages can be set up on dedicated phishing websites or phishing kits can be added to previously compromised websites. Traffic is then generated to those webpages with an email phishing campaign. If one of the links in the email is clicked, a user will be directed to a website that requests some information. If the website starts with HTTPS and displays the green padlock, the user may mistakenly believe the site is genuine and that it is safe to disclose sensitive information. The IC3 alert was intended to raise awareness of the threat from HTTPS phishing, to make the public aware of the true meaning of the green padlock, and to warn them never to trust a website because it starts with HTTPS. 
Businesses should take note and make sure they include HTTPS phishing in their security awareness training programs to raise awareness of the threat with employees. A web filter can greatly reduce the risk of HTTPS phishing...
by G Hunt |
June 24, 2019 |
Cybersecurity News, Internet Security News
While it is good news the GandCrab ransomware operation has been shut down, ransomware attacks are on the rise and a new threat has been detected: Buran ransomware. Buran ransomware lacks some of the common features of more successful ransomware strains. The ransomware does not make any attempt to hide its activity and it doesn’t attempt to hamper recovery by deleting Windows shadow copies. However, it is capable of encrypting a wide range of file types and there is currently no free decryptor available to unlock encrypted files. Buran ransomware is being spread via the RIG exploit kit, with traffic to that exploit kit generated using a malvertising campaign. Malicious adverts have been injected into legitimate ad networks and are being displayed on a range of different websites. The malvertising campaign was identified by security researcher nao_sec. The malvertising campaign directs web browsers to a domain hosting RIG, which attempts to exploit several vulnerabilities in Internet Explorer. If an unpatched vulnerability exists, Buran ransomware will be downloaded and executed. An analysis of the malware suggests it is a new variant of Vega ransomware that was previously used in a campaign in Russia. While Buran ransomware may not be a long-term successor to GandCrab ransomware, there are many threat actors moving to fill the void. Sodinokibi ransomware attacks are increasing and the ransomware developers are also using a malvertising campaign on the PopCash ad network to deliver traffic to domains hosting the RIG exploit kit. Exploit kits can only download malware if they have been loaded with an exploit for a vulnerability that has not been patched on a visitor’s computer. The primary defense against these attacks is to ensure that all Windows security updates are applied promptly, along with updates and patches for plugins and other browsers. There is invariably a delay between a patch being issued and all devices being updated. 
To provide protection until patches are applied, and to protect against zero-day exploits, a web filtering solution is recommended. A web filter can be used to control the websites that can be visited by employees and can block...
by G Hunt |
May 29, 2019 |
Cybersecurity News, Internet Security News
TitanHQ is a leading provider of email security, web security, and email archiving solutions to SMBs and managed service providers (MSPs) serving the SMB market. Over the past five years, TitanHQ has significantly expanded its customer base and its solutions now protect over 7,500 businesses and are offered by more than 1,500 MSPs around the world. TitanHQ works closely with European partners and businesses and has been expanding its footprint throughout the EU. TitanHQ is working towards becoming the leading email and web security solution provider in Europe and as part of that process, the company has recently entered into a new partnership with the French Value Added Distributor Exer. Exer is one of the leading VADs in France and works with more than 600 value added resellers and integrators in the country. The company specializes in network security, mobile security, Wi-Fi and managed cybersecurity services and helps French VARs better serve their clients. Under the new partnership agreement, Exer will start offering TitanHQ’s three cloud-based solutions to French VARs: SpamTitan, WebTitan, and ArcTitan. SpamTitan is an award-winning spam filtering solution that keeps inboxes free from spam emails and malicious messages. The solution is regularly updated to incorporate further controls to ensure that it continues to provide superior protection against an ever-changing email threat landscape. The solution now blocks more than 7 billion spam and malicious messages every month and helps to keep businesses protected from phishing and malware attacks. WebTitan is a cloud-based DNS filtering solution that protects businesses from a wide range of malicious web content. The solution can also be used to carefully control the types of web content that users can access through company wired and wireless networks. 
The solution now blocks more than 60 million malicious websites every month and prevents malware downloads, controls bandwidth use, and enforces acceptable internet usage policies. ArcTitan is a cloud-based email archiving solution that helps businesses securely store emails to ensure compliance with government and EU regulations. The solution now archives...
by G Hunt |
April 30, 2019 |
Cybersecurity News
Earlier this month, the FBI Internet Crime Complaint Center (IC3) released its annual Internet Crime Report, which highlights the most common attack trends and the extent of financial losses based on victims’ reports of internet crime. The report highlighted the seriousness of the threat of Business Email Compromise (BEC) attacks, which resulted in losses of more than $1.2 billion in 2018 – more than twice the losses to BEC attacks that were reported in 2017. 2019 is likely to see losses increase further still as the BEC attacks are continuing at pace. Last week, almost coinciding with the release of the report, Scott County Schools in Kentucky announced that it was the victim of a major BEC attack that resulted in a loss of $3.7 million. The school was notified by a vendor that a recent invoice was outstanding. Further investigation revealed payment had been made, just not to the vendor in question. An email had been received that appeared to be from the vendor, which included forged documents and details of a bank account that was controlled by the scammer. The FBI was contacted, and attempts are being made to recover the funds, although since the payment was made two weeks previously, it is unclear whether it will be possible to recover the money. A few days later, news broke of another major BEC scam, this time on a church. St. Ambrose Catholic Parish in Brunswick, Ohio, was a victim of a BEC attack that resulted in the fraudulent transfer of $1.75 million from the Church’s renovation fund. The scam was a virtual carbon copy of the Scott County Schools BEC attack. The church was contacted by its contractor after not having had invoices paid for two months. That was news to the church, which believed that payments had been made on time. The funds had left the church account but had been directed elsewhere. 
The investigation into the BEC attack revealed hackers had gained access to the church’s email system and altered the contractor’s bank and wire transfer instructions. These are just two recent examples of major losses to BEC attacks. Many other million-dollar and multi-million-dollar losses have been reported over the past 12 months. With potential...
by G Hunt |
March 28, 2019 |
Cybersecurity News, Email Archiving
TitanHQ has formed a strategic partnership with GRIDHEART, which will see TitanHQ’s leading cloud-based email security, web security, and email archiving solutions made available to users of the Cloudmore Cloud Commerce platform. GRIDHEART is a privately-owned Swedish company that delivers the world’s leading cloud-based solutions through its Cloud Commerce platform, Cloudmore. For the past 10 years, GRIDHEART has been offering leading cloud solutions to its customers and resellers and now deals with more than 1,000 cloud partners. The Cloudmore platform makes selling cloud services easy and brings a wide range of cloud services together in a single unified platform. The platform gives users complete centralized control over their cloud solutions and allows them to easily provision new customers, bill for services, automate processes, and obtain pre- and post-sales support. The platform provides a host of management tools to make control of SaaS and cloud computing simple. The partnership with TitanHQ will see the Galway, Ireland-based cybersecurity firm add its leading cybersecurity solutions to the platform, through which users can manage the solutions for free. GRIDHEART’s customers will be able to offer their clients the SpamTitan Cloud email security solution, the WebTitan web filtering solution, and the ArcTitan email security solution and provide multi-layered security to protect against email, web, and modern blended threats. “By offering additional layers of cloud-based security through Cloudmore’s unique Cloud Commerce platform, MSPs can procure and deploy IT services for their customers and quickly maximize their IT investment, enhance their security stack and lower operational costs for their customers,” said Rocco Donnino, Executive VP of Strategic Alliances at TitanHQ. 
“This agreement highlights the importance of delivering comprehensive security solutions to the MSP community through a single and powerful platform.” “TitanHQ fits the bill as a perfect partner with their razor focus on advanced threat protection via email and the web. We’re very happy to have them on board,” said Stefan Jacobson, Sales Director of GRIDHEART....
by G Hunt |
January 25, 2019 |
Cybersecurity News
Reputation loss after a cyberattack can have a major impact on businesses. While large companies may be able to absorb the loss of customers that results, for small to medium businesses, reputation damage and loss of customers can prove devastating. Cybersecurity consultants and computer forensics firms can be hired to find out how an attack occurred, and new solutions can be implemented to plug the holes through which access to the network was gained. Regaining the trust of customers can be much harder. Once trust in a brand is lost, some customers will leave and never return. When personal data has been exposed or stolen, customers feel betrayed. Company privacy policies may not be read, but customers believe that any company that collects their personal data has a responsibility to protect it. A data breach is seen as a breach of the company’s responsibility to keep personal data private and secure, and many customers will take their business elsewhere after such a privacy violation. Reputation loss after a cyberattack can also make it hard to find new customers. Once information about a breach has been made public, it can be enough to see potential customers avoid a brand.
Extent of Reputation Loss After a Cyberattack
Radware recently conducted a survey to investigate the cost of cyberattacks on businesses. The study revealed 43% of companies that took part in the study said they had experienced negative customer experiences and reputation loss as a result of a successful cyberattack. Previous studies suggest that as many as one third of customers will stop doing business with a company that has experienced a data breach. A study by Gemalto paints an even bleaker picture. In a global survey of 10,000 individuals, 70% claimed they would stop doing business with a company that had experienced a data breach. The cyberattack on the telecoms company TalkTalk in 2015 – which cost the firm an estimated £77 million – caused uproar online. 
Customers turned to social media networks to express their rage about loss of service and the theft of their personal data. The company’s reputation took a massive hit as a result of the attack, not helped...
by G Hunt |
January 21, 2019 |
Cybersecurity News, Internet Security News
The Fallout exploit kit, a toolkit used to silently deliver ransomware and malware to vulnerable devices, was first identified in September 2018. Between September and December, the toolkit was used to exploit vulnerabilities and deliver GandCrab ransomware and other malicious payloads. Towards the end of the year, the vulnerabilities most commonly exploited were a remote code execution vulnerability in the Windows VBScript engine (CVE-2018-8174) and the use-after-free vulnerability in Adobe Flash Player (CVE-2018-4878). Around December 27, 2018, Fallout exploit kit activity stopped, but only for a few days. Now the exploit kit is back, and several updates have been made including the addition of HTTPS support, a new landing page format, and PowerShell-based malware downloads. A new exploit has also been added for a zero-day use-after-free Adobe Flash Player vulnerability (CVE-2018-15982) which was patched on December 5, 2018: a vulnerability also exploited by the Underminer exploit kit. The Fallout exploit kit is primarily delivered via malvertising campaigns – malicious adverts on third-party ad networks that are served on a variety of legitimate websites. The adverts redirect users to the exploit kit, which probes for vulnerabilities and exploits them to silently deliver malware or ransomware. The updated version of the Fallout exploit kit is delivering the latest version of GandCrab ransomware, for which there is no free decryptor. In addition to GandCrab ransomware, the Fallout exploit kit is delivering ServHelper, AZORult, TinyNuke, Dridex and Smokebot malware. The malvertising campaigns used to generate traffic to the exploit kit include TrafficShop, Popcash, RevenueHits, and HookAds. The latter is primarily used on high-traffic adult websites that are visited millions of times a month. Users are redirected to a decoy adult site that contains the exploit kit and would be unaware that anything untoward has happened. 
If there is an unpatched vulnerability for which Fallout has an exploit, the ransomware or malware payload will be silently downloaded. Exploit kit activity is now much lower than in 2016 when EKs were extensively used to deliver malware, but...
by G Hunt |
November 29, 2018 |
Cybersecurity News, Internet Security News
A Starbucks porn filter will finally be introduced in 2019 to prevent adult content from being accessed by customers hooked up to the coffee shop chain’s free WiFi network. It has taken some time for the Starbucks porn filter to be applied. In 2016, the coffee shop chain agreed to implement a WiFi filtering solution following a campaign from the internet safety advocacy group Enough is Enough, but two years on and a Starbucks porn filter has only been applied in the UK.
Businesses Pressured to Implement WiFi Filters to Block Porn
Enough is Enough launched its Porn Free WiFi campaign – now renamed the SAFE WiFi campaign – to pressure businesses that offer free WiFi to customers to apply WiFi filters to restrict access to adult content. In 2016, more than 50,000 petitions were sent to the CEOs of Starbucks and McDonald’s urging them to apply WiFi filters and take the lead in restricting access to pornography and child porn on their WiFi networks. After petitioning McDonald’s, the global restaurant chain took prompt action and rolled out a WiFi filter across its 14,000 restaurants. However, Starbucks has been slow to take action. Following the McDonald’s announcement in 2016, Starbucks agreed to roll out a WiFi filter once it had determined how to restrict access to unacceptable content without involuntarily blocking unintended content. Until the Starbucks porn filter was applied, the coffee shop chain said it would reserve the right to stop any behavior that negatively affected the customer experience, including activities on its free WiFi network. The apparent lack of action prompted Enough is Enough to turn up the heat on Starbucks. On November 26, 2018, Enough is Enough president and CEO, Donna Rice Hughes, issued a fresh call for a Starbucks porn filter to be implemented and for the coffee chain to follow through on its 2016 promise. Rice Hughes also called for the public to sign a new petition calling for the Starbucks porn filter to finally be put in place. 
Starbucks Porn Filter to Be Applied in All Locations in 2019
Starbucks has responded to Enough is Enough, via Business Insider, confirming that it has been testing a variety of WiFi filtering solutions...
by G Hunt |
November 15, 2018 |
Cybersecurity Advice, Cybersecurity News
The biggest cyber threat to SMBs is ransomware, according to Datto’s State of the Channel Report. While other forms of malware pose a serious risk and the threat from phishing is ever present, ransomware was considered to be the biggest cyber threat to SMBs by the 2,400 managed service providers that were polled for the study. Many SMB owners underestimate the cost of mitigating a ransomware attack and think the cost of cybersecurity solutions to prevent attacks, while relatively low, is not justified. After all, according to Datto, the average ransom demand is just $4,300 per attack. However, the ransom payment is only a small part of the total cost of mitigating an attack. The final cost is likely to be ten times the cost of any ransom payment. Datto points out that the average total cost of an attack on an SMB is $46,800, although there have been many cases where the cost has been far in excess of that amount. One of the most common mistakes made by SMBs is assuming that attacks will not occur and that hackers are likely to target larger businesses with deeper pockets. The reality is SMBs are being targeted by hackers, as attacks are easier to pull off. SMBs tend not to invest as heavily in cybersecurity solutions as larger businesses.
Anti-Virus Software is Not Effective at Preventing Ransomware Attacks
Many SMB owners mistakenly believe they will be protected by anti-virus software. However, the survey revealed that 85% of MSPs said clients that experienced a ransomware attack had anti-virus solutions installed. Anti-virus software may be able to detect and block some ransomware variants, but since new forms of ransomware are constantly being developed, signature-based cybersecurity solutions alone will not offer a sufficient level of protection. Many SMBs will be surprised to hear just how frequently SMBs are attacked with ransomware.
More than 55% of surveyed MSPs said their clients had experienced a ransomware attack in the first six months of this year and 35% experienced multiple attacks on the same day. Some cybersecurity firms have reported there has been a slowdown in ransomware attacks as cybercriminals are increasingly turning to cryptocurrency...
by G Hunt |
October 26, 2018 |
Cybersecurity News, Internet Security News
This year has seen several ransomware attacks on cities and municipal targets, clearly demonstrating that the threat from ransomware has not abated, despite several analyses from cybersecurity firms that suggest hackers are moving away from ransomware and concentrating on cryptomining malware attacks. Cryptocurrency miners have certainly become more popular and their use has increased substantially in recent months, but there is still a significant threat from ransomware. Ransomware development may have slowed, but ransomware attacks on cities and other high value targets have not. In fact, October has seen two new ransomware attacks on cities in the United States, along with several attacks on municipal targets in the past few months. It is clear that the threat is not going away any time soon.
$2,000 Ransom Paid to Resolve City of West Haven Ransomware Attack
The city of West Haven ransomware attack started on the morning of October 16, 2018, and by the time the attack had been contained, 23 servers had been encrypted and taken out of action. Prompt action limited the scope of the attack, although it did cause major disruption as computers on the affected network had to all be shut down. The attack affected a critical system, and after an assessment of the situation, the decision was taken to pay the ransom. Considering the number of servers affected, the ransom demand was relatively low. The city paid $2,000 in Bitcoin for the keys to decrypt its files. Art House, Connecticut’s chief of cybersecurity, explained that this was one of several targeted ransomware attacks on cities and municipal services in the state in recent weeks. In February, around 160 computers were affected by ransomware in more than a dozen agencies in the state according to the Department of Administrative Services, and a month later the state’s Judicial Branch was attacked and had more than 100 servers encrypted.
City of Muscatine Ransomware Attack
The West Haven ransomware attack was shortly followed by a ransomware attack on the city of Muscatine in Ohio, which saw files on several government servers encrypted. The attack is understood to have started on October 17 and caused...
by G Hunt |
October 17, 2018 |
Cybersecurity News, Internet Security News
TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs), recently partnered with Datto Networking, the leading provider of IT solutions to SMBs delivered through MSPs. Datto Networking has now incorporated TitanHQ’s advanced web filtering technology into the Datto Networking Appliance to provide superior protection to users on the network. Datto and TitanHQ will be hosting a webinar on October 18, 2018 to explain how the new technology provides enhanced protection from web-based threats, and how MSPs can easily deliver content filtering to their customers. During the webinar, MSPs will find out about the enhanced functionality of the Datto Networking Appliance.
Webinar: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST
Speakers:
John Tippett, VP, Datto Networking
Andy Katz, Network Solutions Engineer
Rocco Donnino, EVP of Strategic Alliances, TitanHQ
by G Hunt |
October 8, 2018 |
Cybersecurity News, Internet Security News
The CloudFlare IPFS gateway has only recently been launched, but it is already being used by phishers to host malicious content. CloudFlare IPFS gateway phishing attacks are likely to have a high success rate, as some of the checks performed by end users to confirm the legitimacy of domains will not raise red flags. The IPFS gateway is a P2P system that allows files to be shared easily throughout an organization and accessed through a web browser. Content is distributed to different nodes throughout the networked systems. The system can be used for creating distributed websites, and CloudFlare has made this process easier by offering free SSL certificates and allowing domains to be easily connected to IPFS. If phishers host their phishing forms on CloudFlare IPFS, they benefit from CloudFlare’s SSL certificate. Since the phishing page will start with cloudflare-ipfs.com, this adds legitimacy. The CloudFlare-owned domain is more likely to be trusted than domains owned by phishers. When CloudFlare IPFS Gateway phishing forms are encountered, visitors will be advised that the webpage is secure, the site starts with HTTPS, and a green padlock will be displayed. If the visitor takes the time to check certificate information of the web page, they will find it has been issued to CloudFlare-IPFS.com by CloudFlare Inc., and the certificate is valid. The browser will not display any warning and CloudFlare IPFS Gateway phishing content will therefore seem legitimate. At least one threat actor is using the CloudFlare IPFS Gateway for phishing and is hosting forms that claim to be standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with appropriate logos. If a visitor completes the form information, their credentials will be forwarded to the operator of a known phishing domain – searchurl.bid – and the user will be shown a document about business models, strategy and innovation. This may also not raise a red flag.
The CloudFlare IPFS Gateway phishing strategy is similar to that used on Azure Blob storage, which also takes advantage of legitimate SSL certificates. In that case the certificate is issued by Microsoft. It...
by G Hunt |
October 3, 2018 |
Cybersecurity News
A suspected Ryuk ransomware attack on Recipe Unlimited, a network of some 1,400 restaurants in Canada and North America, has forced the chain to shut down computers and temporarily close the doors of some of its restaurants while IT teams deal with the attack. Recipe Unlimited, formerly known as Cara Operations, operates pubs and restaurants under many names, including Harvey’s, Swiss Chalet, Kelseys, Milestones, Montana’s, East Side Mario’s, Bier Markt, Prime Pubs, and the Landing Group of Restaurants. All of the above pub and restaurant brands have been affected by the Recipe Unlimited ransomware attack. While only a small number of restaurants were forced to close, the IT outage caused widespread problems, preventing the restaurants that remained open from taking card payments from customers and using register systems to process orders. While it was initially unclear what caused the outage, a ransomware attack on Recipe Unlimited was later confirmed. An employee of one of the affected restaurants provided CBC News with a copy of the ransom note that had appeared on the desktop of one of the affected computers. The ransom note is the same as that used by the threat actors behind Ryuk ransomware. They claim files were encrypted with “military algorithms” which cannot be decrypted without a key that is only held by them. While it is unclear exactly how much the attackers demanded in payment to decrypt files, they did threaten to increase the cost by 0.5 BTC (Approx. $4,000 CAD) per day until contact was made. The Recipe Unlimited ransomware attack is understood to have occurred on September 28. Some restaurants remained closed on October 1. The ransomware attack on Recipe Unlimited is just one of many such attacks involving Ryuk ransomware. The attackers are understood to have collected more than $640,000 in ransom payments from businesses who have had no alternative other than to pay for the keys to unlock their files.
The ransomware attack on Recipe Unlimited did not increase that total, as Recipe Unlimited conducted regular backups and expects to be able to restore all systems and data, although naturally that will take some time. Ransomware attacks on restaurants,...
by G Hunt |
September 20, 2018 |
Cybersecurity News, Internet Security News
Recent research has shown that the United States is the main distributor of exploit kits and hosts the most malicious domains, and that cyberattacks on websites have increased sharply.
United States Hosts the Most Malicious Domains and Exploit Kits
The United States hosts the most malicious domains and is the number one source for exploit kits, according to new research conducted by Palo Alto Networks. Further, the number of malicious domains increased between Q1 and Q2 in the United States. In all countries, apart from the Netherlands, the number of malicious domains remained constant or declined. Exploit activity is only at a fraction of the level of 2016, although the web-based kits still pose a major threat to businesses with poor patching processes and a lack of protections against web-based attacks. Three exploit kits have been extensively used throughout Q1 and Q2, 2018: Sundown, Rig, and KaiXin. The United States is the number one source for the Sundown and Rig EKs and is number two behind China for the KaiXin exploit kit. Further, a new exploit kit was detected in Q2: Grandsoft. The United States is also the number one source for this new exploit kit. More than twice as many exploit kits are hosted in the United States as in Russia, which is in second place. 495 malicious URLs were detected in the United States compared to 147 in Russia. 296 malicious URLs hosting exploit kits were detected in the United States, with Russia in second place with 139. The Microsoft VBScript vulnerability, CVE-2018-8174, is being extensively exploited via these exploit kits. Microsoft released a patch in May 2018 to fix the flaw, but many companies have yet to install the update and are vulnerable to attack. Exploit kits are still using old vulnerabilities to install their malicious payloads.
According to Palo Alto Networks’ Unit 42, two vulnerabilities are extensively used – the IE7 vulnerability – CVE-2009-0075 – and the Internet Explorer 5 vulnerability – CVE-2008-4844 – even though patches were released to fix the flaws more than 9 years ago. The Jscript vulnerability in Internet Explorer 9 through 11 – CVE-2016-0189 – and the OleAut32.dll...
by G Hunt |
August 27, 2018 |
Cybersecurity Advice, Cybersecurity News
Princess Locker ransomware has now morphed into Princess Evolution ransomware. The latest variant is one of several cryptoransomware threats that maximize the number of infections by using an affiliate distribution model – termed Ransomware-as-a-Service or RaaS. RaaS sees affiliates given a percentage of the ransom payments they generate, while the author of the ransomware also takes a cut of the profits. Under this business model, the author can generate a much higher number of infections, which means more ransom payments. The affiliates get to conduct ransomware campaigns without having to develop their own ransomware and the author can concentrate on providing support and developing the ransomware further. For Princess Evolution ransomware, the split is 60/40 in favor of the affiliate. The RaaS is being promoted on underground web forums to prospective affiliates. Ransomware attacks involving RaaS use a variety of methods to distribute the malicious payload as multiple actors conduct campaigns. Spam email is usually the main delivery mechanism for RaaS affiliates as it is easy to purchase large quantities of email addresses on darkweb sites to conduct campaigns. Brute force attacks are also commonly conducted. Princess Evolution ransomware has also been loaded into the RIG exploit kit and is being distributed via web-based attacks. These web-based attacks take advantage of vulnerabilities in browsers and browser plug-ins. Exploits for these vulnerabilities are loaded into the kit which is installed on attacker-controlled web domains. Often legitimate sites are compromised and have the exploit kit loaded without the knowledge of the site owner. Traffic is generated to the websites through search engine poisoning, malvertising, and spam emails containing hyperlinks to the websites. If a user visits the website and has an exploitable vulnerability, the Princess Evolution ransomware will be silently downloaded.
At this stage, there is no free decryptor for Princess Evolution ransomware. If this ransomware variant is downloaded and succeeds in encrypting files, recovery is only possible by paying the ransom for the keys to unlock the encryption or rebuilding...
by G Hunt |
August 15, 2018 |
Cybersecurity News, Internet Security News
There has been a marked rise in HTTPS phishing website detections, phishing attacks are increasing, and the threat of phishing attacks is greater than ever before. Phishing is the biggest cyber threat that businesses must now deal with. It is the easiest way for cybercriminals to gain access to email accounts for business email compromise scams, steal credentials, and install malware.
The Threat from Phishing is Getting Worse
The Anti-Phishing Working Group – an international coalition of government agencies, law enforcement, trade associations, and security companies – recently published its phishing trends activity report for Q1, 2018. The report shows that the threat from phishing is greater than ever, with more phishing websites detected in March 2018 than at any point in the past year. In the first half of 2017, there was an average of 48,516 phishing websites detected each month. The figure rose to 79,464 phishing websites detected on average per month in the second half of the year. In the first quarter of 2018, there was an average of 87,568 phishing websites detected, with detections peaking in March when more than 115,000 phishing sites were identified. The number of unique phishing reports received in Q1, 2018 (262,704) was 12.45% higher than in the final quarter of 2017.
Healthcare Industry Heavily Targeted
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health insurers, healthcare clearinghouses and business associates of HIPAA-covered entities to report breaches of protected health information within 60 days of the discovery of the breach. The main enforcer of HIPAA compliance, the Department of Health and Human Services’ Office for Civil Rights (OCR), publishes summaries of those breach reports. Those summaries show just how serious the threat from phishing is.
HIPAA-covered entities and business associates have reported 45 email hacking incidents in 2018 – 21.68% of all breaches reported.
Phishers Make the Move to HTTPS
PhishLabs, an anti-phishing vendor that provides a security awareness training and phishing simulation platform, has been tracking HTTPS...
by G Hunt |
July 30, 2018 |
Cybersecurity News, Internet Security News
Exploit kit activity may not be at the level it once was, but the threat has not gone away. Rig exploit kit activity has increased steadily in 2018 and now a new exploit kit has been detected. The exploit kit has been named Underminer by Trend Micro researchers, who detected it in July 2018. The Underminer exploit kit is being used to spread bootkits which deliver coinminer malware. The EK is primarily being used in attacks in Japan, although other East Asian countries have also seen attacks with activity now spreading beyond this region. The Underminer exploit kit was also detected by Malwarebytes researchers who note that the exploitation framework was first identified by the Chinese cybersecurity firm Qihoo360 in late 2017, when it was being used to deliver adware. Now the exploit kit is being used to deliver Hidden Bee (Hidden Mellifera) cryptocurrency mining malware. Trend Micro notes that evidence has been uncovered that strongly suggests the exploit kit was developed by the developers of Hidden Mellifera coinminer malware. The exploit kit uses complex methods to deliver the payload with different methods used for different exploits. The developers have also incorporated several controls to hide malicious activity including the obfuscation of exploits and landing pages and the use of encryption to package exploits on-the-fly. The EK profiles the user via a user-agent to determine if the user is of interest. If not, the user will be directed to an HTTP 404 error page. If a user is of interest, a browser cookie will be used to identify that user to ensure that the payload will only be delivered once, preventing reinfection and hampering efforts by researchers to reproduce an attack. URLs used in the attacks are also randomized to prevent detection by standard AV solutions. The coinminer is delivered via a bootkit which is downloaded through encrypted TCP tunnels.
The Underminer exploit kit contains a limited number of exploits: the Adobe Flash Player exploit CVE-2018-4878, the use-after-free Adobe Flash Player vulnerability CVE-2015-5119, and the Internet Explorer memory corruption vulnerability CVE-2016-0189. Patches for all of the vulnerabilities were...
by G Hunt |
June 27, 2018 |
Cybersecurity Advice, Cybersecurity News
The biggest cybersecurity risk for businesses in the United States is employee negligence, according to a recent Shred-It survey of 1,000 small business owners and C-suite executives. The findings of the survey, detailed in its North America State of the Industry Report, show the biggest cybersecurity risk for businesses is human error such as the accidental loss of data or devices containing sensitive company information. 84% of C-Suite executives and 51% of small business owners said employee negligence was the biggest cybersecurity risk for their business. 42% of small business owners and 47% of C-suite executives said employee negligence was the leading cause of cybersecurity breaches.
Employees are the Biggest Cybersecurity Risk for Businesses in the United States
Employees often cut corners in order to get more done in their working day and take considerable security risks. Even though laptop computers can contain highly sensitive information and allow an unauthorized individual to gain access to a work network, around a quarter of U.S. employees leave their computer unlocked and unattended. Documents containing sensitive information are often left unattended in full view of individuals who are not authorized to view the information. The risks taken by employees are greater when working remotely, such as in coffee shops or at home. 86% of executives and SBOs said remote workers were much more likely to cause data breaches. 88% of C-suite executives and 48% of small business owners said they have implemented flexible working models that allow their employees to spend at least some of the week working off site. A survey conducted on behalf of the Switzerland-based serviced office provider IWG suggests that globally, 70% of workers spend at least one day a week working remotely, while 53% work remotely for at least half of the week.
Adoption of these flexible working practices is increasing, although cybersecurity policies are not being implemented that specifically cover remote workers. Even though a high percentage of workers are spending at least some of the week working remotely, the Shred-It survey shows that more than half of SMBs do not have policies...
by G Hunt |
May 31, 2018 |
Cybersecurity News, Internet Security News
The RIG exploit kit, used on compromised and malicious websites to silently download malware, has been upgraded with a new exploit. Windows Double Kill exploit code has been added to exploit the CVE-2018-8174 vulnerability – a remote code execution vulnerability that was addressed by Microsoft on May 2018 Patch Tuesday. To protect against exploitation of this vulnerability, Windows users should ensure they have applied the latest round of patches, although many businesses have been slow to update their Windows devices, leaving them vulnerable to attack. The vulnerability is in the VBScript engine and how it handles objects in memory. If the vulnerability is exploited, attackers would gain the same level of privileges as the current user, could reallocate memory, gain read/write access, and potentially remotely execute code on a vulnerable device. The vulnerability has been named ‘Double Kill’ and affects all Windows versions. The Windows Double Kill vulnerability was being actively exploited in the wild when Microsoft released the update on Patch Tuesday. Initially, exploitation of the vulnerability was achieved through phishing campaigns using RTF documents containing a malicious OLE object. If activated, an HTML page was downloaded and rendered through an Internet Explorer library and the VBScript flaw was exploited to download a malicious payload. The attack could also be conducted via a malicious website. In the case of the latter, it does not matter what browser the user has set as default – on unpatched systems the IE exploit could still work. The Windows Double Kill exploit code was posted online this week and it didn’t take long for it to be incorporated into the RIG exploit kit. End users could be directed to the RIG exploit kit through phishing campaigns, malvertising, web redirects, or potentially could visit malicious sites through general web browsing.
In addition to the Windows Double Kill exploit, the RIG exploit kit contains many other exploits for a wide range of vulnerabilities. Any individual that lands on a URL with the kit installed could be vulnerable even if the latest Windows patch has already been applied. The threat from...
by G Hunt |
April 20, 2018 |
Cybersecurity News, Internet Security News
There have been significant developments relating to exploit kits in the past few days. The threat actors behind the Magnitude exploit kit have now changed their malicious payload, and the EITest malware distribution network that directed traffic to exploit kits has finally been sinkholed.
Magnitude Exploit Kit Switches to GandCrab Ransomware Delivery
Exploit kit activity is at a fraction of the level of 2015 and 2016, and in 2017 there was a 62% reduction in the development of exploit kits according to research from Recorded Future. However, exploit kit activity has not fallen to zero and the malicious code is still widely used to deliver malware and ransomware, underscoring the continued need for technologies to block these attacks such as web filtering solutions and the continued need to keep on top of patching. Exploit kits often leverage vulnerabilities in Java and Adobe Flash, although more recently it has been Microsoft vulnerabilities that have been exploited due to the fall in Java vulnerabilities and the phasing out of Adobe Flash. One exploit kit that is still being used in extensive attacks, albeit attacks that are highly geographically targeted, is the Magnitude exploit kit. For the past seven months, the Magnitude exploit kit has been delivering the Magniber ransomware payload almost exclusively in South Korea. However, there has been a notable change in the past few days with it also being used to distribute GandCrab ransomware, with the latter not restricted geographically and capable of infecting English language Windows devices. While early variants of GandCrab ransomware were cracked and free recovery of files was possible, there is no known decryptor for the current version of GandCrab ransomware being distributed via Magnitude. While Adobe Flash and Microsoft exploits were commonly used, Magnitude is now using a fileless technique to load the ransomware. This technique makes it much harder to detect.
According to Malwarebytes, “The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriptlet that is later decoded in memory and executed.” Once run, the payload is injected into explorer.exe, files are encrypted, and...
by G Hunt |
March 20, 2018 |
Cybersecurity News, Internet Security News
Web-based malware attacks via exploit kits were commonplace in 2016, although in 2017 this mode of attack fell out of favor with cybercriminals, who concentrated on spam email to deliver their malicious payloads. Exploit kit activity is now at a fraction of the level of 2016, although 2017 did see an increase in activity using the Rig and Terror exploit kits. Now, a recent discovery by Proofpoint could see exploit kit activity start to increase once again. A new traffic distribution system is being offered on darknet marketplaces that helps cybercriminals direct users to sites hosting exploit kits and conduct web-based malware attacks. Traffic distribution systems – also known as TDS – buy and sell web traffic and are used to direct web users from one website to another. When a user clicks on a link that is part of a TDS system, they are directed to a website without their knowledge – a website that could host an exploit kit and trigger a malware download. The new TDS – known as BlackTDS – requires threat actors to direct traffic to the service, which then filters that traffic and directs individuals to exploit kits based on their profile data. The service maximizes the probability of the exploit kit being able to download malware onto their device. The service can also be used to determine which malware will be downloaded, based on the profile of the user. Threat actors that sign up to use the service can inexpensively select the exploit kits and malware they want installed with all aspects of the malware distribution service handled by the developers of BlackTDS. The developers also claim their cloud-based TDS includes fresh HTTPS domains that have not been blacklisted and that it is difficult for their cloudTDS to be detected by security researchers and sandboxes. Using spam campaigns and malvertising, threat actors can direct traffic to BlackTDS with all aspects of drive-by downloads handled by the developers. 
Campaigns being run using BlackTDS have been directing users to the RIG-v, Sundown, and Blackhole exploit kits which are used to download a wide range of keyloggers, ransomware, and other malware variants. The provision of this malicious service...
by G Hunt |
February 5, 2018 |
Cybersecurity News, Email Archiving
Today has seen the announcement of a new partnership between TitanHQ – the leading provider of email and web filtering solutions for MSPs – and the international consulting, coaching, and peer group organization HTG. The announcement was made at the Q1 HTG Peer Groups meeting at the Pointe Hilton Squaw Peak Resort, Phoenix, Arizona. The partnership sees TitanHQ’s web filtering solution – WebTitan; its cloud-based anti-spam service – SpamTitan; and its email archiving solution – ArcTitan made immediately available to the HTG community. TitanHQ has developed innovative cybersecurity solutions specifically for managed service providers to help them provide even greater protection to their clients from the ever-increasing volume of email and Internet-based threats. The multiple award-winning solutions have now been adopted by more than 7,500 businesses and 1,500 MSPs, helping to protect them from malware, ransomware, viruses, phishing, botnets, and other cyber threats. HTG is a leading peer group association that was recently acquired by the global technology giant ConnectWise. HTG helps businesses plan and execute strategies to drive forward growth and increase profits. Its consultants and facilitators share wisdom, provide accountability, and build meaningful relationships with businesses to help them succeed in today’s highly competitive marketplace. The new partnership will see TitanHQ join HTG Peer Groups as a Gold vendor, making the firm’s MSP-friendly cybersecurity solutions immediately available to the HTG community. “We’re delighted to welcome TitanHQ on board for 2018. As soon as the initial discussion started we knew they would make a great match for our community, as web security is a key area for our members in 2018,” said HTG Peer Groups founder, Arlin Sorensen. 
HTG Peer Groups Founder Arlin Sorensen (Left); TitanHQ CEO Conor Madden (Right)
“WebTitan web filter was built by MSPs for MSPs and this exciting relationship with HTG Peer Groups is a continuation of that process. It allows us to listen to the opportunities and difficulties faced by MSP senior executives while also allowing us to share how we became a successful web...
by G Hunt |
January 24, 2018 |
Cybersecurity News, Internet Security News
According to Kaspersky Lab, one of the most dangerous threats to mobile users is Skygofree malware – a recently discovered Android malware threat that has been described as the most powerful Android malware variant ever seen. Skygofree malware has only recently been detected, but it is the product of some serious development. Kaspersky Lab believes it has been in development for more than three years. The result is a particularly nasty threat that all users of Android devices should take care to avoid. Once it is installed on a device, it has access to a considerable amount of data. It also has some rather impressive capabilities, being capable of 48 different commands. Among its arsenal is the ability to take control of the camera and snap pictures and take videos without the knowledge of the user. It has access to geolocation data so is capable of tracking your every move: where you go, as well as where you have been. Skygofree malware will steal call records and discover who you have spoken to and when and will read your text messages. The malware can also record conversations and background noise, both for telephone calls and when the user enters a specific location – based on geolocation data – that has been set by the attacker. Whenever you are in range of a WiFi network that is controlled by the attacker, the device will automatically connect, even if WiFi is turned off. It also has access to all information in the phone’s memory, can check your calendar to tell what you have planned, and intercept WiFi traffic. You also cannot privately communicate using WhatsApp with Skygofree malware installed. It abuses the Android Accessibility Service and can view your messages. Skype conversations are similarly not secure. As if that was not enough, the malware also serves as a keylogger, recording all data entered on the device. With such an extensive range of functions, this powerful new malware variant is clearly not the work of an amateur.
It is believed to be the product of an Italian intercept and surveillance company called Negg, which is known to work with law enforcement agencies. Kaspersky Lab researcher Alexey Firsh said, “Given the...
by G Hunt |
December 20, 2017 |
Cybersecurity Advice, Cybersecurity News
Loapi malware is a new Android malware variant that is capable of causing permanent damage to Android smartphones. The new malware variant was recently discovered by researchers at Kaspersky Lab. In contrast to many new malware variants that operate silently and remain on the device indefinitely, Loapi malware infections can be short-lived. Kaspersky performed a test on an Android phone and discovered that within two days the phone had been destroyed. The aim of the malware is not sabotage. Destruction of the device is just collateral damage that results from the intense activity of the malware. Loapi malware performs a wide range of malicious functions simultaneously, including some processor-intensive activities that cause the device to overheat, causing irreparable damage. In the test, over the two days, the constant activity caused the device to overheat and the battery to bulge, deforming the device and its cover. The researchers said Loapi malware is like no other malware variant they have seen, and the researchers have seen plenty. Loapi malware was called a ‘jack of all trades’ due to its extensive capabilities. The malware is used to mine the cryptocurrency Monero, a processor-intensive process. The malware uses processing power of infected devices to create new coins. While the mining process is less intensive than for Bitcoin, it still takes its toll. Additionally, the malware allows infected devices to be used in DDoS attacks, making constant visits to websites to take down online services. The malware is used to spam advertisements, and bombards the user with banners and videos. The malware will silently subscribe to online services, and if they require text message confirmation, that is also handled by the malware. The malware gains access to SMS messages and can send text messages to any number, including premium services. Text messages are used to communicate with its C2 server. 
Messages are subsequently deleted by the malware to prevent detection by the user, along with any text message confirmations of subscriptions to online services. Kaspersky Lab researchers note that the malware attempted to access more than 28,000 URLs in the two days...
by G Hunt |
November 30, 2017 |
Cybersecurity News, Internet Security News
Kaspersky Lab has named ransomware as one of the key threats of 2017, and one that continues to plague businesses the world over. Ransomware attacks in 2017 are down year on year, but ransomware attacks on businesses are up. Ransomware attacks in 2016 were bad, but this year there have been three major attacks that have gone global – WannaCry in May, NotPetya in June, and most recently, the Bad Rabbit attacks in October. Many of the ransomware attacks in 2017 have been far more sophisticated than in 2015 and 2016, while attackers are now using a wider variety of tactics to install the malicious code. At the start of 2016, ransomware was primarily being installed using exploit kits, before attackers switched to spam email as the main method of delivery. Spam email remains one of the most common ways for ransomware to be installed, although each of the above three attacks used exploits for unpatched vulnerabilities. Those exploits, all of which had been developed and used by the NSA, had been leaked online by the hacking group Shadow Brokers. While not as severe as WannaCry, NotPetya and BadRabbit, exploits were also used by AES-NI and Uiwix ransomware variants. Threat actors are also using remote desktop protocol to gain access to systems to install ransomware, while the use of exploit kits is once again on the rise. There has been a noticeable change in targets since 2015 when ransomware started to be favored by cybercriminals. Consumers were the main targets, although cybercriminals soon realized there was more to be made from attacking businesses. In 2016, 22.6% of ransomware attacks were on business users. The Kaspersky Lab report shows that ransomware attacks on businesses are becoming far more common, accounting for 26.2% of all attacks in 2017. Out of the businesses that experienced a ransomware attack in 2017, 65% said they lost access to a significant amount of data, and in some cases, all of their data. 
Some businesses have prepared for the worst and have developed ransomware response plans and now have multiple copies of backups, with at least one copy on an unnetworked device. In the event of an attack, data can be recovered. Others have not been so...
by G Hunt |
November 17, 2017 |
Cybersecurity Advice, Cybersecurity News
A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via remote desktop protocol brute force attacks. The LockCrypt ransomware attacks were first detected in June this year, but over the past few months the number of attacks has increased significantly, with October seeing the highest number of attacks so far this year. LockCrypt ransomware is a relatively new malware variant, having first been seen in June 2017. Once infected, users will be unable to access their files. This ransomware variant uses RSA-2048 and AES-256 cryptography, which makes it virtually impossible to recover files without paying the ransom demand if a viable backup does not exist. To make recovery more difficult, LockCrypt ransomware also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension. The ransom payment for this campaign is considerable – typically between 0.5 and 1 Bitcoin per encrypted server. That’s between $3,963 and $7,925 per compromised server; however, since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed, it can be used to access multiple servers and deploy LockCrypt ransomware. One of the Bitcoin addresses used by the attackers shows one company paid a ransom of $19,000 to recover files on three of its servers. Once access to a server is gained, ransomware is deployed; however, the attackers are manually interacting with compromised servers. AlienVault security researcher, Chris Doman, reported that for one company, in addition to deploying ransomware, the attackers “manually killed business critical processes for maximum damage.” All non-core processes on an infected server are killed. 
The attacks do not appear to be targeted; instead, they are randomly conducted on business servers. Businesses that are most likely to have ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password,...
by G Hunt |
October 24, 2017 |
Cybersecurity News, Internet Security News
The Magnitude exploit kit is being used to deliver a new malware variant – Magniber ransomware. While the Magnitude EK has been used in attacks throughout the Asia Pacific region, the latest attacks are solely taking place in South Korea. Ransomware and malware attacks in Europe and the Americas are primarily conducted via spam email. Exploit kits have fallen out of favor with cybercriminals over the past year. However, that is not the case in the Asia Pacific region, where exploit kit attacks are still common. An exploit kit is a website toolkit that scans visitors’ browsers for exploitable vulnerabilities. When a vulnerability is identified, it is exploited to download malware onto the user’s system. The download occurs silently and in the case of a ransomware attack, the user is only likely to discover the attack when their files have been encrypted. Magniber ransomware takes its name from the Magnitude EK and Cerber ransomware, the ransomware variant that it has replaced. At present, Magniber ransomware is solely targeting users in South Korea. If the operating system is not in Korean, the ransomware will not execute. While it is not unusual for ransomware campaigns to involve some targeting, it is rare for attacks to be targeted on a specific country. Up until recently, the Magnitude exploit kit was being used to download Cerber ransomware. FireEye reports that those attacks were concentrated in the Asia Pacific region. 53% of attacks occurred in South Korea, followed by the USA (12%), Hong Kong (10%), Taiwan (10%), Japan (9%), and Malaysia (5%). Small numbers of attacks also occurred in Singapore and the Philippines. At the end of September, Magnitude EK activity fell to zero, but on October 15, the payload was updated and attacks were solely conducted in South Korea. To avoid analysis, Magniber ransomware checks whether it is running in a virtual environment. A check is also performed to identify the system language. 
If the system language is Korean, data is encrypted with AES128 and encrypted files are given the .ihsdj extension. After encryption, the ransomware deletes itself. If the system language is not Korean, the ransomware exits. At...
by G Hunt |
October 11, 2017 |
Cybersecurity News, Internet Security News
A massive Pornhub malvertising campaign has been detected that potentially resulted in millions of malware infections in the United States, Canada, UK, Australia and beyond. Malvertising is the term given to malicious adverts that dupe website visitors into visiting websites where malware is downloaded or to sites that are used to phish for login credentials. These malverts often appear on legitimate websites, adding to their legitimacy. The malicious sites that users are directed to can download any type of malware – keyloggers, ransomware, spyware or adware. The Pornhub malvertising campaign was used to spread click fraud malware. The hacking group behind the campaign – KovCoreG – used the Kovter Trojan. The malware has persistence and will survive a reboot. Pornhub is one of the most popular adult websites, attracting millions of visitors. The website uses a third-party ad network called Traffic Junky. The attackers managed to sneak their malicious adverts past the controls the ad network has in place against malvertising. The attackers detected the browser being used and redirected users to a website tailored to their browser. The Pornhub malvertising campaign worked on users of Chrome, Internet Explorer/Edge and Firefox. The webpages had been expertly crafted to exactly match the colors and fonts of Google, Firefox, and Microsoft and included the relevant logos and branding. The malicious webpages indicated a critical security update was required to secure the user’s browser. Clicking to download the update, and running that update, would result in infection. The Pornhub malvertising campaign was detected by Proofpoint, which notified the ad network and Pornhub. Both acted quickly to remediate the threat, although not before many users had been infected with malware.
A Web Filtering Solution Can Block Malvertising Attacks
Implementing a web filtering solution in the workplace is not just about preventing your employees from wasting time on Facebook. 
A web filter is an important part of any layered cybersecurity defense strategy. The latest Pornhub malvertising campaign is a good example of how controlling the websites your employees can access can...
by G Hunt |
September 30, 2017 |
Cybersecurity News, Internet Security News
The cost of cybercrime is 23% higher than last year, according to a new study conducted by the Ponemon Institute on behalf of Accenture. The average annual cost of cybercrime is now $11.7 million per organization, having increased from $9.5 million last year. The Ponemon Institute conducted the 2017 Cost of Cybercrime study on 2,182 security and IT professionals at 254 organizations. Respondents were asked about the number of security breaches they experienced in the past 12 months, the severity of those incidents, and the cost of mitigation. The average number of security breaches experienced by each organization was 130 per year, which is more than twice the number of incidents that were being experienced 5 years ago and 27.4% more than this time last year. The costs of cybercrime were split into four areas: disruption to business processes, data loss, loss of revenue, and damage to equipment. Respondents were asked to rate each based on their cost. While the losses from disruption to the business were not insignificant, they were the least costly. The biggest cost was information loss. The costliest security incidents to resolve were malware attacks, which cost an average of $2.4 million to resolve, although the attacks were considerably more expensive to resolve in the United States where the average losses were $3.82 million per incident. In second place were web-based attacks, costing an average of $2 million globally and $3.4 million in the United States. However, in terms of the amount of disruption caused, insider incidents topped the list, taking an average of 50 days to mitigate. Ransomware attacks took an average of 23 days to resolve. The cost of cybercrime report indicates organizations in the financial services have the highest annual costs, spending an average of $18.28 million per organization. In second place was the energy sector with an average annual cost of $17.20 million. 
Organizations in the United States had the biggest annual security breach resolution costs, spending an average of $21 million each per year. Bottom of the list was Australia with average annual costs of $5 million. Organizations in the United Kingdom were spending an...
by G Hunt |
September 27, 2017 |
Cybersecurity Advice, Cybersecurity News
Email may be the primary vector used in phishing attacks, but the second quarter of 2017 has seen a massive increase in malvertising phishing attacks. Malvertising is the term given to malicious adverts, which are often displayed on high-traffic websites via third party advertising networks. These adverts are used to direct web visitors to malicious websites, oftentimes sites containing exploit kits that probe for vulnerabilities and silently download ransomware and other malware. These malware attacks increased between 2015 and 2016, with the total number of malvertising attacks rising by 136%. Demonstrating how quickly the threat landscape changes, between Q1 and Q2, 2017 there was a noticeable decline in malicious advert-related exploit kit and malware attacks. Exploit kit redirects fell by 24% and malware-related adverts fell by almost 43%, according to a recent study released by RiskIQ. However, the study shows there was a massive increase in malvertising phishing attacks with cybercriminals changing their tactics. Phishing-related ads increased by 131% in Q2, 2017, but between 2015 and 2016, malvertising phishing attacks increased by a staggering 1,978%. The websites that these adverts direct users to often promise a free gift in exchange for taking part in a survey. Genuine market research firms tend not to offer large incentives for taking part in surveys, or when they do offer an incentive, participants are entered into a draw where they stand a chance of winning a prize. When gifts are offered to all participants, it is a warning sign that all may not be as it seems. That said, many people still fall for the scams. The aim of the surveys is to obtain sensitive information such as bank account information, Social Security numbers, usernames, passwords and personal information. The information can be used for a wide range of nefarious purposes. It is not only personal information that is sought. 
Cybercriminals are keen to gain access to corporate email accounts for the data they contain and to use them to send phishing emails. When phishing attacks occur through corporate email accounts it can seriously tarnish a company’s reputation and may result in...
by G Hunt |
September 27, 2017 |
Cybersecurity Advice, Cybersecurity News
Why should businesses invest heavily in technology to detect ransomware attacks when a ransom payment may only be between $500 and $1,000? While that is what cybercriminals are charging as a ransom, the cost of a ransomware attack is far higher than any ransom payment. In fact, the ransom is often one of the lowest costs of a ransomware attack that businesses must cover. The ransom payment may seem relatively small, although the latest ransomware variants are capable of spreading laterally, infecting multiple computers, servers and encrypting network shares. The ransom payment is multiplied by the number of devices that have been infected.
The Cost of a Ransomware Attack Can Run to Millions of Dollars
When businesses suffer ransomware attacks, the attackers often set their ransoms based on the perceived ability of the organization to pay. In 2016, Hollywood Presbyterian Medical Center was forced to pay a ransom of $19,000 to unlock its infection. When the San Francisco Muni was infected, hackers demanded $50,000 for the keys to unlock its payment system. In June 2017, South Korean web host Nayana agreed to pay $1 million for the keys to unlock the encryption of its 53 Linux servers and 3,400 customer websites. These ransom payments are high, but the ransom is only one cost of a ransomware attack. The biggest cost of a ransomware attack is often the disruption to business services while files are taken out of action. Systems can be taken out of action for several days, bringing revenue generating activities to an abrupt stop. One Providence law firm experienced downtime of three months following a ransomware attack, even though the $25,000 ransom was paid. Lawyers were stopped from working, causing a loss in billings of an estimated $700,000. In heavily regulated industries, notifications must be sent to all individuals whose information has been encrypted, and credit monitoring and identity theft services often need to be provided. 
When hundreds of thousands of users’ data is encrypted, the cost of printing and mailing notifications and paying for credit monitoring services is substantial. Once an attack has been resolved, networks need to be analyzed to...
by G Hunt |
September 8, 2017 |
Cybersecurity News, Internet Privacy
A massive Equifax data breach was announced yesterday, which ranks as one of the largest data breaches of 2017. Approximately 143 million consumers have been impacted and had their sensitive data exposed and potentially stolen. A data breach at any company can cause considerable fallout, although this incident is particularly bad news for a credit reporting agency. Equifax aggregates and stores vast quantities of highly sensitive consumer data that are used by financial firms to make decisions about the creditworthiness of consumers. The data breach is sure to damage trust in the company. Ironically, Equifax offers credit monitoring and identity theft protection services to companies that experience data breaches to help them protect breach victims. Naturally, all Americans affected by the Equifax data breach will be offered those services free of charge. In fact, Equifax has gone further by agreeing to offer those services free of charge to all U.S. consumers for a period of one year, even if they were not directly affected by the breach. Chairman and Chief Executive Officer, Richard F. Smith, said “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.” The Equifax data breach may not be the largest data breach of 2017, but the nature of the data exposed makes it one of the most serious. Highly sensitive data were exposed, including personal information, Social Security numbers, birthdates, driver’s license numbers, and 209,000 consumers had their credit card numbers exposed. These are the exact types of information used by cybercriminals to commit identity theft and fraud. Dispute documents were also stored on the compromised system. Those documents contained a range of personal information of 182,000 consumers. 
The bulk of the data related to U.S. citizens, although some consumers in Canada and the United Kingdom have also been affected by the Equifax data breach. The hacker(s) responsible for the attack had access to Equifax’s systems for a considerable period of time before the breach was...
by G Hunt |
August 31, 2017 |
Cybersecurity News, Internet Security News
Earlier this year, the NeutrinoPOS banking Trojan source code was leaked, leading to several new variants of malware being created, the latest being Jimmy Nukebot. In contrast to its predecessor, which was used to steal bank card information, the latest version has lost that functionality. However, Jimmy Nukebot can perform a wide range of malicious functions, serving as a downloader for a wide range of malicious payloads. The malware also acts as a backdoor which will allow the actors behind the new malware to monitor activity on an infected device. Security researchers at Kaspersky Lab have analysed Jimmy Nukebot infections and have seen the malware download a wide range of modules including Monero cryptocurrency mining malware, web-injects similar to those used in NeutrinoPOS, and various other modules that modify the functions of the malware. The malware can take screenshots of an infected device and exfiltrate data and could download any malicious payload onto an infected device. Publication of the source code of malware results in an increase in its popularity. With the malware used in more attacks, the probability of it being detected is much higher. In order to evade detection, considerable modification to the malware is required. This could well be the reason why so many changes have been made to the latest iteration. The authors of Jimmy Nukebot took the original source code of the NeutrinoPOS banking Trojan and totally restructured the malware. The way the new malware has been constructed also makes static analysis much more complicated. The new features of the malware make it a formidable threat. Jimmy Nukebot is able to learn about the system on which it is installed and use that information for exploitation, tailoring the payload it delivers based on its environment rather than performing a pre-set malicious activity immediately upon infection. 
Since the malware passively collects information and responds accordingly, it is unlikely to trigger AV alerts and may remain undetected. Organizations that have the malware installed are therefore unlikely to be aware that their systems have been compromised. Protecting against threats such as this requires...
by G Hunt |
August 31, 2017 |
Cybersecurity News, Internet Security News
Downloading apps from non-official sources potentially places users at risk, but Google Play Store malware infected apps do exist. Google has controls in place to prevent malicious apps from being uploaded to its app store, but those controls are not always 100% effective. Choosing to download apps only from official stores is no guarantee that the apps will be free from malware. Security researchers recently discovered around 300 apps offered through the Google Play store that appear to be legitimate programs, yet are infected with malware that adds infected devices to a large botnet. The botnet was being used to launch distributed denial of service attacks (DDoS) on websites. The botnet, dubbed WireX, comprises tens of thousands of Android devices that are being used in highly damaging cyberattacks. Devices started to be infected in early July, with a steady rise in additions over the following weeks. Even though numbers of compromised devices grew steadily in July, the botnet was only discovered in early August when the WireX botnet started to be used in small scale DDoS attacks. Since then, larger attacks have taken place, mostly targeting the hospitality sector. Those attacks have clogged websites with junk traffic preventing legitimate users from accessing the sites. Some of the WireX DDoS attacks involved as many as 160,000 unique IPs. Since devices could conceivably be used to attack websites with multiple addresses, the size of the botnet has been estimated to be around 70,000 devices. The growth of the botnet was soon attributed to malicious apps, with researchers discovering around 300 Google Play Store malware infected apps. Google has now disabled those apps and is in the process of removing them from devices. The apps included video players, battery boosters, file managers and ringtones. The apps were not simply malware, as users would undoubtedly attempt to delete the apps if they failed to perform their advertised functions. 
The apps all worked and users who downloaded the apps were unaware that their devices were being used for malicious purposes. The malware used a ‘headless browser’ which was able to perform the functions of a standard...
by G Hunt |
August 24, 2017 |
Cybersecurity Advice, Cybersecurity News
The Neptune Exploit kit is being used to turn computers into cryptocurrency miners, with traffic directed to the exploit kit using a hiking-themed malvertising campaign. Exploit kit activity has fallen this year, although these web-based attacks still pose a significant threat. Exploit kits are web-based toolkits that probe browsers and plugins for vulnerabilities that can be exploited to download malware. Simply visiting a website hosting an exploit kit is all it takes for malware to be silently downloaded. Protecting against exploit kit attacks requires browsers, plugins and extensions to be kept 100% up to date. However, even updated browsers can be vulnerable. Exploit kits can also include exploits for zero-day vulnerabilities that have not yet been patched. Acceptable usage policies can help organizations to prevent exploit kit attacks, although website visitors are often redirected to malicious sites from legitimate websites. One of the main ways this happens is the use of malvertisements. Many high traffic websites include advertising blocks that display third-party adverts. The advertising networks serve adverts which are displayed on member sites, with the site owners earning money from ad impressions and click throughs. While the advertising networks have measures in place to vet advertisers, oftentimes cybercriminals succeed in submitting malicious adverts. Those adverts are then pushed out and displayed on legitimate websites. Clicking one of those malicious adverts will see the user directed to a webpage hosting the exploit kit. Exploit kits are used to download Trojans, ransomware and other malicious code, although the Neptune exploit kit is being used to download cryptocurrency miners. Infection will see computers’ processing power used to mine the Monero cryptocurrency. Infection will result in the infected computer’s resources being hogged, slowing down the performance of the machine. 
The latest Neptune exploit kit campaign uses hiking club-related adverts to drive traffic to landing pages hosting the Neptune exploit kit, which in turn uses HTML and Flash exploits to download malware. These adverts closely mimic genuine domains. FireEye reports...
by G Hunt |
August 23, 2017 |
Cybersecurity Advice, Cybersecurity News
India’s Central Board of Secondary Education is urging all CBSE affiliated schools to take action to improve safety for students, including implementing school web filtering technology to keep students safe online. The Internet is home to an extensive range of potentially harmful material that can have a major impact on young developing minds. Parents can take action to keep their children safe at home by using parental control filters. However, students must receive similar or greater levels of protection while at school. School web filtering technology can prevent students from deliberately or accidentally viewing obscene material such as pornography, child pornography or images of child abuse and other categories of potentially harmful website content. CBSE has warned school boards that when students access this material it is “detrimental to themselves, their peers and the value system.” School web filtering technology should also be implemented to prevent students from engaging in illegal activities online via school IT devices. CBSE affiliated schools have been advised to develop guidelines for safe Internet use and make this information available to students and display the rules prominently. However, without school web filtering technology, these policies would be easy to ignore. A technological solution ensures students wishing to engage in illegal activities online, or view harmful website content, will be prevented from doing so. Prevention is only one aspect of Internet control. Schools should also set up a monitoring system to discover when individuals are attempting to bypass Internet usage policies. A web filtering solution should therefore have the capability to generate reports of attempted accessing of prohibited material to allow schools to take action. 
Schools have also been advised to sensitize parents about safety norms and even go as far as suggesting disciplinary action be taken when children are discovered to have attempted to access inappropriate material. While many school systems around the world have implemented school web filtering technology, CBSE is advising affiliated schools in India to go one step further and restrict...
by G Hunt |
August 3, 2017 |
Cybersecurity News, Internet Security News
A new mobile malware threat has been discovered – Invisible Man Malware – that is being installed via fake software updates. Invisible Man malware is a keylogger that has been designed to obtain banking credentials. While the malware is not new – it has been around for four years – it is frequently updated, with a new variant discovered that takes advantage of the accessibility services on Android devices. As the name suggests, Invisible Man malware runs silently on infected devices unbeknown to the user. The malware is an overlay that sits atop of legitimate banking apps and intercepts inputs as they are entered on the device. It also allows the attackers behind the malware to intercept text messages, in particular, those used for two-factor authentication and codes sent by banks to authorize transactions. Once installed on a device it has administrator rights to all Android accessibility services, is installed as the default SMS app and has rights to send and receive SMS messages, make calls, and access contacts on the phone. It can also take screenshots and prevents itself from being uninstalled, according to Kaspersky Lab. Invisible Man malware has been developed for attacks in Australia, France, Germany, Poland, Singapore, Turkey and the UK, working as a keylogger over 63 banking apps. All data collected is immediately transferred to its C2 server. Kaspersky Lab reports that Invisible Man malware is primarily being installed on devices using fake software updates, specifically fake Flash Player updates on malicious websites via a downloaded apk file.
Beware of Fake Software Updates
The latest attacks highlight an important point. If you receive a warning on screen telling you that your software is out of date, don’t click and download the update. In this case, the user will be asked to confirm installation, and will be required to provide this app with administrator rights to accessibility services. 
Fake software updates are one of the most common methods used to distribute malware, bloatware, adware, ransomware and other nasties. Given the frequency of software updates now being released to address recently found vulnerabilities, your software may...
by G Hunt |
July 31, 2017 |
Cybersecurity News, Internet Security News
A new study has shown that cybercriminals have generated ransomware profits in excess of $25 million over the past two years, clearly demonstrating why cryptoransomware attacks have soared. There is big money to be made in this form of cyber extortion. The bad news is that with so many organizations paying to recover their files, the ransomware attacks will continue and will likely increase. Ransomware attacks are profitable because users are still failing to back up their data. Google’s figures suggest that even though the threat of data deletion or encryption is high, only 37% of computer users back up their data. That means if ransomware encrypts files, the only option to recover data is to pay the ransom demand. Figures from the FBI estimated ransomware payments to have exceeded $1 billion in 2016; however, it is difficult to accurately calculate ransomware profits since the authors go to great lengths to hide their activities. Ransomware profits are difficult to track and companies are reluctant to announce attacks and whether payment has been made. There have been two notable exceptions. The South Korean hosting company Nayana was attacked and had 153 Linux servers and 3,400 customer websites encrypted. The firm paid 1.2 billion Won – approximately $1 million – for the keys to unlock the encryption. Recently, a Canadian company has reportedly paid a ransom of $425,000 to recover its files, although the identity of the firm is still unknown. Now, a study conducted by Google, with assistance from Chainalysis, the University of California at San Diego, and New York University’s Tandon School of Engineering, has shed some light on actual ransomware profits. The study involved an analysis using blockchains and Bitcoin wallets known to have been used to collect ransomware payments. The researchers also used reports from victims and monitored network traffic generated by victims of ransomware attacks to help track where payments were sent.
The study looked at the top 34 ransomware strains and determined more than $25 million has been collected in the past two years. 95% of payments were cashed out using the Bitcoin trading platform BTC-e. Google has...
by G Hunt |
July 26, 2017 |
Cybersecurity News, Internet Security News
It has been a long time coming, and we are not quite there yet, but Adobe Flash is about to die. The long, slow, drawn-out death of Adobe Flash will continue for another three years yet, with Adobe finally confirming that it will be pulling the plug by December 31, 2020. By then, all updates for Adobe Flash will stop and we will all enter a Flash-free age. Until then, Adobe is committed to working with partners to ensure Flash remains as secure as possible and updates will continue until that time. However, Adobe is already trying to encourage businesses to start switching to other standards such as HTML5. The decision to finally put Flash out of its misery was made because other platforms and technology have “matured enough and are capable enough to provide viable alternatives to the Flash player,” according to Adobe. In 2005, Flash was on 98% of all computers, and even three years ago it was being used by 80% of desktop users on a daily basis. Today, helped in no small part by the serious security flaws in the platform and the switch to mobile devices from PCs, usage has fallen to just 14%. Google is not supporting Flash anymore and has not done so for Android since 2012. Apple has never supported the plug-in on its mobile devices and Firefox, Chrome, Edge and Safari no longer run Flash content automatically. Even Internet Explorer will disable Flash by default in 2019, ahead of its official death date the following year. Of course, just stopping updates does not mean that Flash will cease to exist. But given the rate that vulnerabilities in Flash are now being discovered, anyone still using Flash by 2020 will be wide open to attack as soon as the updates stop. However, by then there will be far fewer websites using Flash and fewer devices with the Flash plug-in installed. The Internet will most likely be a safer place without Flash, but what will happen to all the hackers who are currently developing exploits for Flash vulnerabilities?
They will not decide to retire too. Instead, they will put their efforts into something else. What that is, of course, remains to be seen. Three years may seem like an awfully long time, but there are still many...
by G Hunt |
July 26, 2017 |
Cybersecurity News, Internet Security News
Stantinko malware may only have recently been detected, but it is far from a new malware variant. It has been in use for the past five years, yet has only recently been identified. During the past five years, Stantinko malware has spread to more than 500,000 devices and has been operating silently, adding infected systems to a large botnet, with the majority of infected machines in Russia and Ukraine. The botnet has primarily been used to run a large-scale adware operation. The malware installs the browser extensions Teddy Protection and The Safe Surfing, which appear to users to be legitimate apps that block malicious URLs. These apps are legitimate if downloaded via the Chrome Web Store, but they are not if they are installed by Stantinko. The Stantinko versions contain different code that is used for click fraud and ad injection. ESET reports that additional plugins known to be installed by Stantinko malware include Brute-Force and Search Parser, which are used for Joomla/WordPress brute force attacks and to anonymously search for Joomla/WordPress sites. Remote Administrator is a fully functional back door and Facebook Bot can generate fake likes, create new accounts, or add friends on Facebook, virtually undetected. While click fraud is the primary goal of the attackers, Stantinko malware can perform a wide range of functions, since it includes a loader that enables threat actors to send any code to an infected device via their C2 server and run it. ESET researchers say the malware uses Windows services to perform backdoor activities and brute force attacks on WordPress and Joomla websites. Once access is gained, the attackers sell on the login credentials to other cybercriminal groups, according to ESET. That’s not all. ESET says Stantinko malware could be used to perform any task on an infected host. The malware and botnet have remained undetected for so long due to their ability to adapt to avoid being detected by anti-malware solutions.
The malware also uses code encryption to avoid detection. Users would be unlikely to realize that anything untoward was happening on their machine. The tasks performed by the malware involve low CPU activity...
by G Hunt |
June 29, 2017 |
Cybersecurity News, Internet Security News
The NotPetya ransomware attacks on Tuesday this week initially looked like another WannaCry-style attack. They used similar NSA exploits to spread infections, ransoms were demanded and, like WannaCry, the attacks rapidly spread around the globe. However, closer inspection of NotPetya ransomware has revealed that all may not be as it first appeared. The purpose of ransomware is to lock files with powerful encryption to prevent files from being accessed. A ransom demand is then issued. Payment of the ransom will see the keys to unlock the encryption supplied. Organizations get their files back. The attackers get a big payday. There have been many cases when ransomware has encrypted files, yet the attackers are not capable of supplying the keys. These attacks have tended to be conducted by amateurs or show the authors have been sloppy and failed to check that decryption is possible. If attackers do not make good on their promise to supply valid keys to unlock the encryption, word will soon spread on social media and security websites that paying the ransom will not enable organizations to recover their files. That means the campaign will likely not be profitable. Developing a new ransomware variant is not a quick and easy process. It does not make sense for a threat actor to go to all the trouble of developing ransomware, devising a sophisticated multi-vector campaign to spread the ransomware, but then forget about essential elements that make it possible to receive ransom payments. That is, unless the aim of the campaign is not to make money. In the case of the recent NotPetya ransomware attacks, the actors behind the campaign appear to have made some serious errors if making money was their aim. First, the ransom demand was only $300 per infected machine, which is well below the current average payment demanded by ransomware gangs. As for the errors, they were numerous. Petya ransomware, which NotPetya closely resembles, provides the victim with an installation ID.
That ID is unique to the victim. It is used to determine who has paid the ransom. In the latest attacks, the IDs consisted entirely of random characters. As Kaspersky Lab explained, that means it is...
by G Hunt |
June 9, 2017 |
Cybersecurity News, Internet Security News
Hackers have been phishing for domain credentials and using the logins to gain access to websites and create malicious subdomains – a process called domain shadowing – and using those subdomains as gates that redirect users to sites loaded with the RIG exploit kit. The RIG exploit kit probes for vulnerabilities in web browsers and exploits flaws to download malware. Those malware downloads usually occur silently without the users’ knowledge. All that is required for infection is an out of date browser or plugin and for the victim to be directed to a website hosting the exploit kit. RIG has primarily been used to download banking Trojans and Cerber ransomware. While use of the exploit kit is nowhere near the level of Angler prior to its demise, the RIG exploit kit is now the leading EK used by cybercriminals and activity has increased sharply in recent months. Cybercriminals have been generating traffic to the malicious subdomains using malvertising campaigns – malicious adverts sneaked onto third party ad networks. Those ads are then syndicated across a wide range of high traffic websites and redirect visitors to the malicious subdomains. Other techniques used to drive traffic to the sites include malicious Chrome popups and iframes inserted into compromised WordPress, Drupal and Joomla! websites. Tens of thousands of subdomains have been created on legitimate websites that have been compromised by hackers. Cybercriminals are understood to have been obtaining login credentials to websites using malware. The subdomains were mostly created on websites hosted by GoDaddy. The domain registrar has been working with RSA Security and independent security researchers to identify the compromised websites and take down the subdomains. In total, around 40,000 subdomains were taken down in May.
While this takedown is certainly good news, it is unclear how much of an effect it will have on RIG EK operations as little is known about the RIG infrastructure and the total number of websites that have had malicious subdomains added. However, RSA Security says these takedowns have resulted in “a significant loss of capabilities to RIG operations”. RSA and GoDaddy are working to...
by G Hunt |
May 24, 2017 |
Cybersecurity News, Internet Security News
The Terror exploit kit is a relative newcomer to the EK scene, yet it is evolving rapidly. Since the demise of Angler, exploit kit activity has waned. However, the threat from new exploit kits such as Terror is growing. Exploit kits probe for vulnerabilities in browsers or plugins. When an individual is directed to a website hosting an exploit kit, the EK searches for exploitable vulnerabilities. When exploitable vulnerabilities are discovered, the EK silently downloads malware or ransomware. Exploit kits can be hosted on compromised websites or sites run by the attackers. Cybercriminals use a variety of techniques to get traffic to the sites. Links can be sent via spam email or via instant messaging services and social media sites. Malicious advertisements – termed malvertising – can be hosted on third party ad networks. Those ads are then served in sidebars on any number of legitimate, high traffic websites. Web redirects are also used to divert traffic to malicious sites hosting exploit kits. If an individual with out of date plugins or an older browser version visits such a malicious site, and an exploit has been loaded to the kit for a vulnerability in the browser, a malicious payload can be silently downloaded onto the user’s device. In recent months, spam email has become the main attack vector used by cybercriminals. However, exploit kit activity appears to be increasing with the Terror exploit kit fast evolving into a significant threat. The Terror exploit kit previously used a ‘carpet-bombing’ approach, sending a wide range of exploits at the end user’s system in the hope that one would be effective. Such an approach is not particularly sophisticated. However, Terror has now been updated and attacks can be tailored based on the user’s browser environment. Exploits that have a high probability of being successful are then delivered.
The Terror exploit kit can now determine which exploits to drop based on the victim’s browser version, the plugins that have been installed, or patch level, according to the researchers who discovered the update. Protecting against exploit kits requires browsers and plugins to be kept 100% up to date and vulnerability free, which...
by G Hunt |
May 18, 2017 |
Cybersecurity News, Internet Security News
The version of WannaCry ransomware used in Friday’s attacks has been blocked, although new WannaCry ransomware variants have been detected.
U.S. Escapes WannaCry Relatively Unscathed
The total number of computers infected with WannaCry ransomware is now believed to be around 300,000, although the United States escaped relatively unscathed, according to the U.S. Department of Homeland Security (DHS). While it is still unclear exactly how many U.S. organizations have been affected, fewer than 10 organizations have reported a WannaCry ransomware attack to DHS. The ransomware attacks have now stopped, although organizations that have experienced an infection that has resulted in files being encrypted must recover those files from a backup, accept data loss, or pay the attackers for the decryption keys. The attackers have so far made around $81,000 from their ransomware campaign, according to @actual_ransom. With a ransom payment of $300 per infected device, many payments have already been made; however, given the number of devices locked by the ransomware, most victims are not paying the attackers to unlock their files. WannaCry ransomware encryptions were stopped when a security researcher (Malware Tech) from the UK discovered a kill switch while investigating the worm code. In an apparent effort to avoid running in a sandbox or virtual environment, a check was performed on a nonsense domain. If a connection to that domain was successful, the ransomware would exit. If connection to the unregistered domain failed, the ransomware would proceed and encrypt files. By registering that domain, Malware Tech stopped further encryptions.
WannaCry Victims Appear to Have Been Contacted by the Attackers
In an apparent effort to increase the profits from the campaign, the attackers have generated pop up messages on affected computers saying, “I have already sent decryption keys to many customers who had sent me the correct amounts of bitcoin, and I guarantee the decryptions for such honest customers.” While this message could indicate the attacker has access to infected computers, it is possible that the message was pre-programmed to appear. Paying ransom demands only...
by G Hunt |
May 16, 2017 |
Cybersecurity News, Internet Privacy
Browsing the Internet can result in malware and spyware downloads, and malicious software can arrive via spam email, but a fresh-out-of-the-box laptop computer should be totally malware free. But not always. A pre-installed keylogger on HP laptops has recently been identified by Swedish security firm Modzero. Potentially unwanted programs can be found on many new devices. Some serve a purpose but pose a security threat. For instance, in 2014, Lenovo laptop computers were shipped with ‘malware’ already installed that made the devices vulnerable to man-in-the-middle attacks. The program was Superfish. The pre-installed keylogger on HP laptops does not appear to be used for any malicious purposes, although there is considerable potential for the program to be abused. The spyware records all keystrokes on the laptops after a user logs in and stores that information in a local drive. In some situations, the keystrokes will be passed to an API on the laptop. The keylogger was discovered in an audio driver package – Conexant HD Audio Driver Package 1.0.0.46 and earlier versions. The offending file is MicTray64.exe, located in the C:\windows\system32 folder. Each time a user logs in, the program is scheduled to run. The file monitors all keystrokes on the device in order to monitor for special keystrokes. The program was developed by Conexant, the audio chip manufacturer. The program has been included on HP laptops since December 2015. While the software itself does not exactly pose a threat, the way the program logs the keystrokes allows the recorded keystrokes to be easily accessed. The log file created by the software is stored in the public folder (C:\users\public\MicTray.log) and can therefore be accessed by anyone. The file is overwritten each time a user logs in, but any keystrokes recorded during that session could be accessed by anyone with access to the device.
Additionally, if the registry key with the filepath is missing or corrupted, the keystrokes will be passed to a local API called OutputDebugString API. Malware installed on the device could potentially allow the log file to be copied, and along with it, all keystrokes from the session. It would also be...
by G Hunt |
May 5, 2017 |
Cybersecurity News, Internet Security News
Pew Research has recently published the results of a study that set out to test cybersecurity awareness in America and find out more about the risks individuals are unwittingly taking when venturing online. The study was conducted on 1,055 adult Americans, who were each asked 13 cybersecurity questions of varying difficulty. Questions included what HTTPS means, what two-factor authentication is, what private browsing means and the level of protection offered by insecure WiFi networks using a VPN. The study showed that cybersecurity awareness in America is poor and consumers are potentially taking major risks online. While all 13 questions should have been answered correctly by ‘security aware’ individuals, only 1% were able to answer all questions correctly. A substantial majority of adult Americans that took the questionnaire were only able to answer two of the questions correctly. The median was 5 correct answers out of 13, the mean 5.5, and only 20% of participants were able to answer more than 8 questions correctly. Three quarters of participants were able to identify the most secure password in a list and 73% of respondents were aware that the use of public WiFi networks carries a major risk and should not be used for sensitive activities such as online banking, even if the WiFi network required the use of a password. However, cybersecurity awareness was much worse for all other areas tested by the survey. Just over half of respondents were able to correctly identify what a phishing attack involved, which is a particularly worrying result considering how widespread the use of phishing is. Ransomware has been heavily reported in the press and attacks on businesses have soared, yet fewer than half of survey participants were able to correctly identify what ransomware is and only 46% knew that email was not encrypted by default.
Worryingly, only 33% of participants were aware that HTTPS meant traffic was encrypted, suggesting many are entering credit card information into unencrypted websites. Only one in ten participants were able to correctly identify multi-factor authentication, with 71% thinking CAPTCHA was a form of multi-factor authentication rather than...
by G Hunt |
April 28, 2017 |
Cybersecurity News, Internet Privacy
Security researcher Chris Vickery has discovered a Schoolzilla AWS misconfiguration that resulted in the records of 1.3 million students being accidentally left unprotected. Schoolzilla is a student warehouse platform used by K12 schools to track and analyze student data. While data on the platform were protected and access by unauthorized individuals was not possible, that was not the case for a backup file on the platform. Vickery had been conducting scans to identify unprotected Amazon Web Services installations when he noticed a number of unsecured buckets on the Tableau data visualization platform. Further investigation revealed an unprotected ‘sz tableau’ bucket named sz-backups, which was a data repository for backups of the Schoolzilla database. The Amazon S3 bucket had been accidentally configured to allow public access, leaving 1.3 million student records exposed. The records contained sensitive information such as the names and addresses of students, along with test scores, grades, birthdates and some Social Security numbers. Vickery notified Schoolzilla of the error and the company worked quickly to secure the backups. Schoolzilla has now implemented a number of additional technical safeguards to ensure all student data is protected and all affected schools have been contacted and notified of the data exposure. It is unclear exactly how many schools were affected. The Schoolzilla AWS misconfiguration shows just how easy it is for sensitive data to be exposed online. This time it was a security researcher that discovered the exposed data, but cybercriminals are also performing scans for unprotected data. In this case, Schoolzilla was able to confirm that no unauthorized individuals had accessed the file except Vickery. Other companies may not be so fortunate. Schools and other educational institutions are increasingly using AWS and other cloud storage platforms to house student data. 
Data can be securely stored in the cloud; however, human error can all too easily result in sensitive data being exposed. The incident highlights just how important it is for organizations to conduct security scans and perform penetration tests to ensure that...
by G Hunt |
April 21, 2017 |
Cybersecurity News, Internet Security News
McAfee has issued a new threat report detailing 2016 malware trends. The decline in new malware samples in the final quarter of 2016 does not suggest that 2017 will see a continued fall in new malware, but the opposite, according to McAfee Labs. 2016 malware trends follow a similar pattern to 2015. The first quarter saw large volumes of new malware discovered, followed by a steady decline over the next three quarters. The same trend was identified in 2015. Far from that decline continuing into 2017, the first quarter figures – which will not be made available until the summer – are likely to follow a similar trend and involve a massive increase in malware numbers in the first three months of 2017. Further, there has been a steady increase in the number of new malware samples detected year on year, from around 400 million per quarter in 2015 to more than 600 million per quarter in 2016. If that trend continues into 2017, this year is likely to see around 800,000 new malware samples detected each quarter on average. McAfee predicts that there will be around 17 million malware samples by the end of this year. McAfee reports that ransomware has increased steadily over the course of 2016, starting the year with around 6 million samples and finishing the year with over 9 million detected samples. However, the final quarter of 2016 saw a sharp drop in ransomware due to a decline in generic ransomware detections and a fall in the use of Locky. There have been relatively few new Mac OS malware samples detected over the past two years, although Q3, 2016 saw new Mac OS malware increase from around 10,000 to 50,000, with a massive rise to around 320,000 new samples in the final quarter of 2016. By the end of 2016, the total number of Mac OS malware samples rose to more than 450,000, from around 50,000 at the end of Q4, 2015. The increase mostly involved bundled adware.
The switch from exploit kits to email as the main attack vector is evident from the figures for new macro malware, with a sharp rise in Q2, 2016 and a continued rise in Q3. In Q1, there were around 60,000 detections; in Q3 that figure had risen to more than 200,000. The public sector was most affected by security breaches...
by G Hunt |
April 18, 2017 |
Cybersecurity Advice, Cybersecurity News
A recent insider threat intelligence report from Dtex has revealed the vast majority of firms have employees bypassing security controls put in place to limit Internet activity. Those controls may simply be policies that prohibit employees from accessing certain websites during working hours, or in some cases, Internet filtering controls such as web filtering solutions. Dtex discovered during its risk assessments on organizations that 95% of companies had employees that were using virtual private networks (VPNs) to access the Internet anonymously, with many installing the TOR browser or researching ways to bypass security controls online. The researchers discovered that in some cases, employees were going as far as installing vulnerability testing tools to bypass security controls.
Why Are Employees Bypassing Security Controls?
Employees bypassing security controls is a major problem, but why is it happening? The report indicates 60% of attacks involve insiders, with 22% of those attacks malicious in nature. During the first week of employment and the final week before an employee leaves, there is the greatest chance of data theft. 56% of organizations said they had discovered potential data theft during those two weeks. During these times there is the greatest risk of employees attempting to bypass security controls for malicious reasons. In many cases, VPNs and anonymizers are used to allow employees to access websites without being tracked. Many companies have policies in place that prohibit employees from accessing pornography in the workplace. Similar policies may cover gaming and gambling websites and other categories of website that serve no work purpose. Some employees choose to ignore those rules and use anonymizers to prevent their organization from having any visibility into their online activities. The report indicates 59% of organizations had discovered employees were accessing pornographic websites at work.
There are many reasons why companies prohibit the accessing of pornography at work. It is a drain on productivity, it can lead to the development of a hostile working environment, and from a security standpoint, it is a high-risk activity....
by G Hunt |
April 6, 2017 |
Cybersecurity Advice, Cybersecurity News
Bitdefender has developed a free Bart ransomware decryptor that allows victims to unlock their files without paying a ransom. Bart Ransomware was first detected in June 2016. The ransomware variant stood out from the many others due to its ability to encrypt files even without an Internet connection. Most ransomware variants rely on a connection to their command and control server to generate public-private key pairs; however, Bart ransomware does not. Only the decryption process requires an Internet connection to transfer the ransom payment and receive the decryption key. Bart ransomware posed a significant threat to corporate users. Command and control center communications could potentially be blocked by firewalls preventing encryption of files. However, without any C&C contact, corporate users were at risk. Bart ransomware was believed to have been developed by the gang behind Locky and the Dridex banking Trojan. Bart ransomware shared a significant portion of code with Locky, was distributed in the same manner and used a ransom message very similar to that used by Locky. As with Locky, Bart ransomware encrypted a wide range of file types. While early versions of the ransomware variant were fairly unsophisticated, later versions saw flaws corrected. Early versions of the ransomware variant blocked access to files by locking them in password-protected zip files. The initial method of locking files was ‘cracked’ by AVG, although only by guessing the password using brute force methods. In order for the brute force method to work, a copy of an encrypted file along with its unencrypted original was required. In later versions of the ransomware, the use of zip files was dropped and AVG’s decryption technique was rendered ineffective. The encryption process used in the later versions was much stronger and the ransomware had no known flaws. 
Until Bitdefender developed the latest Bart Ransomware decryptor, victims had two choices – recover encrypted files from backups or pay the attackers’ ransom demand. Fortunately, Bitdefender was able to create a Bart Ransomware decryptor from keys supplied by Romanian police which were obtained during a criminal...
by G Hunt |
March 30, 2017 |
Cybersecurity Advice, Cybersecurity News
The FBI has issued a cybersecurity warning for healthcare providers on the use of FTP servers. FTP servers should have authentication controls in place to ensure only authorized individuals can access stored data. However, when FTP servers are in anonymous mode, access can be gained with a generic username and password. In some cases, access is possible without a password. The usernames that provide access could be as simple as ‘FTP’ or ‘anonymous’ and lists of usernames can be easily found on the Internet. Cycling through a short list of possible usernames is likely to take seconds or minutes at the most and access to stored data can be gained without any hacking skills. Data stored on an anonymous FTP server could be accessed by anyone. The FBI cybersecurity warning for healthcare providers cites research conducted by the University of Michigan in 2015 that shows the scale of the problem. The study revealed there are more than one million FTP servers in use around the world that allow anonymous access. Any data stored on those servers could be freely accessed by the public. Should those FTP servers contain sensitive data such as protected health information, it could easily be stolen and used for malicious purposes. Firewalls and other perimeter defenses serve to protect networks and EHRs from cyberattacks, yet FTP servers could be a gaping hole in an organization’s defenses. Many healthcare providers use FTP servers to allow data to be easily shared with business associates and other healthcare entities. Yet, if authentication controls are not used they are a data breach waiting to happen. The FBI has warned all medical and dental organizations to ensure that no sensitive data are stored on anonymous FTP servers and advises healthcare organizations to check if their servers are running in anonymous mode. 
Smaller organizations without the resources of large healthcare systems are more likely to have overlooked this vulnerability, although checks should be performed by all healthcare organizations. The cybersecurity warning for healthcare providers explains that the risks extend beyond the theft of sensitive data. If access to the servers can be gained, FTP...
by G Hunt |
March 22, 2017 |
Cybersecurity News, Internet Security News
Educational institutions have been warned about Moodle security flaws that could allow cybercriminals to attack web servers, gain administrative privileges and run malicious code. Many educational institutions use the Moodle platform for their e-learning websites. The platform allows students to access interactive online courses. There are almost 80,000 websites that use the open source platform, many of which are operated by schools, colleges and universities. On Monday this week, security researcher Netanel Rubin discovered a vulnerability – tracked as CVE-2017-2641 – that could be exploited to run malicious PHP code on an unpatched Moodle server. He pointed out on his blog that the problem does not lie with a single critical security flaw, but a number of smaller vulnerabilities which can be exploited when combined. An attacker could exploit the Moodle security flaws and create hidden administrative accounts; however, in order to exploit the flaws, it would be necessary for the attacker to have an account on the platform. It does not matter what type of account the attacker has, provided it is not a guest account. Since more than 100 million individuals log onto the websites to access courses, obtaining a user account would not pose too much of a problem. The Moodle security flaws could be exploited by attackers to install backdoors in the system allowing persistent access to data stored on a Moodle server, and there is data aplenty. Highly sensitive information about students is stored on the system, including personal information, grades and test data. According to Rubin, the Moodle security flaws affect all versions of the platform tested, including “3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.” Rubin pointed out that such a large system – Moodle contains more than 2 million lines of PHP code – will almost inevitably have numerous vulnerabilities.
In this case, the code has been written by multiple authors which has led to logical flaws being introduced. The problem comes from having too much code, too many developers and a lack of documentation. That is a problem for any system of this size, not just...
by G Hunt |
March 15, 2017 |
Cybersecurity News, Internet Security News
2017 has already seen numerous cyberattacks on educational institutions. 2017 has started particularly badly for the education sector and there is no sign of the cyberattacks abating any time soon. But why is the education sector being so heavily targeted by hackers, cybercriminals, and scammers? It is easy to see why cyberattacks on financial institutions occur. There are substantial funds to be plundered. Cyberattacks on healthcare organizations are also common. Those organizations hold vast quantities of data; data that can be sold for big bucks on the black market and used for all manner of fraud: medical fraud, identity theft, tax fraud, and insurance fraud, for example. However, the education sector is similarly being targeted. K12 schools, colleges, and universities have all been attacked and those attacks have soared in 2017. The list of educational institutions that have reported cyberattacks in 2017 is long. Barely a day goes by without another educational institution being added to the list. Many of the cyberattacks on educational institutions are random, but it is becoming increasingly clear that the education sector is being targeted. There are many reasons why the attacks have soared in recent months. Educational institutions hold vast quantities of valuable data, they have considerable computer resources that can be used by cybercriminals, and in contrast to other industry sectors, educational institutions are not as heavily regulated when it comes to cybersecurity protections. Defenses are relatively poor and educational organizations tend to have relatively few IT staff compared to the corporate sector. In short, the potential profits from cyberattacks on educational institutions are high and attacks are relatively easy to perform. For cybercriminals that is an excellent combination.
What Data are Cybercriminals Attempting to Steal?
K12 school systems have been targeted by criminals in order to gain access to student data.
Social Security numbers of minors are extremely valuable. Dates of birth and Social Security numbers can be used for identity theft and fraud and in the case of minors, fraud is less likely to be identified quickly. Minors...
by G Hunt |
March 7, 2017 |
Cybersecurity Advice, Cybersecurity News
A new fileless malware has been detected that uses DNS to receive commands and send information to the attackers’ command and control server. The stealthy communication method together with the lack of files written to the hard drive makes this new malware threat almost impossible to spot. The attack method, termed DNSMessenger, starts with a phishing email, as is the case with many of the new malware threats now being detected. The host is infected via a malicious Word document. Opening the Word document will display a message informing the user that the document has been protected using McAfee Secure. The user is required to enable content to view the document; however, doing so will call a VBA function that defines the PowerShell command and includes the malicious code. As is the case with other forms of fileless malware, since no files are written to the hard drive during the infection process, the threat is difficult to detect. Fileless malware is nothing new; in fact, it is becoming increasingly common. What makes this threat unique is the method of communication it uses. The malware is able to receive commands via the DNS – which is usually used to look up Internet Protocol addresses associated with domain names. The malware sends and receives information using DNS TXT queries and responses. DNS TXT records are commonly used as part of the controls organizations have in place to identify phishing emails and verify the sender of a message – Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). The attackers can send commands to the malware via DNS TXT queries and the malware can send the attackers the output of the commands via the same channel. Even if an organization has blocked outbound DNS for unapproved servers, the malware will still be able to communicate with the attackers’ C2 infrastructure. While many organizations inspect the contents of web traffic, relatively few inspect the content of DNS requests.
The malware is therefore likely to operate unnoticed. Further, the Cisco Talos team that detected the malware reports that only 6/54 AV engines detected the threat, although ClamAV did identify the...
by G Hunt |
February 28, 2017 |
Cybersecurity News, Internet Privacy
Opposition to pornography filtering in libraries has seen the American Library Association placed on the National Center for Sexual Exploitation (NCOSE) naughty list. Each year, NCOSE publishes a list of the top twelve companies and organizations that it believes are either profiting from pornography or facilitating access. The aim of the list, referred to as the Dirty Dozen, is to name and shame the companies and organizations that are failing to do enough to tackle the growing problem of online pornography. Pornography is only the tip of the iceberg. Hidden underneath is a world of sexual exploitation, prostitution, and sex trafficking. NCOSE sees companies and organizations that fail to take action as being part of the problem, inadvertently – or in some cases deliberately – contributing to the considerable harm that is caused by pornography. This year’s list includes technology and telecoms companies (Amazon, Comcast, Roku), the American Library Association (ALA), and EBSCO (a provider of library resources to schools, colleges, higher education establishments and libraries). Four websites make the list (YouTube, Twitter, Snapchat, and Backpage.com), along with Cosmopolitan Magazine, HBO, and Amnesty International. The ALA is almost a permanent fixture on the NCOSE Dirty Dozen list, having been present for the past five years. It is the ALA’s opposition to the use of pornography filtering in libraries that sees it included year after year. NCOSE says “the ALA zealously encourages public libraries not to install internet filters on public access computers.” By taking such a stance, the ALA is providing patrons – including children – with the means to access sexually explicit and obscene material. ALA told CBN News that “Librarians encourage parents and children to talk with one another. Families have a right to set their own boundaries and values.
They do not have the right to impose them on others.” NCOSE doesn’t hold back, saying the ALA stance on pornography filtering in libraries “has turned the once safe community setting of the public library into a XXX space that fosters child sexual abuse, sexual assault, exhibitionism, stalking,...
by G Hunt |
February 23, 2017 |
Cybersecurity News, Internet Security News
A security researcher has discovered a new Google Chrome scam that infects victims’ computers with malware. In contrast to many malware-downloading scams, the new Google Chrome scam is highly convincing and is certain to result in many malware infections. Hackers have installed malicious JavaScript on a number of compromised WordPress websites. The JavaScript modifies the text on a compromised webpage when it is visited using the Google Chrome browser. The text on the website appears as if Google Chrome cannot read the font, with the characters on the site replaced with random fonts and symbols. A popup appears on screen informing the visitor that “the “HoeflerText” font wasn’t found” by Google Chrome. The visitor is told that the webpage they are trying to view cannot be displayed correctly as a result. Visitors are prompted to update their Chrome browser to include the new font by downloading a “Chrome Font Pack.” The Google Chrome scam is convincing. The popup uses the Chrome logo and looks official, with colors and branding that Google would use on its popup windows. The shading used for the “Update” button on the popup window is also accurately reproduced. Furthermore, HoeflerText is a real font. If the user opens a new tab on their browser and Googles the font, they will discover the font is real, making the Google Chrome scam seem entirely plausible. Clicking the update button will trigger a download of the update file – ChromeFontv7.5.1.exe – which is an executable containing the malware. While attempting to run the executable would normally result in an anti-virus warning being displayed, relatively few anti-virus products are detecting the ChromeFontv7.5.1.exe file as malicious. VirusTotal shows that just 9 out of 59 AV products identify the file as malicious. The Google Chrome scam was uncovered by NeoSmart Technologies researcher Mahmoud Al-Qudsi.
He reports that while the Google Chrome scam is highly convincing, there are two signs that the update is not real. First, regardless of the version of Chrome used, the popup says the user has Chrome version 53. The second sign of the scam is the popup says the update file is called...
by G Hunt |
February 17, 2017 |
Cybersecurity News
The hacking of WiFi networks can be highly lucrative for cybercriminals. If WiFi passwords are obtained by hackers, malware can be installed and every user who connects to that network faces a higher risk of having their device and sensitive information stolen. Strong passwords should be set on Wi-Fi networks to make it harder for cybercriminals to guess the passwords. However, an ISP in the United States recently encouraged its customers to make their Wi-Fi passwords less secure, suggesting they change them to show support for their Super Bowl team. Charter Spectrum – the second largest ISP in the United States – sent the following tweet to its customers on January 23, 2017 – “Change your WiFi password and show guests where your loyalty lies! #ThatsMyTeam”. With the Super Bowl fast approaching, the idea was for businesses to show their support for either the New England Patriots or the Atlanta Falcons. By changing their Wi-Fi passwords to GO_ATLANTA or GO_NEWENGLAND they would be telling their customers that they fully supported their local team. It is clear what the intention of the ISP was, although suggesting an easy password for a Wi-Fi network and then tweeting it to customers and followers of the #ThatsMyTeam hashtag was a monumentally bad idea. It is possible that the ISP was trying to suggest that businesses change the name of their WiFi network temporarily. That would not pose any cybersecurity risk, although that is not what the tweet said. The ISP was widely criticized for the tweet on social media sites and the tweet has since been deleted. Making a WiFi password less secure makes it easier for hackers to conduct man-in-the-middle attacks. These attacks are where an attacker intercepts and alters communications between two parties – in this case a person who connects to the WiFi network and the website with which they wish to communicate – their bank or an online store, for instance. Email conversations can also be hijacked and communications intercepted.
Hackers can eavesdrop on conversations and gather information that can be used in future spear phishing campaigns or highly sensitive login credentials to work networks or secure...
by G Hunt |
February 7, 2017 |
Cybersecurity Advice, Cybersecurity News
Following a massive increase in ransomware attacks, security experts have called for ransomware protection for universities to be augmented.
Ransomware: A Major Threat to Universities the World Over
Ransomware has become one of the biggest data security threats. The healthcare industry has been extensively targeted, as have the financial services, manufacturing, telecoms, and just about every other industry sector. Now, attacks are being conducted on higher education establishments with increased vigor. Universities are attractive targets. They store vast quantities of data. Researchers, teaching staff, and students alike need access to data on a daily basis. Without access, all work grinds to a halt. That means ransom demands are likely to be paid. Secondly, universities use thousands of computers and have tens of thousands of users. Cybersecurity defenses may be good, but with so many individuals with access to Internet-facing computers, protecting against targeted attacks on those individuals is a major challenge. Staff and students are being actively targeted as they are the weak links in the security chain. Then there is the issue of academic freedom. While many industries have implemented web filtering solutions to limit the websites that can be visited by staff and students, many universities have been reluctant to restrict Internet access. In a similar vein, university networks tend to be more open than in the business world, for example. Businesses tend to severely restrict access to networks. If an attack occurs, the damage is very limited. Open networks tend to result in huge numbers of files and devices being encrypted if an attacker breaks through the security perimeter.
Ransomware Protection for Universities Clearly Lacking
The number of university ransomware attacks that have been reported by institutions in the United States and Canada in 2016 has reached alarming levels.
Many of those universities have been forced to pay the ransom demands to restore access to files. Last year, the University of Calgary was forced to pay $16,000 to restore access after a ransomware attack. Carleton University was also attacked with ransomware, as was Los Angeles...
by G Hunt |
January 10, 2017 |
Cybersecurity News, Web Filtering
There is now a new and particularly dangerous ransomware threat to deal with. Spora ransomware could well be the new Locky. Locky and Samas ransomware have proved to be major headaches for IT departments. Both forms of ransomware have a host of innovative features designed to avoid detection, increase infections, and inflict maximum damage, leaving businesses with little alternative but to pay the ransom demand. However, there is now a new ransomware threat to deal with, and it could well be even bigger than Locky and Samas. Fortunately, the ransomware authors only appear to be targeting Russian users, but that is likely to change. While a Russian version has been used in attacks so far, an English language version has now been developed. Spora ransomware attacks will soon be a global problem. A considerable amount of time and effort has gone into producing this particularly dangerous new ransomware variant and a decryptor is unlikely to be developed due to the way that the ransomware encrypts data. In contrast to many new ransomware threats that rely on a Command and Control server to receive instructions, Spora ransomware is capable of encrypting files even if the user is offline. Shutting down Internet access will not prevent an infection. It is also not possible to block access to the C&C server to stop infection. Ransomware variants have previously been developed that can encrypt without C&C communication, although unique decryption keys are not required. That means one key will unlock all infections. Spora ransomware on the other hand requires all victims to use a unique key to unlock the encryption. A hard-coded RSA public key is used to generate a unique AES key for every user. That process occurs locally. The AES key is then used to encrypt the private key from a public/private RSA key pair generated for each victim, without C&C communications. The RSA key also encrypts the unique AES keys for each user.
Without the key supplied by the attackers, it will not be possible to unlock the encryption. This complex encryption process is only part of what makes Spora ransomware unique. In contrast to many other ransomware variants, the attackers...
by G Hunt |
November 24, 2016 |
Cybersecurity News, Internet Security News
In the past few days, Facebook Messenger Locky ransomware attacks have been discovered, exploit activity has increased, and malicious spam email volume has increased. Organizations now need to defend against a wide range of attack vectors.
2016 – The Year of Ransomware
2016 has seen an explosion in the use of ransomware by cybercriminals and there is no sign of that changing in the near future. More than 200 ransomware families have now been identified, one of the most dangerous being Locky. Locky ransomware was first discovered in February this year, but it has fast become one of the most prolific ransomware variants and has infected thousands of computers. No organization is immune to attack, although the gang behind the infections have been extensively targeting healthcare organizations. A number of U.S. healthcare providers have been forced to pay a ransom demand to recover their data. Rather than cybercriminals having to break through company defenses to gain access to data, then exfiltrate files, and sell those data on the black market – a process that can take weeks before payment is received – ransomware is a quick and easy revenue generator. Payments are made within a few days of infection as many companies cannot continue to function without access to their data. It is not even necessary for cybercriminals to develop their own ransomware. The malicious file-encrypting software can be ‘hired’ from the authors. By using ransomware-as-a-service, anyone with an Internet connection could run a ransomware campaign. Little skill is needed and attacks result in fast payment. It is therefore no surprise that the file-encrypting software has become so popular. Infection can occur via malicious adverts, exploit kits, or via spam email. All of those infection vectors allow the attackers to bypass traditional cybersecurity defenses such as firewalls. Some headway has been made by security researchers and decryptors have been developed for some ransomware variants.
Wildfire, Chimera, Shade, TeslaCrypt, and CoinVault have all been cracked. However, Locky has so far resisted security researchers’ efforts to crack it. The authors of the crypto-ransomware are...
by G Hunt |
September 30, 2016 |
Cybersecurity News, Web Filtering
The threat from malware is now greater than ever before in the history of the Internet. New malware is being developed at alarming rates, and traditional antivirus software developers are struggling to maintain pace and prevent new forms of malware from being installed on endpoints. Not only are malware developers creating ever stealthier information stealers, Trojans, and ransomware, the methods used to install the malicious software are becoming much more sophisticated. Keeping endpoints and networks free from infection is becoming far more complicated, while the cost of dealing with malware infections is increasing. Figures from the Ponemon Institute suggest the average cost of a data breach has now reached $4 million. 2015 saw some of the largest data breaches ever discovered and the situation is getting worse. The 78.8-million record attack on Anthem Inc. may have been one of the worst ever data breaches in terms of the number of individuals affected and the amount of data obtained by the attackers, but 2016 has seen even larger data breaches uncovered. The attack on LinkedIn, which was discovered in May this year, affected 117 million users. The data breach at MySpace resulted in 460 million passwords being obtained by hackers; 111 million of those records also included a username. However, even those massive data breaches were dwarfed by the discovery of the data breach at Yahoo Inc. this month. Hackers were found to have obtained the information of around 500 million individuals. Not all of those data breaches involved the use of malware, but a large percentage of smaller breaches have occurred as a result of malware infections and the threat from ransomware has grown significantly over the past few months.
Threat from Malware Greater than Ever Before
This month, a study conducted by Proofpoint has cast more light on the seriousness of the threat from malware and the extent to which organizations are being attacked. The Proofpoint 2016 Security Report shows that throughout 2015, an average of 274 new forms of previously unknown malware were discovered every minute. 971 forms of unknown malware hit...
by G Hunt |
July 15, 2016 |
Cybersecurity News, Web Filtering
New Locky ransomware variants are frequently developed to keep security researchers on their toes. The malicious ransomware is highly sophisticated and further development allows the gang behind the crypto-ransomware to keep raking in millions of dollars in ransoms. According to security researchers at Avira, a new Locky variant has now been discovered with new capabilities that spell trouble for businesses, even those with highly advanced security systems in place. Now, even rapid detection of Locky will not prevent files from being encrypted. Even if Locky cannot contact its command and control server, it will still execute and encrypt files. Previous Locky ransomware variants would only encrypt files after C&C server contact was established. This means that if Locky is detected on a computer, shutting down the network or blocking communications will not prevent files from being encrypted. This is one of the few options open to organizations to limit the damage caused if ransomware is discovered.
New Locky Ransomware Variants Encrypt Without C&C Server Contact
Many of the latest ransomware strains use public key cryptography to lock users’ files. They will not encrypt files if systems are taken offline because they require contact with a C&C server to obtain the public-private key pairs that are used to lock files. These are only generated if a connection to the C&C is made. The private key that is used to unlock files is stored on the attacker’s server and never on the local machine that is infected. Without a connection, unique keys for each user cannot be generated. This means that even if millions of computers are locked, one key will unlock them all. By generating a unique key for each infection, a ransom must be paid for each device that is encrypted. Without this, a business would only need to pay one ransom payment to unlock all infected devices. Fortunately, that is the case with the latest Locky strain.
If no C&C contact is made, all infected devices will be locked with the same key. That means only one ransom payment may need to be paid. However, if C&C contact is established, the AES encryption key will be encrypted using...
by G Hunt |
July 8, 2016 |
Cybersecurity News, Internet Security News
If you want to keep your computers and network protected, you should ensure that browsers are patched as soon as updates are made available. However, end users may be fooled into taking action to keep their computers secure and inadvertently use fake Firefox updates.
Fake Firefox Updates Used to Install the Kovter Trojan
Fake Firefox updates are being used by the gang behind the Kovter Trojan. A new version of the fileless malware has been identified recently, and it is infecting users by posing as a fake Firefox update. The cybercriminal gang behind Kovter frequently tweaks the malware and comes up with new ways of infecting end users. Kovter is a particular worry as it can be particularly difficult to detect. Being fileless, there are no actual files to detect. The malware resides only in memory, and it uses a Windows registry component to ensure it is reloaded into memory each time a computer is rebooted. Kovter can perform a range of malicious activities, such as redirecting users to malicious websites, performing click fraud, downloading other malware, and now also encrypting files. The latest variant discovered by Check Point also has ransomware capabilities. When users visit a malicious or infected website they are presented with fake Firefox updates and are urged to download the latest version to keep their computers secure. Researchers at Barkly discovered that the gang behind the latest Kovter campaign are using a legitimate certificate to fool antivirus engines. The certificate was issued to Comodo, although it has since been revoked. Anti-virus engines are also now being updated to detect the malware and block its download.
Preventing Drive-by Malware Downloads
There are a number of steps that can be taken to prevent drive-by downloads of malware such as Kovter. Policies should be implemented that prohibit end users from performing software updates, which should be left to the IT team to handle.
Patch management policies should be developed and implemented to make sure that when software updates and patches are issued, they are installed promptly or preferably automatically. Browsers should never be updated outside the normal update process. To...
by G Hunt |
June 30, 2016 |
Cybersecurity News, Internet Security News
Mobile ransomware may not be nearly as prevalent as its PC counterpart, but attacks on mobile devices are on the rise according to a new report issued by anti-virus firm Kaspersky Lab. Kaspersky Lab assessed thwarted ransomware attacks on mobile users over a period of two years and saw that the numbers of attacks doubled, signifying a worrying new trend. Between 2014 and 2015, 2.04% of malware attacks on mobile users involved ransomware. Between 2015 and 2016, the percentage of ransomware attacks rose to 4.63%. During that period, 136,532 attacks took place. Kaspersky Lab noted that the ransomware used to infect mobile devices differs considerably from the strains used to infect PC users. While Locky, CryptXXX, and RAA are now the main threats affecting PCs, the main mobile ransomware strains currently being used are Fusob, Small, Svpeng, and Pletor. Mobile ransomware tends not to use encryption to lock files; instead, malicious software is developed that blocks users from accessing their device. Oftentimes, this is achieved with a simple HTML overlay. Encryption is more effective on PCs because many users fail to back up their data, or when they do they leave their backup devices connected. Many strains of PC ransomware are able to delete backup files or encrypt them, leaving end users with no alternative but to pay the ransom or lose their data forever. Many mobile users automatically back up their data in the cloud. If data is ever lost or encrypted, files can easily be recovered. However, overlays prevent the user from being able to access their files from the device. With mobile devices, victims cannot simply take out a hard drive, plug it into another machine and manually remove malicious files. If an infection takes place, users either have to pay the ransom or replace their device. Provided the ransom is lower, many users will end up paying. Without the need for encryption, the development of mobile ransomware is considerably cheaper.
The ransoms that can be demanded may be lower than for PC infections, but campaigns can be highly profitable for cybercriminals. Criminal gangs are also using an affiliate model to spread infections. There is usually no...
by G Hunt |
June 29, 2016 |
Cybersecurity News, Internet Security News
A new threat has recently been discovered by security researchers at PhishMe: Bart ransomware. The new ransomware variant is not as sophisticated as Locky and Samsa, but it is still highly effective and poses a risk to businesses. Should end users be fooled into opening spam emails, file recovery will only be possible via backups if the ransom demand is not paid.
Bart Ransomware Locks Files in Password-Protected ZIP Files
Bart ransomware bears a number of similarities to other ransomware variants that have been discovered in recent months. If installed on a device, media files, photos, documents, spreadsheets, databases, and a host of other files are located and encrypted. Bart ransomware also encrypts .n64 ROM files, which was previously unique to Locky ransomware. Bart is also delivered using the same Dridex botnet that was used to deliver Locky. Bart ransomware also uses a payment interface that looks very similar to Locky. However, there are notable differences to Locky and other ransomware variants. Bart demands a particularly high payment from its victims. Rather than a demand of 0.5 Bitcoin, Bart asks for 3 Bitcoin per infected machine – approximately $1988 per device. There are also notable differences in the method used to encrypt files. Bart doesn’t use public key cryptography. Files are added to zip files which are then password protected. In order to unzip files, a password must be supplied. These passwords are only supplied to the victim if the sizeable ransom is paid. Bart also does not use the typical command and control center infrastructure. Most new ransomware variants communicate with the attackers’ command and control center before files are encrypted, but that does not appear to happen with Bart.
New Ransomware Variant Delivered via Spam Emails
The campaign uses spam emails to deliver malicious JavaScript files, which are disguised as image files. End users may be fooled into opening the attachments in the belief they are simply images.
However, if the attachments are opened, JavaScript is executed and Rocketloader is downloaded. Rocketloader installs Bart ransomware and is also capable of downloading a variety of other malware. The...
by G Hunt |
June 22, 2016 |
Cybersecurity News, Network Security
There have been a number of high-profile data breaches reported in recent weeks; now Citrix has announced its users have been impacted after receiving multiple reports of GoToMyPC password reuse attacks. An investigation into the attacks revealed that the account compromises were not the result of a Citrix data breach, but that the attacks had been made possible due to poor security practices of some of its users.
Passwords Reset After Spate of GoToMyPC Password Reuse Attacks
After discovering the GoToMyPC password reuse attacks, Citrix performed a password reset on all users’ accounts to reduce the risk of account compromises. When users next log in to the remote desktop access service they will be required to set up a new password before being allowed to access the service. While Citrix has taken steps to protect its own users, simply changing passwords on GoToMyPC will not protect users who share passwords across multiple applications and web services. It is therefore important for users to log in to all online accounts that have the same password set and to create new, unique passwords for each. Following the cyberattacks on LinkedIn, MySpace, and Tumblr, login credentials were openly sold on darknet marketplaces. Many individuals purchased the data and have been searching online platforms to find users that have accounts elsewhere. The same passwords are then tried to see if access can be gained. Shortly after these data dumps, numerous Twitter accounts were hacked, including those belonging to a number of high-profile celebrities – Katy Perry, Mark Zuckerberg, Tenacious D, and Lana Del Rey, for example. While the hacking of a Twitter account may only be an inconvenience for many victims, far more serious hacks have occurred. TeamViewer remote desktop connection software was targeted by attackers who had obtained data from the LinkedIn breach.
Users’ accounts were accessed and the software leveraged to obtain access to users’ PayPal accounts and bank accounts, primarily using passwords saved in browsers. The victims had their bank and PayPal accounts emptied. Some individuals also reported that TeamViewer had been used to install ransomware on their...
by G Hunt |
June 21, 2016 |
Cybersecurity News, Internet Security News
Security researchers have uncovered an entirely JavaScript-based ransomware variant that is not only being used to lock infected devices with AES encryption, but also to deliver the Pony info-stealer. Pony is used to obtain users’ passwords and login credentials to launch further attacks. This means that while a ransom may have to be paid to regain access to important files, the victim is also highly likely to suffer further losses. JavaScript-based malware is nothing new. Criminals have been using JavaScript files to infect devices with ransomware for some time, yet previously JavaScript has most commonly been used to download ransomware to infected devices. The latest threat exclusively uses JavaScript and requires no additional downloads.
RAA Ransomware Delivered via Spam Email
The attack starts with a spam email containing a malicious attachment. The attached file appears to be a document, but it is actually a malicious JavaScript file. Opening the file will result in a fake Word document being created in the user’s My Documents folder. That file is then opened automatically, leading the victim to believe that the file attachment is corrupted. However, processes will still be running in the background. The malicious JavaScript file – dubbed RAA ransomware – does not contain any cryptographic functions; instead, it uses the CryptoJS library to lock files with AES encryption. First, all drives – local, network, and portable – are scanned for specific file extensions, including documents and spreadsheets (DOC, RTF, XLS, CSV, PDF), compressed files (ZIP, RAR), image files (JPG, PSD, PNG, DWG, CDR, CD), database files (DBF, MDF), and LCD disk images.
Once the targeted files are identified, the JavaScript-based ransomware then encrypts those files using AES encryption and replaces the extension with “.locked.” To make it harder for the victims to recover from the infection without paying the ransom, RAA ransomware also deletes the Windows Volume Shadow Copy Service (VSS) as well as all shadow copies. Finally, files are created on the Desktop which detail how much must be paid to obtain the decryption keys and instructions on how payment must be made. JavaScript...
by G Hunt |
June 17, 2016 |
Cybersecurity News, Network Security
Each year, the Ponemon Institute conducts a benchmark study on the cost of a data breach. The IBM-sponsored report reveals just how damaging data breaches can be to a company’s finances. Responding to a data breach costs companies millions of dollars, and each year the cost rises. Last year, the Cost of a Data Breach study placed the average cost at $3.79 million. This year, the average cost has risen to $4 million. The average cost per stolen record rose from $154 to $158 over the past 12 months.
Average Cost of a Data Breach in the United States is $7.01 Million
However, those figures are taken from the global data collected for the study. The costs incurred by U.S. businesses are much higher. Take the figures for the United States alone, and the average cost is $7.01 million. Last year the average cost of a breach response in the United States was $6.53 million. Organizations in the United States can expect to pay costs of $221 per record, although organizations in the healthcare industry, financial, and life science sector can expect to pay far higher amounts. The cost of a data breach in the healthcare industry is a staggering $402 per record. The data also show that the average number of records exposed per incident increased. In the United States, the total cost of a data breach rose by 7% over the space of a year, and by 2% per stolen or compromised record. The Ponemon Institute offers some suggestions why the overall cost of a data breach has increased by such a high degree. One of the main reasons is a substantial rise in indirect costs. When an organization suffers a security breach that exposes sensitive data such as credit card numbers, financial information, Social Security numbers, or medical records, consumers are increasingly taking their business elsewhere. The Ponemon Institute refers to this as the abnormal churn rate.
Organizations Should Try to Reduce Churn Rate After a Data Breach
One of the findings of the research is that the higher the churn rate is following a data breach, the higher the cost of the breach will be. Companies that experienced an abnormal churn rate of lower than 1% had to pay average breach costs of $5.4...
by G Hunt |
June 9, 2016 |
Cybersecurity Advice, Cybersecurity News
The security threat from bloatware was made abundantly clear last year with the discovery of a Lenovo bloatware vulnerability, affecting the Superfish Adware program that came pre-installed on Lenovo laptops. Bloatware is a term used to describe software applications and programs that are largely unnecessary, yet are pre-installed on new computers and laptops. The software programs can slow down computers and take up a lot of memory, yet offer the user little in the way of benefits. They are primarily used to update application features rather than to enhance security. Unfortunately, these pre-installed programs have been discovered – on numerous occasions – to contain security vulnerabilities that can be exploited by malicious actors and used for man-in-the-middle attacks. They can even let attackers run arbitrary code, allow privilege escalation, or perform malicious software updates. Now a new Lenovo bloatware vulnerability has been uncovered. This time it concerns the company’s software updater, which has been found to contain a vulnerability that could potentially be exploited, allowing man-in-the-middle attacks to be conducted.
New Bloatware Vulnerability Found in Lenovo Accelerator Application Updater: Uninstall Recommended
The Lenovo Accelerator Application has been pre-installed on a wide range of desktop computers and notebooks shipped with Windows 10. In total, well over 100 different models of Lenovo notebooks and desktops have the Lenovo Accelerator Application installed. Lenovo says the application is used to speed up the launching of Lenovo applications and communicates with the company’s servers to determine whether application updates exist. The UpdateAgent pings Lenovo’s servers every 10 minutes to check whether updates have been released. However, the application has recently been discovered to contain a security vulnerability that could be exploited by attackers.
DuoLabs investigated a number of companies to check for security vulnerabilities in pre-installed software applications and found that Lenovo’s UpdateAgent was particularly vulnerable to attacks. DuoLabs reported that the updater had “no native security,” and that...
by G Hunt |
June 8, 2016 |
Cybersecurity News, Internet Security News
A new WordPress plugin vulnerability was recently uncovered that is being actively exploited. The vulnerability affects the WP Mobile Detector plugin, which is used to determine whether a website is being viewed on a desktop or mobile device. The plugin then serves a compatible WordPress theme. The plugin was one of the first to be able to distinguish whether a device was a standard mobile or a smartphone, and as of the start of May, the plugin had been installed on more than 10,000 WordPress websites.
WP Mobile Detector WordPress Plugin Vulnerability Exploited to Install Porn Spam Doorways
The WordPress plugin vulnerability was detected by Plugin Vulnerabilities, which noticed a HEAD request for a file called /wp-mobile-detector/resize.php, even though the plugin had not been installed on the site. Researchers at Plugin Vulnerabilities concluded that the request was made by an individual attempting to determine whether the plugin had been installed in order to exploit a vulnerability. After searching for reports of a known vulnerability and finding none, researchers investigated further and discovered the plugin had an arbitrary file upload vulnerability. The vulnerability is straightforward to exploit and can be used to upload malicious files to the cache directory, host spam content, redirect users to malicious websites, or install malware. Since the plugin performed no checks to validate input from untrusted sources, an attacker would be able to insert a src variable containing a malicious URL and PHP code. Many of the infections uncovered so far have involved the installation of porn spam doorways. Sucuri reports that the WordPress plugin vulnerability has been exploited since May 27. Following the discovery of the WP Mobile Detector plugin flaw last week, the plugin was temporarily removed from the WordPress plugin directory. The developer of the WP Mobile Detector plugin has now fixed the vulnerability.
Any site owner that has the plugin installed should immediately update to version 3.6. However, simply updating to the latest version of the plugin will not remove malware if it has already been installed. If web shells have already been installed,...
by G Hunt |
June 7, 2016 |
Cybersecurity Advice, Cybersecurity News
The Federal Bureau of Investigation (FBI) has issued a new security alert warning of a new wave of extortion email schemes. The alert was issued after its Internet Crime Complaint Center (IC3) started receiving multiple reports from individuals who had been threatened with the exposure of their sensitive data. Cybercriminals are quick to respond to large-scale data breaches and use the fear surrounding the attacks to scam individuals into paying ransoms, clicking on links to malicious websites, or opening infected email attachments. In recent weeks, the Internet has been awash with news reports of major data breaches that have hit networking sites and a number of popular Internet platforms. Major data breaches affected LinkedIn, MySpace, and Tumblr, and while the stolen data are old, hundreds of millions of individuals have been affected. These cyberattacks occurred in 2012 and 2013, although the data stolen in the attacks have just been listed for sale online. These major data breaches had gone undiscovered until recently.
Extortion Email Schemes Threaten Exposure of Sensitive Data
Due to the volume of logins that were exposed in these attacks and the popularity of the sites, many individuals may be concerned that their login credentials may have been obtained by hackers. Cybercriminals are taking advantage of this fear and are sending out huge volumes of spam emails advising individuals that their sensitive data have been obtained. In the emails, individuals are told that their name, address, telephone number, credit card details, and other highly sensitive data are being held and that they will be distributed to friends and family if a ransom is not paid. The attackers warn their victims that access to social media accounts has been gained and that the attackers have details of all of the victim’s social media contacts.
The scammers are also threatening to email and mail out details of credit card transactions and internet activity to friends, family, and employers, suggesting that the payment to prevent this from happening will be much lower than the cost of a divorce, and low in comparison to the effect it will have on relationships with friends and on...
by G Hunt |
June 2, 2016 |
Cybersecurity News, Internet Privacy
On May 12, the microblogging website Tumblr notified users of a data breach that occurred in 2013. The company had kept quiet about the number of site users that were affected, although it has since emerged that 65 million account credentials were stolen in the Tumblr data breach. Stolen email addresses and passwords were recently offered for sale on a Darknet marketplace called TheRealDeal.
Tumblr Data Breach Ranks as One of the 5 Biggest Data Breaches of All Time
The massive Tumblr data breach may not be the largest ever discovered, but it certainly ranks as one of the biggest, behind the breach of 360 million MySpace account details, the theft of 164 million LinkedIn account credentials, and the 152 million-record Adobe breach. All of these huge data breaches occurred in 2013 with the exception of the LinkedIn breach, which happened a year earlier. These breaches have something else in common. They were all discovered recently and the stolen data from all four data breaches have been listed for sale on illegal Darknet marketplaces by the same individual: a Russian hacker with the account “peace_of_mind” – more commonly known as “Peace”. It is not clear whether this individual is responsible for all four of these data breaches, but he/she appears to have now obtained all of the data. The person responsible for the theft appears to have been sitting on the data for some time as, according to Tumblr, the login credentials do not appear to have been used. Fortunately, the passwords were salted and hashed. Unfortunately, it would appear that the SHA1 hashing algorithm was used, which is not as secure as the latest algorithms. This means that hackers could potentially crack the passwords. The passwords were also salted so this offers more protection for individuals affected by the Tumblr data breach. However, as a precaution, site users who joined the website in 2013 or earlier should log in and change their passwords.
Do You Reuse Passwords on Multiple Sites?
Even if victims of the Tumblr data breach have changed their password on the site before 2013, they may still be at risk of having their online accounts compromised if their password has been used for...
by G Hunt |
May 27, 2016 |
Cybersecurity News, Internet Privacy
A new phishing activity report published by the Anti-Phishing Working Group (APWG) shows that the threat from phishing websites is greater than at any other time in the history of the Internet. The latest phishing activity report shows that in the past six months, the number of phishing websites has increased by a staggering 250%. Most of the new websites were detected in March 2016.
The Rising Threat from Phishing Websites Should Not Be Ignored
APWG was founded in 2003 in response to the rise in cybercrime and the use of phishing to attack consumers. The purpose of the organization is to unify the global response to cybercriminal activity, monitor the latest threats, and share data to better protect businesses and consumers. In 2004, APWG started tracking phishing and reporting on the growing threat from phishing websites. During the past 12 years, the number of phishing websites being created by cybercriminals has grown steadily; however, the past six months have seen a massive rise in new websites that trick users into revealing sensitive data. APWG reports that there is an increase in new malicious websites around the holiday season. In the run-up to the holiday period when online shopping increases and Internet traffic spikes, there are more opportunities to relieve online shoppers of their credit card details, login credentials, and other sensitive data. In late 2015, cybercriminals increased their efforts and there was the usual spike in the number of new phishing websites. However, after the holiday period ended APWG expected activity to reduce. That didn’t happen. New sites were still being created at elevated levels. In the first quarter of 2016, APWG detected 289,371 new phishing websites. However, almost half of the new websites – 123,555 of them – were detected in March 2016. Aside from a slight dip in February, the number of new websites created has increased each month.
March saw almost twice the number of new sites that were created in December. The figures for Q1 and for March were the highest ever seen.
Retail and Financial Sectors Most Frequently Targeted by Phishers
Phishers tend to favor well-known brands. The phishing activity...
by G Hunt |
May 26, 2016 |
Cybersecurity News, Internet Security News
Surprisingly, after ESET sent a request for the TeslaCrypt ransomware master key to the criminal gang behind the attacks, they responded by making the decryption key public and even issued an apology. The surprise move signals the end of the ransomware that was used primarily to target gamers.
TeslaCrypt Ransomware Master Key Released
So does the release of the TeslaCrypt ransomware master key mean that the attacks will now stop? The answer to that is a little complicated. Attacks using TeslaCrypt will slow and stop soon, and even if some individuals have their computer files locked by the ransomware they will not need to pay a ransom. Once the TeslaCrypt ransomware master key was made public, security companies started work on decryption tools to unlock infections. ESET have added the key to their TeslaCrypt decryption tool, and Kaspersky Lab similarly used the master key to update the decryption tool it had been using to unlock earlier versions of the ransomware. That does not mean that the criminal gang behind the campaign will stop its malicious activity. It just means that the gang will stop using TeslaCrypt. There are many other types of ransomware that can be used for attacks. In fact, it would appear that TeslaCrypt has now simply been replaced with a new form of ransomware called CryptXXX. According to ESET, many of the distributors of TeslaCrypt have already switched to CryptXXX. Under normal circumstances, contacting a criminal gang and asking for the TeslaCrypt ransomware master key would not have worked. Attackers running profitable ransomware campaigns are unlikely to respond to a polite request asking to unlock an infection without paying a ransom, let alone supply a master key that can be used to unlock all infections. The reason for the release is that TeslaCrypt was already being phased out.
ESET researcher Igor Kabina noticed that TeslaCrypt infections were slowing, which signaled that either the gang behind the ransomware was phasing it out in favor of a new malware, or that a new and updated version of TeslaCrypt would soon be released. Kabina decided to contact the attackers through the channels set up to allow victims to contact the gang and...
by G Hunt |
May 20, 2016 |
Cybersecurity News, Internet Security News
A new study has recently been published showing the impact of security breaches on brand image, and how the behavior of consumers changes when companies experience data breaches that expose private data. Cyberattacks are now taking place with such frequency that data breaches are now to be expected. It is no longer a case of whether a security breach will occur; it is now just a case of when it will happen. Even with the best protections in place to protect sensitive data, breaches will still occur. Many consumers are aware that the current threat levels are greater than ever and that cyberattacks will occur. However, how do consumers react to breaches of their personal information? Do they forgive and forget or are they taking their business elsewhere?
What is the Impact of Security Breaches on Brand Image?
The FireEye study set out to examine the impact of security breaches on brand image. 2,000 interviews were conducted with consumers in the United States to find out whether security incidents changed behavior and whether data breaches altered perceptions of companies and trust in brands. The results of the survey clearly show that the failure to invest in robust cybersecurity defenses can have a major impact on revenue. 76% of surveyed consumers claimed they would take their business elsewhere if they believed a company’s data handling practices were poor or that the company was negligent with regard to data security. 75% of respondents said they would likely stop making purchases from a company if they felt that a security incident resulted from a failure of the company to prioritize cybersecurity. Loss of business is not the only problem companies will face following a data breach. If a breach of personal information occurs and data are used by criminals for identity theft or fraud, 59% of consumers would take legal action to recover losses.
Even when companies take action to mitigate the risk of losses being suffered by consumers – such as providing identity theft protection services – brand image remains tarnished. Reputation damage after a data breach is suffered regardless of the actions taken by companies to mitigate risk. It can also take...
by G Hunt |
May 20, 2016 |
Cybersecurity News
The not-for-profit technology industry association CompTIA recently released its 2016 International Trends in Cybersecurity report after analyzing the current state of cybersecurity and assessing behaviors and techniques currently being used by organizations around the world to tackle the growing risk of cyberattacks. To compile the report, CompTIA surveyed 1,509 IT security professionals from 12 countries around the world, including Australia, Canada, India, Brazil, Malaysia, Japan, South Africa, the UAE and the UK. The International Trends in Cybersecurity report shows that information security is still a major concern for IT and business executives, which is perhaps no surprise given the number of cybersecurity threats they now have to deal with. The report showed that over the course of the past 12 months, 73% of organizations had experienced at least one security incident and 60% of those security incidents were classed as serious. The highest number of security incidents occurred in India, where 94% of companies experienced a security breach in the past 12 months, closely followed by Malaysia on 89%, and Brazil and Mexico with 87% of companies suffering at least one breach. Japan and the UAE fared the best, with just 39% and 40% of companies self-reporting a security breach. Security incidents involving mobile devices are becoming much more prevalent as the use of the devices increases. 76% of companies across all 12 countries experienced a mobile-related data breach in the past 12 months. In Thailand, 95% of companies had experienced a mobile-related security breach. In the UK, 64% of companies experienced a mobile-related incident. Companies in Japan and the UAE fared the best, with 60% of companies experiencing a breach of mobile data. Human error continues to be a major cause of security breaches and the situation is getting worse.
Companies are tackling the issue with training to improve awareness of cybersecurity issues and ensure security best practices are adopted. Nearly 80% of managers responsible for data security expect cybersecurity to become even more important over the next two years. The increasing reliance on mobile technology and cloud...
by G Hunt |
May 11, 2016 |
Cybersecurity Advice, Cybersecurity News
This week, Patch Tuesday saw updates issued to address actively exploited security vulnerabilities in Internet Explorer, along with a swathe of fixes for a number of other critical Microsoft security vulnerabilities. In total, Microsoft issued fixes for 51 vulnerabilities this week spread across 16 security bulletins, half of which were rated as important, the other eight being rated as critical. The updates tackle vulnerabilities in Microsoft Edge and Internet Explorer, Windows, the Microsoft .NET Framework, and MS Office; however, it is the browser fixes that are the most important. These include actively exploited security vulnerabilities that can be used to compromise computers if users visit websites containing exploit kits. Security update MS16-051 tackles the CVE-2016-0189 zero-day vulnerability in Internet Explorer, which, if exploited, would allow an attacker to gain the same level of privileges as the current user. The flaw could be used to take control of the entire system. The exploit could be used to install new programs on the device, create new accounts, or modify or delete data. The vulnerability modifies the functioning of JScript and VBScript, changing how they handle objects in the computer’s memory. The IE security vulnerability was brought to the attention of Microsoft by researchers at Symantec, who had discovered an active exploit that was being used alongside spear-phishing attacks in South Korea. Users were being directed to a website containing an exploit kit that had been updated with the IE security vulnerability. The MS16-052 security update tackles a vulnerability in Microsoft Edge which similarly changes how objects in the memory are handled. These two updates should be prioritized by sysadmins, although all of the updates should be installed as soon as possible. Even the important updates could potentially be exploited and used to gain control of unpatched computers.
Bulletin MS16-054 is also a priority update to patch critical vulnerabilities in Adobe Flash. Since Flash is embedded in both Edge and IE, Microsoft has started issuing updates to address Adobe Flash vulnerabilities. While these security flaws are not believed to...
by G Hunt |
May 6, 2016 |
Cybersecurity Advice, Cybersecurity News
Finding a web security service for MSPs can be a time-consuming process. There are a number of solutions that allow MSPs to keep their clients protected from malware and reduce the risk from internal and external threats, yet many are far from ideal for use by MSPs. The ideal web security service for MSPs must have a relatively low cost of ownership. Clients may be more than willing to implement a web security service to deal with the growing range of web-borne threats, but the cost of implementation is a key factor. Many solutions offer all the necessary benefits for the client, but are not practical for use by MSPs. The time taken to install web security solutions and to configure them for each client can reduce profitability. The best web security service for MSPs needs to be easy to install and maintain, and have a low management overhead. Low-cost solutions that are quick to install and easy to maintain allow MSPs to easily incorporate them into existing packages to create a more comprehensive Internet security service. This can increase the value provided to clients, boost client revenue, and help MSPs to win more business and differentiate their company in the marketplace. The ideal web security service for MSPs is available as a white label. This allows the service to be easily incorporated into existing packages. White labeling allows MSPs to strengthen their own brand image rather than promoting someone else’s. Many providers of a web security service for MSPs fall down on customer support. If any issues are experienced, it is essential that an MSP can provide rapid solutions. Industry-leading technical support is essential.
WebTitan Cloud – A Web Security Service for MSPs That Ticks All the Right Boxes
WebTitan Cloud is an enterprise-class web filtering solution for MSPs that can be used to enforce clients’ acceptable use policies and control the content that can be accessed via their wired and wireless networks.
Our DNS-based web filtering solution allows organizations to prevent phishing, stop malware downloads, protect against ransomware and botnet infections, and block spyware and adware. Controls prevent the bypassing of the content filter by...
by G Hunt |
May 5, 2016 |
Cybersecurity Advice, Cybersecurity News
Over the past two weeks there have been three worrying instances of the Angler exploit kit being used to infect website visitors with malware and ransomware. Cybercriminals are increasingly using exploit kits to deliver their malicious payloads and all organizations need to be aware of the risk.
Why AUPs May Not Be Sufficient to Keep Networks Secure
Many companies advise employees of the types of websites that can be accessed via work networks and which are forbidden. Typically, employees are banned from visiting pornographic websites, using the Internet for the sharing of copyright-protected material, installing shareware or other unauthorized software, and using unauthorized web applications and gaming sites. Employees are provided with a document which they are required to read and sign. They are informed of the actions that will be taken for breaching the rules: verbal and written warnings for example, and in some cases, instant dismissal. These AUPs are usually effective and employees do heed the warnings if they value their jobs. If an employee breaches the AUPs and accesses pornography for instance, action can be taken against that individual. It is probable that no harm will have been caused and the matter can be dealt with by HR. However, if an employee breaches AUPs and visits a website that has been compromised with malware or installs shareware that includes malicious files, taking action against the employee will not undo the damage caused. To better protect networks, AUPs should be enforced with a software solution. By implementing a web filtering solution, HR departments can ensure that inappropriate website content is not accessed, while IT departments can be prevented from having to deal with malware infections. Even if AUPs are followed to the letter, malware may still be downloaded onto the network. The risk has recently been highlighted by two security incidents discovered in the past two weeks.
Legitimate Websites Compromised with Angler Exploit Kit
Last week, news emerged that a toy manufacturer’s website had been compromised and was being used to infect visitors with malware. The website had been loaded with the Angler exploit kit and...
by G Hunt |
April 30, 2016 |
Cybersecurity Advice, Cybersecurity News
There are some very good reasons why you should block file sharing websites. These websites are primarily used to share pirated software, music, films, and TV shows. It would be unlikely for the owner of the copyright to take action against an employer for failing to prevent the illegal sharing of copyrighted material, but this is an unnecessary legal risk. However, the main risk from using these websites comes from malware. Research conducted by IDC in 2013 showed that out of 533 tests of websites and peer-to-peer file sharing networks, the downloading of pirated software resulted in spyware and tracking cookies being downloaded to users’ computers 78% of the time. More worryingly, Trojans were downloaded with pirated software 36% of the time. A survey of IT managers and CIOs conducted at the time indicated that malware was installed 15% of the time with the software. IDC determined that overall there was a one in three chance of infecting a machine with malware by using pirated software. Even visiting torrent sites can be harmful. This week Malwarebytes reported that visitors to The Pirate Bay were served malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site containing the Magnitude exploit kit, which was used to download Cerber ransomware onto users’ devices. A study conducted by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal checks files against the databases of 47 different anti-virus engines. The research team determined that 50% of pirated files were infected with malware. Dealing with malware from pirated software was determined to take around 1.5 billion hours per year. For businesses the cost can be considerable. IDC calculated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was estimated to be in the order of $350 billion.
Time to Block File Sharing Websites?
Organizations can monitor devices and check for unauthorized software installations on individual devices; however, by the time a software installation has been discovered, malware is likely to...