Keeping up-to-date with cybersecurity news can help protect organizations from online threats such as malware downloads and phishing campaigns. By being aware of type of threats that exist, how they operate, and what damage they can do, organizations can take precautions against the threats, educate their employees to be aware of online security, and strengthen their online defenses.
The most effective way of preventing attacks by cybercriminals is to stop Internet users from receiving emails containing phishing links or visiting websites that harbor viruses. This can be achieved with an email filter and an Internet content filter – both solutions having mechanisms in place to protect organizations and ensure they are not featured in future in our cybersecurity news section.
A Starbucks porn filter will finally be introduced in 2019 to prevent adult content from being accessed by customers hooked up to the coffee shop chain’s free WiFi network.
It has taken some time for the Starbucks porn filter to be applied. In 2016, the coffee shop chain agreed to implement a WiFi filtering solution following a campaign from the internet safety advocacy group Enough is Enough, but two years on and a Starbucks porn filter has only been applied in the UK.
Businesses Pressured to Implement WiFi Filters to Block Porn
Enough is Enough launched its Porn Free WiFi campaign – now renamed the SAFE WiFi campaign – to pressure businesses that offer free WiFi to customers to apply WiFi filters to restrict access to adult content. In 2016, more than 50,000 petitions were sent to the CEO’s of Starbucks and McDonalds urging them to apply WiFi filters and take the lead in restricting access to pornography and child porn on their WiFi networks.
After petitioning McDonald’s, the global restaurant chain took prompt action and rolled out a WiFi filter across its 14,000 restaurants. However, Starbucks has been slow to take action. Following the McDonalds announcement in 2016, Starbucks agreed to roll out a WiFi filter once it had determined how to restrict access to unacceptable content without involuntarily blocking unintended content. Until the Starbucks porn filter was applied, the coffee shop chain said it would reserve the right to stop any behavior that negatively affected the customer experience, including activities on its free WiFi network.
The apparent lack of action prompted Enough is Enough to turn up the heat on Starbucks. On November 26, 2018, Enough is Enough president and CEO, Donna Rice Hughes, issued a fresh call for a Starbucks porn filter to be implemented and for the coffee chain to follow through in its 2016 promise. Rice Hughes also called for the public to sign a new petition calling for the Starbucks porn filter to finally be put in place.
Starbucks Porn Filter to Be Applied in All Locations in 2019
Starbucks has responded to Enough is Enough, via Business Insider, confirming that it has been testing a variety of WiFi filtering solutions and has identified one that meets its needs. The Starbucks porn filter will be rolled out across all its cafes in 2019.
All businesses that offer free WiFi to their customers have a responsibility to ensure that their networks cannot be abused and are kept ‘family-friendly.’ It is inevitable that some individuals will abuse the free access and flaunt policies on acceptable use. A technical solution is therefore required to enforce those policies.
While Enough is Enough is focused on ensuring adult content is blocked, there are other benefits of WiFi filtering. A WiFi filter protects customers from malware downloads and can stop them accessing phishing websites. All manner of egregious and illegal content can be blocked.
WiFi filters can also help businesses conserve bandwidth to make sure that all customers can access the Internet and enjoy reasonable speeds.
WebTitan Cloud for WiFi – The Easy Way to Start Filtering Content on WiFi Networks
TitanHQ has long been an advocate of WiFi filtering for public WiFi hotspots and has developed WebTitan Cloud for WiFi to allow businesses to easily block access to unacceptable and illegal web content on WiFi networks.
WebTitan Cloud for WiFi allows businesses to carefully control the content that can be accessed over WiFi without involuntarily blocking unintended content. Being 100% cloud based, no hardware purchases are required and no software downloads are necessary.
The solution offers businesses advanced web filtering capabilities through an easy to use intuitive user interface. No IT consultants are required to implement and run the solution. It can be set up and operated by individuals that have little to no technical knowhow.
The solution is highly scalable and can be used to protect thousands of users, at multiple locations around the globe, all controlled through a single user interface.
If you run a business that offers free WiFi to customers and you have not yet started controlling the activities that can take place over your WiFi network, contact TitanHQ today for further information on WebTitan Cloud for WiFi.
Managed Service Providers (MSPs) that want to start offering WiFi filtering to their clients can join the TitanHQ MSP Alliance. All TitanHQ solutions have been developed to meet the needs of MSPs and make it easy for them to add new security capabilities to their service stacks.
The biggest cyber threat to SMBs is ransomware, according to Dato’s State of the Channel Report. While other forms of malware pose a serious risk and the threat from phishing is ever present, ransomware was considered to be the biggest cyber threat to SMBs by the 2,400 managed service providers that were polled for the study.
Many SMB owners underestimate the cost of mitigating a ransomware attack and think the cost of cybersecurity solutions to prevent attacks, while relatively low, are not justified. After all, according to Datto, the average ransom demand is just $4,300 per attack.
However, the ransom payment is only a small part of the total cost of mitigating an attack. The final cost is likely to be ten times the cost of any ransom payment. Datto points out that the average total cost of an attack on an SMB is $46,800, although there have been many cases where the cost has been far in excess of that amount.
One of the most common mistakes made by SMBs is assuming that attacks will not occur and that hackers are likely to target larger businesses with deeper pockets. The reality is SMBs are being targeted by hackers, as attacks are easier to pull off. SMBs tend not to invest heavily in cybersecurity solutions as larger businesses.
Anti-Virus Software is Not Effective at Preventing Ransomware Attacks
Many SMB owners mistakenly believe they will be protected by anti-virus software. However, the survey revealed that 85% of MSPs said clients that experienced a ransomware attack had anti-virus solutions installed. Anti-virus software may be able to detect and block some ransomware variants, but since new forms of ransomware are constantly being developed, signature-based cybersecurity solutions alone will not offer a sufficient level of protection.
Many SMBs will be surprised to hear just how frequently SMBs are attacked with ransomware. More than 55% of surveyed MSPs said their clients had experienced a ransomware attack in the first six months of this year and 35% experienced multiple attacks on the same day.
Some cybersecurity firms have reported there has been a slowdown in ransomware attacks as cybercriminals are increasingly turning to cryptocurrency mining. While that may be true for some cybercriminal gangs, the ease of conducting attacks using ransomware-as-a-service means many small players have started attacking SMBs. That is unlikely to change.
92% of surveyed MSPs said they thought ransomware attacks would continue at current levels or even increase throughout this year and next.
Ransomware attacks are even being conducted on Apple operating systems. In the past year, there has been a five-fold increase in the number of MSPs who have reported ransomware attacks on macOS and iOS operating systems.
“Not only have ransomware attacks increased in recent years, but the problem may even be bigger than we know, as many attacks go unreported,” explained Jeff Howard, Founder and Owner, of the Texas MSP Networking Results. Datto suggests that only one in four attacks are reported to law enforcement.
How to Protect Against SMB Ransomware Attacks
To protect against ransomware attacks, businesses need to implement a range of solutions to block the most common attack vectors. To block email-based attacks, advanced spam filtering technology is required, and end user security awareness training is essential. To block ransomware downloads from malicious websites, web filtering software should be implemented.
Business continuity and disaster recovery technology should be implemented to ensure that a quick recovery is possible in the event of an attack, and naturally intelligent backing up is required to ensure files can be recovered without paying a ransom.
MSPs need to explain the risks to SMBs, along with the solutions that need to be installed to prevent attacks and the likely cost of recovery. Many businesses are shocked to discover the true cost of a ransomware attack.
How TitanHQ Can Help Improve Defenses Against SMB Ransomware Attacks
TitanHQ has developed two innovative cybersecurity solutions that work in tandem to block the two most common attack vectors: Email and Internet attacks. SpamTitan is a powerful spam filtering solution that combines two AV engines with intelligent scanning of incoming mail using a variety of techniques to identify malicious messages and new ransomware variants and block them at source.
WebTitan is a powerful web filtering solution that can block malvertising attacks, drive-by ransomware downloads, and prevent employees from visiting malicious websites. Both solutions should be part of an SMBs arsenal to protect against ransomware and malware attacks and both solutions should be part of an MSPs security stack.
For further information on SpamTitan and WebTitan and details of TitanHQ’s MSP offerings, contact the TitanHQ today.
This year has seen several ransomware attacks on cities and municipal targets, clearly demonstrating that the threat from ransomware has not abated, despite several analyses from cybersecurity firms that suggest hackers are moving away from ransomware and concentrating on cryptomining malware attacks.
Cryptocurrency miners have certainly become more popular and their use has increased substantially in recent months, but there is still a significant threat from ransomware.
Ransomware development may have slowed, but ransomware attacks on cities and other high value targets have not. In fact, October has seen two new ransomware attacks on cities in the United States, along with several attacks on municipal targets. In the past few months. It is clear that the threat is not going away any time soon.
$2,000 Ransom Paid to Resolve City of West Haven Ransomware Attack
The city of West Haven ransomware attack started on the morning of October 16, 2018, and by the time the attack had been contained, 23 servers had been encrypted and taken out of action. Prompt action limited the scope of the attack, although it did cause major disruption as computers on the affected network had to all be shut down.
The attack affected a critical system, and after an assessment of the situation, the decision was taken to pay the ransom. Considering the number of servers affected, the ransom demand was relatively low. The city paid $2,000 in Bitcoin for the keys to decrypt its files.
Art House, Connecticut’s chief of cybersecurity, explained that this was one of several targeted ransomware attacks on cities and municipal services in the state in recent weeks. In February, around 160 computers were affected by ransomware in more than a dozen agencies in the state according to the Department of Administrative Services, and a month later the state’s Judicial Branch was attacked and had more than 100 servers encrypted.
City of Muscatine Ransomware Attack
The West Haven ransomware attack was shortly followed by a ransomware attack on the city of Muscatine in Ohio, which saw files on several government servers encrypted. The attack is understood to have started on October 17 and caused considerable disruption especially to services at City Hall.
Few details about the attack have been made public, although it is understood that the ransom demand was not paid. Instead, IT teams have had to painstakingly rebuild affected servers and workstations and restore files from backups.
Ransomware Attack on City of Atlanta
In August one of the most serious ransomware attacks on cities occurred. The City of Atlanta was attacked with SamSam ransomware, which was manually deployed on multiple computers after access had been gained to the network. The attack occurred in March and took down computers used for many city services, causing major disruption for weeks. A ransom demand of around $50,000 was issued, although the decision was taken not to pay. Initially the cost of recovery was expected to reach $6 million. Later estimates in the summer suggest that the final cost may exceed $17 million, highlighting just how costly ransomware attacks on cities can be.
Ransomware Attacks on Municipal Services Becoming More Common
Ransomware attacks on cities are becoming more common, as are attacks on municipal targets. In October, the Onslow Water and Sewer Authority in Jacksonville, North Carolina was attacked with ransomware resulting in most systems being taken out of action. In that case, a dual attack occurred, which started with the Emotet Trojan followed by the deployment of Ryuk ransomware two weeks later. The attack is expected to disrupt services for several weeks. The Indiana National Guard also suffered a ransomware attack in October. In both cases, the ransom was not paid.
Prevention and Incident Response
One of the reasons behind the rise in ransomware attacks on cities is underinvestment in cybersecurity defenses. Too little has been spent on protecting systems and updating aging hardware and software. With many vulnerabilities left unaddressed, staff receiving insufficient training, and even basic cybersecurity defenses often found lacking, it is no surprise that the attacks are increasing.
The only way that the attacks will be stopped is by spending more on cybersecurity defenses and training to make it much harder for attacks to occur. It can certainly be hard to find the money to commit to cybersecurity, but as the City of Atlanta found out, the cost of prevention is far lower than the cost of recovery from a ransomware attack.
TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs) recently partnered with Datto Networking, the leading provider of IT solutions to SMBs delivered through MSPs.
Datto Networking has now incorporated TitanHQ’s advanced web filtering technology into the Datto Networking Appliance to provide superior protection to users on the network.
Datto and TitanHQ will be hosting a webinar on October 18, 2018 to explain how the new technology provides enhanced protection from web-based threats, and how MSPs can easily deliver content filtering to their customers.
During the webinar, MSPs will find out about the enhanced functionality of the Datto Networking Appliance.
Webinar: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST
John Tippett, VP, Datto Networking
Andy Katz, Network Solutions Engineer
Rocco Donnino, EVP of Strategic Alliances, TitanHQ
The CloudFlare IPFS gateway has only recently been launched, but it is already being used by phishers to host malicious content.Cloudflare IPFS gateway phishing attacks are likely to have a high success rate, as some of the checks performed by end users to confirm the legitimacy of domains will not raise red flags.
The IPFS gateway is a P2P system that allows files to be shared easily throughout an organization and accessed through a web browser. Content is distributed to different nodes throughout the networked systems. The system can be used for creating distributed websites, and CloudFlare has made this process easier by offering free SSL certificates and allowing domains to be easily connected to IPFS.
If phishers host their phishing forms on CloudFlare IPFS, they benefit from CloudFlare’s SSL certificate. Since the phishing page will start with cloudflare-ipfs.com, this adds legitimacy. The CloudFlare-owned domain is more likely to be trusted than domains owned by phishers.
When CloudFlare IPFS Gateway phishing forms are encountered, visitors will be advised that the webpage is secure, the site starts with HTTPS, and a green padlock will be displayed. If the visitor takes the time to check certificate information of the web page, they will find it has been issued to CloudFlare-IPFS.com by CloudFlare Inc., and the certificate is valid. The browser will not display any warning and CloudFlare IPFS Gateway phishing content will therefore seem legitimate.
At least one threat actor is using the CloudFlare IPFS Gateway for phishing and is hosting forms that claim to be standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with appropriate logos.
If a visitor completes the form information, their credentials will be forwarded to the operator of a known phishing domain – searchurl.bid – and the user will be displayed a document about business models, strategy and innovation. This may also not raise a red flag.
The CloudFlare IPFS Gateway phishing strategy is similar to that used on Azure Blob storage, which also take advantage of legitimate SSL certificates. In that case the certificate is issued by Microsoft.
It is becoming increasingly important for phishers to use HTTPS for hosting phishing content. As more businesses transition from HTTP to HTTPS, and browsers such as Chrome now display warnings to users about insecure sites, phishers have similarly had to make the change to HTTPS. Both CloudFlare IPFS Gateway and Azure Blog storage offer an easy way to do this.
In both cases, links to the malicious forms are distributed through spam email. One of the most common ways to do this is to include an email attachment that contains a button which must be clicked in order to download content. The user is advised that the content of the file is secured, and that professional email login credentials must be entered in order to view the content. The document may be an invoice, purchase order, or a scanned document that needs to be reviewed.
The increase in use of cloud platforms to host phishing content makes it more important than ever for organizations to implement advanced phishing defenses. A powerful spam filter such as SpamTitan should be used to block the initial emails and prevent them from being delivered to end users’ inboxes. These phishing tactics should also be covered in security awareness training to raise awareness of the threat and to alert users that SSL certificates do not necessarily mean the content of a web page is legitimate. Web filtering solutions are also essential for blocking access to known malicious web pages, should a user visit a malicious link.
A suspected Ryuk ransomware attack on Recipe Unlimited, a network of some 1,400 restaurants in Canada and North America, has forced the chain to shutdown computers and temporarily close the doors of some of its restaurants while IT teams deal with the attack.
Recipe Unlimited, formerly known as Cara Operations, operates pubs and restaurants under many names, including Harvey’s, Swiss Chalet, Kelseys, Milestones, Montana’s, East Side Mario’s, Bier Markt, Prime Pubs, and the Landing Group of Restaurants. All of the above pub and restaurant brands have been affected by the Recipe Unlimited ransomware attack.
While only a small number of restaurants were forced to close, the IT outage caused widespread problems, preventing the restaurants that remained open from taking card payments from customers and using register systems to process orders.
While it was initially unclear what caused the outage, a ransomware attack on Recipe Unlimited was later confirmed. An employee of one of the affected restaurants provided CBC News with a copy of the ransom note that had appeared on the desktop of one of the affected computers.
The ransom note is the same used by the threat actors behind Ryuk ransomware. They claim files were encrypted with “military algorithms” which cannot be decrypted without a key that is only held by them. While it is unclear exactly how much the attackers demanded in payment to decrypt files, they did threaten to increase the cost by 0.5 BTC (Approx. $4,000 CAD) per day until contact was made. The Recipe Unlimited ransomware attack is understood to have occurred on September 28. Some restaurants remained closed on October 1.
The ransomware attack on Recipe Unlimited is just one of many such attacks involving Ryuk ransomware. The attackers are understood to have collected more than $640,000 in ransom payments from businesses who have had no alternative other than to pay for the keys to unlock their files. The ransomware attack on Recipe Unlimited did not increase that total, as Recipe Unlimited conducted regular backups and expects to be able to restore all systems and data, although naturally that will take some time.
Ransomware attacks on restaurants, businesses, healthcare providers, and cities are extremely common and can be incredibly costly to resolve. The recent City of Atlanta ransomware attack caused widespread disruption due to the sheer scale of the attack, involving thousands of computers.
The cost of resolving the attack, including making upgrades to its systems, is likely to cost in the region of $17 million, according to estimates from city officials. The Ransomware attack on the Colorado Department of Transportation is expected to cost $1.5 million to resolve.
There is no simple solution that will block ransomware attacks, as many different vectors are used to install the malicious file-encrypting software. Preventing ransomware attacks requires defense in depth and multiple software solutions.
Spam filtering solutions should be used to prevent email delivery of ransomware, web filters can be configured to block assess to malicious websites where ransomware is downloaded, antivirus solutions may detect infections in time to block attacks, and intrusion detection systems and behavioral analytics solutions are useful to rapidly identify an attack in progress and limit the harm caused.
All operating systems and software must be kept fully up to date, strong passwords should be used, and end user must receive training to make them aware of the threat from ransomware. They should be taught security best practices and trained how to identify threats. Naturally, robust backup policies are required to ensure that in the event of disaster, files can be recovered without having to pay the ransom.
Recent research has shown that the United States is the main distributor of exploit kits and hosts the most malicious domains and cyberattacks on websites have increased sharply.
United States Hosts the Most Malicious Domains and Exploit Kits
The United States hosts the most malicious domains and is the number one source for exploit kits, according to new research conducted by Palo Alto Networks. Further, the number of malicious domains increased between Q1 and Q2 in the United States. In all countries, apart from the Netherlands, the number of malicious domains remained constant or declined.
Exploit activity is only at a fraction of the level of 2016, although the web-based kits still pose a major threat to businesses with poor patching processes and a lack of protections against web-based attacks.
Three exploit kits have been extensively used throughout Q1 and Q2, 2018: Sundown, Rig, and KaiXin. The United States is the number one source for the Sundown and Rig EKs and is number two behind China for the KaiXin exploit kit. Further, a new exploit kit was detected in Q2: Grandsoft. The United States is also the number one source for this new exploit kit.
More than twice the number of exploit kits are hosted in the United States than in Russia in second place. 495 malicious URLs were detected in the United States compared to 147 in Russia. 296 malicious URLs hosting exploit kits were detected in the United States, with Russia in second place with 139.
The Microsoft VBScript vulnerability, CVE-2018-8174, is being extensively exploited via these exploit kits. Microsoft released a patch in May 2018 to fix the flaw, but many companies have yet to install the update and are vulnerable to attack. Exploit kits are still using old vulnerabilities to install their malicious payloads. According to Palo Alto Networks’ Unit 42, two vulnerabilities are extensively used – The IE7 vulnerability – CVE-2009-0075 – and the Internet Explorer 5 vulnerability – CVE-2008-4844 – even though patches were released to fix the flaws more than 9 years ago.
The Jscript vulnerability in Internet Explorer 9 through 11 – CVE-2016-0189 – and the OleAut32.dll vulnerability – CVE-2014-6332 – have also been used in many attacks. One vulnerability known to be used in zero-day attacks was also detected.
Website Attacks on the Rise
Research conducted by SiteLock has revealed there has been a significant rise in attacks on websites in Q2, 2018. According to its study of more than 6 million websites, each website is attacked, on average, 58 times a day with one attack occurring every 25 minutes. That represents a 16% increase in website attacks since Q1, 2018.
Many search engines now alert users when websites have been discovered to contain malware, and Google sends warnings to site owners when malicious software is discovered. However, relatively few sites are being detected as malicious. SiteLock notes that out of 19.2 million sites that it has discovered to be hosting malicious files, only 3 million had been detected as malicious by the search engines.
The threat of exploit kit attacks and the rise in sites hosting malicious code highlights the need for businesses to deploy a web filtering solution to prevent employees from visiting these malicious sites and giving cybercriminals an opportunity to install malware on their networks.
Companies that take no action and fail to implement software solutions to restrict access to malicious sites face a high risk of their employees inadvertently installing malware. With the cost of a data breach now $3.86 million (Ponemon/IBM), the decision not to implement a web filter could prove incredibly costly.
Princess Locker ransomware has now morphed into Princess Evolution ransomware. The latest variant is one of several cryptoransomware threats that maximize the number of infections by using an affiliate distribution model – termed Ransomware-as-a-Service or RaaS.
RaaS sees affiliates given a percentage of the ransom payments they generate, while the author of the ransomware also takes a cut of the profits. Under this business model, the author can generate a much higher number of infections, which means more ransom payments. The affiliates get to conduct ransomware campaigns without having to develop their own ransomware and the author can concentrate on providing support and developing the ransomware further. For Princess Evolution ransomware, the split is 60/40 in favor of the affiliate. The RaaS is being promoted on underground web forums and prospective affiliates.
Ransomware attacks involving RaaS use a variety of methods to distribute the malicious payload as multiple actors conduct campaigns. Spam email is usually the main delivery mechanism for RaaS affiliates as it is easy to purchase large quantities of email addresses on darkweb sites to conduct campaigns. Brute force attacks are also commonly conducted.
Princess Evolution ransomware has also been loaded into the RIG exploit kit and is being distributed via web-based attacks. These web-based attacks take advantage of vulnerabilities in browsers and browser plug-ins. Exploits for these vulnerabilities are loaded into the kit which is installed on attacker-controlled web domains. Often legitimate sites are compromised have the exploit kit loaded without the knowledge of the site owner.
Traffic is generated to the websites through search engine poisoning, malvertising, and spam emails containing hyperlinks to the websites. If a user visits the website and has an exploitable vulnerability, the Princess Evolution ransomware will be silently downloaded.
At this stage, there is no free decryptor for Princess Evolution ransomware. If this ransomware variant is downloaded and succeeds in encrypting files, recovery is only possible by paying the ransom for the keys to unlock the encryption or rebuilding systems and recovering files from backups. The ransom demand is currently 0.12 Bitcoin – Approximately $750 per infected device.
Protecting against Princess Evolution ransomware attacks requires a combination of cybersecurity solutions, security awareness training, and robust backup policies. Multiple backups of files should be created, stored on at least two different media, with one copy stored securely off site. Infected devices may need to be re-imaged, so plans should exist to ensure the process can be completed as quickly as possible.
Cybersecurity solutions should focus on prevention and rapid detection of threats. A spam filtering solution – such as SpamTitan – will help to ensure that emailed copies of the ransomware or downloaders are not delivered to inboxes.
Care should be taken with any email sent from an unknown individual. If that email contains an attachment, it should not be opened, but if this is unavoidable, the attachment should be scanned with anti-virus software prior to opening. For greater protection, save the attachment to disk and upload it to VirusTotal for scanning using multiple AV engines.
A web filter such as WebTitan can block web-based attacks through general web browsing and by preventing end users from visiting malicious websites via hyperlinks in spam emails.
To reduce the risk of brute force attacks, strong, unique passwords should be used to secure all accounts and remote desktop protocol should be disabled if it is not required. If RDP is required, it should be configured to only allow connection through a VPN.
You should also ensure that all software, including browsers, browser extensions and plugins, and operating systems are kept patched and fully up to date.
There has been a marked rise in HTTPS phishing website detections, phishing attacks are increasing, and the threat of phishing attacks is greater than ever before.
Phishing is the biggest cyber threat that businesses must now deal with. It is the easiest way for cybercriminals to gain access to email accounts for business email compromise scams, steal credentials, and install malware.
The Threat from Phishing is Getting Worse
The Anti-Phishing Working Group – an international coalition of government agencies, law enforcement, trade associations, and security companies – recently published its phishing trends activity report for Q1, 2018. The report shows that the threat from phishing is greater than ever, with more phishing websites detected in March 2018 than at any point in the past year.
In the first half of 2017, there was an average of 48,516 phishing websites detected each month. The figure rose to 79,464 phishing websites detected on average per month in the second half of the year. In the first quarter of 2018, there was an average of 87,568 phishing websites detected, with detections peaking in March when more than 115,000 phishing sites were identified.
The number of unique phishing reports received in Q1, 2018 (262,704) was 12.45% higher than in the final quarter of 2017.
Healthcare Industry Heavily Targeted
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health insurers, healthcare clearinghouses and business associates of HIPAA-covered entities to report breaches of protected health information within 60 days of the discovery of the breach. The main enforcer of HIPAA compliance, the Department of Health and Human Services’ Office for Civil Rights (OCR), publishes summaries of those breach reports. Those summaries show just how serious the threat from phishing is.
HIPAA-covered entities and business associates have reported 45 email hacking incidents in 2018 – 21.68% of all breaches reported.
Phishers Make the Move to HTTPS
PhishLabs, an anti-phishing vendor that provides a security awareness training and phishing simulation platform, has been tracking HTTPS phishing websites. The company has recently released figures showing there has been a sharp increase in HTTPS phishing websites in the past few months with HTTPS and SSL certificates now popular with phishers.
As businesses make the switch to HTTPS, the phishers have followed. In the final quarter of 2015, a little over 1% of all phishing websites were hosted on HTTPS. By the final quarter of 2016, the percentage had increased to a shade under 5%. By the end of the final quarter of 2017, 31% of phishing sites used HTTPS. The Q1, 2018 figures show HTTPS phishing websites now account for a third of all phishing websites.
HTTPS websites ensure the connection between the browser and the website is encrypted. This offers greater protection for website visitors as information entered on the site – such as credit card numbers – is secure and protected from eavesdropping. However, if the site is controlled by a cybercriminal, HTTPS offers no protection.
The Importance of SSL Inspection
Protecting against phishing attacks and malware downloads via HTTPS websites requires the use of a web filtering solution that performs SSL inspection. If a standard web filtering solution is used that is unable to inspect HTTPS websites, it will not protect employees from visiting malicious websites.
It is certainly possible to block users from accessing all HTTPS websites, which solves the problem of SSL inspection, but with more websites now using HTTPS, many valuable internet resources and essential websites for business could not be accessed.
While many businesses may be reluctant to implement SSL filtering due to the strain it can place on CPUs and the potential for slowing internet speed, TitanHQ has a solution. WebTitan includes HTTPS content filtering as standard to ensure businesses are protected from HTTPS phishing websites and other online threats while ensuring internet speeds are not adversely affected.
You can find out more about how you can protect your business from phishing websites by contacting the TitanHQ sales team and asking about WebTitan.
Exploit kit activity may not be at the level it one was, but the threat has not gone away. Rig exploit kit activity has increased steadily in 2018 and now a new exploit kit has been detected.
The exploit kit has been named underminer by Trend Micro researchers, who detected it in July 2018. The Underminer exploit kit is being used to spread bootklits which deliver coinminer malware. The EK is primarily being used in attacks in Japan, although other East Asian countries have also seen attacks with activity now spreading beyond this region.
The underminer exploit kit was also detected by Malwarebytes researchers who note that the exploitation framework was first identified by the Chinese cybersecurity firm Qihoo360 in late 2017, when it was being used to deliver adware. Now the exploit kit is being used to deliver Hidden Bee (Hidden Mellifera) cryptocurrency mining malware. Trend Micro notes that evidence has been uncovered that strongly suggests the exploit kit was developed by the developers of Hidden Mellifera coinminer malware.
The exploit kit uses complex methods to deliver the payload with different methods used for different exploits. The developers have also incorporated several controls to hide malicious activity including the obfuscation of exploits and landing pages and the use of encryption to package exploits on-the-fly.
The EK profiles the user via a user-agent to determine if the user is of interest. If not, the user will be directed to a HTTP 404 error page. If a user is of interest, a browser cookie will be used to identify that user to ensure that the payload will only be delivered once, preventing reinfection and hampering efforts by researchers to reproduce an attack. URLs used in the attacks are also randomized to prevent detection by standard AV solutions. The coinminer is delivered via a bootkit which is downloaded through encrypted TCP tunnels.
The underminer exploit kit contains a limited number of exploits: The Adobe Flash Player exploit CVE-2018-4878, the use-after-free Adobe Flash Player vulnerability CVE-2015-5119, and the Internet Explorer memory corruption vulnerability CVE-2016-0189. Patches for all of the vulnerabilities were released in February 2018, July 2015, and May 2016 respectively.
The best defense against exploit kit attacks is prompt patching. All systems and applications should be kept 100% up to date, with virtual patching deployed on legacy systems and networks. Since there will always be a delay between the identification of a vulnerability and a patch being released, patching alone may not be sufficient to prevent all attacks, although EK developers tend to use old vulnerabilities rather than zero days.
In addition to prompt patching, cybersecurity solutions should be deployed to further reduce risk, such as a web filtering solution (WebTitan) to block users from visiting malicious websites and redirects through malvertising. In this case, one of the main ways that users are directed to the exploit kit is via adult-themed malvertising on legitimate adult websites. Using the web filter to block access to adult sites will reduce exposure.
Cybersecurity solutions should also be deployed to scan for malware installations and monitor for unusual activity and standard cybersecurity best practices should also be employed… the principle of least privilege and removing unused or unnecessary applications, plugins, and browser extensions.
The fact that a new exploit kit has been developed, and that it was recently updated with a new exploit, shows that the threat of web-based attacks has not gone away. EK activity may be at a fraction of the level of 2016, but businesses should not assume that attacks will not take place and should implement appropriate defenses to mitigate the threat.
The biggest cybersecurity risk for businesses in the United States is employee negligence, according to a recent Shred-It survey of 1,000 small business owners and C-suite executives.
The findings of the survey, detailed in its North America State of the Industry Report, show the biggest cybersecurity risk for businesses is human error such as the accidental loss of data or devices containing sensitive company information.
84% of C-Suite executives and 51% of small business owners said employee negligence was the biggest cybersecurity risk for their business. 42% of small business owners and 47% of C-suite executives said employee negligence was the leading cause of cybersecurity breaches.
Employees are the Biggest Cybersecurity Risk for Businesses in the United States
Employees often cut corners in order to get more done in their working day and take considerable security risks. Even though laptop computers can contain highly sensitive information and allow an unauthorized individual to gain access to a work network, around a quarter of U.S employees leave their computer unlocked and unattended. Documents containing sensitive information are often left unattended in full view of individuals who are not authorized to view the information.
The risks taken by employees are greater when working remotely, such as in coffee shops or at home. 86% of executives and SBOs said remote workers were much more likely to cause data breaches.
88% of C-suite executives and 48% of small business owners said they have implemented flexible working models that allow their employees to spend at least some of the week working off site. A survey conducted on behalf of the Switzerland-based serviced office provider IWG suggests that globally, 70% of workers spend at least one day a week working remotely, while 53% work remotely for at least half of the week.
Adoption of these flexible working practices is increasing, although cybersecurity policies are not being implemented that specifically cover remote workers. Even though a high percentage of workers are spending at least some of the week working remotely, the Shred-It survey shows that more than half of SMBs do not have policies in place for remote workers.
One of the most important ways that business owners and executives can improve their cybersecurity posture is through employee training, especially for remote workers. The provision of security awareness training will help to ensure that workers are aware of the organization’s policies and procedures and are taught security best practices.
However, the survey suggests training is often inadequate or in some cases nonexistent. 78% of surveyed C-suite executives and small business owners said they only provided information security training on policies and procedures once a year. Considering the risk, training needs to be far more frequent. Employees cannot be expected to retain all the information provided in a training session for the entire year. Training should cover the use of strong passwords, locking devices when they are not in use, never leaving portable devices unattended in public areas, safe disposable of electronic and physician data, and Wi-Fi security. Refresher training should be provided at least every six months.
Policies and procedures need to be developed specifically for remote workers, which cover the practices which must be adopted when working outside the office. With so many workers now spending more time working off-site, the probability of portable electronic devices being lost or stolen is greatly increased.
Businesses must ensure they maintain an accurate inventory of all devices used to access their network and implement appropriate security measures to ensure the loss or theft of those devices does not result in a data breach.
Increased use of insecure WiFi networks poses a major problem, greatly increasing the chance of a malware or ransomware download. Appropriate technologies should be implemented to protect remote workers’ devices from malicious software. TitanHQ can help in this regard.
WebTitan Cloud, TitanHQ’s 100% cloud-based web filtering solution can block malware and ransomware downloads and carefully control the websites that remote workers can access on their company-issued and BYOD devices, regardless of where the individual is located: on or off-site.
For more information on WebTitan and how it can protect your remote workers and improve your security posture, contact the TitanHQ team today for further information.
The RIG exploit kit, used on compromised and malicious websites to silently download malware, has been upgraded with a new exploit. Windows Double Kill exploit code has been added to exploit the CVE-2018-8174 vulnerability – a remote code execution vulnerability that was addressed by Microsoft on May 2018 Patch Tuesday.
To protect against exploitation of this vulnerability, Windows users should ensure they have applied the latest round of patches, although many businesses have been slow to update their Windows devices, leaving them vulnerable to attack.
The vulnerability is in the VBScript engine and how it handles objects in the memory. If the vulnerability is exploited, attackers would gain the same level of privileges as the current user, could reallocate memory, gain read/write access, and potentially remotely execute code on a vulnerable device. The vulnerability has been named ‘Double Kill’ and affects all Windows versions.
The Windows Double Kill vulnerability was being actively exploited in the wild when Microsoft released the update on Patch Tuesday. Initially, exploitation of the vulnerability was achieved through phishing campaigns using RTF documents containing a malicious OLE object. If activated, an HTML page was downloaded and rendered through an Internet Explorer library and the VBScript flaw was exploited to download a malicious payload. The attack could also be conducted via a malicious website. In the case of the latter, it does not matter what browser the user has set as default – on unpatched systems the IE exploit could still work.
The Windows Double Kill exploit code was posted online this week and it didn’t take long for it to be incorporated into the RIG exploit kit. End users could be directed to the RIG exploit kit through phishing campaigns, malvertising, web redirects, or potentially could visit malicious sites through general web browsing. In addition to the Windows Double Kill exploit, the RIG exploit kit contains many other exploits for a wide range of vulnerabilities. Any individual that lands on a URL with the kit installed could be vulnerable even if the latest Windows patch has already been applied.
The threat from email-based attacks is also likely to grow. The Double Kill exploit code has also been incorporated into the ThreadKit exploit builder, which is used to create malicious Office documents for use in phishing attacks.
Protecting systems against these types of attacks requires prompt patching, although many organizations are slow to apply updates out of fear of compatibility problems, which could cause performance issues. Consequently, prior to applying patches they need to be fully tested and that can take time. During that time, organizations will be vulnerable to attack.
A web filter – such as WebTitan – provides an additional level of protection while patches are assessed for compatibility. WebTitan provides protection against exploit kits and malware downloads by preventing end users from visiting known malicious sites, either through general web browsing, redirects, or via hyperlinks contacted in phishing emails.
There have been significant developments relating to exploit kits in the past few days. The threat actors behind the Magnitude exploit kit have now changed their malicious payload, and the EITest malware distribution network that directed traffic to exploit kits has finally been sinkholed.
Magnitude Exploit Kit Switches to GandCrab Ransomware Delivery
Exploit kit activity is at a fraction of the level of 2015 and 2016, and in 2017 there was a 62% reduction in the development of exploit kits according to research from Recorded Future.
However, exploit kit activity has not fallen to zero and the malicious code is still widely used to deliver malware and ransomware underscoring the continued need for technologies to block these attacks such as web filtering solutions and the continued need to keep on top of patching.
Exploit kits often leverage vulnerabilities in Java and Adobe Flash, although more recently it has been Microsoft vulnerabilities that have been exploited due to the fall in Java vulnerabilities and the phasing out of Adobe Flash.
One exploit kit that is still being used in extensive attacks, albeit attacks that are highly geographically targeted, is the Magnitude exploit kit.
For the past seven months, the Magnitude exploit kit has been delivering the Magniber ransomware payload almost exclusively in South Korea. However, there has been a notable change in the past few days with it also being used to distribute GandCrab ransomware, with the latter not restricted geographically and capable of infecting English language Windows devices.
While early variants of GandCrab ransomware were cracked and free recovery of files was possible, there is no known decryptor for the current version of GandCrab ransomware being distributed via Magnitude. While Adobe Flash and Microsoft exploits were commonly used, Magnitude is now using a fileless technique to load the ransomware. This technique makes it much harder to detect.
According to Malwarebytes, “The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriplet that is later decoded in memory and executed.” Once run, the payload is injected into explorer.exe, files are encrypted, and the infected device is rebooted.
EITest Malware Distribution Network Disrupted
There has been some major good news on the exploit kit front this week with the announcement that the EITest malware distribution network has finally been sinkholed. EITest has been active since at least 2011 and has been used to distribute all manner of malware over the years.
EITest was a major distribution network responsible for countless Kronos, Ramnit, DarkCloud and Gootkit infections, although more recently was used to deliver ransomware variants such as CryptXXX and Cerber and send users to sites running social engineering and tech support scams.
Prior to being sinkholed, EITest was redirecting as many as 2 million users a day to a network of more than 52,000 compromised websites that had been loaded with exploit kit code and social engineering scams. Most of the compromised sites were WordPress sites based in the USA, China, and Ukraine.
The threat actors behind EITest were selling traffic to other actors in blocks of between 50,000 and 70,000 visitors at a cost of $20 per thousand.
Over a 20-day period since EITest was sinkholed, more than 44 million users were directed to the sinkhole rather than malicious websites.
Now all redirects to malicious websites have stopped. The compromised websites remain active, but rather than redirecting users to malicious domains they are directing traffic to benign domains controlled by abuse.ch and brilliantit.com.
Web-based malware attacks via exploit kits were commonplace in 2016, although in 2017 this mode of attack fell out of favor with cybercriminals, who concentrated on spam email to deliver their malicious payloads. Exploit kit activity is now at a fraction of the level of 2016, although 2017 did see an increase in activity using the Rig and Terror exploit kits.
Now, a recent discovery by Proofpoint could see exploit kit activity start to increase once again. A new traffic distribution system is being offered on darknet marketplaces that helps cybercriminals direct users to sites hosting exploit kits and conduct web-based malware attacks.
Traffic distribution systems – also known as TDS – buy and sell web traffic and are used to direct web users from one website to another. When a user clicks on a link that is part of a TDS system, they are directed to a website without their knowledge – a website that could host an exploit kit and trigger a malware download.
The new TDS – known as BlackTDS – requires threat actors to direct traffic to the service, which then filters that traffic and directs individuals to exploit kits based on their profile data. The service maximizes the probability of the exploit kit being able to download malware onto their device. The service can also be used to determine which malware will be downloaded, based on the profile of the user.
Threat actors that sign up to use the service can inexpensively select the exploit kits and malware they want installed with all aspects of the malware distribution service handled by the developers of BlackTDS. The developers also claim their cloud-based TDS includes fresh HTTPS domains that have not been blacklisted and that it is difficult for their cloudTDS to be detected by security researchers and sandboxes.
Using spam campaigns and malvertising, threat actors can direct traffic to BlackTDS with all aspects of drive-by downloads handled by the developers. Campaigns being run using BlackTDS have been directing users to the RIG-v, Sundown, and Blackhole exploit kits which are used to download a wide range of keyloggers, ransomware, and other malware variants.
The provision of this malicious service makes it cheap and easy for threat actors to take advantage of web-based malware distribution rather than relying on spam email to spread malicious software. It also makes it clear that exploit kits are still a threat and that web-based malware attacks are likely to become more of a problem over the coming months.
To find out more about how you can protect your business from exploit kits and web-based malware attacks, contact the TitanHQ team today and ask about WebTitan.
Today has seen the announcement of a new partnership between TitanHQ – the leading provider of email and web filtering solutions for MSPs – and the international consulting, coaching, and peer group organization HTG. The announcement was made at the Q1 HTG Peer Groups meeting at the Pointe Hilton Squaw Peak Resort, Phoenix, Arizona.
The partnership sees TitanHQ’s web filtering solution – WebTitan; its cloud-based anti-spam service – SpamTitan; and its email archiving solution – ArcTitan made immediately available to the HTG community.
TitanHQ has developed innovative cybersecurity solutions specifically for managed service providers to help them provide even greater protection to their clients from the ever-increasing volume of email and Internet-based threats. The multiple award-winning solutions have now been adopted by more than 7,500 businesses and 1,500 MSPs, helping to protect them from malware, ransomware, viruses, phishing, botnets, and other cyber threats.
HTG is a leading peer group association that was recently acquired by the global technology giant ConnectWise. HTG helps businesses plan and execute strategies to drive forward growth and increase profits. Its consultants and facilitators share wisdom, provide accountability, and build meaningful relationships with businesses to help them succeed in today’s highly competitive marketplace.
The new partnership will see TitanHQ join HTG Peer Groups as a Gold vendor, making the firm’s MSP-friendly cybersecurity solutions immediately available to the HTG community.
“We’re delighted to welcome TitanHQ on board for 2018. As soon as the initial discussion started we knew they would make a great match for our community, as web security is a key area for our members in 2018,” said HTG Peer Groups founder, Arlin Sorensen.
HTG Peer Groups Founder Arlin Sorensen (Left); TitanHQ CEO Conor Madden (Right)
“WebTitan web filter was built by MSP’s for MSP’s and this exciting relationship with HTG Peer Groups is a continuation of that process. It allows us to listen to the opportunities and difficulties faced by MSP senior executives while also allowing us to share how we became a successful web security vendor. Our goal is to successfully engage with HTG members to build strong and long-lasting relationships,” said TitanHQ CEO, Conor Madden.
Web security is a hot topic within the managed service provider community. MSPs are being called upon to improve web security for their clients and protect against a barrage of phishing, malware, and ransomware attacks. They are also called upon to mitigate malware and ransomware attacks when they are experienced by their clients, which can be time-consuming and costly. By implementing WebTitan, TitanHQ’s award-winning web filtering solution, MSPs can substantially reduce support and engineering costs.
WebTitan serves as a barrier between end users and the Internet, blocking attempts by users to visit malicious websites where malware and ransomware is silently downloaded. WebTitan is also a powerful content filtering solution that can be used to enforce organizations’ acceptable Internet usage policies.
The web filtering solution and TitanHQ’s anti-spam solution SpamTitan have been developed specifically with MSPs in mind. The solutions can be applied and configured in under 30 minutes without the need for additional hardware purchases, software downloads, or site visits. The solutions have a low management overhead which means MSPs can protect their clients from email and web-based threats, reduce the hands-on time they need to spend on their clients and provide greater value while improving their bottom lines.
According to Kaspersky Lab, one of the most dangerous threats to mobile users is Skygofree malware – A recently discovered Android malware threat that has been described as the most powerful Android malware variant ever seen.
Skygofree malware has only recently been detected, but it is the product of some serious development. Kaspersky Lab believes it has been in development for more than three years. The result is a particularly nasty threat that all users of Android devices should take care to avoid. Once it is installed on a device, it has access to a considerable amount of data. It also has some rather impressive capabilities, being capable of 48 different commands.
Among its arsenal is the ability to take control of the camera and snap pictures and take videos without the knowledge of the user. It has access to geolocation data so is capable of tracking your every move. Where you go, as well as where you have been.
Skygofree malware will steal call records and discover who you have spoken to and when and will read your text messages. The malware can also record conversations and background noise, both for telephone calls and when the user enters a specific location – based on geolocation data – that has been set by the attacker.
Whenever you are in range of a WiFi network that is controlled by the attacker, the device will automatically connect, even if WiFi is turned off. It also has access to all information in the phone’s memory, can check your calendar to tell what you have planned, and intercept WiFi traffic.
You also cannot privately communicate using WhatsApp with Skygofree malware installed. It abuses the Android Accessibility Service and can view your messages. Skype conversations are similarly not secure. As if that was not enough, the malware also serves as a keylogger, recording all data entered on the device.
With such an extensive range of functions, this powerful new malware variant is clearly not the work of an amateur. It is believed to be the product of an Italian intercept and surveillance company called Negg, that is known to work with law enforcement agencies.
Kaspersky Lab researcher Alexey Firsh said, “Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam.”
Skygofree malware is spread via malicious websites that closely resemble those of mobile carriers. Several mobile carriers including Vodaphone have been spoofed.
Protecting against malware threats such as this is difficult. The best defense is to be extremely careful browsing the internet. However, with malicious adverts able to redirect users to malicious sites, careful browsing is no guarantee of safety.
How to Protect Your WiFi Network and Block Malicious Websites
WebTitan for WiFi offers protection from malware when users connect to your WiFi network. WebTitan for WiFi is a powerful web filtering solution that can be used to restrict access to a predefined list of websites or configured to prevent users from visiting categories of websites known to carry a high risk of containing malware. Blacklists are also used to ensure known phishing and malware-laced websites, including those used to spread Android malware, cannot be accessed via your WiFi network.
To find out more about WebTitan for WiFi, and web filtering solutions for your wired networks, contact the TitanHQ today.
Loapi malware is a new Android malware variant that is capable of causing permanent damage to Android smartphones.
The new malware variant was recently discovered by researchers at Kaspersky Lab. In contrast to many new malware variants that operate silently and remain on the device indefinitely, Loapi malware infections can be short-lived. Kaspersky performed a test on an Android phone and discovered that within two days the phone had been destroyed.
The aim of the malware is not sabotage. Destruction of the device is just collateral damage that results from the intense activity of the malware. Loapi malware performs a wide range of malicious functions simultaneously, including some processor-intensive activities that cause the device to overheat, causing irreparable damage.
In the test, over the two days, the constant activity caused the device to overheat and the battery to bulge; deforming the device and its cover.
The researchers said Loapi malware is likely no other malware variant they have seen, and the researchers have seen plenty. Loapi malware was called a ‘jack of all trades’ due to its extensive capabilities. The malware is used to mine the cryptocurrency Monero, a processor-intensive process. The malware uses processing power of infected devices to create new coins. While the mining process is less intensive than for Bitcoin, it still takes its toll.
Additionally, the malware allows infected devices to be used in DDoS attacks, making constant visits to websites to take down online services. The malware is used to spam advertisements, and bombards the user with banners and videos
The malware will silently subscribe to online services, and if they require text message confirmation, that is also handled by the malware. The malware gains access to SMS messages and can send text messages to any number, including premium services. Text messages are used to communicate with its C2 server. Messages are subsequently deleted by the malware to prevent detection by the user, along with any text message confirmations of subscriptions to online services. Kaspersky Lab researchers note that the malware attempted to access more than 28,000 URLs in the two days of the test.
Any apps that are installed on the device that could potentially affect the functioning of the malware are flagged with a false warning that the app contains malware, telling the user to uninstall them. The user will be bombarded with these messages until the app is uninstalled, while other security controls prevent the user from uninstalling the malware or deactivating its admin privileges.
There is little the malware cannot do. The researchers point out that the only function that Loapi does not perform is spying on the user, but since the modular malware can be easily updated, that function could even be added.
While conclusive proof has not been obtained, Kaspersky Lab strongly suspects the malware is the work of the same cybercriminal operation that was behind Podec malware.
So how is Loapi malware distributed? Kaspersky notes that as is common with other Android malware variants, it is being distributed by fake apps on third-party app stores, most commonly disguised as anti-virus apps. A fake app for a popular porn website has also been used. Additionally, fake adverts have been detected that promote these fake apps, with more than 20 separate locations discovered to be pushing the malware.
The malware has not yet been added to the Google Play store, so infections can be prevented by always using official app stores.
Kaspersky Lab has named ransomware as one of the key threats of 2017, and one that continues to plague businesses the world over. Ransomware attacks in 2017 are down year on year, but ransomware attacks on businesses are up.
Ransomware attacks in 2016 were bad, but this year there have been three major attacks that have gone global – WannaCry in May, NotPetya in June, and most recently, the Bad Rabbit attacks in October. Many of the ransomware attacks in 2017 have been far more sophisticated than in 2015 and 2016, while attackers are now using a wider variety of tactics to install the malicious code.
At the start of 2016, ransomware was primarily being installed using exploit kits, before attackers switched to spam email as the main method of delivery. Spam email remains one of the most common ways for ransomware to be installed, although each of the above three attacks used exploits for unpatched vulnerabilities.
Those exploits had been leaked online by the hacking group Shadow Brokers, all of which had been developed and used by the NSA. While not severe as WannaCry, NotPetya and BadRabbit, exploits were also used by AES-NI and Uiwix ransomware variants. Threat actors are also using remote desktop protocol to gain access to systems to install ransomware, while the use of exploit kits is once again on the rise.
There has been a noticeable change in targets since 2015 when ransomware started to be favored by cybercriminals. Consumers were the main targets, although cybercriminals soon realized there was more to be made from attacking businesses. In 2016, 22.6% of ransomware attacks were on business users. The Kaspersky Lab report shows that ransomware attacks on businesses are becoming far more common, accounting for 26.2% of all attacks in 2017.
Out of the businesses that experienced a ransomware attack in 2017, 65% said they lost access to a significant amount of data, and in some cases, all of their data. Some businesses have prepared for the worst and have developed ransomware response plans and now have multiple copies of backups, with at least one copy on an unnetworked device. In the event of an attack, data can be recovered.
Others have not been so fortunate and have been left with no alternative other than to pay the ransom demand. As we saw with NotPetya, and many other ransomware and pseudo-ransomware variants, it is not always possible to recover data. The Kaspersky Lab report shows that one in six businesses that paid the ransom demand were unable to recover their data, creating massive business disruption and also potentially privacy and compliance fines. Keys to unlock the encryption were not provided or simply did not work.
There is some good news in the report. Ransomware attacks in 2017 affected 950,000 unique users, which is a considerable reduction from last year when 1.5 million users suffered a ransomware attack. This has been attributed not to a reduction in attacks, but better detection.
Kaspersky reports that the explosion in ransomware families in 2016 did not continue at the same level in 2017. Last year, 62 new families of ransomware were discovered. While there is still a month left of the year, to date, the number of new ransomware families in 2017 has fallen to 38.
While this appears to be good news, it is not an indication that the threat from ransomware is reducing. Kaspersky Lab notes that while the creation of new ransomware families halved in 2017, in 2016 there were 54,000 modifications made to existing ransomware variants, but this year there have been 96,000 modifications detected – Almost double the number of modifications last year. Rather than develop new ransomware families, cybercriminals are tweaking existing ransomware variants.
Kaspersky Lab, McAfee, and a host of security experts predict ransomware attacks will continue to plague businesses in 2018. As long as the attacks remain profitable they will continue, although Kaspersky Lab notes that 2018 is likely to see efforts switch to cryptocurrency miners, which can prove more profitable than ransomware in the long run. Even so, ransomware attacks are likely to continue for the foreseeable future.
To prevent the attacks, businesses need to implement a host of defenses to block and detect ransomware. Anti spam software can be deployed to prevent email-based attacks, web filters can be used to block access to websites hosting exploit kits and prevent drive -by downloads, and endpoint protection systems and network monitoring can detect changes made by ransomware and alert businesses to ransomware attacks in progress. Along with good backup policies and end user training, the threat from ransomware can be reduced to an acceptable level and the majority of attacks can be blocked.
A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via remote desktop protocol brute force attacks.
The LockCrypt ransomware attacks were first detected in June this year, but over the past few months the number of attacks has increased significantly, with October seeing the highest number of attacks so far this year.
LockCrypt ransomware is a relatively new malware variant, having first been seen in June 2017. Once infected, users will be unable to access their files. This ransomware variant uses RSA-2048 and AES-256 cryptopgraphy, which makes it virtually impossible to recover files without paying the ransom demand if a viable backup does not exist. To make recovery more difficult, LockCrypt ransomware also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension.
The ransom payment for this campaign is considerable – typically between 0.5 and 1 Bitcoin per encrypted server. That’s between $3,963 and $7,925 per compromised server; however, since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed, it can be used to access multiple servers and deploy LockCrypt ransomware. One of the Bitcoin addresses used by the attackers shows one company paid a ransom of $19,000 to recover files on three of its servers.
Once access to a server is gained, ransomware is deployed; however, the attackers are manually interacting with compromised servers. AlientVault security researcher, Chris Doman, reported that for one company, in addition to deploying ransomware, the attackers “manually killed business critical processes for maximum damage.” All non-core processes on an infected server are killed.
The attacks do not appear to be targeted, instead they are randomly conducted on business servers. Businesses that are most likely to have ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password, this plays into the hands of attackers.
Other security controls such as two-factor authentication can reduce the risk from this type of attack, as can rate limiting to prevent the number of failed attempts a user can make before their IP address is temporarily – or permanently – blocked.
An additional control that system administrators can apply is to white-list certain IP addresses to restrict RDP access to authorized individuals. If that is not practical, disallowing RDP connections over the Internet from abroad can help to prevent these attacks.
While implementing controls to prevent RDP brute force attacks is vital, most ransomware variants are spread via spam email, and to a lesser extent via exploit kits and drive-by downloads. Comprehensive security defenses must therefore be deployed to reduce the risk of ransomware attacks.
These should include an advanced spam filtering solution to prevent malicious emails from being delivered, web filters to block malicious websites and drive-by downloads, end user training to raise awareness of the threat from ransomware and other forms of malware, and network monitoring technology to identify unusual server and endpoint activity.
Network activity monitoring will not prevent ransomware attacks, but it will help IT teams respond quickly and halt the spread of ransomware to other vulnerable servers and end points.
The Magnitude exploit kit is being used to deliver a new malware variant – Magniber ransomware. While the Magnitude EK has been used in attacks throughout the Asia Pacific region, the latest attacks are solely taking place in South Korea.
Ransomware and malware attacks in Europe and the Americas are primarily conducted via spam email. Exploit kits having fallen out of favor with cybercriminals over the past year. However, that is not the case in the Asia Pacific region, where exploit kit attacks are still common.
An exploit kit is a website toolkit that scans visitors’ browsers for exploitable vulnerabilities. When a vulnerability is identified, it is exploited to download malware onto the user’s system. The download occurs silently and in the case of a ransomware attack, the user is only likely to discover the attack when their files have been encrypted.
Magniber ransomware takes its name from the Magnitude EK and Cerber ransomware, the ransomware variant that it has replaced. At present, Magniber ransomware is solely targeting users in South Korea. If the operating system is not in Korean, the ransomware will not execute. While it is not unusual for ransomware campaigns to involve some targeting, it is rare for attacks to be targeted on a specific country.
Up until recently, the Magnitude exploit kit was being used to download Cerber ransomware. FireEye reports that those attacks were concentrated in the Asia Pacific region. 53% of attacks occurred in South Korea, followed by the USA (12%), Hong Kong (10%), Taiwan (10%), Japan (9%), and Malaysia (5%). Small numbers of attacks also occurred in Singapore and the Philippines. At the end of September, Magnitude EK activity fell to zero, but on October 15, the payload was updated and attacks were solely conducted in South Korea.
To avoid analysis, Magniber ransomware checks whether it is running in a virtual environment. A check is also performed to identify the system language. If the system language is Korean, data is encrypted with AES128 and encrypted files are given the .ihsdj extension. After encryption, the ransomware deletes itself. If the system language is not Korean, the ransomware exists.
At present, the Magnitude Exploit Kit has been loaded with a single exploit for CVE-2016-0189 – A memory corruption vulnerability in Internet Explorer. A patch for the vulnerability was released last year. FireEye believes the ransomware is still under development and its capabilities will be enhanced and finetuned.
To prevent attacks, it is important to ensure systems are fully patched. Businesses should make sure all network nodes are updated and are fully patched. A web filtering solution should also be used as an additional protection against this and other exploit kit attacks.