Cybersecurity News

Keeping up to date with cybersecurity news helps organizations protect themselves from online threats such as malware downloads and phishing campaigns. By being aware of the types of threats that exist, how they operate, and what damage they can do, organizations can take precautions against them, educate employees about online security, and strengthen their defenses.

The most effective way of preventing attacks by cybercriminals is to stop Internet users from receiving emails containing phishing links or visiting websites that harbor malware. This can be achieved with an email filter and an Internet content filter, both of which have mechanisms in place to protect organizations and keep them out of future editions of our cybersecurity news section.

QBot Malware Distributed via SVG Files and Hijacked Message Threads

A phishing campaign has been detected that is being used to deliver QBot malware, one of the oldest malware families still in use. QBot has been around since at least 2009 and is known by many different names, including QakBot, QuackBot and Pinkslipbot. One of the primary functions of the malware is to steal passwords, although the latest variants also serve as a backdoor into victims’ systems. As with many other Trojans, the group operating QBot works as an initial access broker: once it has achieved its own aims on a compromised network, access to the compromised devices is sold to ransomware gangs.

The threat actors behind QBot malware have previously worked with the operators of the Emotet botnet, and used the Emotet malware for delivering QBot; however, the law enforcement takedown of the Emotet botnet in January 2021 forced the group to switch attack vectors, and since then QBot malware has been primarily distributed using phishing emails. Now the group has been observed using a new tactic in its phishing campaigns that use Scalable Vector Graphics (SVG) files.

SVG is a web-friendly, XML-based vector image format that has become popular because it supports interactivity and animation. That interactivity is what makes SVG files a good choice for malware distribution: an SVG file can contain HTML-style markup, including a <script> element, and a browser executes the JavaScript in that element when it renders the image. In this case, the JavaScript is malicious. The phishing campaign uses emails with an HTML attachment that loads an SVG image inside an <embed> or <iframe> tag; the image is displayed, but the JavaScript it contains is also executed.

In this campaign, the JavaScript inside the SVG assembles the malware directly on the user’s device, a technique known as HTML smuggling, rather than downloading it from the Internet, which would risk detection by security solutions. The malware is packaged in a password-protected ZIP file, so antivirus solutions cannot scan its content, and the password is given to the user in the HTML. The user is told that if the file does not display correctly, they should open the downloaded file; doing so triggers the installation of QBot, bypassing traditional network defenses.
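The smuggling pattern described above is simple enough to check for at the mail gateway. The following Python is an added example, not code from the original article, from Cisco Talos or from TitanHQ: it flags HTML attachments that embed an SVG through <embed>, <iframe> or <object>, and parses SVG attachments to report <script> elements, event-handler attributes and the atob/Blob calls that turn an embedded byte string into a download. The sample attachments inside the block are constructed for the demonstration and carry no real payload.

```python
"""Gateway check for HTML-smuggled SVG attachments.

Added example; this is not code from the original article, from Cisco Talos or
from TitanHQ. It inspects an HTML attachment for embedded SVG images and an SVG
document for script-bearing constructs. Every attachment string below is
constructed for the demonstration and carries no real payload.
"""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# <embed>/<iframe>/<object> whose src/data points at SVG, either by file name or
# by an inline data: URI (the smuggling case, where the image travels inside the HTML)
_SVG_EMBED = re.compile(
    r"<(?:embed|iframe|object)\b[^>]*?(?:src|data)\s*=\s*['\"]([^'\"]*)['\"]",
    re.IGNORECASE | re.DOTALL,
)
# Calls that turn an in-page byte string into a downloaded file
_SCRIPT_INDICATORS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob", ".download")


def html_embeds_svg(html: str) -> list[str]:
    """Return the src/data targets in the HTML that reference SVG content."""
    hits = []
    for target in _SVG_EMBED.findall(html):
        t = target.strip().lower()
        if t.endswith(".svg") or t.startswith("data:image/svg+xml"):
            hits.append(target)
    return hits


def svg_findings(svg_text: str) -> list[str]:
    """Parse an SVG document and list the constructs that can execute code."""
    findings = []
    try:
        # For untrusted input in production, parse with defusedxml to avoid entity-expansion attacks.
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc})"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()            # drop the XML namespace
        if tag == "script":
            findings.append("<script> element")
            body = "".join(el.itertext())
            for ind in _SCRIPT_INDICATORS:
                if ind in body:
                    findings.append(f"script uses {ind}")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can carry HTML)")
        for attr, value in el.attrib.items():
            a = attr.split("}")[-1].lower()
            if a.startswith("on"):                    # onload=, onclick=, ...
                findings.append(f"{a}= handler on <{tag}>")
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
    return findings


def triage_attachment(filename: str, content: str) -> str:
    """Policy decision: 'quarantine' when smuggling or script indicators are present."""
    name = filename.lower()
    if name.endswith((".html", ".htm")):
        if html_embeds_svg(content) or "<script" in content.lower():
            return "quarantine"
        return "allow"
    if name.endswith(".svg"):
        return "quarantine" if svg_findings(content) else "allow"
    return "allow"


# Constructed samples (not real lures) ---------------------------------------
SAMPLE_HTML = (
    '<html><body><p>Your file is ready. Password: 1234</p>'
    '<embed src="data:image/svg+xml;base64,AAAA" type="image/svg+xml"></body></html>'
)
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">
  <rect width="200" height="100" fill="#ccc"/>
  <script type="text/javascript">
    var bytes = atob("UEsDBAoA");          // constructed stub, not an archive
    var blob = new Blob([bytes], {type: "application/zip"});
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob); a.download = "document.zip"; a.click();
  </script>
</svg>"""
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    print(triage_attachment("document.html", SAMPLE_HTML), html_embeds_svg(SAMPLE_HTML))
    print(triage_attachment("image.svg", SAMPLE_SVG), svg_findings(SAMPLE_SVG))
    print(triage_attachment("logo.svg", BENIGN_SVG))
```

The check is deliberately narrow: it says nothing about what the script does, only that an image file carries executable content, which is reason enough to quarantine an email attachment. Run the file directly to see the three verdicts.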

One of the ways these campaigns can be identified and avoided is security awareness training that teaches employees the risks of opening files sent via email. A standard tenet of such training has been to tell employees not to open attachments in unsolicited emails or emails from unknown senders. That advice is of limited use, as employees are often required to open unsolicited messages and emails from unknown individuals as part of their jobs, and in this case it would not have helped at all.

QBot, like Emotet, is capable of hijacking email threads on infected devices and inserting its own content into them. In this campaign, a previous email conversation is hijacked, a short message is inserted, and the reply is sent. That text is simple yet effective: “Good afternoon, Take a look at the attached file. Thanks.” The email is sent from a genuine account, the sender is known to the recipient, and the message is not unsolicited, as there has been a previous conversation. The only clue that the message is not a genuine reply is the age of the conversation, which in this case was two years old.

It is important to provide security awareness training to the workforce but in order to be effective, the training needs to be ongoing and should include examples of the latest phishing techniques, such as this technique for distributing QBot.

Erbium Malware: Dangerous New Information Stealer Being Distributed via Warez Sites

A new and dangerous malware called Erbium is being advertised on hacking forums and has the potential to become a major threat. Erbium is an information stealer with extensive functionality, offered under the malware-as-a-service (MaaS) model.

MaaS provides hackers with an easy way to conduct attacks. The MaaS operators develop their malware and lease it out, usually charging a weekly, monthly, or annual subscription. The MaaS operator provides detailed instructions on how to conduct attacks, which means the malware can be used without having to become a programming expert. In fact, many MaaS operations make conducting attacks incredibly easy, requiring little in the way of technical skill. After signing up to use the malware, it can be operated via the web-based UI, where users can access the data stolen by the malware. Oftentimes, live chat is available to help resolve any issues.

Currently, one of the most popular information stealers available under the MaaS model is the RedLine Stealer, which is a highly capable malware variant that can be purchased or rented under a subscription model. The malware can steal information from browsers such as autocomplete data and saved credentials, steal from FTP and IM clients, and from cryptocurrency wallets. The latest variants allow users to upload and download files. RedLine has proven very popular; however, it is quite expensive.

Erbium malware is disrupting the market, offering broadly the same capabilities as RedLine but for a fraction of the cost. Initially, Erbium malware was being advertised at just $9 per week, although due to the popularity of the malware the price was increased to $100 per month. Even with the increase, the malware is far cheaper than RedLine, and based on user feedback, it is proving very popular with the cybercrime community.

Erbium malware is a work in progress, but it already has extensive capabilities. The malware can steal information from browsers such as saved credentials, cookies, credit card numbers, and autofill information. It can steal from cryptocurrency wallets installed as browser extensions and attempts to steal from a wide range of cold desktop cryptocurrency wallets. The malware can also steal 2FA codes from EOS Authenticator, Authy 2FA, Authenticator 2FA, and Trezor Password Manager, steal Steam and Discord tokens, and take Telegram auth files. The malware profiles the host and exfiltrates data via its API to the command-and-control server. Users can log in to the UI to see the status of infections and access their stolen data.

As is quite common, the malware is distributed via fake software, fake cracks, and cheats for video games, so the best way to prevent infection is not to download these, and to only download software from reputable sources. Businesses can take additional steps to reduce risk, with the best defense being a web filtering solution.

Web filters are fed threat intelligence and incorporate blacklists of known malicious websites, such as sites used for distributing malware. They can also be configured to block access to certain categories of websites, such as warez sites and peer-to-peer file sharing networks, where pirated software, cracks, and product activators are made available.

Web filters allow businesses to enforce their acceptable internet usage policies and block web-based attacks, such as phishing, and malware downloads over the Internet, with WebTitan Cloud one of the easiest web filters to implement and use. WebTitan Cloud takes just a few minutes to set up and configure, and requires no technical skill to operate. Users can gain full visibility into the online activities on the network, including real-time views of Internet access, and can easily block malware downloads and restrict access to risky websites to prevent unauthorized software downloads.

WebTitan Cloud is an award-winning DNS-based web filter that is consistently highly rated on independent business software review sites and allows businesses to easily improve their security posture and reduce legal risk. The full product is available on a free trial, with full product support provided throughout the trial. For more information about web security and content control with WebTitan Cloud, give the TitanHQ team a call today.

Sophisticated DocuSign Phishing Scam Targets Microsoft 365 Credentials

A sophisticated phishing campaign is being conducted to steal Microsoft 365 credentials that bypasses multifactor authentication on accounts. Attacks on Microsoft 365 users are far from uncommon. With so many businesses using Microsoft 365, it is an attractive target for hackers. If they can develop a campaign that bypasses Microsoft’s security controls, huge numbers of businesses can be attacked. Microsoft 365 credentials are valuable. They provide an attacker with access to email accounts, and often other Microsoft products such as SharePoint, OneDrive, and Skype. A successful attack on just one Microsoft 365 user can give the attacker access to huge amounts of sensitive data and provide a foothold in the network for a much more extensive attack.

One of the latest campaigns spoofs DocuSign – a platform used by organizations to manage electronic agreements. The email requests feedback on a document, with the message crafted to look like a genuine email sent through DocuSign. This campaign appears to be a spear phishing attack, which targets executives at businesses. If the link is clicked, the user will be directed to a malicious URL where they are required to log in with their Microsoft 365 credentials. The website appears to be the genuine Microsoft login page, and if credentials are entered, they are captured. The user is then presented with a notice advising them that the authentication has failed and will likely be unaware that credentials have been stolen.

Stealing credentials alone may not be enough to gain access to Microsoft 365 accounts, as multifactor authentication may have been enabled. This is strongly encouraged by Microsoft to prevent stolen credentials from being used by unauthorized individuals to access accounts. To get around this, the campaign uses a reverse proxy in an adversary-in-the-middle attack: the page linked in the email was served by the evilginx2 proxy. When the victim enters credentials on the fake login page, they are relayed to the genuine Microsoft 365 login, and the victim completes the multifactor authentication prompt as normal, unaware that a proxy sits in between. The session cookie issued after the successful login is captured by the proxy and used to assume the identity of the victim. With that cookie, credentials do not need to be re-entered and no further multifactor authentication requests need to be approved.

This technique provides immediate access to the account, but the attackers go a step further to achieve persistent access. They add a secondary authentication app, which allows them to continue to access the account without going through the process again when the session expires or is otherwise revoked. This attack was investigated by Mitiga, which reports that the attackers used the compromised credentials to access SharePoint and Exchange, but they could have accessed other services had the attack not been detected and resolved quickly.

This attack shows that not all forms of multifactor authentication are equal. Had the account been protected by MFA that requires an authorized device to be used to access the account, or by phishing-resistant MFA such as a FIDO2 security key (a YubiKey, for example), the attack could have been thwarted: a security key’s response is bound to the origin of the page the user is on, so a proxy sitting on a different domain cannot complete the login.
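To make the origin-binding point concrete, here is an added example in Python that is not code from the original article, from Mitiga, from Microsoft or from any WebAuthn library. It models the two relying-party checks that defeat a reverse-proxy phish: the browser, not the page, writes the real origin into clientDataJSON, and the authenticator signs a hash of that JSON, so a proxy on another domain can neither present the right origin nor rewrite it afterwards. The domain names are made up, and an HMAC stands in for the authenticator’s ECDSA/RSA signature; a real relying party verifies the signature with the public key registered for the credential.

```python
"""Why FIDO2/WebAuthn defeats a reverse-proxy (evilginx2-style) phish.

Added example; not code from the original article, Mitiga, Microsoft or any
WebAuthn library. Domain names are made up and the HMAC below stands in for
the authenticator's ECDSA/RSA signature (a real relying party verifies it
with the credential's registered public key).
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                       # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"           # assumed genuine login origin
PROXY_ORIGIN = "https://login.example-docs.com"   # assumed attacker proxy host


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class ToyAuthenticator:
    """Stand-in for a security key: signs authenticatorData || SHA-256(clientDataJSON)."""

    def __init__(self) -> None:
        self.key = os.urandom(32)  # placeholder for the credential's private key

    def sign(self, authenticator_data: bytes, client_data_json: bytes) -> bytes:
        to_sign = authenticator_data + hashlib.sha256(client_data_json).digest()
        return hmac.new(self.key, to_sign, hashlib.sha256).digest()


def browser_builds_client_data(page_origin: str, challenge: bytes) -> bytes:
    # The browser fills in 'origin' from the page the user is really on; page
    # scripts (and therefore a proxy's injected JavaScript) cannot override it.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": page_origin}).encode()


def rp_verify(client_data_json: bytes, authenticator_data: bytes, signature: bytes,
              expected_challenge: bytes, authenticator: ToyAuthenticator) -> tuple[bool, str]:
    """Relying-party checks, in the order the WebAuthn specification lists them."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = authenticator.sign(authenticator_data, client_data_json)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin: str, proxy_rewrites_origin: bool = False) -> tuple[bool, str]:
    """Simulate one assertion from a browser sitting on page_origin."""
    authenticator = ToyAuthenticator()
    challenge = os.urandom(32)  # fresh per login; a proxy relays it unchanged
    client_data = browser_builds_client_data(page_origin, challenge)
    # authenticatorData: rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signCount (4 bytes)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    signature = authenticator.sign(auth_data, client_data)
    if proxy_rewrites_origin:
        # A proxy that swaps in the genuine origin invalidates the signed hash.
        client_data = browser_builds_client_data(RP_ORIGIN, challenge)
    return rp_verify(client_data, auth_data, signature, challenge, authenticator)


if __name__ == "__main__":
    print("victim on genuine site:", login_attempt(RP_ORIGIN))
    print("victim on proxy site:  ", login_attempt(PROXY_ORIGIN))
    print("proxy rewrites origin: ", login_attempt(PROXY_ORIGIN, proxy_rewrites_origin=True))
```

In practice the failure happens even earlier: a browser on the proxy’s domain refuses to use a credential whose RP ID is not a registrable suffix of the page origin, so the key never signs anything. The relying-party origin check shown here is the second line of defense. Contrast this with an authenticator app code, which carries no origin and is relayed by the proxy unchanged.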

These attacks can be difficult to identify, although in this case the initial email could have been blocked by DMARC: if the spoofed sending domain publishes a reject policy and the receiving mail server enforces it, messages that fail SPF and DKIM alignment for that domain are rejected rather than delivered. SpamTitan incorporates DMARC controls for email authentication. End user training is also vital. All members of the workforce should be trained on how to recognize the signs of phishing. TitanHQ can assist in this regard through the SafeTitan security awareness and phishing simulation platform.
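The receiver-side decision DMARC asks a mail filter to make is small enough to show in full. The Python below is an added example, not SpamTitan’s implementation: given the sender domain’s published DMARC record and the SPF and DKIM results already computed for a message, it applies DMARC’s identifier-alignment rules and returns the policy action. The record, domains and authentication results are constructed; a real filter fetches the record from the _dmarc.<domain> TXT entry in DNS and uses the Public Suffix List to determine organizational domains.

```python
"""Receiver-side DMARC evaluation.

Added example, not SpamTitan's implementation. The DMARC record, domains and
SPF/DKIM results below are constructed; a real filter fetches the record from
the _dmarc.<domain> TXT entry and uses the Public Suffix List for org domains.
"""
from __future__ import annotations


def parse_dmarc(txt: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> tag dict with RFC 7489 defaults applied."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if (tags.get("v") or "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplified: real code consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_verdict(record: str, from_domain: str,
                  spf_result: str, spf_domain: str,
                  dkim_result: str, dkim_domain: str) -> tuple[str, str]:
    """Return (dmarc_result, action), action being none/quarantine/reject.

    from_domain is the domain in the RFC 5322 From: header; spf_domain is the
    MAIL FROM domain SPF evaluated; dkim_domain is the d= of a signature that
    verified. The record is assumed to be the organizational domain's record.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # A subdomain in From: uses sp= when the owner published it, otherwise p=.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    action = tags["sp"] if (is_subdomain and tags["sp"]) else tags["p"]
    # pct= would sample a percentage of messages; this example applies the policy to all.
    return "fail", action


# Constructed records for the demonstration
BRAND_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"
RELAXED_RECORD = "v=DMARC1; p=quarantine; sp=none"

if __name__ == "__main__":
    # Genuine mail: SPF and DKIM both authenticate the From: domain itself
    print(dmarc_verdict(BRAND_RECORD, "example.com", "pass", "example.com", "pass", "example.com"))
    # Spoof: the phisher's infrastructure passes SPF/DKIM only for its own domain
    print(dmarc_verdict(BRAND_RECORD, "example.com", "pass", "bulk.example-docs.net", "pass", "example-docs.net"))
```

The second call is the case in this story: a lookalike domain can pass SPF and DKIM for itself all day, but neither identifier aligns with the From: domain the victim sees, so a reject policy stops the message. Note that a policy of p=none, which many brands still publish, produces the same "fail" result but no action.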

Bumblebee Loader Fast Becoming the Delivery Vehicle of Choice for Ransomware Gangs

Ransomware gangs gain initial access to business networks using a variety of techniques, and phishing is one of the most common. Phishing is used to obtain credentials, especially for cloud-based services and applications, and phishing emails are often used to deliver malware loaders. Once installed, a loader drops further malicious payloads, ultimately resulting in a network-wide ransomware attack.

A relatively new malware loader – Bumblebee – is now gaining popularity with ransomware gangs and is known to be used by some of the highest profile ransomware operations. According to Symantec, Bumblebee Loader is known to be used by Conti, Quantum, and Mountlocker, and possibly others, and has fast become the ransomware delivery vehicle of choice.

The Bumblebee loader is primarily delivered via phishing emails and is used to create a backdoor on victims’ networks, allowing the attacker to take control of devices and execute commands. Bumblebee has been observed delivering the Cobalt Strike attack framework, which is used for lateral movement within networks. Once a sufficiently large number of devices and systems have been compromised, the ransomware payload is dropped; after sensitive data has been exfiltrated from the victim’s systems, file encryption begins.

According to Symantec, Bumblebee has replaced several other malware variants that were previously popular with ransomware gangs, such as the TrickBot Trojan and BazarLoader, and the switch appears to have been pre-planned. If the Bumblebee loader is detected on any device, rapid action should be taken, as a ransomware attack is likely to follow.

The Growing Threat of Ransomware Attacks

Ransomware attacks on businesses increased significantly in 2021. The FBI’s Internet Crime Complaint Center (IC3) received 2,084 ransomware complaints between January 1 and July 31, 2021, a 62% increase year over year. The 2021 Ransomware Study by IDC found that 37% of global organizations had suffered at least one ransomware attack in 2021. Verizon’s 2021 Data Breach Investigations Report found that the share of breaches involving ransomware had doubled year over year, to 10% of all breaches.

Ransomware attacks are being conducted on businesses in all industry sectors, with education, retail, professional and legal services, government, IT, manufacturing, energy, healthcare, and the financial services the hardest hit. Attacks can be extremely damaging to businesses and can cost millions of dollars to mitigate. Many businesses have been forced to close as a result of an attack.

How to Protect Against Ransomware Attacks

Many ransomware gangs operate under the ransomware-as-a-service model, recruiting affiliates to conduct attacks in exchange for a cut of any ransom payments they generate. Many affiliates attacking in parallel means far more attacks than a gang could conduct alone, and each affiliate brings its own specialist skills and preferred intrusion methods. Defending against them therefore means blocking multiple attack vectors, which requires multiple security controls.

Defending against ransomware attacks requires a defense in-depth approach involving multiple layers of protection. An email security solution – such as SpamTitan – should be used for blocking attacks via email, such as emails distributing the Bumblebee loader. A DNS filter such as WebTitan should be deployed to block attacks over the Internet and prevent employees from visiting malicious and risky websites.

It is important to educate the workforce about the threat of phishing, malware, and ransomware, and train the workforce on how to recognize and avoid threats such as phishing and social engineering. TitanHQ offers the SafeTitan security awareness training and phishing simulation platform for creating a security-aware workforce.

Unpatched vulnerabilities are another common entry point, so it is important to ensure that patches and software updates are applied promptly. In the event of an attack succeeding, businesses need to be able to recover quickly. One of the biggest causes of losses in ransomware attacks is lost business due to the disruption caused by the attack, not the cost of the ransom payment. To minimize damage and ensure the fastest possible recovery, an incident response plan should be developed that specifically covers ransomware attacks, and that plan should be regularly tested in tabletop exercises.

It is naturally also vital for backups to be created of all data to ensure data can be recovered in the event of an attack. Multiple copies of data should be made, the backups need to be tested to ensure file recovery is possible, and the backups should be stored on a non-networked device, with one copy stored securely offsite.

RATDispenser: A New Malware Threat That Delivers 8 Secondary Malware Payloads

A new malware downloader has been identified that is being used to deliver 8 different malware payloads, including several Remote Access Trojans (RATs) and keyloggers. The malware has been named RATDispenser by security researchers at HP Wolf Security, who recently identified and analyzed the malware.

RATDispenser is a stealthy JavaScript-based malware that is primarily being used as a malware dropper to deliver a broad range of payloads, possibly under the malware-as-a-service model. Out of 155 samples analyzed by the researchers, 145 were droppers and 10 were downloaders that communicated over the network to retrieve a secondary stage of the malware.

RATDispenser is being distributed in spam emails that contain a malicious attachment – A JavaScript file with a double extension to make it appear to be a text file (.txt). In one of the emails distributing the malware, the email had the subject line “Product Specification” and related to a fake order placed by the recipient.

On Windows, .js files are handled by Windows Script Host, so simply double-clicking the attachment is enough to start the infection. When the JavaScript file runs, it decodes itself at runtime and writes a VBScript file to the %TEMP% folder using cmd.exe; that VBScript file is then executed and delivers the malware payloads. RATDispenser drops GuLoader, Ratty, Remcos, AdWind, STRRAT, and WSHRAT, and downloads the FormBook keylogger and information stealer and the Panda Stealer cryptocurrency stealer.
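The lure relies on the file name, so the file name is where a gateway rule can catch it. The Python below is an added example, not SpamTitan’s implementation: it applies the quarantine rule recommended later in this piece (hold script and executable attachment types) to bare file names and to the members of a ZIP attachment, and specifically reports the double-extension trick used here. The file names and the in-memory archive are constructed for the demonstration; the .js member is a harmless one-line stub.

```python
"""Attachment policy for script files and double extensions.

Added example, not SpamTitan's implementation. File names and the in-memory
archive are constructed for the demonstration; the .js member is a harmless stub.
"""
from __future__ import annotations
import io
import zipfile

# Extensions that Windows Script Host or the shell executes on double-click
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "bat", "cmd",
               "scr", "exe", "com", "pif", "lnk"}
# Extensions a user expects to be harmless and that attackers hide behind
DOCUMENT_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "rtf", "jpg", "jpeg", "png", "gif"}


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return (verdict, reason) for a file name; verdict is 'allow' or 'quarantine'."""
    if "\u202e" in filename:
        # Right-to-left override reverses how the name renders (e.g. "invoicegpj.exe" shows as .jpg)
        return "quarantine", "right-to-left override character in file name"
    # Lower-case, split on dots, and strip the padding spaces used to push ".js" out of view
    parts = [p.strip() for p in filename.lower().split(".") if p.strip()]
    if len(parts) < 2:
        return "allow", "no extension"
    ext = parts[-1]
    if ext in SCRIPT_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return "quarantine", f"double extension .{parts[-2]}.{ext}"
        return "quarantine", f"executable extension .{ext}"
    return "allow", f".{ext} is not an executable type"


def scan_archive(data: bytes) -> list[tuple[str, str, str]]:
    """Apply the policy to each ZIP member; encrypted members are quarantined
    because the antivirus engines cannot look inside them."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:           # general-purpose bit 0: member is encrypted
                results.append((info.filename, "quarantine", "encrypted archive member"))
                continue
            verdict, reason = classify_attachment(info.filename)
            results.append((info.filename, verdict, reason))
    return results


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: a script disguised as a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Product Specification.txt.js", "WScript.Echo('constructed sample');")
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("Product Specification.txt.js", "Product Specification.txt", "order.vbs", "quote.pdf"):
        print(name, classify_attachment(name))
    for member in scan_archive(build_sample_zip()):
        print(member)
```

The policy is intentionally an allow-list of what is dangerous rather than an attempt to recognise malware: a .js or .vbs attachment has almost no legitimate business use in email, so holding it costs little even when the content is benign.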

The malware delivered by RATDispenser can be used to obtain credentials and other sensitive data and gives the attacker backdoor access and full control of infected devices. Once sensitive data has been obtained, the threat actor could sell access to other threat groups, such as ransomware gangs.

The range of malware variants delivered by RATDispenser makes this malware particularly dangerous, made worse by the poor detection rates by many antivirus engines. Email security solutions use antivirus engines to detect malware and malicious files, but only 11% of the 77 antivirus systems on VirusTotal are currently identifying RATDispenser as malicious.

An email security solution such as SpamTitan, which includes dual antivirus engines to detect known malware variants and sandboxing to identify malicious files that pass AV controls, is the best defense against RATDispenser. In addition, SpamTitan users should configure the solution to quarantine all emails that contain executable file attachments such as JavaScript and VBScript files.

If you want to improve your defenses against malware and other email threats, give the TitanHQ team a call to find out more about SpamTitan Email Security. SpamTitan is available on a free trial to allow you to put the product to the test in your own environment and find out for yourself the difference it makes to email security.

BluStealer Malware Being Distributed in Phishing Emails

A new malware threat, BluStealer, is being distributed using phishing emails. BluStealer can log keystrokes to capture credentials, steal cryptocurrency and banking information, and exfiltrate sensitive files from victims’ devices via SMTP.

BluStealer malware was first identified by an infosec researcher in May and was initially named a310logger. Initially, BluStealer malware was being used in limited attacks, although it is now being distributed more widely in larger phishing campaigns. In mid-September, one phishing campaign was conducted targeting 6,000 users in a single day. The malware has been distributed in several countries, mainly Argentina, Czech Republic, Italy, Greece, Romania, Spain, Turkey, the United Kingdom and the United States.

As with many other malspam campaigns, the emails used to distribute the malware use social engineering techniques to trick recipients into opening a malicious attachment. The attached file is seemingly benign but delivers the BluStealer payload.

A variety of lures have been used in the phishing campaigns and multiple companies have been impersonated. The antivirus company Avast intercepted messages that impersonated the Mexican metal producer General de Perfiles and the international courier firm DHL.

The DHL phishing emails target businesses and closely resemble genuine email communications from the firm. The emails claim a package has been delivered to head office because the recipient was unavailable, and include an attached form the recipient is required to complete to reschedule the delivery; opening the attached file, however, runs a script that silently downloads and executes BluStealer. Avast says the General de Perfiles email also targets businesses, claiming the recipient has overpaid an invoice and that the money will be credited against the next purchase; again, the user is asked to open an attachment. Across the campaigns, the emails carried .iso attachments or download URLs hosted on the Discord content delivery network, and the payloads were delivered through a C# .NET loader.

The core code of the malware is written in Visual Basic and there is a C# .NET loader. The components were different in each of the phishing campaigns which suggests it is possible to customize each element individually. The .NET loader has been used by other malware families including Agent Tesla, Formbook, and Oski Stealer.

The easiest way to block BluStealer malware is to implement an advanced spam filtering solution such as SpamTitan. SpamTitan is constantly updated by multiple threat intelligence feeds to ensure new malware and phishing threats are detected and blocked. Dual anti-virus engines are used to detect malware, and sandboxing is used to conduct an in-depth analysis of suspicious attachments that pass inspection by the antivirus engines. Sandboxing ensures zero-minute threats are also detected and blocked. SpamTitan also incorporates SPF, DKIM, and DMARC to block email impersonation attacks.

To find out more about SpamTitan Email Security and how it can help to protect your business from malware and email spam, give the TitanHQ team a call. SpamTitan is available on a 100% free 14-day trial (no credit card required) and product demonstrations can be scheduled on request.

Widespread Phishing Campaign Uses Open Redirects and CAPTCHA Verification Page

A widespread phishing campaign has been identified that uses a range of tricks to fool end users and spam filters, with the ultimate goal of stealing Office 365 credentials.

Office 365 credentials are extremely valuable. Phishers can use the compromised email accounts for conducting more extensive phishing attacks on an organization or for business email compromise scams. There is also a market for these credentials and they can be sold for big bucks to other threat groups such as ransomware gangs. Office 365 email accounts also contain a wealth of sensitive data that can easily be monetized.

This campaign involves a range of social engineering techniques to fool end users into believing the emails are genuine. Well-known productivity tools such as SharePoint are impersonated, with the emails claiming to be collaboration requests. Zoom has also been spoofed to make it appear that the recipient has been invited to attend a meeting. The emails include the correct logos, and closely resemble the genuine requests they impersonate.

The emails direct users to a phishing webpage where users are required to enter their Office 365 credentials. Those phishing pages include the correct Microsoft logo and styling and appear genuine, other than the URL of the page. The scammers have also used CAPTCHA verification pages that need to be completed to prove the user is a human rather than a bot. The CAPTCHA adds legitimacy to the campaign and gives an illusion of security, whereas the purpose is to prevent security solutions from identifying the phishing content.

After passing the CAPTCHA challenge, the user is presented with a fake Office 365 login prompt. After entering their credentials, they are presented with a fake error message and are prompted to re-enter the password. This additional step helps to ensure that the correct password is captured. After completing that step, the user is sent to a legitimate domain advising them that the email message has been released.

The campaign also abuses open redirects to fool end users and security solutions. An open redirect is a legitimate mechanism commonly used in marketing campaigns, where companies want to track responses to email messages and send users on to a specific landing page. The URL the user initially connects to may be on a trusted domain, so a user who hovers the mouse pointer over the link may be convinced the URL is genuine; the redirector then forwards the user to a malicious URL, which the attackers supply as a parameter in the link.
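Because the real destination travels inside the link, a filter can recover it without visiting anything. The Python below is an added example, not Microsoft’s or TitanHQ’s code: it peels the destination out of redirect-style query parameters, follows nested redirectors and a second layer of percent-encoding, and compares the landing host with the host the user saw on hover. The parameter-name list and all URLs are constructed for the demonstration, and the "same site" test uses the last two labels of the host name rather than the Public Suffix List.

```python
"""Unwrapping open-redirect links before a user clicks.

Added example, not Microsoft's or TitanHQ's code. The redirect parameter names
and the URLs are constructed; same-site comparison is simplified to the last
two host labels (real code should use the Public Suffix List).
"""
from __future__ import annotations
from urllib.parse import parse_qs, unquote, urlparse

# Parameter names commonly used by tracking and login redirectors (assumed list)
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "redirect_url", "redir", "next",
                   "return", "returnurl", "return_to", "goto", "dest", "destination",
                   "target", "link", "u", "r"}


def _is_absolute_url(value: str) -> bool:
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.hostname)


def unwrap_redirect(url: str, max_hops: int = 5) -> list[str]:
    """Return the chain of URLs reached by following redirect parameters, offline."""
    chain = [url]
    for _ in range(max_hops):
        nxt = None
        for key, values in parse_qs(urlparse(chain[-1]).query).items():
            if key.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:
                # parse_qs already decoded one layer; decode a second only if needed
                candidate = value if _is_absolute_url(value) else unquote(value)
                if _is_absolute_url(candidate):
                    nxt = candidate
                    break
            if nxt:
                break
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def same_site(host_a: str, host_b: str) -> bool:
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def assess_link(url: str) -> tuple[str, str]:
    """'block' when a trusted-looking host hands the user off to a different site."""
    chain = unwrap_redirect(url)
    first = urlparse(chain[0]).hostname or ""
    final = urlparse(chain[-1]).hostname or ""
    if len(chain) == 1:
        return "inspect", f"no redirect parameter; lands on {first}"
    if same_site(first, final):
        return "inspect", f"redirect stays within {first}"
    return "block", f"{first} forwards to {final} after {len(chain) - 1} hop(s)"


if __name__ == "__main__":
    # Constructed: a tracking host on a trusted domain forwarding to a CAPTCHA-fronted phishing page
    link = "https://tracker.example.com/r?id=42&u=https%3A%2F%2Fcaptcha-check.example.net%2Fo365%2Flogin"
    print(unwrap_redirect(link))
    print(assess_link(link))
```

The verdict for an in-house redirect is "inspect" rather than "allow" on purpose: a redirector is still a redirector, and the same hover test that fools users fools anyone reading mail logs, so these links deserve time-of-click evaluation even when the final host looks familiar.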

Microsoft has detected more than 350 unique domains used in the campaign, including a variety of country-code top-level domains, legitimate domains that had been compromised by the attackers and loaded with phishing content, domains produced by a domain generation algorithm (DGA), and free email domains.

The campaign incorporates several tricks to fool email security gateways, as well as a range of social engineering techniques to fool end users. It is likely that after being fooled into divulging their credentials, victims will be unaware that their credentials have been stolen.

The techniques used in this campaign highlight the importance of adopting a defense-in-depth approach. That means implementing overlapping layers of security to counter the multiple layers of deception. In addition to an advanced spam filtering solution such as SpamTitan, it is advisable to also implement a web filtering solution.

Web filters tackle phishing by preventing access to the malicious phishing domains used in these campaigns. If a phishing email evades the email security gateway, the web filter provides time-of-click protection and can block the attempt to visit the phishing webpage; instead of reaching the phishing page, the user is redirected to a local block page. These measures should be combined with end user training to raise awareness of the risk of phishing and to help employees identify malicious, or potentially malicious, emails. It is also recommended to implement multi-factor authentication on Office 365 email accounts.

If you want to improve your defenses against phishing attacks or have any questions about spam filtering or web filtering, give the TitanHQ team a call today. The SpamTitan Email Security and WebTitan Web Security solutions are both available on a free trial to allow you to see for yourself how effective they are at blocking threats and how easy they are to use.

Crackonosh Malware Turns Devices into Cryptocurrency Mining Rigs

A new malware dubbed Crackonosh is being used in attacks on gamers with the goal of hijacking the resources on their computers to turn them into cryptocurrency mining rigs.

Cryptocurrency prices have been soaring in recent months, with many reaching record prices. That makes mining cryptocurrency profitable, and even more so when using the powerful computers of gamers without their knowledge. The gamers cover the electricity costs and supply the hardware, while the coin mining profits go to the scammers.

Getting malware onto gamers’ devices is the key to this scam, and what better way to do that than to offer gamers free versions of popular games such as Grand Theft Auto V, Pro Evolution Soccer 2018, or NBA 2K19. These cracked games can be installed without having to make a purchase, with the games offered free in forums. Currently, most infections have come via forums, but games could easily be hosted on a website and traffic driven to those sites through malicious adverts in the search engines or third-party ad blocks on any number of high traffic websites.

The games are genuine, but have been cracked so they install without a purchased game key. The game itself installs correctly, but bundled into the installer are several other files that execute in the background and install Crackonosh, which disables certain antivirus programs, including Windows Defender, to avoid detection. It also disables Windows Update so that Windows Defender is not reactivated. Because the malware places a fake Windows Security icon in the system tray, the user will most likely be unaware that their antivirus protection has been disabled.

One of the main aims of Crackonosh malware is to deliver a legitimate cryptomining program named XMRig, although in this case, XMRig is used to hijack the CPU and GPU of victims’ devices and use those resources for generating cryptocurrency. Using XMRig on one gaming computer will not make much money, but at scale the operation is hugely profitable.

The malware distribution campaign has proven successful, with the malware found in more than a dozen countries, with the highest numbers of infected computers in the Philippines, Brazil, India, Poland, United States, and the United Kingdom. As of December 2020, there were more than 220,000 devices infected with Crackonosh malware and those devices had been used to generate at least $2 million in Monero coins at today’s prices.

This malware campaign targets gamers as their computers are well suited to mining cryptocurrency. Once infected, users are likely to experience a serious reduction in performance and much higher electricity bills, but cryptocurrency mining can also cause computers to overheat, components can wear out from overuse, and devices will ultimately fail.

It is not only cryptocurrency mining malware that can be installed along with cracked software; any number of other malware variants could be delivered. Another recently identified campaign also uses cracked software as cover but delivers a malware loader dubbed MosaicLoader, which is used to deliver cryptocurrency miners as well as Remote Access Trojans, cookie stealers, backdoors, and any other malware the MosaicLoader operator sees fit to deliver.

Installing cracked software and games carries a risk of malware infections, and that is particularly bad news for businesses, especially those that have a BYOD policy or allow their employees to work remotely on corporate-issued devices.

Preventing malware infections such as Crackonosh or MosaicLoader should start with education. Employees should be told about the risks of installing cracked software or other unauthorized software on devices. Technical measures are also required. To block downloads from the Internet, it is worthwhile installing a DNS filter. DNS filters can be used to block content at the DNS lookup stage of a web request, before any content is downloaded.

They can block access to certain categories of websites – gaming sites and forums, for example – or prevent specific files from being downloaded, such as game and software installers. DNS filters also use a variety of methods to assess whether sites are malicious and will block access to URLs and IP addresses known to be used for illegal and malicious purposes.
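As an added illustration (not TitanHQ code and not how WebTitan is implemented), the following Python sketch shows why a DNS-layer filter decides before any content is fetched: the policy is evaluated on the queried name, and a blocked name is answered with a local block-page address instead of the real host. All domains, categories and addresses are constructed for the example.

```python
"""Added example: a toy DNS-layer filtering policy.

The decision is made on the queried name alone, so a blocked site is never
contacted and nothing is downloaded. Category data, domain names and
addresses below are constructed; a real filter uses a vendor database.
"""
import ipaddress
import logging
from dataclasses import dataclass, field

log = logging.getLogger("dnsfilter")

# Constructed category feed keyed by domain (a zone entry covers subdomains).
CATEGORY_OF_DOMAIN = {
    "example-games.test": "gaming",
    "forum.example-games.test": "forums",
    "warez-cracks.test": "malware",
    "intranet.example-corp.test": "business",
}

# Constructed: names known to be used for malicious purposes.
MALICIOUS_DOMAINS = {"warez-cracks.test", "update-check.test"}

# Constructed "real" answers, standing in for the upstream resolver.
UPSTREAM = {
    "example-games.test": "192.0.2.10",
    "forum.example-games.test": "192.0.2.11",
    "warez-cracks.test": "192.0.2.12",
    "intranet.example-corp.test": "192.0.2.20",
    "news.example.test": "192.0.2.30",
}

BLOCK_PAGE = "10.0.0.53"  # local block page the user is sent to instead


@dataclass
class Policy:
    """Per-user or per-group policy: categories that may not be visited."""
    blocked_categories: set = field(default_factory=set)
    block_malicious: bool = True


@dataclass
class Verdict:
    answer: str     # address returned to the client ("" for NXDOMAIN)
    blocked: bool
    reason: str


def _parent_names(qname):
    """Yield the name and each parent zone (not the bare TLD), so a policy
    entry on example-games.test also covers forum.example-games.test."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def resolve(qname, policy, user="unknown"):
    """Decide at lookup time; the real host is never contacted for a block."""
    for name in _parent_names(qname):
        if policy.block_malicious and name in MALICIOUS_DOMAINS:
            log.warning("user=%s qname=%s blocked reason=malicious", user, qname)
            return Verdict(BLOCK_PAGE, True, "malicious:" + name)
        category = CATEGORY_OF_DOMAIN.get(name)
        if category in policy.blocked_categories:
            log.info("user=%s qname=%s blocked category=%s", user, qname, category)
            return Verdict(BLOCK_PAGE, True, "category:" + category)
    answer = UPSTREAM.get(qname.rstrip(".").lower())
    if answer is None:
        return Verdict("", False, "nxdomain")
    return Verdict(str(ipaddress.ip_address(answer)), False, "allowed")


if __name__ == "__main__":
    student = Policy(blocked_categories={"gaming", "forums"})
    for q in ("forum.example-games.test", "news.example.test", "warez-cracks.test"):
        print(q, resolve(q, student, user="student1"))
```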

If you want to improve your defenses against malware, contact TitanHQ today. TitanHQ’s advanced spam filtering solution – SpamTitan – and DNS filter – WebTitan – block malware at source and keep you protected from phishing, ransomware, and other email and web based threats.

WebTitan OTG (on-the-go) for Chromebooks Now Available with WebTitan Cloud Update

TitanHQ has announced a new version of WebTitan Cloud has been released that brings new features and improved security.

The release of WebTitan Cloud version 4.16 has allowed TitanHQ to introduce a new web filtering solution for the education sector – WebTitan OTG (on-the-go) for Chromebooks.

The use of Chromebooks has been steadily increasing, especially in the education sector where they are a cost-effective option for schools to allow students to access the Internet. Internet access is important in education, but it is vital that students can access the Internet safely and securely. Controls need to be implemented to prevent students from accessing age-inappropriate content such as pornography, devices need to be protected from malware and ransomware, and phishing and other malicious websites should be blocked.

WebTitan OTG for Chromebooks allows IT professionals in the education sector to easily implement web filtering controls for individuals, user groups, or globally to ensure compliance with federal and state laws, including the Children’s Internet Protection Act (CIPA) and protect their students and their devices from threats.

WebTitan OTG for Chromebooks, like other WebTitan products, is a DNS-based web filter that applies filtering controls at the DNS lookup stage of web requests. That means there is no latency – Internet speed is unaffected. Since WebTitan is entirely cloud-based, there is no need for any additional hardware and the solution requires no proxies or VPNs.

Setup is easy, and user- and device-level web filtering for Chromebooks can be configured in just a few minutes. The solution protects students regardless of where the Internet is accessed – students have access to a clean, safe, filtered Internet in the classroom and at home – and it is also easy to lock down Chromebooks to prevent any bypassing of filtering controls. Administrators also have full visibility into Internet access, including locations, web pages visited, and attempts made to visit prohibited content.

Support Added for Azure Active Directory

WebTitan Cloud version 4.16 includes DNS Proxy 2.06, which supports filtering of users in Azure Active Directory as well as on-premise Active Directory, with further directory services due to be added to meet customers’ needs.

Current WebTitan customers will be automatically updated to the latest version of WebTitan Cloud and will have instant access to the new features; the latest fixes will also be applied automatically.

“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

TitanHQ Wins 3 Expert Insights’ 2021 Best-Of Awards for SpamTitan, WebTitan, and ArcTitan

TitanHQ has announced that three of its cybersecurity solutions have been named winners at the 2021 Expert Insights’ “Best-Of” Awards, beating some of the best-known email security, web security, and email archiving products on the market.

For more than 25 years, TitanHQ has been developing innovative cybersecurity solutions to protect businesses from email and web-based threats to their networks and data. TitanHQ’s multi-award-winning products are used by more than 8,500 businesses in over 150 countries, and 2,500 Managed Service Providers (MSPs) offer TitanHQ solutions to their customers to protect them from phishing, malware, ransomware, botnets, viruses, and other cyber threats.

Expert Insights is a respected website that was created in 2018 to help businesses research and select the best cybersecurity solutions to protect their networks and data from cyber threats. Through impartial product reviews, advice from cybersecurity experts, and industry analysis, IT leaders can discover the best cybersecurity solutions to meet their unique needs. The website helps more than 40,000 businesses a month with their research into cybersecurity products and services.

Each year, Expert Insights recognizes the leading cybersecurity service and solution providers and their products at the Expert Insights’ “Best-Of” Awards. Technical experts with decades of experience in the cybersecurity industry assess products based on several factors, including ease of use, range of features, the protection provided, and market position, as well as how each product is rated by verified business users. The top products then receive an Expert Insights’ “Best-Of” Award.

This year, TitanHQ was recognized by Expert Insights for the powerful threat protection provided by its products, the ease-of-use of the solutions, and their cost-effectiveness, which is why the solutions have proven to be so popular with enterprises, SMBs and MSPs looking for comprehensive protection against email and web-based threats.

“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Expert Insights CEO and Founder Craig MacAlpine. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”

WebTitan, TitanHQ’s powerful DNS-filtering solution was named a winner in the Web Security category, the SpamTitan anti-phishing and anti-spam solution was named a winner in the Email Security Gateway category, and ArcTitan was named a winner in the Email Archiving category.

“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.” 


DanaBot Trojan Campaign Resumes with Phishing and Internet Distribution

A phishing campaign is underway which is distributing a new variant of the DanaBot Trojan. The DanaBot Trojan was first identified in May 2018 and has been actively distributed via phishing emails for more than two years. In the summer of 2020, activity slowed but the campaigns resumed in October.

DanaBot is a modular banking Trojan used in targeted geographical attacks on businesses. The first variant that emerged in 2018 was used in targeted attacks in Australia, while the second variant was primarily used in attacks on U.S. companies. Attacks have also been conducted in Europe, primarily in Ukraine, Austria, Poland, Italy, and Germany.

The latest variant is the fourth to be identified and has been released around a year after the third variant was identified in February 2019. The latest variant has had several technical anti-analysis changes made to the main component of the malware and its method of maintaining persistence has changed. The latest variant now achieves persistence through a LNK file loaded into the user’s startup folder, which launches the malware when the device is booted.

Affiliates are used to conduct campaigns distributing the DanaBot Trojan under the malware-as-a-service model. Several new affiliate IDs have been added which suggests the malware-as-a-service operation is growing. It is therefore probable that DanaBot will grow into a much bigger threat in 2021.

Previously, DanaBot has been primarily distributed via spam emails that deliver a malware dropper, which downloads the banking Trojan via a multi-stage process. It now appears that the malware is being distributed via websites that offer cracks and software keys for pirated software such as graphics software, VPNs, antivirus software, and games.

Protecting Against Banking Trojans by Blocking Malware Delivery

Protecting against DanaBot and other Trojans requires a range of security measures. Two of the most important are an advanced spam filter and a web filtering solution. The spam filter will detect malicious emails that attempt to deliver the malware dropper, while the web filter will block access to the websites that are used to download the malware.

TitanHQ has developed a spam filtering solution – SpamTitan – that provides protection against known and unknown malware variants and a web filter – WebTitan – that prevents users from accessing malicious websites and categories of website commonly used to distribute malware.

With both of these cost-effective cloud-based cybersecurity solutions implemented, businesses can block the two most common vectors used to distribute malware and keep their networks and devices well protected.

For further information on both solutions, details of pricing, and to register for a free trial of the full solutions, give the TitanHQ team a call.

K-12 Education Sector Warned of Major Increase in Ransomware, Malware, and Phishing Attacks

The K-12 education sector has long been a target for cybercriminals, but this year has seen the sector targeted more aggressively by threat actors. 2020 has seen a major increase in attacks involving ransomware and malware, phishing incidents have risen, as have network compromises and distributed denial-of-service (DDoS) attacks.

This December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a warning to the education sector after the massive increase in cyberattacks was identified.

Data from the Multi-State Information Sharing and Analysis Center (MS-ISAC) shows a substantial increase in ransomware attacks on K-12 schools. In August and September 2020, 57% of all reported ransomware attacks occurred at K-12 schools, compared to just 28% from the year to July.

Ransomware attacks render essential systems and data inaccessible, which can cause serious disruption to learning, especially at a time when many schools have transitioned to distance learning. K-12 schools often have little choice other than paying the ransom, and many do. Figures from the Department of Education show that between 2016 and 2017, 60% of schools attacked with ransomware paid the ransom to recover their data. A recent Department of Education alert to K-12 schools called for a collective effort to ensure that all data is regularly backed up and advised schools not to pay the ransom demands if attacked. The DoE wants to send a message to ransomware gangs that attacks on the education sector are not financially viable.

The tactics used in ransomware attacks on K-12 schools are the same as those used against business and industry targets. Access to networks is gained, the attackers move laterally to identify data of interest, and exfiltrate that data prior to encrypting files. The attackers threaten to publish or sell sensitive student and employee data if the ransom is not paid.

Several ransomware gangs have stepped up attacks on K-12 schools, including REvil, Nefilim, Ryuk, and AKO. The Maze ransomware operation, which has now been shut down, has also conducted several attacks on K-12 schools in 2020.

The CISA/FBI alert also warned of an increase in Trojan malware and phishing attacks on K-12 schools since the start of the school year. The ZeuS banking Trojan has been commonly used in K-12 school cyberattacks and the Shlayer malware downloader has also proven popular. Those two Trojans account for 69% of malware attacks on K-12 schools in 2020.

The increase in attacks in 2020 has been attributed to the ease with which K-12 schools can be attacked. Many K-12 schools have transitioned to distance learning and have had to do so in a hurry to ensure student learning was not disrupted by the pandemic; however, that has meant cybersecurity gaps have been created which leave schools vulnerable to attack.

In addition to conducting phishing attacks on staff and students, vulnerabilities in software and remote learning solutions are also commonly exploited. Since the sector has a limited budget for cybersecurity, these vulnerabilities often persist for some time before being addressed, giving cybercriminals an easy entry point into K-12 school networks. It is also common for software to continue to be used after it has reached end of life.

The K-12 Cybersecurity Act of 2019 has been introduced which requires CISA to work with federal departments and the private sector to identify sector-specific cybersecurity risks and make recommendations to K-12 schools on how they can improve their security posture. The Act also calls for CISA to make tools and resources available to help the sector improve cybersecurity; however, the legislation is yet to be passed by Congress.

These cyberattacks on K-12 schools are likely to continue at elevated levels well into 2021. While budgets may be already stretched, it is important for defenses to be improved. The cost of improvements to cybersecurity defenses is likely to be far lower than the cost of dealing with a ransomware attack and costly data breach.

Exorcist 2.0 Ransomware Distributed via Malvertising and Fake Software Cracking Websites

The operators of Exorcist 2.0 ransomware have adopted a new tactic for distributing their ransomware. They have set up fake websites that claim to be crack sites for popular software programs. The websites offer cracking tools that can be used to generate valid license codes that allow popular software to be used free of charge.

One of the websites offers a Windows 10 activator, which can be used to generate a license code that activates Windows 10 free of charge. When a user arrives on the website, they are presented with download links for the software cracking tool. Clicking on the link will generate the download of a password-protected zip file, along with a text file that provides the user with the password to open the zip file.

This method of file delivery helps to prevent the malicious contents of the zip file from being detected by antivirus solutions. Since the zip file can only be opened if the password is entered, antivirus software is unable to scan the contents. This method also bypasses the protection of Microsoft SmartScreen and Google Safe Browsing.

Once the file contents are extracted, the user must run the setup program, which is actually the Exorcist 2.0 binary. Double clicking and executing the file will start the file encryption process and a ransom demand will be presented. Contact must be made with the attackers to find out how much must be paid for the keys to decrypt files, with the attackers in control of the ransom amount. Ransom demands can be for several thousand dollars and there is no way of decrypting files without paying the ransom.
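The password-protected archive in this delivery chain is opaque to content scanning, but the encryption bit sits in the zip headers, not in the encrypted payload, so a mail or web gateway can still tell that an archive is unscannable and see the names of the files inside. The following added Python example (not from the article or any TitanHQ product) builds a constructed one-entry zip in memory, with and without the encryption flag, and shows the check a gateway policy can apply.

```python
"""Added example: flag zip archives whose contents cannot be scanned.

The sample archives are constructed in memory from a hand-written zip
header; no real software or malware is involved.
"""
import io
import struct
import zipfile
import zlib

FLAG_ENCRYPTED = 0x0001  # general purpose bit 0 in the zip specification
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".ps1")


def build_test_zip(name, payload, encrypted):
    """Construct a one-entry, stored (uncompressed) zip. For an encrypted
    entry only the header flag changes; the payload is just opaque bytes,
    which is exactly what a scanner without the password would see."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    name_b = name.encode()
    # local file header (30 bytes) + name + data
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                        crc, len(payload), len(payload), len(name_b), 0)
    local += name_b + payload
    # central directory header (46 bytes) + name; local header is at offset 0
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                          0, 0, 0, crc, len(payload), len(payload),
                          len(name_b), 0, 0, 0, 0, 0, 0)
    central += name_b
    # end of central directory record (22 bytes)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def inspect_archive(blob):
    """Return what can be learned from the central directory alone:
    entry names and sizes, how many entries are encrypted, and which
    names look like executables."""
    report = {"entries": [], "encrypted_entries": 0, "executables": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & FLAG_ENCRYPTED)
            report["entries"].append((info.filename, info.file_size, encrypted))
            if encrypted:
                report["encrypted_entries"] += 1
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                report["executables"].append(info.filename)
    return report


def contents_scannable(blob):
    """True if every entry can be extracted without a password, i.e. a
    content scanner would actually get to look at the files."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            for info in zf.infolist():
                zf.read(info)
        except RuntimeError:  # zipfile: "... is encrypted, password required"
            return False
    return True


def gateway_verdict(blob):
    """Policy used in this example: hold archives that cannot be scanned,
    and hold archives that carry executables even when they can."""
    report = inspect_archive(blob)
    if report["encrypted_entries"]:
        return "quarantine:encrypted"
    if report["executables"]:
        return "quarantine:executable"
    return "allow"


if __name__ == "__main__":
    sample = build_test_zip("setup.exe", b"\x8f\x3a\x11\x7c" * 8, encrypted=True)
    print(inspect_archive(sample))
    print("scannable:", contents_scannable(sample), "->", gateway_verdict(sample))
```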

While phishing emails are commonly used to direct individuals to websites where malware and ransomware is downloaded, this campaign involves malvertising – malicious advertisements on third-party ad networks that direct web visitors to malicious websites.

These adverts are displayed in ad blocks on legitimate websites, often high traffic websites. There have recently been several major malvertising campaigns that have seen malicious adverts displayed on some of the most popular adult websites, although any website that uses third-party ad blocks could potentially have malicious adverts displayed to visitors. In this case, the threat actors have used the PopCash ad network.

The Exorcist 2.0 ransomware operators are far from the only ransomware operators to use this method of infecting victims. This tactic has also been used by the operators of STOP ransomware, who similarly used the lure of fake software cracking tools to install their malware.

One of the ways that businesses can protect against this method of malware and ransomware delivery is to use a web filtering solution. A web filter can be used to carefully control the types of web content that can be accessed by employees. In addition to blocking access to web content that does not need to be accessed for work purposes, restrictions can be placed on the types of files that can be downloaded and attempts to visit websites known to be used for malicious purposes will be automatically blocked.

Businesses that implement WebTitan Cloud have precision control over the content their employees can access, whether they are working from the office, accessing the Internet from a coffee shop, or working from home. WebTitan is available on a free trial and can be implemented in minutes to protect your employees and their devices from malware, ransomware, and phishing attacks.

For further information on the benefits of web filtering and how WebTitan can greatly improve your security posture, call the WebTitan team today.

Increase in Malvertising Highlights Importance of Strong Internet Security Measures

The massive increase in employees working remotely has not been missed by cybercriminals, who are actively targeting these workers using a variety of tactics to fool them into disclosing their credentials or installing malware. Phishing attacks remain the most common method used to attack remote workers, but there has also been a notable increase in malvertising during the COVID-19 pandemic.

Malvertising is the practice of creating malicious adverts which are syndicated across legitimate websites through third-party ad networks. The malicious adverts are used to redirect website visitors to webpages where credentials are harvested, malware is downloaded, or to other scams to obtain fraudulent payments or charitable donations.

Several COVID-19 themed ploys have been used in these malvertising campaigns to trick people into downloading malware. These scams prey on fears about SARS-CoV-2, often spoofing WHO and other COVID-19 authorities to add legitimacy to the campaigns. A common theme is an offer of important advice on how to protect against COVID-19.

The rise in malvertising activity during the COVID-19 pandemic has been significant, with some reports indicating that the number of malicious adverts doubled in March compared to the level of malicious advert activity seen prior to the pandemic.

A malvertising campaign was recently identified that spoofed the anti-malware software vendor Malwarebytes. The campaign claimed the user’s computer was infected with malware and a download of Malwarebytes’ software was required to remove the infections. The malicious webpage used for the scam was on a malwarebytes-free domain that was registered on March 29, 2020. The site used a copycat template created from stolen branding from the genuine site. Any visitor who landed on the website using the Internet Explorer browser was redirected to a webpage hosting the Fallout exploit kit, which silently downloads the Raccoon information stealer.

There was a major increase in domain registrations related to COVID-19 in March. While not all of these websites are currently being used for nefarious purposes, many are being used for scamming. NTT recently issued an alert stating that around 2,000 COVID-19 domains are being set up each day and there has been a significant rise in phishing attacks directing users to newly registered domains. The TrickBot Trojan accounts for the majority of malware infections from these sites. Figures from Palo Alto Networks’ Unit 42 team show there was a 656% increase in the number of new COVID-19 related domains registered in March.

The increase in web-based attacks calls for improvements to cybersecurity defenses to protect remote employees’ devices from malware infections. A download of malware onto a user’s device could easily see the malware transferred to the network when the user connects.

One of the easiest and most effective ways of blocking these attacks is to implement a web filtering solution such as WebTitan Cloud. With WebTitan Cloud in place, when a user attempts to visit a malicious website, or when an attempt is made to redirect a user through malvertising, rather than arriving on the website the user will be directed to a local block page.

WebTitan Cloud also allows filtering controls to be applied to control the types of websites employees can visit on their corporate-owned devices. Controls can be applied to block access to risky websites such as torrents and peer-to-peer file sharing sites, which are also being used to distribute malware.

WebTitan Cloud is a DNS-based filter that conducts filtering at the DNS lookup stage of a web request. Applying filtering controls and restricting access to certain categories of website involves no latency, which is especially important during lockdown when employees typically have far less bandwidth available than at the office.

WebTitan Cloud does not require the installation of a client, and the solution can be set up and configured in minutes to protect all workers, no matter where they choose to access the internet.

If you are interested in improving internet security and want to find out more about WebTitan Cloud and DNS filtering, call TitanHQ today to book a product demonstration, register for a free trial, and start protecting your employees from online threats.

Don’t Neglect Security Awareness Training for Remote Workers During COVID-19 Pandemic

New research has recently been published which suggests there has been a lack of security awareness training for remote workers, even with the massive increase in people working from home due to the COVID-19 pandemic and the increased threat level.

Many companies have had to make major changes to policies and allow most employees to work from home, even though doing so introduces cybersecurity risks. While this is seen by many as a temporary measure due to the pandemic, there is currently some debate about how long lockdown measures will be in place. It could well be many months before lockdowns are eased and there is a return to “normal” working life. It may also be difficult to convince workers to return to the office when measures are eased, or at least until a vaccine for the virus has been developed. That could well be a year or most likely much longer.

In the meantime, remote workers are not just encountering the odd phishing email. These workers are being actively targeted by cybercriminals and APT groups. It is important to ensure that technical controls are up to scratch and are blocking threats but also to train workers to recognize threats such as phishing.

Technical Controls Will Not Block 100% of Cybersecurity Threats

Technical solutions can block most malware and phishing attacks on remote workers and will protect devices and the networks to which those devices connect. TitanHQ has developed two solutions that provide excellent protection from email and web-based threats, and there has been a massive increase in demand for those solutions during the COVID-19 pandemic from businesses and managed service providers (MSPs).

When these solutions are coupled with other cybersecurity protections such as firewalls, antivirus software, and intrusion detection systems, businesses will be well protected; however, no matter how many layers are added to your defenses, security awareness training for remote workers should still be provided. Employees are the last line of defense and require training to help them identify threats that bypass your technical defenses.

Employees are a Weak Link, but Neglecting Security Awareness Training for Remote Workers is a Mistake

One study of IT workers recently conducted by Apricorn revealed that 57% of IT decision makers in the United Kingdom believe remote workers are a security risk and will expose organizations to data breaches, and that there is apathy among IT leaders about training the workforce because employees are not concerned about security. 34% of IT leaders said their remote workers do not care about security, but that is not a reason not to provide training. It is a reason to reinforce training and get employees to buy into the company’s security strategy.

Another survey, conducted by Promon on 2,000 remote workers in the United Kingdom, confirmed those findings. The study revealed that 66% of employees had not been provided with cybersecurity training in the last 12 months, even though cybercriminals are actively targeting remote workers. It is also concerning that 77% of respondents were not worried about the security threat from working from home. The survey also revealed that 61% of employees are using personal devices, which typically have far fewer protections in place to block threats, to work from home instead of corporate-issued devices.

Given the numbers of employees working from home due to COVID-19 and the increase in threats targeting those workers, now is the time to be stepping up training and to make sure employees are working in a secure environment. TitanHQ can help you better protect employees and the devices they use to work from home, but you should also ensure that cybersecurity training is reinforced.

Cybercriminals Are Exploiting Uncertainty and Fear About Coronavirus and COVID-19

Cybercriminals are taking advantage of the 2019 Novel Coronavirus pandemic and are exploiting fear to spread malware and steal data. These tactics may not be new, but these campaigns pose a significant threat in the current climate of global fear and worry.

People are naturally worried about contracting COVID-19 and will be concerned about the wellbeing of their friends and family members. Many people crave new information to help them avoid illness and protect their families. If that information arrives in an inbox, email attachments may be opened, and links clicked to malicious websites.

Even when training is provided to employees and they are taught not to respond to unsolicited messages, open email attachments, or click links in emails from unknown senders, mistakes can still be made. During the COVID-19 crisis, stress levels are high, and this can easily lead to decisions being taken that would not normally be made.

Businesses have been forced to allow their employees to work from home, many of whom are now working in a home environment where there are many distractions. Many people do not have home offices where they can quietly work, and a challenging working environment also makes mistakes more likely. Those mistakes can prove very costly.

Phishing campaigns are being conducted targeting home workers as they are seen as low-hanging fruit and an easy way to gain access to business networks to install malware, ransomware, and steal sensitive data. Several campaigns have been detected that offer important advice on the 2019 novel coronavirus that impersonate authorities on disease control and prevention such as the U.S. Centers for Disease Control and Prevention (CDC), U.S. Department of Health and Human Services, UK National Health Service, and the World Health Organization (WHO). The phishing campaigns are credible, claim to offer important advice, and are likely to be opened by many individuals. These campaigns seek remote access credentials and distribute malware.

Coronavirus maps that display the number of cases per country are being used on many websites, including a legitimate COVID-19 case tracking map on the Johns Hopkins University website. One campaign has been detected that uses a carbon copy of that map and urges users to download a desktop application that allows them to track new cases. The application installs the information-stealing AZORult Trojan. As the COVID-19 crisis has deepened, these phishing and malspam campaigns have increased significantly.

With more people working from home and self-isolating, the risk of malware and phishing attacks has increased significantly. It is therefore important for businesses to make sure that they are properly protected and manage risk. During this difficult time, it is important to provide security awareness training to staff to keep them aware of the threat of cyberattacks and to help them identify malicious messages. Phishing simulation exercises are a useful way of assessing risk and identifying individuals that require further training.

It is also important to implement additional control measures to block attacks at source. There are two main attack vectors being used to target remote workers: email and the web. Due to the high risk of mistakes by employees, it is essential for businesses to have an effective email security solution in place.

The key to improving email security is defense in depth. Layered defenses will greatly improve resilience to phishing and malware attacks. If you are using Office 365 and have yet to augment protection with a third-party email security solution, now is the ideal time. One 2019 study showed that Office 365 protections only block around 75% of phishing attempts. Given the increase in phishing volume, a great many malicious emails will land in inboxes unless protection is improved.

The more time people spend online, the greater the risk. With many workers housebound and self-isolating, online time has increased considerably. Unsurprisingly, the number of malicious domains being used to distribute malware has increased and drive-by malware attacks have spiked. With corporate laptops being used at home, steps should be taken to limit what employees can do on those laptops. Blocking access to ‘risky’ websites such as those distributing pirated TV shows and movies will help to reduce the risk of a malware download, along with controls to prevent the downloading of risky file types such as software installers and executable files.

A web filtering solution will allow you to control the sites that remote employees can access on their corporate laptops and prevent malicious websites from being visited. A cloud-based web filtering solution is the ideal choice as it can be easily implemented to protect all remote workers, without causing any latency issues.

TitanHQ can help you protect your telecommuting workers from email and web-based threats. SpamTitan is a powerful email security solution that complements Office 365 anti-spam and anti-phishing controls and enhances protection against phishing, spear phishing, and zero-day malware. WebTitan is a cloud-based DNS filtering solution that is simple to implement and allows you to carefully control the online activities of remote employees and block drive-by malware downloads and other web-based threats.

Both solutions can be implemented in a matter of minutes and will greatly improve protection against web and email-based threats. For further information, to book a product demonstration, or to register for a free trial, contact TitanHQ today.

Texas School District Loses $2.3 Million in Phishing Scam

A recent phishing attack on an 8,600-student school district in Texas ended up costing an astonishing $2.3 million. The Manor Independent School District phishing attack started in November 2019 and continued through December.

The attack was an example of a highly effective – and highly lucrative – email scam known as business email compromise (BEC) or vendor email compromise, if the attack is conducted through a vendor.

A BEC/VEC scam involves the use of a legitimate business email account to send emails to individuals within the organization (BEC) or to its clients (VEC) requesting a bank transfer. BEC attacks are also conducted to change payroll details, or to request sensitive information such as W-2 forms for use in tax fraud.

The scam starts by sending phishing emails to individuals in the targeted organization. Emails are sent containing a credible ploy to get the recipient to click a hyperlink that directs them to a specially crafted webpage. That webpage is usually a carbon copy of a legitimate website, but on a different domain, that has been set up to harvest credentials.

Attackers often spoof Microsoft to capture Office 365 credentials. When the user visits the website via the hyperlink embedded in the email, they are presented with the standard login prompt that they receive when attempting to log in to their Office 365 account. When the credentials are entered, they are captured by the attackers. The attackers then use the credentials to access the email account. The account is then used in the second phase of the attack.

Oftentimes, when attackers gain access to an email account, they set up a mail forwarding rule that will see all messages in the email account forwarded to the attackers. They check the emails until they find something of interest, such as contractors that are performing construction works.
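The forwarding rule described above is something a defender can audit for. The script below is an added example, not code from the page or from any mail product: the rule records are constructed, and field names such as ForwardTo and RedirectTo are assumed for illustration rather than taken from a specific export format.

```python
"""Audit exported mailbox inbox rules for forwarding to external addresses,
the foothold used in the BEC attacks described above.

Added example, not code from the page or from any mail product. The rule
records are constructed, and field names such as ForwardTo and RedirectTo
are assumed for illustration rather than taken from a specific export format.
"""
import re

INTERNAL_DOMAINS = {"school.example"}   # constructed: the organization's own domains

# Constructed export: two ordinary rules and one rule with a terse name that
# redirects mail off-site and deletes the local copy so the owner never sees it
SAMPLE_RULES = [
    {"Mailbox": "ap.clerk@school.example", "Name": "Move newsletters",
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "Enabled": True},
    {"Mailbox": "ap.clerk@school.example", "Name": "Copy to finance",
     "ForwardTo": ["finance-shared@school.example"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "Enabled": True},
    {"Mailbox": "ap.clerk@school.example", "Name": ".",
     "ForwardTo": [], "RedirectTo": ["invoices.archive@mail-example.net"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True, "Enabled": True},
]

def is_external(address, internal_domains):
    """True unless the address's domain is one of the organization's own."""
    m = re.search(r"@([\w.-]+)$", address.strip().lower())
    return m is None or m.group(1) not in internal_domains

def find_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, rule name, external targets, deletes_local_copy) for
    each enabled rule that forwards or redirects mail outside the organization."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        targets = set()
        for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets.update(rule.get(field) or [])
        external = sorted(t for t in targets if is_external(t, internal_domains))
        if external:
            findings.append((rule["Mailbox"], rule["Name"], external,
                             bool(rule.get("DeleteMessage"))))
    return findings

if __name__ == "__main__":
    for mailbox, name, targets, deletes in find_forwarding_rules(SAMPLE_RULES):
        note = " and deletes the local copy" if deletes else ""
        print(f"{mailbox}: rule {name!r} sends mail to {targets}{note}")
```

Running the same check on a regular schedule, and alerting on newly created rules rather than only on a one-off audit, is what catches the rule before the payment instructions change.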

Attackers often insert themselves into legitimate email conversations. Both parties believe they are communicating with each other, when the reality is they are communicating with the scammer. The scammer then asks for payments to be sent to a different email account. These conversations can span many messages and email exchanges can continue for several days or weeks. Since the scammer has full control of one of the email accounts, it is likely that the scam will not be detected until it is too late.

It is unclear whether a vendor’s email account was compromised in the Manor Independent School District phishing attack or if this was a standard BEC attack, with emails sent to the billings department requesting a bank account change. Details on the specifics of the phishing attack have not been released. What is known is that the bank account details of a vendor were changed, and the school district made three separate payments over the space of the following month before the scam was identified and the school district discovered it had been scammed out of $2.3 million.

A defense in depth strategy is required to prevent attacks such as this from succeeding. Technical defenses are essential. An advanced spam filter should be implemented that scans all incoming and outgoing messages, multi-factor authentication should be implemented to prevent stolen credentials from being used to remotely access accounts, and end user training is required to raise awareness of the threat. Policies and procedures should also be implemented that require all bank account changes to be verified, via telephone, before they are authorized.

Rise in Ransomware Attacks on Education Institutions Highlights Need for Improved Defenses

Ransomware attacks slowed in 2018 but the malicious file-encrypting malware is back with a vengeance. Ransomware attacks on educational institutions have soared this year, and as the attackers are well aware, these attacks can be extremely profitable.

There have been 182 reported ransomware attacks so far this year and 26.9% of those attacks have been on school districts and higher education institutions. The increase has seen education become the second most targeted sector behind municipalities (38.5%) but well ahead of healthcare organizations (14.8%).

The reason why the number of ransomware attacks on educational institutions, healthcare, and municipalities is so high compared to other sectors is because attacks are relatively easy to perform and there is a higher than average chance that the ransoms will be paid.

Attacks on municipalities mean they can’t access computer systems, and essential services grind to a halt. Police departments can’t access criminal records, courts have to be shut down, and payments for utilities cannot be taken. If hospitals can’t access patient data, appointments have to be cancelled out of safety concerns. In education, teachers cannot record grades and student records cannot be accessed. Administration functions grind to a halt and a huge backlog of work builds up.

Some of the recent ransomware attacks on school districts have seen schools forced to send students home. Monroe-Woodbury Central School District in New York had to delay the start of the school year due to its ransomware attack. If students need to be sent home, there is often backlash from parents – not only because their children are not getting their education, but because childcare then needs to be arranged.

The costs of these attacks are considerable for all concerned. Each day without access to systems costs schools, universities, municipalities, and hospitals a considerable amount of money. Downtime is by far the biggest cost of these attacks, far greater than any ransom payment.

It is no surprise that even when ransom demands are for tens or hundreds of thousands of dollars, they are often paid. The cost of continued losses as a result of the attacks makes paying the ransom the most logical solution from a financial perspective. However, paying the ransom sends a message to other cybercriminals that these attacks can be extremely profitable, and the attacks increase.

The huge cost of attacks has seen educational institutions take out insurance policies, which typically pay the ransom in the event of an attack. While this is preferable financially for the schools, it ensures that the attackers get their pay day. Some studies have suggested that attackers are choosing targets based on whether they hold insurance, although the jury is out on the extent to which that is the case.

In total, 49 school districts and around 500 K-12 schools have been affected by ransomware attacks this year. While the ransomware attacks on school districts have been spread across the United States, schools in Connecticut have been hit particularly hard: 7 districts, comprising 104 schools, have been attacked.

Prevention of these attacks is key but securing systems and ensuring all vulnerabilities are identified and corrected can be a challenge, especially with the limited budgets and resources of most schools. Cybersecurity solutions need to be chosen wisely to get the maximum protection for the least cost.

A good place to start is by addressing the most common attack vectors, which for ransomware are Remote Desktop Protocol and email-based attacks.

Remote Desktop Protocol should be disabled if it is not required. If that is not possible, connection should only be possible through a VPN. Rate limiting should also be set to block access after a number of failed login attempts to protect against brute force password-guessing attacks.
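Where RDP cannot be disabled, the failed-logon pattern that rate limiting is meant to stop is also visible in the Windows Security log. The detection below is an added example, not code from the page: the log lines are constructed in a simplified layout rather than a real event export, while Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows identifiers.

```python
"""Flag RDP password guessing from failed-logon events (Windows Event ID 4625).

Added example, not code from the page. The log lines are constructed in a
simplified 'timestamp event_id key=value ...' layout rather than a real event
export; Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10
(RemoteInteractive, i.e. RDP) are the real Windows identifiers.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2019-09-10T02:14:03Z 4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2019-09-10T02:14:04Z 4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2019-09-10T02:14:05Z 4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=teacher
2019-09-10T02:14:06Z 4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup
2019-09-10T02:14:07Z 4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=scanner
2019-09-10T02:14:09Z 4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=sql
2019-09-10T02:20:00Z 4625 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jsmith
2019-09-10T02:25:00Z 4625 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jsmith
2019-09-10T03:00:00Z 4625 LogonType=2 IpAddress=- TargetUserName=jsmith
2019-09-10T03:00:01Z 4624 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jsmith
"""

def parse_event(line):
    """Split one constructed log line into a dict of its fields."""
    ts, event_id, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event_id"] = int(event_id)
    return rec

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures, distinct_usernames)} for every source
    that reaches `threshold` failed RDP logons within a sliding `window`."""
    recent = defaultdict(deque)      # ip -> recent (time, username) failures
    flagged = {}
    for line in text.splitlines():
        rec = parse_event(line)
        if rec["event_id"] != 4625 or rec.get("LogonType") != "10":
            continue                 # only failed RemoteInteractive logons count
        q = recent[rec["IpAddress"]]
        q.append((rec["time"], rec["TargetUserName"]))
        while q and rec["time"] - q[0][0] > window:
            q.popleft()              # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[rec["IpAddress"]] = (len(q), len({u for _, u in q}))
    return flagged

if __name__ == "__main__":
    for ip, (fails, users) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {fails} RDP failures against {users} accounts in one minute")
```

A single user mistyping a password twice five minutes apart, as in the second source above, stays below the threshold; many distinct usernames from one address in seconds is the guessing pattern worth an alert and a block.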

Email security also needs to be improved. Massive spam campaigns are being conducted to distribute the Emotet banking Trojan, which serves as a downloader for Ryuk ransomware and others. Embedded hyperlinks in emails direct end users to sites where they are encouraged to download files that harbor malware, or to exploit kits where ransomware is silently downloaded.

Advanced spam filters should be deployed that incorporate sandboxing. This allows potentially suspicious email attachments to be checked for malicious activity in a safe environment. DMARC email authentication is also important as it is one of the best defenses against email impersonation attacks. SpamTitan now incorporates both of these measures.

A DNS based content filtering solution is also beneficial as an additional protection against malware downloads and phishing attacks. Not only can the content filter be used to ensure compliance with CIPA, it will prevent end users from visiting malicious websites where ransomware is downloaded.

Email attacks usually require some user interaction, which provides another opportunity to block the attacks. By educating all staff and students on the risks, they can be prepared for when malicious emails arrive in their inboxes and will be conditioned how to respond.

It is often the case that breached entities only implement these measures after an attack has occurred to prevent any further attacks from succeeding. By taking a more proactive approach and implementing these additional security measures now, costly, disruptive attacks can be avoided.

For more information on ransomware defenses such as email and DNS filters for educational institutions, give the TitanHQ team a call today. You are likely to find out that these security measures are far cheaper than you think… and naturally a great deal less expensive than having to deal with an attack.

Ransomware Modifications Double as Cybercriminals Step up Attacks on Businesses

2017 was a bad year for ransomware attacks, but as 2018 progressed it was starting to look like the file-encrypting malware was being abandoned by cybercriminals in favor of more lucrative forms of attack. Between 2017 and 2018 there was a 30% fall in the number of people who encountered ransomware compared to the previous year, and the number of new ransomware variants continued to decline throughout 2018; however, now, that trend has been reversed.

2019 has seen a sharp increase in attacks. Figures from Malwarebytes indicate there was a 195% increase in ransomware attacks in Q1, 2019 and that increase has continued in Q2. A new report from Kaspersky Lab has shown that not only are attacks continuing to increase, the number of new ransomware variants being used in these attacks is also increasing sharply.

Kaspersky Lab identified 16,017 new ransomware modifications in Q2, 2019, which is more than twice the number of new ransomware modifications detected in Q2, 2018. In addition to updates to existing ransomware variants, Q2, 2019 saw 8 brand new malware families detected.

Kaspersky Lab tracked 230,000 ransomware attacks in Q2, which represents a 46% increase from this time last year. Far from ransomware dying a slow death, as some reports in 2018 suggested, ransomware is back and is unlikely to go away any time soon.

Not only are attacks increasing in frequency, ransom demands have increased sharply. Ransom demands of hundreds of thousands of dollars are now the norm. Two Florida cities paid a combined total of $1 million for the keys to unlock files encrypted by ransomware. Jackson County in Georgia paid $400,000 for the keys to unlock the encryption that crippled its court system, and recently, a massive ransomware attack that impacted 22 towns and cities in Texas saw a ransom demand of $2.5 million issued.

Earlier this year, the developers of GandCrab ransomware shut down their popular ransomware-as-a-service offering. They claimed to have made so much money from attacks that they have now taken early retirement. Despite GandCrab ransomware being one of the most widely used ransomware variants for the past 18 months, the shutdown has not been accompanied by a reduction in attacks. They continue to increase, as other ransomware-as-a-service offerings such as Sodinokibi have taken its place.

Ransomware attacks are increasing because they are profitable, and as long as that remains the case, ransomware is here to stay. Businesses are getting better at backing up their data but recovering files from backups and restoring entire systems is a difficult, time-consuming, and expensive task. When major attacks are experienced, such as those in Texas, recovering systems and files from backups is a gargantuan task.

Attackers realize this and set their ransom demands accordingly. A $400,000 ransom demand represents a sizable loss, but it is a fraction of the cost of recovering files from backups. Consequently, these sizable ransoms are often paid, which only encourages further attacks. It is for this reason that the FBI recommends never paying a ransom, but for many businesses it is the only option they have.

Businesses naturally need to develop plans for recovering from an attack to avert disaster in the event of ransomware being installed on their network, but they must also invest in new tools to thwart attacks. At the current rate that attacks are increasing, those tools need to be implemented soon, and that is an area where TitanHQ can help.

To find out more about email and web security solutions that can block ransomware and protect your network, give the TitanHQ team a call.

Phishing Campaign Uses Voicemail Notifications to Trick Users into Disclosing Credentials

A new phishing campaign has been detected which uses Microsoft Office 365 voicemail notifications as a lure to get users to open a malicious HTML file attached to the email.

The phishing emails are very realistic. The emails include the Microsoft and Office 365 logos, use the Microsoft color scheme, and include Microsoft contact information. The messages inform the recipient that they have received a new voicemail message. The caller’s number and the length of the voicemail message are included, along with the time and date of the message. In order to access that message, the user is required to open an HTML file attached to the email.

Many phishing campaigns use Word documents or Excel spreadsheets containing malicious macros or embedded hyperlinks that direct users to a phishing web page where credentials are harvested. Through security awareness training, employees are told to look out for these commonly used file types. HTML files are likely to be familiar to employees, but since these file types are not often used in phishing campaigns, employees may believe the attached file to be benign, when that is definitely not the case.

The HTML file uses meta refresh to redirect the user from the local HTML file to a phishing page hosted on the Internet. That phishing page contains a highly realistic spoofed voicemail management page where users are required to enter their Office 365 credentials to access the message. Doing so hands those credentials to the attacker.
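A mail gateway or analyst can pick out this redirect technique directly from the attachment, since the destination sits in a single meta tag. The parser below is an added example, not SpamTitan's or the page's code; the HTML attachment body is constructed and the domain in it is a reserved example name.

```python
"""Find <meta http-equiv="refresh"> redirects in an HTML attachment, the
technique the voicemail lure above uses to bounce the reader to a remote page.

Added example, not SpamTitan's or the page's code. The attachment body is
constructed, and its target domain is a reserved example name.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed attachment: an "instant" refresh to an off-site login page
SAMPLE_HTML = """<html><head><title>Voice Message</title>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=https://voicemail.example.net/login?id=1">
</head><body>Loading your voicemail...</body></html>"""

class MetaRefreshFinder(HTMLParser):
    """Collect the content attribute and target URL of every meta refresh tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":            # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "<seconds>; url=<target>"; the url part is optional
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append((a["content"], m.group(1).strip()))

def meta_refresh_redirects(html):
    """Return [(delay_seconds, url, host)] for meta refreshes that leave the file.

    Same-document targets (no host) are ignored; a zero-second delay to an
    external host is the pattern seen in the voicemail attachment.
    """
    finder = MetaRefreshFinder()
    finder.feed(html)
    out = []
    for content, url in finder.targets:
        delay_match = re.match(r"\s*(\d+)", content)
        delay = int(delay_match.group(1)) if delay_match else 0
        host = urlparse(url).netloc.lower()
        if host:
            out.append((delay, url, host))
    return out

if __name__ == "__main__":
    for delay, url, host in meta_refresh_redirects(SAMPLE_HTML):
        print(f"refresh after {delay}s to {host}: {url}")
```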

Cybercriminals are constantly coming up with new ways to trick employees into clicking links in emails or opening malicious attachments. Keeping the workforce up to date on these threats is important. If employees are aware of the types of scam emails they are likely to receive, they will be more likely to correctly identify an email as malicious if it arrives in their inbox.

Keeping the workforce 100% up to date on the latest scams will not be possible, as new scams and lures are constantly being developed. It is therefore important to ensure that you have an advanced spam filtering solution in place that can block these messages so that they never reach, and never test, employees.

SpamTitan incorporates DMARC to block email impersonation attacks, dual antivirus engines to identify known malware, and a sandbox where suspicious attachments can be executed safely and studied for malicious actions. In addition, a range of checks are performed to assess the content of messages and embedded hyperlinks for any malicious actions.

With SpamTitan in place, businesses will be able to block more than 99.97% of spam and phishing emails, and 100% of known malware.

If you want to improve protections against phishing attacks and ensure fewer malicious messages reach your Office 365 inboxes, give the TitanHQ team a call to find out more about SpamTitan email security and other measures you can take to improve your security posture and block these sophisticated phishing attacks.