Cybersecurity News

Keeping up-to-date with cybersecurity news can help protect organizations from online threats such as malware downloads and phishing campaigns. By being aware of the types of threats that exist, how they operate, and what damage they can do, organizations can take precautions against the threats, educate their employees to be aware of online security, and strengthen their online defenses.

The most effective way of preventing attacks by cybercriminals is to stop Internet users from receiving emails containing phishing links or visiting websites that harbor viruses. This can be achieved with an email filter and an Internet content filter – both solutions having mechanisms in place to protect organizations and ensure they are not featured in future in our cybersecurity news section.

New Traffic Distribution System Helps Threat Actors Conduct Web-Based Malware Attacks

Web-based malware attacks via exploit kits were commonplace in 2016, although in 2017 this mode of attack fell out of favor with cybercriminals, who concentrated on spam email to deliver their malicious payloads. Exploit kit activity is now at a fraction of the level of 2016, although 2017 did see an increase in activity using the Rig and Terror exploit kits.

Now, a recent discovery by Proofpoint could see exploit kit activity start to increase once again. A new traffic distribution system is being offered on darknet marketplaces that helps cybercriminals direct users to sites hosting exploit kits and conduct web-based malware attacks.

Traffic distribution systems – also known as TDS – buy and sell web traffic and are used to direct web users from one website to another. When a user clicks on a link that is part of a TDS system, they are directed to a website without their knowledge – a website that could host an exploit kit and trigger a malware download.

The new TDS – known as BlackTDS – requires threat actors to direct traffic to the service, which then filters that traffic and directs individuals to exploit kits based on their profile data. The service maximizes the probability of the exploit kit being able to download malware onto their device. The service can also be used to determine which malware will be downloaded, based on the profile of the user.

Threat actors that sign up to use the service can inexpensively select the exploit kits and malware they want installed with all aspects of the malware distribution service handled by the developers of BlackTDS. The developers also claim their cloud-based TDS includes fresh HTTPS domains that have not been blacklisted and that it is difficult for their cloudTDS to be detected by security researchers and sandboxes.

Using spam campaigns and malvertising, threat actors can direct traffic to BlackTDS with all aspects of drive-by downloads handled by the developers. Campaigns being run using BlackTDS have been directing users to the RIG-v, Sundown, and Blackhole exploit kits which are used to download a wide range of keyloggers, ransomware, and other malware variants.

The provision of this malicious service makes it cheap and easy for threat actors to take advantage of web-based malware distribution rather than relying on spam email to spread malicious software. It also makes it clear that exploit kits are still a threat and that web-based malware attacks are likely to become more of a problem over the coming months.

To find out more about how you can protect your business from exploit kits and web-based malware attacks, contact the TitanHQ team today and ask about WebTitan.

New TitanHQ Partnership Sees Firm Join HTG Peer Groups as Gold Vendor


Today has seen the announcement of a new partnership between TitanHQ – the leading provider of email and web filtering solutions for MSPs – and the international consulting, coaching, and peer group organization HTG. The announcement was made at the Q1 HTG Peer Groups meeting at the Pointe Hilton Squaw Peak Resort, Phoenix, Arizona.

The partnership sees TitanHQ’s web filtering solution – WebTitan; its cloud-based anti-spam service – SpamTitan; and its email archiving solution – ArcTitan made immediately available to the HTG community.

TitanHQ has developed innovative cybersecurity solutions specifically for managed service providers to help them provide even greater protection to their clients from the ever-increasing volume of email and Internet-based threats. The multiple award-winning solutions have now been adopted by more than 7,500 businesses and 1,500 MSPs, helping to protect them from malware, ransomware, viruses, phishing, botnets, and other cyber threats.

HTG is a leading peer group association that was recently acquired by the global technology giant ConnectWise. HTG helps businesses plan and execute strategies to drive forward growth and increase profits. Its consultants and facilitators share wisdom, provide accountability, and build meaningful relationships with businesses to help them succeed in today’s highly competitive marketplace.

The new partnership will see TitanHQ join HTG Peer Groups as a Gold vendor, making the firm’s MSP-friendly cybersecurity solutions immediately available to the HTG community.

“We’re delighted to welcome TitanHQ on board for 2018. As soon as the initial discussion started we knew they would make a great match for our community, as web security is a key area for our members in 2018,” said HTG Peer Groups founder, Arlin Sorensen.

HTG Peer Groups Founder Arlin Sorensen (Left); TitanHQ CEO Conor Madden (Right)

“WebTitan web filter was built by MSPs for MSPs and this exciting relationship with HTG Peer Groups is a continuation of that process. It allows us to listen to the opportunities and difficulties faced by MSP senior executives while also allowing us to share how we became a successful web security vendor. Our goal is to successfully engage with HTG members to build strong and long-lasting relationships,” said TitanHQ CEO, Conor Madden.

Web security is a hot topic within the managed service provider community. MSPs are being called upon to improve web security for their clients and protect against a barrage of phishing, malware, and ransomware attacks. They are also called upon to mitigate malware and ransomware attacks when they are experienced by their clients, which can be time-consuming and costly. By implementing WebTitan, TitanHQ’s award-winning web filtering solution, MSPs can substantially reduce support and engineering costs.

WebTitan serves as a barrier between end users and the Internet, blocking attempts by users to visit malicious websites where malware and ransomware are silently downloaded. WebTitan is also a powerful content filtering solution that can be used to enforce organizations’ acceptable Internet usage policies.

The web filtering solution and TitanHQ’s anti-spam solution SpamTitan have been developed specifically with MSPs in mind. The solutions can be applied and configured in under 30 minutes without the need for additional hardware purchases, software downloads, or site visits. The solutions have a low management overhead, which means MSPs can protect their clients from email and web-based threats, reduce the hands-on time they need to spend on their clients, and provide greater value while improving their bottom lines.
 

Skygofree Malware – One of the Most Dangerous Android Malware Threats Ever Seen

According to Kaspersky Lab, one of the most dangerous threats to mobile users is Skygofree malware – a recently discovered Android malware threat that has been described as the most powerful Android malware variant ever seen.

Skygofree malware has only recently been detected, but it is the product of some serious development. Kaspersky Lab believes it has been in development for more than three years. The result is a particularly nasty threat that all users of Android devices should take care to avoid. Once it is installed on a device, it has access to a considerable amount of data. It also has some rather impressive capabilities, being capable of 48 different commands.

Among its arsenal is the ability to take control of the camera and snap pictures and take videos without the knowledge of the user. It has access to geolocation data, so it is capable of tracking your every move: where you go, as well as where you have been.

Skygofree malware will steal call records and discover who you have spoken to and when and will read your text messages. The malware can also record conversations and background noise, both for telephone calls and when the user enters a specific location – based on geolocation data – that has been set by the attacker.

Whenever you are in range of a WiFi network that is controlled by the attacker, the device will automatically connect, even if WiFi is turned off. It also has access to all information in the phone’s memory, can check your calendar to tell what you have planned, and intercept WiFi traffic.

You also cannot privately communicate using WhatsApp with Skygofree malware installed. It abuses the Android Accessibility Service and can view your messages. Skype conversations are similarly not secure. As if that was not enough, the malware also serves as a keylogger, recording all data entered on the device.

With such an extensive range of functions, this powerful new malware variant is clearly not the work of an amateur. It is believed to be the product of an Italian intercept and surveillance company called Negg, which is known to work with law enforcement agencies.

Kaspersky Lab researcher Alexey Firsh said, “Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam.”

Skygofree malware is spread via malicious websites that closely resemble those of mobile carriers. Several mobile carriers including Vodafone have been spoofed.

Protecting against malware threats such as this is difficult. The best defense is to be extremely careful browsing the internet. However, with malicious adverts able to redirect users to malicious sites, careful browsing is no guarantee of safety.

How to Protect Your WiFi Network and Block Malicious Websites

WebTitan for WiFi offers protection from malware when users connect to your WiFi network. WebTitan for WiFi is a powerful web filtering solution that can be used to restrict access to a predefined list of websites or configured to prevent users from visiting categories of websites known to carry a high risk of containing malware. Blacklists are also used to ensure known phishing and malware-laced websites, including those used to spread Android malware, cannot be accessed via your WiFi network.

To find out more about WebTitan for WiFi, and web filtering solutions for your wired networks, contact the TitanHQ team today.

Loapi Malware Infections Destroy Android Phones

Loapi malware is a new Android malware variant that is capable of causing permanent damage to Android smartphones.

The new malware variant was recently discovered by researchers at Kaspersky Lab. In contrast to many new malware variants that operate silently and remain on the device indefinitely, Loapi malware infections can be short-lived. Kaspersky performed a test on an Android phone and discovered that within two days the phone had been destroyed.

The aim of the malware is not sabotage. Destruction of the device is just collateral damage that results from the intense activity of the malware. Loapi malware performs a wide range of malicious functions simultaneously, including some processor-intensive activities that cause the device to overheat, causing irreparable damage.

In the test, over the two days, the constant activity caused the device to overheat and the battery to bulge, deforming the device and its cover.

The researchers said Loapi malware is like no other malware variant they have seen, and the researchers have seen plenty. Loapi malware was called a ‘jack of all trades’ due to its extensive capabilities. The malware is used to mine the cryptocurrency Monero, a processor-intensive process. The malware uses the processing power of infected devices to create new coins. While the mining process is less intensive than for Bitcoin, it still takes its toll.

Additionally, the malware allows infected devices to be used in DDoS attacks, making constant visits to websites to take down online services. The malware is used to spam advertisements, and bombards the user with banners and videos.

The malware will silently subscribe to online services, and if they require text message confirmation, that is also handled by the malware. The malware gains access to SMS messages and can send text messages to any number, including premium services. Text messages are used to communicate with its C2 server. Messages are subsequently deleted by the malware to prevent detection by the user, along with any text message confirmations of subscriptions to online services. Kaspersky Lab researchers note that the malware attempted to access more than 28,000 URLs in the two days of the test.

Any apps that are installed on the device that could potentially affect the functioning of the malware are flagged with a false warning that the app contains malware, telling the user to uninstall them. The user will be bombarded with these messages until the app is uninstalled, while other security controls prevent the user from uninstalling the malware or deactivating its admin privileges.

There is little the malware cannot do. The researchers point out that the only function that Loapi does not perform is spying on the user, but since the modular malware can be easily updated, that function could even be added.

While conclusive proof has not been obtained, Kaspersky Lab strongly suspects the malware is the work of the same cybercriminal operation that was behind Podec malware.

So how is Loapi malware distributed? Kaspersky notes that as is common with other Android malware variants, it is being distributed by fake apps on third-party app stores, most commonly disguised as anti-virus apps. A fake app for a popular porn website has also been used. Additionally, fake adverts have been detected that promote these fake apps, with more than 20 separate locations discovered to be pushing the malware.

The malware has not yet been added to the Google Play store, so infections can be prevented by always using official app stores.

A Quarter of Ransomware Attacks in 2017 Targeted Businesses

Kaspersky Lab has named ransomware as one of the key threats of 2017, and one that continues to plague businesses the world over. Ransomware attacks in 2017 are down year on year, but ransomware attacks on businesses are up.

Ransomware attacks in 2016 were bad, but this year there have been three major attacks that have gone global – WannaCry in May, NotPetya in June, and most recently, the Bad Rabbit attacks in October. Many of the ransomware attacks in 2017 have been far more sophisticated than in 2015 and 2016, while attackers are now using a wider variety of tactics to install the malicious code.

At the start of 2016, ransomware was primarily being installed using exploit kits, before attackers switched to spam email as the main method of delivery. Spam email remains one of the most common ways for ransomware to be installed, although each of the above three attacks used exploits for unpatched vulnerabilities.

Those exploits, all of which had been developed and used by the NSA, had been leaked online by the hacking group Shadow Brokers. While not as severe as WannaCry, NotPetya, and Bad Rabbit, exploits were also used by AES-NI and Uiwix ransomware variants. Threat actors are also using remote desktop protocol to gain access to systems to install ransomware, while the use of exploit kits is once again on the rise.

There has been a noticeable change in targets since 2015 when ransomware started to be favored by cybercriminals. Consumers were the main targets, although cybercriminals soon realized there was more to be made from attacking businesses. In 2016, 22.6% of ransomware attacks were on business users. The Kaspersky Lab report shows that ransomware attacks on businesses are becoming far more common, accounting for 26.2% of all attacks in 2017.

Out of the businesses that experienced a ransomware attack in 2017, 65% said they lost access to a significant amount of data, and in some cases, all of their data. Some businesses have prepared for the worst and have developed ransomware response plans and now have multiple copies of backups, with at least one copy on an unnetworked device. In the event of an attack, data can be recovered.

Others have not been so fortunate and have been left with no alternative other than to pay the ransom demand. As we saw with NotPetya, and many other ransomware and pseudo-ransomware variants, it is not always possible to recover data. The Kaspersky Lab report shows that one in six businesses that paid the ransom demand were unable to recover their data, creating massive business disruption and also potentially privacy and compliance fines. Keys to unlock the encryption were not provided or simply did not work.

There is some good news in the report. Ransomware attacks in 2017 affected 950,000 unique users, which is a considerable reduction from last year when 1.5 million users suffered a ransomware attack. This has been attributed not to a reduction in attacks, but better detection.

Kaspersky reports that the explosion in ransomware families in 2016 did not continue at the same level in 2017. Last year, 62 new families of ransomware were discovered. While there is still a month left of the year, to date, the number of new ransomware families in 2017 has fallen to 38.

While this appears to be good news, it is not an indication that the threat from ransomware is reducing. Kaspersky Lab notes that while the creation of new ransomware families halved in 2017, in 2016 there were 54,000 modifications made to existing ransomware variants, but this year there have been 96,000 modifications detected – almost double the number of modifications last year. Rather than develop new ransomware families, cybercriminals are tweaking existing ransomware variants.

Kaspersky Lab, McAfee, and a host of security experts predict ransomware attacks will continue to plague businesses in 2018. As long as the attacks remain profitable they will continue, although Kaspersky Lab notes that 2018 is likely to see efforts switch to cryptocurrency miners, which can prove more profitable than ransomware in the long run. Even so, ransomware attacks are likely to continue for the foreseeable future.

To prevent the attacks, businesses need to implement a host of defenses to block and detect ransomware. Anti-spam software can be deployed to prevent email-based attacks, web filters can be used to block access to websites hosting exploit kits and prevent drive-by downloads, and endpoint protection systems and network monitoring can detect changes made by ransomware and alert businesses to ransomware attacks in progress. Along with good backup policies and end user training, the threat from ransomware can be reduced to an acceptable level and the majority of attacks can be blocked.

LockCrypt Ransomware Distributed Using Brute Force RDP Attacks

A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via remote desktop protocol brute force attacks.

The LockCrypt ransomware attacks were first detected in June this year, but over the past few months the number of attacks has increased significantly, with October seeing the highest number of attacks so far this year.

LockCrypt ransomware is a relatively new malware variant, having first been seen in June 2017. Once a system is infected, users will be unable to access their files. This ransomware variant uses RSA-2048 and AES-256 cryptography, which makes it virtually impossible to recover files without paying the ransom demand if a viable backup does not exist. To make recovery more difficult, LockCrypt ransomware also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension.

The ransom payment for this campaign is considerable – typically between 0.5 and 1 Bitcoin per encrypted server. That’s between $3,963 and $7,925 per compromised server; however, since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed, it can be used to access multiple servers and deploy LockCrypt ransomware. One of the Bitcoin addresses used by the attackers shows one company paid a ransom of $19,000 to recover files on three of its servers.

Once access to a server is gained, ransomware is deployed; however, the attackers are manually interacting with compromised servers. AlienVault security researcher Chris Doman reported that for one company, in addition to deploying ransomware, the attackers “manually killed business critical processes for maximum damage.” All non-core processes on an infected server are killed.

The attacks do not appear to be targeted; instead, they are randomly conducted on business servers. Businesses that are most likely to have ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password, this plays into the hands of attackers.

Other security controls such as two-factor authentication can reduce the risk from this type of attack, as can rate limiting to restrict the number of failed attempts a user can make before their IP address is temporarily – or permanently – blocked.

An additional control that system administrators can apply is to white-list certain IP addresses to restrict RDP access to authorized individuals. If that is not practical, disallowing RDP connections over the Internet from abroad can help to prevent these attacks.
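
The rate-limiting and IP white-listing controls described above, replayed over a constructed sequence of RDP logon attempts. This is an added example, not code from the article or from any vendor; the thresholds, function names and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values for illustration; tune them to your environment.
MAX_FAILURES = 5                  # failed logons tolerated inside WINDOW
WINDOW = timedelta(minutes=10)
TEMP_BLOCK = timedelta(minutes=30)
PERMANENT_AFTER = 2               # temporary blocks earned before a permanent one


def evaluate(events, allowlist=None):
    """Replay (timestamp, source_ip, succeeded) logon attempts in time order.

    allowlist: optional list of ip_network objects; when given, any source
    outside it is refused before authentication is even attempted.
    Returns a list of (timestamp, source_ip, action) decisions.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside WINDOW
    blocked_until = {}            # ip -> expiry datetime, or None for permanent
    temp_blocks = defaultdict(int)
    decisions = []

    for ts, ip, succeeded in sorted(events, key=lambda e: e[0]):
        if allowlist is not None and not any(ip_address(ip) in n for n in allowlist):
            decisions.append((ts, ip, "deny:not-allowlisted"))
            continue

        if ip in blocked_until:
            expiry = blocked_until[ip]
            if expiry is None or ts < expiry:
                decisions.append((ts, ip, "deny:blocked"))
                continue
            del blocked_until[ip]             # temporary block has expired

        if succeeded:
            recent[ip].clear()
            decisions.append((ts, ip, "allow"))
            continue

        # Failed logon: slide the window forward, then count what is left.
        window = recent[ip]
        while window and window[0] <= ts - WINDOW:
            window.popleft()
        window.append(ts)
        if len(window) < MAX_FAILURES:
            decisions.append((ts, ip, "fail"))
            continue

        # Threshold reached: block, escalating to permanent on repeat offences.
        window.clear()
        temp_blocks[ip] += 1
        if temp_blocks[ip] >= PERMANENT_AFTER:
            blocked_until[ip] = None
            decisions.append((ts, ip, "block:permanent"))
        else:
            blocked_until[ip] = ts + TEMP_BLOCK
            decisions.append((ts, ip, "block:temporary"))
    return decisions


def actions_for(decisions, ip):
    """Return only the actions recorded for one source address."""
    return [action for _, src, action in decisions if src == ip]


def build_sample_events():
    """Constructed data: RFC 5737 documentation addresses, invented times."""
    t0 = datetime(2017, 11, 1, 2, 0, 0)
    guesser, admin = "198.51.100.23", "203.0.113.5"
    events = [(t0 + timedelta(seconds=5 * i), guesser, False) for i in range(5)]
    events.append((t0 + timedelta(minutes=5), guesser, False))       # during block
    events += [(t0 + timedelta(minutes=40, seconds=5 * i), guesser, False)
               for i in range(5)]                                    # after expiry
    events.append((t0 + timedelta(minutes=90), guesser, True))       # correct guess
    events.append((t0 + timedelta(hours=1), admin, False))           # mistyped password
    events.append((t0 + timedelta(hours=1, seconds=30), admin, True))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    for label, allow in (("rate limiting only", None),
                         ("with allowlist", [ip_network("203.0.113.0/28")])):
        print(label)
        for ts, ip, action in evaluate(sample, allow):
            print(f"  {ts:%H:%M:%S}  {ip:<15} {action}")
```

In the rate-limiting run, the guessing address is refused even when it finally presents a correct password, because it is permanently blocked by then; in the white-list run, it never reaches the authentication step at all.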

While implementing controls to prevent RDP brute force attacks is vital, most ransomware variants are spread via spam email, and to a lesser extent via exploit kits and drive-by downloads. Comprehensive security defenses must therefore be deployed to reduce the risk of ransomware attacks.

These should include an advanced spam filtering solution to prevent malicious emails from being delivered, web filters to block malicious websites and drive-by downloads, end user training to raise awareness of the threat from ransomware and other forms of malware, and network monitoring technology to identify unusual server and endpoint activity.

Network activity monitoring will not prevent ransomware attacks, but it will help IT teams respond quickly and halt the spread of ransomware to other vulnerable servers and endpoints.

Magniber Ransomware Spread by Magnitude Exploit Kit

The Magnitude exploit kit is being used to deliver a new malware variant – Magniber ransomware. While the Magnitude EK has been used in attacks throughout the Asia Pacific region, the latest attacks are solely taking place in South Korea.

Ransomware and malware attacks in Europe and the Americas are primarily conducted via spam email. Exploit kits have fallen out of favor with cybercriminals over the past year. However, that is not the case in the Asia Pacific region, where exploit kit attacks are still common.

An exploit kit is a website toolkit that scans visitors’ browsers for exploitable vulnerabilities. When a vulnerability is identified, it is exploited to download malware onto the user’s system. The download occurs silently and in the case of a ransomware attack, the user is only likely to discover the attack when their files have been encrypted.

Magniber ransomware takes its name from the Magnitude EK and Cerber ransomware, the ransomware variant that it has replaced. At present, Magniber ransomware is solely targeting users in South Korea. If the operating system is not in Korean, the ransomware will not execute. While it is not unusual for ransomware campaigns to involve some targeting, it is rare for attacks to be targeted on a specific country.

Up until recently, the Magnitude exploit kit was being used to download Cerber ransomware. FireEye reports that those attacks were concentrated in the Asia Pacific region. 53% of attacks occurred in South Korea, followed by the USA (12%), Hong Kong (10%), Taiwan (10%), Japan (9%), and Malaysia (5%). Small numbers of attacks also occurred in Singapore and the Philippines. At the end of September, Magnitude EK activity fell to zero, but on October 15, the payload was updated and attacks were solely conducted in South Korea.

To avoid analysis, Magniber ransomware checks whether it is running in a virtual environment. A check is also performed to identify the system language. If the system language is Korean, data is encrypted with AES128 and encrypted files are given the .ihsdj extension. After encryption, the ransomware deletes itself. If the system language is not Korean, the ransomware exits.

At present, the Magnitude Exploit Kit has been loaded with a single exploit for CVE-2016-0189 – a memory corruption vulnerability in Internet Explorer. A patch for the vulnerability was released last year. FireEye believes the ransomware is still under development and its capabilities will be enhanced and fine-tuned.

To prevent attacks, it is important to ensure systems are fully patched. Businesses should make sure all network nodes are updated and are fully patched. A web filtering solution should also be used as an additional protection against this and other exploit kit attacks.

PornHub Malvertising Campaign Infects Millions with Malware

A massive Pornhub malvertising campaign has been detected that potentially resulted in millions of malware infections in the United States, Canada, UK, Australia and beyond.

Malvertising is the term given to malicious adverts that dupe website visitors into visiting websites where malware is downloaded or to sites that are used to phish for login credentials. These malverts often appear on legitimate websites, adding to their legitimacy. The malicious sites that users are directed to can download any type of malware – keyloggers, ransomware, spyware or adware.

The Pornhub malvertising campaign was used to spread click fraud malware. The hacking group behind the campaign – KovCoreG – used the Kovter Trojan. The malware has persistence and will survive a reboot.

Pornhub is one of the most popular adult websites, attracting millions of visitors. The website uses a third-party ad network called Traffic Junky. The attackers managed to sneak their malicious adverts past the controls the ad network has in place against malvertising.

The attackers detected the browser being used and redirected users to a website tailored to their browser. The Pornhub malvertising campaign worked on users of Chrome, Internet Explorer/Edge and Firefox. The webpages had been expertly crafted to exactly match the colors and fonts of Google, Firefox, and Microsoft and included the relevant logos and branding. The malicious webpages indicated a critical security update was required to secure the user’s browser. Clicking to download the update, and running that update, would result in infection.

The Pornhub malvertising campaign was detected by Proofpoint, which notified the ad network and Pornhub. Both acted quickly to remediate the threat, although not before many users had been infected with malware.

A Web Filtering Solution Can Block Malvertising Attacks

Implementing a web filtering solution in the workplace is not just about preventing your employees from wasting time on Facebook. A web filter is an important part of any layered cybersecurity defense strategy. The latest Pornhub malvertising campaign is a good example of how controlling the websites your employees can access can prevent malware infections.

Unless you work in the adult entertainment industry, employees should be prevented from accessing pornography at work. Most organizations include pornography in their acceptable usage policies. However, unless a filtering solution is implemented to block access, some employees are likely to break the rules. You could have a policy in place that states accessing pornography at work will result in instant dismissal. However, if anyone breaks the rules, it is not just their job that is on the line. Your network could be infected with malware.

Of course, cybercriminals do not just use adult websites for malicious adverts. Malvertising can appear on any website that includes ad blocks from third party advertisers. Since these ad blocks are an important source of revenue, many popular websites use them – websites that are likely to feature heavily in your Internet access logs, such as the New York Times website, the BBC, and MSN.

This Pornhub malvertising campaign required a manual download, although oftentimes users are directed to sites where malware is downloaded automatically using exploit kits. If you are fully patched, you are likely to avoid an infection, but it is easy to miss a patch. The massive Equifax data breach showed how easy it is for a patch to be missed, as did the WannaCry ransomware attacks.

Considering the cost of resolving a malware infection, phishing attack, or ransomware installation, a web filtering solution is likely to pay for itself. Add to that the increase in productivity from blocking access to certain categories of websites and the improvements to your profits can be considerable.

If you are not yet using a web filter, or are unhappy with the cost of your current solution, give TitanHQ a call today and find out more about the savings you could be making.

Cost of Cybercrime Increased 23% in 12 Months

The cost of cybercrime is 23% higher than last year, according to a new study conducted by the Ponemon Institute on behalf of Accenture. The average annual cost of cybercrime is now $11.7 million per organization, having increased from $9.5 million last year.

The Ponemon Institute conducted the 2017 Cost of Cybercrime study on 2,182 security and IT professionals at 254 organizations. Respondents were asked about the number of security breaches they experienced in the past 12 months, the severity of those incidents, and the cost of mitigation.

The average number of security breaches experienced by each organization was 130 per year, which is more than twice the number of incidents that were being experienced 5 years ago and 27.4% more than this time last year.

The costs of cybercrime were split into four areas: disruption to business processes, data loss, loss of revenue, and damage to equipment. Respondents were asked to rate each based on their cost. While the losses from disruption to the business were not insignificant, they were the least costly. The biggest cost was information loss.

The costliest security incidents to resolve were malware attacks, which cost an average of $2.4 million to resolve, although the attacks were considerably more expensive to resolve in the United States where the average losses were $3.82 million per incident. In second place were web-based attacks, costing an average of $2 million globally and $3.4 million in the United States.

However, in terms of the amount of disruption caused, insider incidents topped the list, taking an average of 50 days to mitigate. Ransomware attacks took an average of 23 days to resolve.

The cost of cybercrime report indicates organizations in the financial services sector have the highest annual costs, spending an average of $18.28 million per organization. In second place was the energy sector with an average annual cost of $17.20 million.

Organizations in the United States had the biggest annual security breach resolution costs, spending an average of $21 million each per year. Bottom of the list was Australia with average annual costs of $5 million. Organizations in the United Kingdom were spending an average of $8.7 million per year.

As we saw with the NotPetya attacks, the cost of a cyberattack can be considerably higher. Both Maersk and FedEx reported their losses from the attacks could well rise to $300 million.

The most valuable security tools were seen as threat intelligence solutions, which gather data from cyberattacks around the world and allow businesses to prioritize threats. These solutions saved businesses an average of $2.8 million per year.

Malvertising Phishing Attacks Soar, Underscoring Need for a Web Filter

Email may be the primary vector used in phishing attacks, but the second quarter of 2017 has seen a massive increase in malvertising phishing attacks.

Malvertising is the term given to malicious adverts, which are often displayed on high-traffic websites via third party advertising networks. These adverts are used to direct web visitors to malicious websites, oftentimes sites containing exploit kits that probe for vulnerabilities and silently download ransomware and other malware.

These malware attacks increased between 2015 and 2016, with the total number of malvertising attacks rising by 136%. Demonstrating how quickly the threat landscape changes, between Q1 and Q2, 2017 there was a noticeable decline in malicious advert-related exploit kit and malware attacks. Exploit kit redirects fell by 24% and malware-related adverts fell by almost 43%, according to a recent study released by RiskIQ.

However, the study shows there was a massive increase in malvertising phishing attacks, with cybercriminals changing their tactics. Phishing-related ads increased by 131% in Q2, 2017, but between 2015 and 2016, malvertising phishing attacks increased by a staggering 1,978%.

The websites that these adverts direct users to often promise a free gift in exchange for taking part in a survey. Genuine market research firms tend not to offer large incentives for taking part in surveys, or when they do offer an incentive, participants are entered into a draw where they stand a chance of winning a prize. When gifts are offered to all participants, it is a warning sign that all may not be as it seems. That said, many people still fall for the scams.

The aim of the surveys is to obtain sensitive information such as bank account information, Social Security numbers, usernames, passwords and personal information. The information can be used for a wide range of nefarious purposes. It is not only personal information that is sought. Cybercriminals are keen to gain access to corporate email accounts for the data they contain and to use them to send phishing emails.

When phishing attacks occur through corporate email accounts it can seriously tarnish a company’s reputation and may result in litigation if insufficient controls have been implemented to prevent such attacks from occurring.

Businesses can protect against malicious adverts and websites by implementing a web filter. A web filter can be configured to block third party adverts as well as the malicious websites that users are directed to, thus minimizing the risk of web-based malware and phishing attacks.

Many businesses are now choosing to filter the website content that their employees access purely for security reasons, although there are many other benefits to be gained from content filtering. Web filters can help employers curb cyberslacking, control bandwidth usage, and reduce legal liability.

With the cost of DNS-based content filtering low and potentially high losses from the failure to control Internet access, it is no surprise that so many businesses are now choosing to regulate what employees can do online at work.

To find out more about the full range of benefits of web filtering and to take advantage of a free trial of WebTitan, the leading web filtering solution for businesses, contact TitanHQ today.

The High Cost of a Ransomware Attack

Why should businesses invest heavily in technology to detect ransomware attacks when a ransom payment may only be between $500 and $1,000? While that is what cybercriminals are charging as a ransom, the cost of a ransomware attack is far higher than any ransom payment. In fact, the ransom is often one of the lowest costs of a ransomware attack that businesses must cover.

The ransom payment may seem relatively small, although the latest ransomware variants are capable of spreading laterally, infecting multiple computers, servers and encrypting network shares. The ransom payment is multiplied by the number of devices that have been infected.

The Cost of a Ransomware Attack Can Run to Millions of Dollars

When businesses suffer ransomware attacks, the attackers often set their ransoms based on the perceived ability of the organization to pay. In 2016, Hollywood Presbyterian Medical Center was forced to pay a ransom of $19,000 to unlock its infection. When the San Francisco Muni was infected, hackers demanded $50,000 for the keys to unlock its payment system. In June 2017, South Korean web host Nayana agreed to pay $1 million for the keys to unlock the encryption of its 53 Linux servers and 3,400 customer websites.

These ransom payments are high, but the ransom is only one cost of a ransomware attack. The biggest cost of a ransomware attack is often the disruption to business services while files are taken out of action. Systems can be taken out of action for several days, bringing revenue generating activities to an abrupt stop. One Providence law firm experienced downtime of three months following a ransomware attack, even though the $25,000 ransom was paid. Lawyers were stopped from working, causing a loss in billings of an estimated $700,000.

In heavily regulated industries, notifications must be sent to all individuals whose information has been encrypted, and credit monitoring and identity theft services often need to be provided. When hundreds of thousands of users’ data is encrypted, the cost of printing and mailing notifications and paying for credit monitoring services is substantial.

Once an attack has been resolved, networks need to be analyzed to determine whether any other malware has been installed or backdoors created. Cybersecurity experts usually need to be brought in to conduct forensic analyses. Then ransomware defenses need to be improved and new security systems purchased. The total cost of a ransomware attack can extend to hundreds of thousands or millions of dollars.

Ransomware is Here to Stay

As long as ransomware attacks are profitable, the threat will not go away. The use of ransomware-as-a-service allows ransomware developers to concentrate on creating even more sophisticated ransomware variants and stay one step ahead of security researchers and antivirus companies.

Anonymous payment methods make it hard for law enforcement to discover the identities of ransomware developers, and since those individuals are usually based overseas, even if they are identified, bringing them to justice is problematic.

Ransomware developers are constantly changing tactics and are developing new methods of attack. The coming months and years are likely to see major changes to how ransomware is used, and the systems that are attacked.

Ransomware attacks mostly target Windows systems, although new variants have already been developed to encrypt Mac and Linux files. Security experts predict there will also be an increase in ransomware variants targeting Macs as Apple’s market share increases, while website attacks are becoming more common. When a website is attacked, all site files, pages, and images are encrypted to prevent access. For an e-commerce business, the attacks can be devastating.

Ransomware attacks on mobile devices are now commonplace, with screen-lockers and file-encryptors used. Screen locking ransomware prevents users from accessing any apps or functions, rendering the device unusable. File encrypting variants encrypt all data stored on the device. These ransomware variants are most commonly packaged with apps sold in unofficial app stores. Risk can be substantially reduced by only downloading files from official app stores and ensuring all apps are kept up to date.

Given the increase in attacks and the massive increase in new ransomware variants, businesses must improve their defenses, block the common attack vectors, back up all data, and constantly monitor for indicators of compromise.

Tips for Preventing a Ransomware Attack

  • Ensure users only have access to data and network drives necessary for them to perform their jobs.
  • Backup devices should be disconnected when backups have been performed.
  • Keep operating systems, software applications, and plugins up to date and fully patched.
  • Block access to websites known to host exploit kits using a web filter such as WebTitan.
  • Implement a spam filtering solution to prevent malicious emails from reaching inboxes.
  • Provide regular, ongoing training to all staff on the risks of ransomware and phishing.
  • Segment your network and restrict administrator rights.

To ensure a swift recovery from a ransomware attack, make sure you:

  • Create multiple backups of all files, websites, and systems.
  • Create three backups on two different media and store one copy offsite.
  • Develop a ransomware response plan that can be implemented immediately when an attack is suspected.

Equifax Data Breach: 143 Million Consumers Affected

A massive Equifax data breach was announced yesterday, which ranks as one of the largest data breaches of 2017. Approximately 143 million consumers have been impacted and had their sensitive data exposed and potentially stolen.

A data breach at any company can cause considerable fallout, although this incident is particularly bad news for a credit reporting agency. Equifax aggregates and stores vast quantities of highly sensitive consumer data that are used by financial firms to make decisions about the creditworthiness of consumers. The data breach is sure to damage trust in the company.

Ironically, Equifax offers credit monitoring and identity theft protection services to companies that experience data breaches to help them protect breach victims. Naturally, all Americans affected by the Equifax data breach will be offered those services free of charge. In fact, Equifax has gone further by agreeing to offer those services free of charge to all U.S. consumers for a period of one year, even if they were not directly affected by the breach.

Chairman and Chief Executive Officer, Richard F. Smith, said “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.”

The Equifax data breach may not be the largest data breach of 2017, but the nature of the data exposed makes it one of the most serious. Highly sensitive data were exposed, including personal information, Social Security numbers, birthdates, and driver’s license numbers, and 209,000 consumers had their credit card numbers exposed.

These are the exact types of information used by cybercriminals to commit identity theft and fraud. Dispute documents were also stored on the compromised system. Those documents contained a range of personal information of 182,000 consumers. The bulk of the data related to U.S. citizens, although some consumers in Canada and the United Kingdom have also been affected by the Equifax data breach.

The hacker(s) responsible for the attack had access to Equifax’s systems for a considerable period of time before the breach was discovered. Access was first gained to systems in mid-May and continued until July 29, 2017 when the breach was discovered.

According to a statement released by Equifax yesterday, hackers gained access to its systems by exploiting a website vulnerability. While sensitive data were exposed and potentially stolen, Equifax reports that its core databases, which are used for credit referencing purposes, were not compromised at any point.

The data breach is still being investigated and a third-party cybersecurity firm has been hired to assist with the investigation. Smith said, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”

Breach notification letters are being sent to some, but not all, breach victims. Only the 391,000 individuals whose credit card numbers or dispute documents were exposed will receive notifications by mail. All other individuals will have to check an online tool to find out if their information was exposed in the breach.

Jimmy Nukebot: A New Iteration of the NeutrinoPOS Banking Trojan

Earlier this year, the NeutrinoPOS banking Trojan source code was leaked, leading to several new variants of malware being created, the latest being Jimmy Nukebot. In contrast to its predecessor, which was used to steal bank card information, the latest version has lost that functionality.

However, Jimmy Nukebot can perform a wide range of malicious functions, serving as a downloader for a wide range of malicious payloads. The malware also acts as a backdoor which will allow the actors behind the new malware to monitor activity on an infected device.

Security researchers at Kaspersky Lab have analysed Jimmy Nukebot infections and have seen the malware download a wide range of modules including Monero cryptocurrency mining malware, web-injects similar to those used in NeutrinoPOS, and various other modules that modify the functions of the malware. The malware can take screenshots of an infected device and exfiltrate data and could download any malicious payload onto an infected device.

Publication of the source code of malware results in an increase in its popularity. With the malware used in more attacks, the probability of it being detected is much higher. In order to evade detection, considerable modification to the malware is required. This could well be the reason why so many changes have been made to the latest iteration. The authors of Jimmy Nukebot took the original source code of the NeutrinoPOS banking Trojan and totally restructured the malware. The way the new malware has been constructed also makes static analysis much more complicated.

The new features of the malware make it a formidable threat. Jimmy Nukebot is able to learn about the system on which it is installed and use that information for exploitation, tailoring the payload it delivers based on its environment rather than performing a pre-set malicious activity immediately upon infection.

Since the malware passively collects information and responds accordingly, it is unlikely to trigger AV alerts and may remain undetected. Organizations that have the malware installed are therefore unlikely to be aware that their systems have been compromised.

Protecting against threats such as this requires advanced malware defences, although, as with most malware, infections occur as a result of the actions of end users, such as opening infected email attachments, clicking hyperlinks in emails or visiting websites that silently download malware.

Improving security awareness of employees will go a long way toward preventing malware from being installed. Coupled with an advanced spam filter to block email-based threats, a web filter to block redirects to exploit kits, regular patching, the enforced use of strong passwords, and advanced anti-malware technology, organisations can protect themselves against malware threats.

300 Google Play Store Malware Infected Apps Discovered

Downloading apps from non-official sources potentially places users at risk, but Google Play Store malware infected apps do exist. Google has controls in place to prevent malicious apps from being uploaded to its app store, but those controls are not always 100% effective. Choosing to download apps only from official stores is no guarantee that the apps will be free from malware.

Security researchers recently discovered around 300 apps offered through the Google Play store that appear to be legitimate programs, yet are infected with malware that adds infected devices to a large botnet. The botnet was being used to launch distributed denial of service (DDoS) attacks on websites.

The botnet, dubbed WireX, comprises tens of thousands of Android devices that are being used in highly damaging cyberattacks. Devices started to be infected in early July, with a steady rise in additions over the following weeks. Even though numbers of compromised devices grew steadily in July, the botnet was only discovered in early August when the WireX botnet started to be used in small scale DDoS attacks.

Since then, larger attacks have taken place, mostly targeting the hospitality sector. Those attacks have clogged websites with junk traffic, preventing legitimate users from accessing the sites. Some of the WireX DDoS attacks involved as many as 160,000 unique IPs. Since devices could conceivably be used to attack websites with multiple addresses, the size of the botnet has been estimated to be around 70,000 devices.

The growth of the botnet was soon attributed to malicious apps, with researchers discovering around 300 Google Play Store malware infected apps. Google has now disabled those apps and is in the process of removing them from devices.

The apps included video players, battery boosters, file managers and ringtones. The apps were not simply malware, as users would undoubtedly attempt to delete the apps if they failed to perform their advertised functions. The apps all worked and users who downloaded the apps were unaware that their devices were being used for malicious purposes. The malware used a ‘headless browser’ which was able to perform the functions of a standard browser without displaying any information to the user, allowing the actors behind the malware to operate undetected.

When the devices were needed for DDoS attacks, they would receive commands from their C2 server to attack specific websites.

Multiple security vendors including Akamai, RiskIQ, Flashpoint and Cloudflare collaborated and succeeded in taking down the WireX botnet. Without that collaboration, the botnet would still be active today and may not have been detected.

Neptune Exploit Kit Turns Computers into Cryptocurrency Miners

The Neptune Exploit kit is being used to turn computers into cryptocurrency miners, with traffic directed to the exploit kit using a hiking-themed malvertising campaign.

Exploit kit activity has fallen this year, although these web-based attacks still pose a significant threat. Exploit kits are web-based toolkits that probe browsers and plugins for vulnerabilities that can be exploited to download malware. Simply visiting a website hosting an exploit kit is all it takes for malware to be silently downloaded.

Protecting against exploit kit attacks requires browsers, plugins and extensions to be kept 100% up to date. However, even updated browsers can be vulnerable. Exploit kits can also include exploits for zero-day vulnerabilities that have not yet been patched.

Acceptable usage policies can help organizations to prevent exploit kit attacks, although website visitors are often redirected to malicious sites from legitimate websites. One of the main ways this happens is the use of malvertisements. Many high traffic websites include advertising blocks that display third-party adverts. The advertising networks serve adverts which are displayed on member sites, with the site owners earning money from ad impressions and click throughs.

While the advertising networks have measures in place to vet advertisers, oftentimes cybercriminals succeed in submitting malicious adverts. Those adverts are then pushed out and displayed on legitimate websites. Clicking one of those malicious adverts will see the user directed to a webpage hosting the exploit kit.

Exploit kits are used to download Trojans, ransomware and other malicious code, although the Neptune exploit kit is being used to download cryptocurrency miners. Infection will see computers’ processing power used to mine the Monero cryptocurrency. Infection will result in the infected computer’s resources being hogged, slowing down the performance of the machine.

The latest Neptune exploit kit campaign uses hiking club-related adverts to drive traffic to landing pages hosting the Neptune exploit kit, which in turn uses HTML and Flash exploits to download malware. These adverts closely mimic genuine domains. FireEye reports that one such campaign mimics the genuine website highspirittreks[.]com using the domain highspirittreks[.]club. Other campaigns offer a service to convert YouTube videos to MP3 files. The imagery used in the adverts is professional and the malvertising campaigns are likely to fool many web surfers.
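Defenders can look for this pattern in proxy or DNS logs by comparing requested hosts against a list of sites they know to be genuine. The following is an added example, not code from FireEye, TitanHQ or the original article: it flags hosts that reuse a trusted name under a different TLD and, going slightly beyond the case described, names within two character edits of a trusted one. The log lines, the trusted list, the `.example` host and the short multi-label suffix set are constructed assumptions.

```python
"""Flag look-alike hosts that imitate a trusted domain (TLD swap or near-match)."""
from collections import namedtuple

# Assumption: the defender maintains this list. Kept defanged, as in the article.
TRUSTED_DOMAINS = ["highspirittreks[.]com"]

# Assumption: a tiny stand-in for the Public Suffix List, enough for the demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}

# Constructed proxy log lines: timestamp, client IP, requested host (defanged).
SAMPLE_LOG = """\
2017-08-22T09:14:02Z 10.0.4.17 www.highspirittreks[.]com
2017-08-22T09:14:40Z 10.0.4.17 highspirittreks[.]club
2017-08-22T09:15:11Z 10.0.4.23 cdn.highspirittreks[.]club
2017-08-22T09:16:05Z 10.0.4.31 highspirittrekz[.]example
2017-08-22T09:17:30Z 10.0.4.31 docs.example[.]org
"""

Finding = namedtuple("Finding", "timestamp client host reason imitates")


def refang(host):
    """Turn a defanged host (example[.]com) back into a plain hostname."""
    return host.replace("[.]", ".").lower().rstrip(".")


def split_host(host):
    """Return (registrable name, public suffix), ignoring any subdomains."""
    labels = refang(host).split(".")
    if len(labels) < 2:
        return labels[0], ""
    two_part = ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3
    suffix_len = 2 if two_part else 1
    return labels[-suffix_len - 1], ".".join(labels[-suffix_len:])


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, trusted=TRUSTED_DOMAINS):
    """Return (reason, imitated domain) for a look-alike host, else None."""
    name, suffix = split_host(host)
    pairs = [(refang(t),) + split_host(t) for t in trusted]
    # A host on a trusted registrable domain (any subdomain) is genuine.
    if any(name == n and suffix == s for _, n, s in pairs):
        return None
    for good, good_name, _ in pairs:
        if name == good_name:
            return "tld-swap", good            # same name, different suffix
        if len(good_name) >= 6 and edit_distance(name, good_name) <= 2:
            return "near-match", good          # small spelling variation
    return None


def scan_log(log_text, trusted=TRUSTED_DOMAINS):
    """Scan 'timestamp client host' lines and return a Finding per look-alike."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        timestamp, client, host = parts
        verdict = classify(host, trusted)
        if verdict:
            findings.append(Finding(timestamp, client, refang(host), *verdict))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.host} -> {f.reason} of {f.imitates}")
```

In production, replace the small suffix set with the full Public Suffix List so that hosts under suffixes such as `co.uk` are split correctly.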

The exploits used in the latest campaign are all old; therefore, protecting against attacks simply requires plugins and browsers to be updated. The main exploits take advantage of flaws in Internet Explorer – CVE-2016-0189, CVE-2015-2419, CVE-2014-6332 – and Adobe Flash – CVE-2015-8651, CVE-2015-7645.

Having a computer turned into a cryptocurrency miner may not be the worst attack scenario, although exploit kits can rapidly switch their payload. Other exploit kits are being used to deliver far more damaging malware, which will be downloaded silently without the user’s knowledge. Consequently, organizations should take precautions.

In addition to prompt patching and updating of software, organizations can improve their defences against exploit kits by implementing a web filtering solution such as WebTitan.

WebTitan can be configured to block all known malicious sites where drive-by downloads take place and can prevent malvertisements from directing end users to webpages hosting these malicious toolkits.

To find out more about WebTitan and how it can improve your organization’s security posture, contact the TitanHQ team today.

India’s Central Board of Secondary Education Recommends School Web Filtering Technology

India’s Central Board of Secondary Education is urging all CBSE affiliated schools to take action to improve safety for students, including implementing school web filtering technology to keep students safe online.

The Internet is home to an extensive range of potentially harmful material that can have a major impact on young developing minds. Parents can take action to keep their children safe at home by using parental control filters. However, students must receive similar or greater levels of protection while at school.

School web filtering technology can prevent students from deliberately or accidentally viewing obscene material such as pornography, child pornography or images of child abuse and other categories of potentially harmful website content. CBSE has warned school boards that when students access this material it is “detrimental to themselves, their peers and the value system.” School web filtering technology should also be implemented to prevent students from engaging in illegal activities online via school IT devices.

CBSE affiliated schools have been advised to develop guidelines for safe Internet use, make this information available to students, and display the rules prominently. However, without school web filtering technology, these policies would be easy to ignore. A technological solution ensures students wishing to engage in illegal activities online, or view harmful website content, will be prevented from doing so.

Prevention is only one aspect of Internet control. Schools should also set up a monitoring system to discover when individuals are attempting to bypass Internet usage policies. A web filtering solution should therefore have the capability to generate reports of attempted accessing of prohibited material to allow schools to take action. Schools have also been advised to sensitize parents about safety norms and even go as far as suggesting disciplinary action be taken when children are discovered to have attempted to access inappropriate material.

While many school systems around the world have implemented school web filtering technology, CBSE is advising affiliated schools in India to go one step further and restrict Internet content by age groups. Schools should set filtering controls by user groups and restrict access to age-inappropriate websites. Web filtering solutions such as WebTitan allow controls to be easily set for different user groups. The solution can be used to set separate filtering controls for staff and students of differing ages with ease.

Other Internet controls that have been suggested include the rapid blocking of usernames/passwords when children leave school, using antivirus solutions to reduce the risk of malware infections, using firewalls to prevent cyberattacks and the theft of children’s sensitive information, and for staff to avoid posting images and videos of their students online.

School Web Filtering Technology from TitanHQ

The benefits of implementing school web filtering technology are clear, but choosing the most cost-effective controls can be a challenge. Appliance based web filters involve a significant initial cost, there is ongoing maintenance to consider, the need for on-site IT support in many cases, and as the number of Internet users increases, hardware upgrades may be necessary.

TitanHQ offers a more cost-effective and easy to manage solution – the 100% cloud-based web filter, WebTitan. WebTitan Cloud and WebTitan Cloud for WiFi make filtering the Internet a quick and easy process. To start filtering the Internet and protecting students from harmful web content, all that is required is to point your DNS to WebTitan. Once that simple change has been made you can be filtering the Internet in minutes.

Both solutions can be easily configured to block different categories of website content, such as pornography, file sharing websites, gambling and gaming websites and other undesirable website content. The solutions support blacklists, allowing phishing and malware-infected sites to be easily blocked along with all webpages identified by the Internet Watch Foundation as containing images of child abuse and child pornography.

These powerful web filtering solutions require no software updates or patching. All updates are handled by TitanHQ. Once acceptable Internet usage policies have been set via the intuitive web-based control panel, maintenance only requires occasional updates such as adding legitimate webpages to whitelists. Even blacklists are updated automatically.

WebTitan also supports remote learning. All students’ devices can be protected while connected to a school’s wired or wireless network. To extend protection beyond the school gates, a WebTitan On-The-Go (OTG) roaming agent can be installed on devices. This will ensure that the content filtering policy will apply no matter where that device connects to the Internet.

If you are keen to implement school web filtering technology for the first time or are unhappy with your current provider, contact the TitanHQ team today and register for your no-obligation Free Trial and see the benefits of WebTitan for yourself before making a decision about a purchase.

Fake Software Updates Used to Install Invisible Man Malware

A new mobile malware threat has been discovered – Invisible Man Malware – that is being installed via fake software updates. Invisible Man malware is a keylogger that has been designed to obtain banking credentials. While the malware is not new – it has been around for four years – it is frequently updated, with a new variant discovered that takes advantage of the accessibility services on Android devices.

As the name suggests, Invisible Man malware runs silently on infected devices unbeknown to the user. The malware is an overlay that sits atop legitimate banking apps and intercepts inputs as they are entered on the device. It also allows the attackers behind the malware to intercept text messages, in particular, those used for two-factor authentication and codes sent by banks to authorize transactions.

Once installed on a device it has administrator rights to all Android accessibility services, is installed as the default SMS app and has rights to send and receive SMS messages, make calls, and access contacts on the phone. It can also take screenshots and prevents itself from being uninstalled, according to Kaspersky Lab.

Invisible Man malware has been developed for attacks in Australia, France, Germany, Poland, Singapore, Turkey and the UK, working as a keylogger over 63 banking apps. All data collected is immediately transferred to its C2 server.

Kaspersky Lab reports that Invisible Man malware is primarily being installed on devices using fake software updates, specifically fake Flash Player updates on malicious websites via a downloaded apk file.

Beware of Fake Software Updates

The latest attacks highlight an important point. If you receive a warning on screen telling you that your software is out of date, don’t click and download the update. In this case, the user will be asked to confirm installation, and will be required to provide this app with administrator rights to accessibility services.

Fake software updates are one of the most common methods used to distribute malware, bloatware, adware, ransomware and other nasties.

Given the frequency of software updates now being released to address recently found vulnerabilities, your software may actually be out of date. However, you should visit the vendor’s website and perform a check to see if you have the latest version installed. If not, download the update directly from the vendor’s website.

Fake software updates are usually offered via popups – windows that appear when you access a website. They commonly feature flashing GIFs and stern warnings of the risks of not updating your software immediately. Warnings that your computer has already been infected with malware are also common.

Warnings do not only appear when surfing the Internet; spammers use the same tactics via email. The emails often contain the correct logos, color schemes and branding as the legitimate software vendor and look highly realistic.

However, you should not trust any email asking for you to download an executable, part with login credentials or provide other sensitive information, even if it is sent from someone you know.

Cybercriminals Generate Ransomware Profits of $25 Million in 2 Years

A new study has shown that cybercriminals have generated ransomware profits in excess of $25 million over the past two years, clearly demonstrating why cryptoransomware attacks have soared. There is big money to be made in this form of cyber extortion. The bad news is that with so many organizations paying to recover their files, the ransomware attacks will continue and will likely increase.

Ransomware attacks are profitable because users are still failing to back up their data. Google’s figures suggest that even though the threat of data deletion or encryption is high, only 37% of computer users back up their data. That means if ransomware encrypts files, the only option to recover data is to pay the ransom demand.

Figures from the FBI estimated ransomware payments to have exceeded $1 billion in 2016; however, it is difficult to accurately calculate ransomware profits since the authors go to great lengths to hide their activities. Ransomware profits are difficult to track and companies are reluctant to announce attacks and whether payment has been made.

There have been two notable exceptions. The South Korean hosting company Nayana was attacked and had 153 Linux servers and 3,400 customer websites encrypted. The firm paid 1.2 billion Won – approximately $1 million – for the keys to unlock the encryption. Recently, a Canadian company reportedly paid a ransom of $425,000 to recover its files, although the identity of the firm is still unknown.

Now, a study conducted by Google, with assistance from Chainalysis, the University of California at San Diego, and New York University’s Tandon School of Engineering has shed some light on actual ransomware profits. The study involved an analysis using blockchains and Bitcoin wallets known to have been used to collect ransomware payments. The researchers also used reports from victims and monitored network traffic generated by victims of ransomware attacks to help track where payments were sent.

The study looked at the top 34 ransomware strains and determined more than $25 million has been collected in the past two years. 95% of payments were cashed out using the Bitcoin trading platform BTC-e.

Google has calculated Locky has earned $7.8 million in ransom payments over the past 24 months – 28% of the total payments made. Cerber is in second place with $6.9 million, followed by CryptoLocker on $2 million and CryptXXX and Sam Sam, both on $1.9 million. Spora ransomware may not have made it into the top five, although Google researchers warn that this is an up-and-coming ransomware variant and one to watch over the coming months.

In recent months Cerber ransomware has become the most widely used ransomware variant. The success of Cerber ransomware can be attributed to the skill of the developers in developing a ransomware variant that can evade detection and the affiliate model used to distribute the ransomware – Ransomware-as-a-Service (RaaS).

RaaS means any number of individuals can conduct ransomware campaigns. Kits are offered to anyone willing to conduct campaigns. Little technical skill is required. All that is required is a lack of moral fiber and the ability to send spam emails distributing the ransomware. Affiliates receive a percentage of the ransomware profits.

WannaCry ransomware certainly caused something of a storm when the worldwide attacks were conducted in May, and while there were more than 200,000 victims worldwide and some 300,000 computers affected, a flaw in the design meant the attacks could be halted and relatively few ransom payments were made. The ransomware profits from these attacks were calculated by Google to be around $100,000.

Ransomware profits from NotPetya were low, although making money was never the aim. NotPetya appeared to be ransomware, although it was actually a wiper. A ransomware demand was issued, but it was not possible to recover data on infected machines. Once this became clear, ransoms were not paid.

The success of Locky, Cerber and CryptXXX is due to the skill of the developers at evading detection. These ransomware variants are constantly evolving to stay one step ahead of security researchers. In the case of Cerber, the researchers discovered thousands of new binaries are being detected each month. There are 23,000 binaries for Cerber and around 6,000 for Locky. In total, the study involved an analysis of 301,588 binaries. The malware variants are capable of changing binaries automatically, making detection difficult.

Ransomware attacks may still only make up a small percentage of the total number of malware-related incidents – less than 1% – but the threat is still severe and the attacks are likely to continue, if not increase. As long as it is profitable to develop ransomware and/or use existing ransomware variants, the attacks will continue.

Kylie McRoberts, a senior strategist with Google’s Safe Browsing team, said “Ransomware is here to stay and we will have to deal with for a long time to come.”

Adobe Flash Plug-In Death Date Confirmed as December 31, 2020

It has been a long time coming, and we are not quite there yet, but Adobe Flash is about to die. The long, slow, drawn-out death of Adobe Flash will continue for another three years yet, with Adobe finally confirming that it will be pulling the plug by December 31, 2020. By then, all updates for Adobe Flash will stop and we will all enter a Flash-free age.

Until then, Adobe is committed to working with partners to ensure Flash remains as secure as possible and updates will continue until that time. However, Adobe is already trying to encourage businesses to start switching to other standards such as HTML5.

The decision to finally put Flash out of its misery was made because other platforms and technology have “matured enough and are capable enough to provide viable alternatives to the Flash player,” according to Adobe.

In 2005, Flash was on 98% of all computers, and even three years ago it was being used by 80% of desktop users on a daily basis. Today, helped in no small part by the serious security flaws in the platform and the switch to mobile devices from PCs, usage has fallen to just 14%.

Google is not supporting Flash anymore and has not done so for Android since 2012. Apple has never supported the plug-in on its mobile devices and Firefox, Chrome, Edge and Safari no longer run Flash content automatically. Even Internet Explorer will disable Flash by default in 2019, ahead of its official death date the following year.

Of course, just stopping updates does not mean that Flash will cease to exist. But given the rate that vulnerabilities in Flash are now being discovered, anyone still using Flash by 2020 will be wide open to attack as soon as the updates stop. However, by then there will be far fewer websites using Flash and fewer devices with the Flash plug-in installed.

The Internet will most likely be a safer place without Flash, but what will happen to all the hackers who are currently developing exploits for Flash vulnerabilities? They will not decide to retire as well. Instead they will put their efforts into something else. What that is, of course, remains to be seen.

Three years may seem like an awfully long time, but there are still many businesses that continue to use Flash and have yet to migrate to other standards. Flash is still extensively used by educational institutions for training programs, while web-based gaming websites will also need time to transition.

Govind Balakrishnan, Adobe’s vice president of product development, pointed out the importance of Flash saying, “Few technologies have had such a profound and positive impact in the Internet era.” That is certainly true, but all good things must come to an end and few will be sorry to see Flash finally die. The end came long ago, but at least now there is an official date when the final nail will be hammered into the coffin.

More than 500,000 Systems Infected with Stantinko Malware

Stantinko malware may only have recently been detected, but it is far from a new malware variant. It has been in use for the past five years, yet has only recently been identified. During the past five years, Stantinko malware has spread to more than 500,000 devices and has been operating silently, adding infected systems to a large botnet, with the majority of infected machines in Russia and Ukraine.

The botnet has primarily been used to run a large-scale adware operation. The malware installs the browser extensions Teddy Protection and The Safe Surfing, which appear to users to be legitimate apps that block malicious URLs. These apps are legitimate if downloaded via the Chrome Web Store, but they are not if they are installed by Stantinko. The Stantinko versions contain different code that is used for click fraud and ad injection.

ESET reports that additional plugins known to be installed by Stantinko malware include Brute-Force and Search Parser, which are used for Joomla/WordPress brute force attacks and to anonymously search for Joomla/WordPress sites. Remote Administrator is a fully functional back door and Facebook Bot can generate fake likes, create new accounts, or add friends on Facebook, virtually undetected.

While click fraud is the primary goal of the attackers, Stantinko malware can perform a wide range of functions, since it includes a loader that enables threat actors to send any code to an infected device via their C2 server and run the code.

ESET researchers say the malware uses Windows services to perform backdoor activities and brute force attacks on WordPress and Joomla websites. Once access is gained, the attackers sell on the login credentials to other cybercriminal groups, according to ESET. That’s not all. ESET says Stantinko malware could be used to perform any task on an infected host.

The malware and botnet have remained undetected for so long due to their ability to adapt to avoid being detected by anti-malware solutions. The malware also uses code encryption to avoid detection. Users would be unlikely to realize that anything untoward was happening on their machine. The tasks performed by the malware involve low CPU activity and do not slow an infected device considerably.

Infection is believed to occur through illegal file sharing, especially the downloading of pirated software. However, ESET notes that infection has occurred through fake torrent files that are actually executables.
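As an added illustration (not code from ESET or from this article), the following check shows how a download presented as a torrent can be triaged by content rather than by name: a genuine torrent is a bencoded dictionary, while a Windows executable carries an MZ/PE header. The function names, the rule that the file name merely contains "torrent", and both sample byte strings are assumptions constructed for the example.

```python
import struct

def is_pe(data: bytes) -> bool:
    """Windows PE check: 'MZ' DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def _bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder. Returns (value, next_index); raises on malformed input."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list / dictionary, closed by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            if i >= len(data):
                raise ValueError("unterminated container")
            value, i = _bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dictionary key without value")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        s = data[colon + 1:colon + 1 + n]
        if len(s) != n:
            raise ValueError("truncated string")
        return s, colon + 1 + n
    raise ValueError("not bencode")

def is_torrent(data: bytes) -> bool:
    """A real .torrent is one bencoded dictionary with an 'info' key and nothing after it."""
    try:
        meta, end = _bdecode(data)
    except (ValueError, TypeError, RecursionError):
        return False
    return isinstance(meta, dict) and b"info" in meta and end == len(data)

def triage(name: str, data: bytes) -> str:
    """Verdict from file content; the name is only used to spot the disguise."""
    if is_pe(data):
        return "executable posing as torrent" if "torrent" in name.lower() else "executable"
    return "torrent" if is_torrent(data) else "unknown"

# Constructed samples (not real malware or real torrents).
FAKE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
REAL = b"d8:announce14:http://t.test/4:infod4:name5:a.iso12:piece lengthi16384eee"
```

A download gateway or endpoint script could call `triage()` on new files and quarantine anything that returns "executable posing as torrent".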

Removal of the malware is not straightforward. The malware installs two Windows services, each of which is capable of reinstalling the other service if one is deleted. If for any reason that process fails, the attackers can reinstall those services via their C2 server.

The discovery of Stantinko malware highlights the danger of failing to prevent employees from accessing file sharing websites at work. The downloading of pirated material, even accessing torrent files, has the potential to infect enterprise networks with malware. Even if anti-virus and anti-malware solutions have been deployed, there is no guarantee that malware will be detected.

Organizations can protect against these types of attacks by implementing a web filtering solution and blocking access to file sharing websites and torrent sites. If these sites cannot be accessed and pirated software downloads are blocked, infection can be prevented.