Our Internet security news features the latest press releases from the world´s largest online security companies with details of the latest threats to be aware of and, unfortunately, Internet security news relating to significant data breaches. While some organizations will be grateful for the advanced warning of an online threat – and details of how to protect themselves against it – for some the warnings will come too late.
Consequently it is recommended to be protected against all manner of online threats with an email filter and web filter from TitanHQ. Our Internet security solutions prevent users from accessing unsafe sites via phishing emails and malvertising, and from visiting websites that are vulnerable to exploit kits and malware. As many organizations already using TitanHQ solutions would agree, it is better to be safe than sorry.
The notorious cybercriminal organization Evil Corp, which was responsible for the Dridex and Zeus banking Trojans and BitPaymer ransomware, have started using a brand new ransomware called Wastedlocker, so named due to the .wasted extension which is used on encrypted files.
Evil Corp has been relatively quiet in recent months following the indictment of two high-profile members of the group by the U.S. Department of Justice in December 2019 for their role in the creation and distribution of Dridex and Zeus. The group bounced back with relatively low-level campaigns in January, but there has been little activity since. It appears that the time has been spent developing WastedLocker ransomware, which appears to have been mostly written from scratch.
WastedLocker ransomware was first used in May 2020 and is believed to be a replacement for BitPaymer ransomware. In the short space of time that the new ransomware has been in use, attacks have been conducted on at least 31 organizations, according to data from Symantec. Most of the victims are located in the United States, eight of which are Fortune 500 companies and 11 are publicly listed. Attacks have been conducted on companies operating in a wide range of industry sectors, with the manufacturing, information technology, and media and telecommunications sectors experiencing the highest number of attacks.
Evil Corp appears to be targeting large organizations with deep enough pockets to pay the sizeable ransom demand, which has ranged from $500,000 to $10 million in some cases. In contrast to many other ransomware operators, Evil Corp does not steal data prior to file encryption, although that could well change in the future. The group certainly has the technical skill to adopt that tactic, but it appears that they have refrained from doing so to stay under the radar.
In addition to encrypting endpoints, the group is targeting database services, file servers, virtual machines and cloud environments to cause maximum disruption to maximize the probability of the ransom being paid. The group is careful and patient, often waiting several months before their ransomware encryption routine is triggered.
Evil Corp is one of many threat actors to have adopted ransomware, with attacks on businesses having increased over the past few months. Around 15 groups are now conducting manual ransomware attacks in which data is stolen prior to file encryption and threats are issued to publish or sell the stolen data if the ransom is not paid. This tactic has been effective, with around half of businesses paying the ransom.
The University of California San Francisco is one of the latest victims that has been forced to pay the ransom to recover data encrypted in the attack. That ransomware attack involved NetWalker ransomware, and data was stolen in that attack prior to encryption. Without access to essential research data, the university had little option other than paying the $1.14 million ransom.
Organizations are attacked in a variety of ways, often using brute force tactics on RDP or exploiting vulnerabilities in VPNs, but there has also been an increase in email-delivered ransomware and drive-by malware downloads, highlighting the need for advanced email and web security solutions, which is an area where TitanHQ can help.
The massive increase employees working reportedly has not been missed by cybercriminals, who are actively targeting these workers using a variety of tactics to fool them into disclosing their credentials or installing malware. Phishing attacks remain the most common method used to attack remote workers, but there has also been a notable increase in malvertising during the COVID-19 pandemic.
Malvertising is the practice of creating malicious adverts which are syndicated across legitimate websites through third-party ad networks. The malicious adverts are used to redirect website visitors to webpages where credentials are harvested, malware is downloaded, or to other scams to obtain fraudulent payments or charitable donations.
Several COVID-19 themed ploys have been used in these malvertising campaigns to trick people into downloading malware. These scams prey on fears about SARS-CoV-19, often spoofing WHO and other COVID-19 authorities to add legitimacy to the campaigns. A common theme is an offer of important advice on how to protect against COVID-19.
There rise in malvertising activity during the COVID-19 pandemic has been significant, with some reports indicating the number of malicious adverts have doubled in March compared to standard levels of malicious advert activity prior to the pandemic.
A malvertising campaign was recently identified that spoofed the anti-malware software vendor Malwarebytes. The campaign claimed the user’s computer was infected with malware and a download of Malwarebytes’ software was required to remove the infections. The malicious webpage used for the scam was on a malwarebytes-free domain that was registered on March 29, 2020. The site used a copycat template created from stolen branding from the genuine site. Any individual that landed on the website that was using the Internet Explorer browser was redirected to a webpage hosting the Fallout exploit kit that silently downloads the Raccoon information stealer.
There was a major increase in domain registrations related to COVID-19 in March. While not all of these websites are currently being used for nefarious purposes, many are being used for scamming. NTT recently issued an alert stating that around 2,000 COVID-19 domains are being set up each day and there has been a significant rise in phishing attacks directing users to newly registered domains. The TrickBot Trojan accounts for the majority of malware infections from these sites. Figures from Palo Alto Networks’ Unit 42 team show there was a 656% increase in the number of new COVID-19 related domains registered in March.
The increase in web-based attacks calls for improvements to cybersecurity defenses to protect remote employee’s devices from malware infections. A download of malware onto a user’s device could easily see the malware transferred to the network when the user connects.
One of the easiest and most effective ways of blocking these attacks is to implement a web filtering solution such as WebTitan Cloud. With WebTitan Cloud in place, when a user attempts to visit a malicious website, or when an attempt is made to redirect a user through malvertising, rather than arriving on the website the user will be directed to a local block page.
WebTitan Cloud also allows filtering controls to be applied to control the types of websites employees can visit on their corporate-owned devices. Controls can be applied to block access to risky websites such as torrents and peer-to-peer file sharing sites, which are also being used to distribute malware.
WebTitan Cloud is a DNS-based filter that conducts filtering at the DNS lookup stage of a web request. Applying filtering controls and restricting access to certain categories of website involves no latency, which is especially important during lockdown when employees typically have far less bandwidth available than at the office.
WebTitan Cloud does not require the installation of a clients and the solution can be set up and configured in minutes to protect all workers, no matter where they choose to access the internet.
If you are interested in improving internet security and want to find out more about WebTitan Cloud and DNS filtering, call TitanHQ today to book a product demonstration, register for a free trial, and start protecting your employees from online threats.
New research has recently been published which suggests there has been a lack of security awareness training for remote workers, even with the massive increase in people working from home due to the COVID-19 pandemic and the increased threat level.
Many companies have had to make major changes to policies and allow most employees to work from home, even though doing so introduces cybersecurity risks. While this is seen by many as a temporary measure due to the pandemic, there is currently some debate about how long lockdown measures will be in place. It could well be many months before lockdowns are eased and there is a return to “normal” working life. It may also be difficult to convince workers to return to the office when measures are eased, or at least until a vaccine for the virus has been developed. That could well be a year or most likely much longer.
In the meantime, remote workers are not just encountering the odd phishing email. These workers are being actively targeted by cybercriminals and APT groups. It is important to ensure that technical controls are up to scratch and are blocking threats but also to train workers to recognize threats such as phishing.
Technical Controls Will Not Block 100% of Cybersecurity Threats
Technical solutions can block most malware and phishing attacks on remote workers and will protect devices and the networks to which those devices connect. TitanHQ has developed two solutions that provide excellent protection from email and web-based threats, and there has been a massive increase in demand for those solutions during the COVID-19 pandemic from businesses and managed service providers (MSPs).
When these solutions are coupled with other cybersecurity protections such as firewalls, antivirus software, and intrusion detection systems, businesses will be well protected; however, no matter how many layers are added to your defenses, security awareness training for remote workers should still be provided. Employees are the last line of defense and require training to help them identify threats that bypass your technical defenses.
Employees are a Weak Link, but Neglecting Security Awareness Training for Remote Workers is a Mistake
One study recently conducted on IT workers by Apricorn revealed 57% of IT decision makers in the United Kingdom believe remote workers are a security risk and will expose organizations to data breaches and that there is apathy among IT leaders about training the workforce as employees are not concerned about security. 34% of IT leaders said their remote workers do not care about security, but that is not a reason not to provide training. It is a reason to reinforce training and get employees to buy into the company’s security strategy.
Another survey, conducted by Promon on 2,000 remote workers in the United Kingdom, confirmed those findings. The study revealed 66% of employees have not been provided cybersecurity training in the last 12 months, even though cybercriminals are actively targeting remote workers. It is also concerning that 77% of respondents were not worried about the security threat from working from home. The survey also revealed that 61% of employees are using personal devices to work from home instead of corporate-issued devices, which typically have far fewer protections in place to block threats.
Given the numbers of employees working from home due to COVID-19 and the increase in threats targeting those workers, now is the time to be stepping up training and to make sure employees are working in a secure environment. TitanHQ can help you better protect employees and the devices they use to work from home, but you should also ensure that cybersecurity training is reinforced.
Cybercriminals are taking advantage of the 2019 Novel Coronavirus pandemic and are exploiting fear to spread malware and steal data. These tactics many not be new, but these campaigns pose a significant threat in the current climate of global fear and worry.
People are naturally worried about contracting COVID-19 and will be concerned about the wellbeing of their friends and family members. Many people crave new information to help avoid them avoid illness and protect their families. If that information arrives in an inbox, email attachments may be opened, and links clicked to malicious websites.
Even when training is provided to employees and they are taught not to respond to unsolicited messages, open email attachments, or click links in emails from unknown senders, mistakes can still be made. During the COVID-19 crisis, stress levels are high, and this can easily lead to decisions being taken that would not normally be made.
Businesses have been forced to allow their employees to work from home, many of whom are now working in a home environment where there are many distractions. Many people do not have home offices where they can quietly work, and a challenging working environment also makes mistakes more likely. Those mistakes can prove very costly.
Phishing campaigns are being conducted targeting home workers as they are seen as low-hanging fruit and an easy way to gain access to business networks to install malware, ransomware, and steal sensitive data. Several campaigns have been detected that offer important advice on the 2019 novel coronavirus that impersonate authorities on disease control and prevention such as the U.S. Centers for Disease Control and Prevention (CDC), U.S. Department of Health and Human Services, UK National Health Service, and the World Health Organization (WHO). The phishing campaigns are credible, claim to offer important advice, and are likely to be opened by many individuals. These campaigns seek remote access credentials and distribute malware.
Coronavirus maps that display the number of cases per country are being used on many websites, including a legitimate COVID-19 case tracking map on Johns Hopkins University website. One campaign has been detected that uses a carbon copy map and urges users to download a desktop application that allows them to track new cases. The application installs the information-stealing AZORult Trojan. As the COVID-19 crisis has deepened, these phishing and malspam campaigns have increased significantly.
With more people working from home and self-isolating, the risk of malware and phishing attacks has increased significantly. It is therefore important for businesses to make sure that they are properly protected and manage risk. During this difficult time, it is important to provide security awareness training to staff to keep them aware of the threat of cyberattacks and to help them identify malicious messages. Phishing simulation exercises are a useful way of assessing risk and identifying individuals that require further training.
It is also important to implement additional control measure to block attacks at source. There are two main attack vectors being used to target remote workers: Email and the web. Due to the high risk of mistakes by employees it is essential for businesses to have an effective email security solution in place.
The key to improving email security is defense in depth. Layered defenses will greatly improve resilience to phishing and malware attacks. If you are using Office 365 and have yet to augment protection with a third-party email security solution, now is the ideal time. One 2019 study showed that Office 365 protections only block around 75% of phishing attempts. Given the increase in phishing volume, a great many malicious emails will land in inboxes unless protection is improved.
The more time people spend online, the greater the risk. With many workers housebound and self-isolating, online time has increased considerably. Unsurprisingly, the of number of malicious domains being used to distribute malware has increased and drive-by malware attacks have spiked. With corporate laptops being used at home, steps should be taken to limit what employees can do on those laptops. Blocking access to ‘risky’ websites such those distributing pirated TV shows and movies will help to reduce the risk of a malware download, along with controls to prevent the downloading of risky file times such as software installers and executable files.
A web filtering solution will allow you to control the sites that remote employees can access on their corporate laptops and prevent malicious websites from being visited. A cloud-based web filtering solution is the ideal choice as it can be easily implemented to protect all remote workers, without causing any latency issues.
TitanHQ can help you protect your telecommuting workers from email and web-based threats. SpamTitan is a powerful email security solution that compliments Office 365 anti-spam and anti-phishing controls and enhances protection against phishing, spear phishing, and zero-day malware. WebTitan is a cloud-based DNS filtering solution that is simple to implement that allows you to carefully control the online activities of remote employees and block drive-by malware downloads and other web-based threats.
Both solutions can be implemented in a matter of minutes and will greatly improve protection against web and email-based threats. For further information, to book a product demonstration, or to register for a free trial, contact TitanHQ today.
Phishing attacks are increasing and malware is a growing threat. A DNS filter adds an important level of protection to block these attacks. In this post we explain why.
The Growing Threat from Malware and Phishing Attacks
There are various methods used to deliver malware, but email remains one of the most common methods of distributing malware, either through malicious attachments or hyperlinks in emails that direct users to websites where malware is downloaded. The latter is a popular method of malware delivery as there is an increased chance that the hyperlink will not be detected as malicious by an email security solution. Various tactics are used to mask these URLs from email security solutions, such as adding the hyperlink to an attached file such as a PDF.
The Emotet Trojan is one of the most prevalent threats and also one of the most dangerous. Emotet is primarily spread via email through a combination of attachments and malicious URLs. The Trojan is an information stealer capable of spreading across networks to infect other vulnerable devices. Removing the malware is problematic, as there are usually multiple devices infected. As soon as the malware is removed from one device, others on the network re-infect the cleaned machine. Emotet is also a malware downloader. Once all valuable information has been obtained post-infection, other malware variants such as the TrickBot Trojan and RYUK ransomware are downloaded. All devices infected with Emotet are added to the botnet. An analysis by the SpamHaus project revealed around 6,000 malicious URLs are emitted from infected devices, which act as compromise vectors.
An advanced spam filter will ensure that the majority of malicious emails are blocked, but it is important not to totally rely on a spam filter alone to block email-based malware and phishing attacks. The key to a strong defense is to implement layered defenses. With overlapping layers of security, if one layer fails to block a threat, another is in place to provide protection. One of the most important additional protections against phishing attacks and email-based malware is a web filter.
Why a Web Filter is so Important
Phishing attacks have an email and web-based component. The email contains the lure and a hyperlink is included that directs the recipient to a webpage hosting a phishing kit. When the user visits the website credentials and other sensitive information is harvested. A spam filter will block most of these phishing emails and a web filter provides protection against emails that are not blocked, as well as protecting against accidental navigation to malicious websites through malvertising or general web browsing.
A web filter is a form of content control that prevents network users from visiting known malicious websites. When a network user attempts to visit a malicious website, rather than connecting to the site, they are directed to a block page. That block page informs the user that they have attempted to visit a prohibited website which, in this case is a phishing page or website hosting malware. It could equally be a website that violates an organization’s internet usage policies. A web filter therefore serves as an additional, and important, layer of security to block phishing attacks and malware and ransomware downloads.
Web Filtering Options
There are different web filtering options available. Appliance-based web filters were once the go-to solution, but cloud-based filtering is now much more common, more cost effective for most organizations, and easier to implement and maintain.
Appliance-based solutions are not scalable. Once capacity has been reached, another appliance must be purchased. Software-based web filters, which are usually deployed as a virtual appliance on existing hardware, are a good choice but the most popular web filtering solutions are cloud-based. With cloud-based web filters, all filtering takes place in the cloud on the service provider’s hardware. Cloud-based filters are highly scalable. If capacity is increased, additional licenses just need to be purchased which takes seconds.
DNS Filtering is the Most Flexible Web Filtering Choice
The most popular, flexible, and scalable solution is a DNS filter. When a user makes a request to visit a website, such as by clicking a hyperlink or navigating to a website through their browser, a set of procedures must be followed to display the content.
One of the first steps is to send a query to the DNS server. The DNS server matches an easy to remember domain name – google.com for instance – with an IP address that allows the site to be found. A DNS filter works at this stage of the process and will block attempts to visit prohibited websites or malicious sites before any content is downloaded. Modern DNS filters do not just block content at the domain level. They also block content at the URL and page level. This means that a page on Medium.com could be blocked, while other content on the site is allowed. This means filtering controls are very granular and there is less potential for overblocking of web content.
WebTitan – A DNS Filter for SMBs and MSPs Serving the SMB Market
TitanHQ’s DNS filtering solution – WebTitan – has been developed for use by SMBs, MSPs providing security services to SMBs, and ISPs with millions of users. WebTitan includes market-leading classification of web content and malicious URL detection, and the solution is updated in real-time with more than 60,000 malicious URLs added to the filter every day. The solution includes advanced analytics and threat intelligence feeds and covers more than 99.9% of the active web. The solution is also easy to integrate into your own systems through TitanHQ’s API, and the solution can be purchased, set up, and be providing protection in just a few minutes.
For more information on WebTitan, to sign up for a free trial, or to book a product demonstration, give the TitanHQ team a call today.
Today there is an increasingly mobile workforce. Workers are able to travel and stay connected to the office and many employees are allowed to work remotely for at least some part of the week. While workers are in the office, security is not a problem for IT departments. Workers connect to the internal network, be that a wired or wireless network, and thanks to the protection of the firewall, their devices and the network are protected. The problem comes when workers move outside the protection of that firewall. Here IT departments struggle to ensure the same level of protection.
When workers are travelling for work or are between the home and the office, they often connect to public Wi-Fi hotspots. Connecting to those hotspots introduces risks. While connected, sensitive information could potentially be disclosed which could be intercepted. Malware could also be inadvertently downloaded. When a connection is made to the work network, that malware could easily be transferred.
Connecting to untrusted Wi-Fi networks is a major risk. These could be legitimate Wi-Fi services provided on public transport, in coffee shops, or city-wide Wi-Fi networks. While these networks may be safe, there is no telling who may be connected to that network. These Wi-Fi networks are often not monitored, and cybersecurity protections may be poor.
There are several possible attack scenarios where an individual could perform malicious acts on users of the Wi-Fi network. One of the biggest risks is a man-in-the-middle attack. In this scenario, a Wi-Fi user will be connected to the network and will believe that they are securely accessing the internet, their email, or even the work network, when the reality is that their connection is anything but secure.
A hacker could be listening in and could obtain information from that connection. Through ARP poisoning, a hacker could trick the Wi-Fi gateway and the user’s device into connecting, and traffic would be routed through the hacker’s device where it is intercepted. An attacker could also create an evil twin hotspot. Here a rogue hotspot is created that closely mimics the genuine hotspot. A Wi-Fi user may mistakenly connect to the evil twin thinking they are connected to the legitimate hotspot. Since the evil twin is operated by the attacker, any information disclosed while connected can be intercepted.
Remote workers must be told never to connect to a Wi-Fi network unless they do so through a VPN than encrypts their data. Employees may forget to connect to their VPN, and if weak passwords are used, even if they are encrypted they could be cracked relatively easily, but with a VPN and password policies, risk will be reduced to a reasonable level.
Wi-Fi networks tend not to have the same protections as corporate networks, so there may be little restrictions on the types of website that can be accessed while connected. To protect remote workers, a DNS filter such as WebTitan should be used.
A DNS filter performs content control at the DNS lookup stage when a user attempts to access the internet. When a web address is entered in the browser, the DNS server looks up the fully qualified domain name (FQDN) and matches it with the IP address of the website. The browser is provided with the IP address and the server is contacted and the content is downloaded. With a DNS filter, before any content is downloaded, it is subject to certain rules. For instance, category-based filtering could be used to prevent adult content from being accessed. An attempt would be blocked before any content is downloaded. Importantly for security, the DNS filter would prevent the user from visiting any known malicious website. A phishing site for instance or a site known to harbor malware. With a cloud-based DNS filtering service, all filtering takes place in the cloud and there is no latency regardless of where the individual is located. DNS filtering protects workers on corporate networks as well as remote workers.
A further control that is useful is an email filtering solution, such as SpamTitan, that incorporates Domain-Based Message Authentication, Reporting, and Conformance (DMARC).
In the event of a user’s email credentials being obtained in a man-in-the-middle attack via a rogue Wi-Fi hotspot, their email account could be accessed by the attacker. Since legitimate credentials are being used, this would not generate any alerts and the attacker could peruse the email account in their own time. If the account is used to send phishing messages, as they often are, DMARC will prevent those messages from being delivered and will alert the company to the issue.
The DMARC element of the spam filter checks the sender’s IP address to make sure it matches the IP on the DNS servers for the sender’s organization to make sure they match. If the IP is not authorized to send messages from that domain, the messages will be rejected or quarantined, and the company would be alerted to the phishing attack. The same is true for spoofing of email addresses.
SpamTitan also includes dual anti-virus engines to identify malware sent via email and sandboxing to help catch previously unknown malware variants that have yet to have their signatures uploaded to AV engines. Any malware sent via email will also be quarantined to keep inboxes free of threats.
If you run a business and allow workers to connect remotely, speak to TitanHQ today to find out more about how you can better protect your remote workers, and your business, from cyberattacks conducted via email and the web.
Our team of highly experienced staff will walk you through the benefits of DNS and spam filtering, can schedule a personalized product demonstration, and will help you get set up for a free trial of SpamTitan and WebTitan. You can then evaluate both solutions in your own environment. Both solutions can be set up and protecting you in a matter of minutes.
The increase in cyberattacks on law firms has highlighted a need for greater security protections, especially to protect against phishing, malware, and ransomware.
According to a recent Law.com report, more than 100 law firms are known to have experienced cyberattacks in the past five years: Cyberattacks that have resulted in hackers gaining access to sensitive information and, in many cases, employee, attorney, and client information.
Investigations such as this are likely to uncover just a small percentage of successful cyberattacks, as many are resolved quietly and are not reported. Many law firms will be keen to keep a cyberattack private due to the potential damage it could do to a firm’s reputation. The reputation of a law firm is everything.
As Law.com explained, there are different data breach reporting requirements in different states. If there is no legal requirement to report the data breaches, they will not be reported. That means that only if reportable information has potentially been compromised will the breach be reported to regulators or made public. It is therefore not possible to tell how many successful cyberattacks on law firms have occurred. However, there has been a steady rise in reported cyberattacks on law firms, as is the case with attacks on other industry sectors. Law.com’s figures are likely to be just the tip of the iceberg.
From the perspective of cybercriminals, law firms are a very attractive target. The types of information stored on clients is incredibly valuable and can be used for extortion. Information on mergers and takeovers and other sensitive corporate data can be used to gain a competitive advantage. Cybercriminals are also well aware that if they can deploy ransomware and encrypt client files, there is a higher than average probability that the ransom will be quietly paid.
Based on the information that has been made public about law firm data breaches, one of the main ways that law firms are attacked is via email. Many of the data breaches started with a response to a phishing or spear phishing email. Phishing allows cybercriminals to bypass even sophisticated cybersecurity protections as it targets a well-known weakness: Employees.
Employees can be trained to be more security aware and be taught how to recognize potential phishing emails, but phishers are conducting ever more sophisticated campaigns and every employee will make a mistake from time to time. That mistake could be all that it takes to compromise a computer, server, or a large part of a network.
One firm contacted for the report explained that it had implemented advanced cybersecurity protections that were undone with a phishing email. The digital security measures it had in place greatly restricted the harm caused, and there was no evidence that the attacker had accessed sensitive information, but the attack did succeed.
In response, the law firm implemented more advanced security protocols, implemented a more aggressive spam filter, multi-factor authentication was used more widely, and it revised its policies and procedures and training. Had those measures been implemented in advance, it may have been possible to block the attack.
The response was to implement more layered defenses, which are critical for blocking modern cyberattacks. Overlapping layers of security ensure that if one measure fails, others are in place to prevent an attack from succeeding.
This is an area where TitanHQ can help. TitanHQ has developed cybersecurity solutions that can fit seamlessly into existing security stacks and provide extra layers of security to block the most common attack vectors. TitanHQ’s email and web security solutions – SpamTitan and WebTitan – provide advanced protection without compromising usability.
Since many clients prefer to communicate via email, it is important for all incoming attachments to be analyzed for malicious code. Extensive checks are performed on all incoming (and outgoing) emails, with SpamTitan able to block not only known malware but also zero-day threats. SpamTitan also includes DMARC email authentication to block email impersonation attacks and sandbox to analyze suspicious files and identify malicious or suspicious activity.
WebTitan provides protection from web-based threats. Most malware is now delivered via the internet, so a web security solution is essential. WebTitan is a DNS filtering solution that protects against all known malicious sites. It is constantly updated in real time through threat intelligence services to ensure maximum protection. The solution provides advanced protection against drive-by downloads and malicious redirects to exploit kits and other malicious sites and provides and important additional layer of security to protect against phishing attacks.
Law firms will no doubt prefer to host their cybersecurity solutions within their own environments or private clouds, which TitanHQ will happily accommodate.
For further information on TitanHQ’s cybersecurity solutions for law firms, contact the TitanHQ team today. Managed Services Providers serving the legal industry should contact TitanHQ’s channel team to find out more about the TitanShield program and discover why TitanHQ is the leading provider of cloud-based email and web security solutions to MSPs serving the SMB market.
The Spelevo exploit kit is being used to deliver Maze ransomware to unsuspecting internet users via a vulnerability in Adobe Flash Player.
The Spelevo exploit kit has been used to deliver a variety of malicious payloads since it was first detected in early 2019. Initially it was used to silently download the GootKit Trojan, and latterly the Dridex and IceD banking Trojans. Now the threat actors behind Maze ransomware have joined forces with the EK developers to deliver their malicious payload.
Spelevo has previously been loaded onto a compromised business-to-business contact website to target business users, although the latest campaign uses ad network traffic to send users to a fake cryptocurrency website, where they are then redirected to a web page hosting the exploit kit.
The Flash Vulnerability – CVE-2018-15982 – is then exploited in the browser to silently download and execute the ransomware payload. If that download occurs, the user’s files will be encrypted. There is currently no free decryptor for Maze ransomware. Recovery will depend on restoring files from backups – provided they too have not also been encrypted – or the user will face permanent file loss if they do not pay the ransom demand. The ransom doubles if payment is not made within a week.
Exploit kits used to be one of the main ways that malware was distributed, although they fell out of favor with cybercriminals who found alternate, more profitable ways to earn money. The threat never disappeared but exploit kit activity dropped to a tiny fraction of the level seen a few years ago when Angler exploit kit activity was at its peak. However, over the past year or so, exploit kit activity has been increasing. Today, there are several active exploit kits that are being used to deliver a variety of malware and ransomware payloads.
Exploit kits will only work if they have been loaded with an exploit for a vulnerability that has not been patched on a user’s device. Prompt patching will ensure that even if a user lands on a web page hosting an exploit kit, no malware download will take place. However, many businesses are slow to apply patches and it can be several months before vulnerabilities are corrected.
One of the best defenses against exploit kits is a DNS filter. A DNS filter is a control mechanism used to prevent users from visiting malicious websites. With a DNS filter in place, websites known to host malware or malicious code are blocked at the DNS lookup stage, before any content is downloaded. If a user attempts to visit a known malicious web page, they will be directed to a block screen instead.
Web filters can also be used to prevent ‘risky’ file types from being downloaded, such as .exe, .scr, or .js files. In addition to blocking malware downloads, a DNS filter can be used by businesses to enforce their acceptable internet usage policies and prevent employees from accessing productivity-draining websites and adult content.
A web filter is an important part of layered defenses against malware and other internet-based attacks such as phishing. TitanHQ’s DNS filter, WebTitan, is used by thousands of businesses and managed service providers to protect against web-based threats. WebTitan blocks more than 60,000 new malware sites every day and provides businesses and MSPs with real-time protection against the full range of web-based threats.
WebTitan can be deployed in minutes, is updated automatically, highly scalable, and costs as little as 90 cents per user per month. The productivity gains alone from using the solution mean it more than pays for itself, let alone the savings from preventing phishing attacks and costly malware downloads and data breaches.
To find out more about DNS filtering and why it is now considered an essential part of layered security defenses, give the TitanHQ team a call. Our support staff will be happy to answer your questions, book a product demonstration, and help you get set up for a free trial.
Venture online and you will be faced with a wide range of threats, some of which could result in your bank account being emptied, others could see sensitive information being compromised and your accounts being hijacked. Then there is ransomware, which could be used to stop you from accessing your data (unless you have backups or pay the ransom).
More malicious websites are now being created than legitimate sites, so how can you stay safe online? One solution used by businesses and ISPs is a web filter. A web filter can be configured to restrict access to certain categories of Internet content and block the majority of malicious websites.
While it is possible for businesses, MSPs, and ISPs to purchase web filtering appliances that sit between end users and the Internet, DNS filters allow the Internet to be filtered without having to purchase any hardware or install any software. So how does DNS filtering work?
How Does DNS Filtering Work?
DNS filtering – or Domain Name System filtering to give it its full title – is a technique of blocking access to certain websites, webpages, and IP addresses. The DNS is what allows easy to remember domain names to be used – such as Wikipedia.com – rather than typing in very difficult to remember IP addresses – such as 184.108.40.206. The DNS maps IP addresses to domain names to allow computers to find web resources.
When a domain is purchased from a domain register and that domain is hosted, it is assigned a unique IP address that allows the site to be located. When you attempt to access a website, a DNS query will be performed. Your DNS server will look up the IP address of the domain/webpage, which will allow your browser to make a connection to the web server where the website is hosted. The webpage will then be loaded. The actual process involves several different steps, but it is completed in a fraction of a second.
So how does DNS web filtering work? With DNS filtering in place, rather than the DNS server returning the IP address if the website exists, the request will be subjected to certain controls. DNS blocking occurs if a particular webpage or IP address is known to be malicious. The DNS filter will use blacklists of known malicious websites, previous crawls of new websites and web pages, or web content will be assessed in real time if the web page or website has not previously been crawled and categorized. If the website trying to be accessed is determined to be malicious or otherwise violates pre-defined policies, instead of the user being connected to the website, the browser will be directed to a local IP address that displays a block page explaining why the site cannot be accessed.
This control could be applied at the router level, via your ISP, or by a web filtering service provider. In the case of the latter, the user – a business for instance – would point their DNS to the service provider. That service provider maintains a blacklist of malicious webpages/IP addresses and access to those sites is prevented.
Since the service provider will also categorize webpages, the DNS filter can also be used to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for instance. Provided a business creates an acceptable usage policy (AUP) and sets that policy up with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there will be next to no delay in accessing safe websites that do not breach an organization’s acceptable Internet usage policies.
Will a DNS Filter Block All Malicious Websites?
Unfortunately, no DNS filtering solution will block all malicious websites, as in order to do so, a webpage must first be determined to be malicious. If a cybercriminal sets up a brand-new phishing webpage, there will be a delay between the page being created and it being checked and added to a blacklist. However, a DNS web filter will block the majority of malicious websites.
Can DNS Filtering be Bypassed?
The short answer is yes. Proxy servers and anonymizer sites could be used to mask traffic and bypass the DNS filter unless the chosen solution also blocks access to these anonymizer sites. An end user could also manually change their DNS settings locally unless they have been locked down. Determined individuals may be able to find a way to bypass DNS filtering, but for most end users, a DNS filter will block any attempt to access forbidden or harmful website content.
No single cybersecurity solution will allow you to block 100% of malicious websites or all NSFW websites. The purpose of a web filter is to reduce risk, not eradicate it entirely. Since the vast majority of malicious web content will be blocked, risk can be significantly reduced and there will only be a low chance of a website being accessed that violates your policies.
WebTitan Cloud from TitanHQ
WebTitan Cloud is a powerful, easy to implement DNS filtering solution that allows you to filter the internet and block access to malicious content and enforce your acceptable internet usage policies. Being DNS-based, there are no hardware requirements and no software downloads are required. To get started you simply point your DNS to WebTitan, set your filtering parameters through an easy to use web-based interface, and you will be filtering the internet in minutes. WebTitan Cloud can be used to protect users on and off the network, so it is the perfect choice for protecting remote workers from online threats as well as office staff.
WebTitan incorporates an intelligent AI-based component that provides real-time classification of websites for precision control over the content that can be accessed. WebTitan Cloud provides real-time categorization of over 500 million websites, and 6 billion web pages in 200 languages, including coverage of Alexa 1 million most visited websites. Industry leading antivirus is also incorporated to identify and block malware and ransomware threats. A full suite of reports gives you full visibility into the online activities of your employees and any guest users of your network. The reports can be scheduled or run on demand.
These and more features will allow you to block web-based threats and carefully control online activities for only a few dollars per user per year.
If you have yet to implement a web filtering solution, are unhappy with your current DNS filtering service, or you have questions about DNS content filtering, contact the TitanHQ team today and ask about WebTitan Cloud. We invite you to sign up for a free 14-day trial of the solution, including full support, to see for yourself the difference WebTitan makes.
WebTitan provides a simple and easy DNS filtering solution to protect your company and employees.
2017 was a bad year for ransomware attacks, but as 2018 progressed it was starting to look like the file-encrypting malware was being abandoned by cybercriminals in favor of more lucrative forms of attack. Between 2017 and 2018 there was a 30% fall in the number of people who encountered ransomware compared to the previous year, and the number of new ransomware variants continued to decline throughout 2018; however, now, that trend has been reversed.
2019 has seen a sharp increase in attacks. Figures from Malwarebytes indicate there was a 195% increase in ransomware attacks in Q1, 2019 and that increase has continued in Q2. A new report from Kaspersky Lab has shown that not only are attacks continuing to increase, the number of new ransomware variants being used in these attacks is also increasing sharply.
Kaspersky Lab identified 16,017 new ransomware modifications in Q2, 2019, which is more than twice the number of new ransomware modifications detected in Q2, 2018. In addition to updates to existing ransomware variants, Q2, 2019 saw 8 brand new malware families detected.
Kaspersky Lab tracked 230,000 ransomware attacks in Q2, which represents a 46% increase from this time last year. Far from ransomware dying a slow death, as some reports in 2018 suggested, ransomware is back and is unlikely to go away any time soon.
Not only are attacks increasing in frequency, ransom demands have increased sharply. Ransom demands of hundreds of thousands of dollars are now the norm. Two Florida cities paid a combined total of $1 million for the keys to unlock files encrypted by ransomware. Jackson County in Georgia paid $400,000 for the keys to unlock the encryption that crippled its court system, and recently, a massive ransomware attack that impacted 22 towns and cities in Texas saw a ransom demand of $2.5 million issued.
Earlier this year, the developers of GandCrab ransomware shut down their popular ransomware-as-a service offering. They claimed to have made so much money from attacks that they have now taken early retirement. Despite GandCrab ransomware being one of the most widely used ransomware variants for the past 18 months, the shut down has not been accompanied with a reduction in attacks. They continue to increase, as other ransomware-as-a-service offerings such as Sodinokibi have taken its place.
Ransomware attacks are increasing because they are profitable, and as long as that remains the case, ransomware is here to stay. Businesses are getting better at backing up their data but recovering files from backups and restoring entire systems is a difficult, time-consuming, and expensive task. When major attacks are experienced, such as those in Texas, recovering systems and files from backups is a gargantuan task.
Attackers realize this and set their ransom demands accordingly. A $400,000 ransom demand represents a sizable loss, but it is a fraction of the cost of recovering files from backups. Consequently, these sizable ransoms are often paid, which only encourage further attacks. It is for this reason that the FBI recommends never paying a ransom, but for many businesses it is the only option they have.
Businesses naturally need to develop plans for recovering from an attack to avert disaster in the event of ransomware being installed on their network, but they must also invest in new tools to thwart attacks. At the current rate that attacks are increasing, those tools need to be implemented soon, and that is an area where TitanHQ can help.
To find out more about email and web security solutions that can block ransomware and protect your network, give the TitanHQ team a call.
A new phishing campaign has been detected which uses Microsoft Office 365 voicemail notifications as a lure to get users to open a malicious HTML file attached to the email.
The phishing emails are very realistic. The emails include the Microsoft and Office 365 logos, use the Microsoft color scheme, and Microsoft contact information. The messages inform the recipient that they have received a new voicemail message. The caller’s number and length of the voicemail message is included, along with the time and date of the message. In order to access that message, the user is required to open a HTML file attached to the email.
Many phishing campaigns use Word documents or Excel spreadsheets containing malicious macros or embedded hyperlinks that direct users to a phishing web page where credentials are harvested. Through security awareness training employees are told to look out for thee commonly used file types. HTML files are likely to be familiar to employees, but since these file types are not often used in phishing campaigns, employees may believe the attached file to be benign, when that is definitely not the case.
The HTML file uses meta refresh to redirect the user from the local HTML file to a phishing page hosted on the Internet. That phishing page contains a highly realistic spoofed voicemail management page where users are required to enter their Office 365 credentials to access the message. Doing so hands those credentials to the attacker.
Cybercriminals are constantly coming up with new ways to trick employees into clicking links in emails or opening malicious attachments. Keeping the workforce up to date on these threats is important. If employees are aware of the types of scam emails, they are likely to receive they will be more likely to correctly identify an email as malicious if it arrives in their inbox.
Keeping the workforce 100% up to date on the latest scams will not be possible as new scams and lures are constantly being developed. It is therefore important to ensure that you have an advanced spam filtering solution in place that can block these messages to ensure they never test employees.
SpamTitan incorporates DMARC to block email impersonation attacks, dual antivirus engines to identify known malware, and a sandbox where suspicious attachments can be executed safely and studied for malicious actions. In addition, a range of checks are performed to assess the content of messages and embedded hyperlinks for any malicious actions.
With SpamTitan in place, businesses will be able to block more than 99.97% of spam and phishing emails, and 100% of known malware.
If you want to improve protections against phishing attacks and ensure fewer malicious messages reach your Office 365 inboxes, give the TitanHQ team a call to find out more about SpamTitan email security and other measures you can take to improve your security posture and block these sophisticated phishing attacks.
A Google Calendar phishing campaign is being conducted that abuses trust in the app to get users to click malicious hyperlinks.
Cybercriminals are constantly developing new phishing tactics to convince end users to click links in emails or open email attachments. These campaigns are often conducted on organizations using Office 365. Campaigns are tested on dummy Office 365 accounts to make sure messages bypass Office 365 spam defenses.
Messages are carefully crafted to maximize the probability of an individual clicking the link and the sender name is spoofed to make the message appear to have been sent from a known and trusted individual.
Businesses that implement email security solutions that incorporate DMARC authentication can block the vast majority of these email spoofing attacks. Office 365 users that use a third-party anti-phishing solution for their Office 365 accounts can make sure malicious messages are blocked. Along with end user training, it is possible to mount a solid defense against phishing and email impersonation attacks.
A new phishing tactic is being used in an active campaign targeting businesses which achieves the same aim as an email-based campaign but uses a personal calendar app to do so.
Phishing campaigns have one of two main aims – To steal credentials for use in a further attack or to convince the user to install some form of malware or malicious code. This is most commonly achieved using an embedded hyperlink in the email that the user is urged to click.
In the Google Calendar phishing attacks, events are added into app users’ calendars along with hyperlinks to the phishing websites. This is possible because the app adds invites to the calendar agenda, even if the invite has not been accepted by the user. All the attacker needs to do is send the invite. As the day of the fictitious event approaches, the user may click the link to find out more. To increase the likelihood of the link being clicked, the attacker sets event reminders so the link is presented to the user on multiple occasions.
This attack method is only possible with Google Calendar in its default setting. Unfortunately, many users will not have updated their settings after installation and will be vulnerable to Google Calendar phishing attacks.
To prevent these attacks, on the desktop application settings menu click on:
Event Settings > Automatically Add Invitations
Select the option, “No, only show invitations to which I’ve responded.”
Navigate to “View Options”and ensure that “Show declined events” is not checked.
The FBI’s Internet Crime Complaint Center (IC3) has issued a warning about the increasing number of phishing websites using HTTPS.
The green padlock next to a URL once gave an impression of security. Now it is a false sense of security for many internet users.
HTTPS or Hyper Text Transfer Protocol Secure to give it its full name, indicates the website holds a valid certificate from a trusted third-party. That certificate confirms that the website is secure and any data transmitted between the browser and the website will be encrypted to prevent interception in transit.
The public has been taught to look for the green padlock and HTTPS before entering card details or other sensitive information. However, the padlock does not mean that the website being visited is genuine. It only means any information transmitted is secured in transit between the browser and the website.
If you are buying a pair of shoes from Amazon, all well and good. If you are on a website controlled by a cybercriminal, HTTPS only means that the cybercriminal will be the only person stealing your data.
Cybercriminals create realistic phishing webpages that imitate well-known brands such as Microsoft and Google to obtain login credentials or banks to obtain banking information. These phishing pages can be set up on dedicated phishing websites or phishing kits can be added to previously compromised websites. Traffic is then generated to those webpages with an email phishing campaign.
If one of the links in the email is clicked, a user will be directed to a website that requests some information. If the website starts with HTTPS and displays the green padlock, the user may mistakenly believe the site is genuine and that it is safe to disclose sensitive information.
The IC3 alert was intended to raise awareness of the threat from HTTPS phishing and make the public aware of the true meaning of the green padlock and never to trust a website because it starts with HTTPS.
Businesses should take note and make sure they include HTTPS phishing in their security awareness training programs to raise awareness of the threat with employees.
A web filter can greatly reduce the risk of HTTPS phishing attacks, provided the web filter has the capability to decrypt, scan, and re-encrypt HTTPS traffic.
WebTitan provides real-time protection against web-based attacks and uses a constantly updated database of 3 million known malicious sites to block attempts to visit phishing websites. WebTitan is capable of SSL inspection and can inspect HTTPS traffic, block specific applications within a webpage, and display alerts or block sites with fake https certificates.
If you want to improve protection against web-based attacks, contact the TitanHQ team today for more information about WebTitan.
While it is good news the GandCrab ransomware operation has been shut down, ransomware attacks are on the rise and a new threat has been detected: Buran ransomware.
Buran ransomware lacks some of the common features of more successful ransomware strains. The ransomware does not make any attempt to hide its activity and it doesn’t attempt to hamper recover by deleting Windows shadow copies. However, it is capable of encrypting a wide range of file types and there is currently no free decryptor available to unlock encrypted files.
Buran ransomware is being spread via the RIG exploit kit, with traffic to that exploit kit generated using a malvertising campaign. Malicious adverts have been injected into legitimate ad networks and are being displayed on a range of different websites. The malvertising campaign was identified by security researcher nao_sec.
The malvertising campaign directs web browsers to a domain hosting RIG, which attempts to exploit several vulnerabilities in Internet Explorer. If an unpatched vulnerability exists, Buran ransomware will be downloaded and executed.
An analysis of the malware suggests it is a new variant of Vega ransomware that was previously used in a campaign in Russia.
While Buran ransomware may not be a long-term successor to GandCrab ransomware, there are many threat actors moving to fill the void. Sodinokibi ransomware attacks are increasing and the ransomware developers are also using a malvertising campaign on the PopCash ad network to deliver traffic to domains hosting the RIG exploit kit.
Exploit kits can only download malware if they have been loaded with an exploit for a vulnerability that has not been patched on a visitor’s computer. The primary defense against these attacks is to ensure that all Windows security updates are applied promptly, along with updates and patches for plugins and other browsers.
There is invariably a delay between a patch being issued and all devices being updated. To provide protection until patches are applied, and to protect against zero-day exploits, a web filtering solution is recommended. A web filter can be used to control the websites that can be visited by employees and can block access to known malicious websites to prevent attacks on vulnerable computers.
TitanHQ is a leading provider of email security, web security, and email archiving solutions to SMBs and managed service providers (MSPs) serving the SMB market. Over the past five years, TitanHQ has significantly expanded its customer base and its solutions now protect over 7,500 businesses and are offered by more than 1,500 MSPs around the world.
TitanHQ works closely with European partners and businesses and has been expanding its footprint throughout the EU. TitanHQ is working towards becoming the leading email and web security solution provider in Europe and as part of that process, the company has recently entered into a new partnership with the French Value Added Distributor Exer.
Exer is one of the leading VADs in France and works with more than 600 value added resellers and integrators in the country. The company specializes in network security, mobile security, Wi-Fi and managed cybersecurity services and helps French VARs better serve their clients.
Under the new partnership agreement, Exer will start offering TitanHQ’s three cloud-based solutions to French VARs: SpamTitan, WebTitan, and ArcTitan.
SpamTitan is an award-winning spam filtering solution that keeps inboxes free from spam emails and malicious messages. The solution is regularly updated to incorporate further controls to ensure that it continues to provide superior protection against an ever-changing email threat landscape. The solution now blocks more than 7 billion spam and malicious messages every month and helps to keep businesses protected from phishing and malware attacks.
WebTitan is a cloud-based DNS filtering solution that protects businesses from a wide range of malicious web content. The solution can also be used to carefully control the types of web content that users can access through company wired and wireless networks. The solution now blocks more than 60 million malicious websites every month and prevents malware downloads, controls bandwidth use, and enforces acceptable internet usage policies, .
ArcTitan is a cloud-based email archiving solution that helps businesses securely store emails to ensure compliance with government and EU regulations. The solution now archives and stores more than 10 million emails each month.
With these solutions, French VARs can provide their clients with even greater value and ensure they are well protected against rapidly evolving cyberthreats.
“Collaboration with TitanHQ is an opportunity to represent a brand internationally recognized on 3 key technologies: Web Content Filtering, Anti-Spam, and Email Archiving. We are eager to propose these security solutions to ours VARs,” explained Exer CEO, Michel Grunspan. “Our regional presence and our expertise will be our strength for asserting the presence of TitanHQ in the French market”
“We are pleased to be offering the Exer partner community choice, enhanced functionality and greater overall value,” explained TitanHQ Executive VP, Rocco Donnino.
A new version of WebTitan Cloud has been released by TitanHQ. WebTitan Cloud 4.12 offers existing and new customers the opportunity to set filtering controls by location, in addition to setting organization-wide policies and role and departmental policies via links to Active Directory/LDAP.
The new feature will be especially useful to MSPs and companies with remote workers, satellite offices, bases in multiple locations, and operations in overseas countries. Organization-wide web filtering policies can be set to prevent users from accessing illegal web content and pornography, but oftentimes, the one size fits all approach does not work for web filtering. The new location filter helps solve this.
MSPs can use this new feature to set web filtering controls for customers in different locations while businesses using WebTitan Cloud can easily set a range of different policies for all users from a specific location, whether those users are accessing the Internet on or off the network.
There will naturally be times when policies need to be bypassed to enable specific tasks to be completed. Rather than making temporary changes to location or other policies, WebTitan Cloud uses cloud keys which allow policy-based controls to be temporarily bypassed.
Accompanying the location-based controls are new reporting options which allow administrators to quickly access information about web views and blocked access attempts in real time. While reports can be useful, oftentimes information needs to be accessed quickly. To help administrators find the information they need, search functionality has been enhanced.
Administrators can use the search filter on the history page to search by location name. For MSPs this allows a specific customer to be selected and for traffic information at a specific location to be quickly viewed in real time, without having to generate a report.
Location-based when filtering policies can be set and viewed for all locations through the same user interface, giving administers full visibility into traffic and settings of all customers through a single pane of glass.
It is hoped that these updates will make WebTitan even more useful for businesses and MSPs and will further improve the user experience.
TitanHQ has formed a strategic partnership with the GRIDHEART, which will see TitanHQ’s leading cloud-based email security, web security, and email archiving solutions made available to users of the Cloudmore Cloud Commerce platform.
GRIDHEART is a privately-owned Swedish company that delivers the world’s leading cloud-based solutions through its Cloud Commerce platform, Cloudmore.
For the past 10 years, GRIDHEART has been offering leading cloud solutions to its customers and resellers and now deals with more than 1,000 cloud partners. The Cloudmore platform makes selling cloud services easy and brings a wide range of cloud services together in a single unified platform.
The platform gives users complete centralized control over their cloud solutions and allows them to easily provision new customers, bill for services, automate processes, and obtain pre-and post-sales support. The platform provides a host of management tools to make control of SaaS and cloud computing simple.
The partnership with TitanHQ will see the Galway, Ireland-based cybersecurity firm add its leading cybersecurity solutions to the platform, through which users can manage the solutions for free.
GRIDHEART’s customers will be able to offer their clients the SpamTitan Cloud email security solution, the WebTitan web filtering solution, and the ArcTitan email security solution and provide multi-layered security to protect against email, web, and modern blended threats.
“By offering additional layers of cloud-based security through Cloudmore’ s unique Cloud Commerce platform, MSPs can procure and deploy IT services for their customers and quickly maximize their IT investment, enhance their security stack and lower operational costs for their customers,” said Rocco Donnino, Executive VP of Strategic Alliances at TitanHQ. “This agreement highlights the importance of delivering comprehensive security solutions to the MSP community through a single and powerful platform”
“TitanHQ fits the bill as a perfect partner with their razor focus on advanced threat protection via email and the web. We’ve very happy to have them on board,” said Stefan Jacobson, Sales Director of GRIDHEART.
The Fallout exploit kit, a toolkit used to silently deliver ransomware and malware to vulnerable devices, was first identified in September 2018. Between September and December, the toolkit was used to exploit vulnerabilities and deliver GandCrab ransomware and other malicious payloads. Towards the end of the year, the vulnerabilities most commonly exploited were a remote code execution vulnerability in the Windows VBScript engine (CVE-2018-8174) and the use-after-free vulnerability in Adobe Flash Player (CVE-2018-4878).
Around December 27, 2018, Fallout exploit kit activity stopped, but only for a few days. Now the exploit kit is back, and several updates have been made including the addition of HTTPS support, a new landing page format, and PowerShell-based malware downloads. A new exploit has also been added for a zero-day use-after-free Adobe Flash player vulnerability (CVE-2018-15982) which was patched on December 5, 2018: A vulnerability also exploited by the Underminer exploit kit.
The Fallout exploit kit is primarily delivered via malvertising campaigns – malicious adverts on third-party ad networks that are served on a variety of legitimate websites. The adverts redirect users to the exploit kit, which probes for vulnerabilities and exploits them to silently deliver malware or ransomware. The updated version of the Fallout exploit kit is delivering the latest version of GandCrab ransomware, for which there is no free decryptor. In addition to GandCrab ransomware, the Fallout exploit kit is delivering ServHelper, AZORult, TinyNuke, Dridex and Smokebot malware.
The malvertising campaigns used to generate traffic to the exploit kit include TrafficShop, Popcash, RevenueHits, and HookAds. The latter is primarily used on high-traffic adult websites that are visited millions of times a month. Users are redirected to a decoy adult site that contains the exploit kit and would be unaware that anything untoward has happened. If there is an unpatched vulnerability for which fallout has an exploit, the ransomware or malware payload will be silently downloaded.
Exploit kit activity is now much lower than in 2016 when EKs were extensively used to deliver malware, but the latest updates show EKs are still a threat and that they are regularly being updated with the latest exploits.
Exploit kits can only deliver malware if unpatched vulnerabilities are present, so prompt patching is strongly recommended. Users also need to visit the sites hosting the exploit kit. Businesses can prevent users from visiting malicious websites using a web filter.
Web filters use blacklists of websites known to host exploit kits are capable of scanning websites for malicious content. They can also prevent third-party ads from being displayed, thus preventing redirects. Since certain categories of website are often used in malvertising campaigns, adult sites and torrents sites for instance, blocking access to those categories of content with a web filter is also recommended.
For further information on web filtering and how it can protect against web-based attacks, contact the TitanHQ team today.
Web filtering is important for protecting users from web-based threats and for controlling what users can do online. There are many choices of web filtering solutions, including Cisco Umbrella. While the latter is popular, many businesses and organizations are now changing from Cisco Umbrella to WebTitan.
In this post we explain some of the main benefits of changing from Cisco Umbrella to WebTitan and illustrate this with an example from the education sector.
Web Filtering for Schools and Libraries and CIPA Compliance
Web filters are a requirement of the Children’s Internet Protection Act (CIPA). CIPA was enact by congress in 2000 and is concerned with protecting minors from harmful website content such as pornography. CIPA requires schools and libraries to implement an Internet safety policy that addresses the safety and security of minors online.
To comply with CIPA, measures must be introduced to block access to obscene content, child pornography, and other web content that is considered to be harmful to minors. Additionally, schools must educate minors about appropriate online behavior and monitor the online activities of minors.
While there are many choices of web filters for schools that can help them comply with CIPA, not all solutions are created equal. While it is usually easy to block access to harmful content, with some solutions monitoring user activity can be difficult and time consuming.
Why Did Saint Joseph Seminary College Change from Cisco Umbrella to WebTitan?
There is no doubt that Cisco has developed a powerful web filtering solution in Umbrella that can offer protection from web-based threats and allow content control, but the solution is not without its drawbacks.
One of the main downsides is usability, especially monitoring the online activities of users, something that is particularly important for CIPA compliance. It was proving to be particularly difficult for Saint Joseph Seminary College, which needed to quickly identify attempts by students to access restricted content.
“I don’t need rounded corners and elegant fonts when I am trying to see who has been visiting dangerous websites. I need to clearly see domain names and internal IPs,” explained Saint Joseph Seminary College IT Director Todd Russell. “In my opinion, after Cisco bought OpenDNS, they made some major changes to the UI which made it virtually useless for quickly looking through blocked traffic for signs of particular types of usage.” The complexity of the user interface made the solution unpopular with IT staff and the complexity was jeopardizing security.
Ease of use was a major problem, but the troubles didn’t end there. There was also the issue of cost. “We found that once Cisco bought OpenDNS, they began upping the Umbrella pricing every year at renewal time. Despite the repeated price increases, the service was not improving and there was no additional value offered,” explained Russell.
Cost and usability issues prompted Russell to look for a Cisco Umbrella alternative. After assessing various Cisco Umbrella alternatives, the decision was taken to switch from Cisco Umbrella to WebTitan. “It didn’t take long to realize that WebTitan was the best alternative for an efficient, cost-effective, and easy to use filtering solution to replace Cisco Umbrella,” explained Russell.
“I am able to quickly scan an entire previous day of blocked traffic and take a closer look at the full traffic on any users that raise a concern in a matter of minutes. This has saved me an enormous amount of time when I need to examine a user’s traffic, but it has also made it possible for me to keep close tabs on our traffic.” All the information required was accessible with just two clicks.
In terms of time savings gained from using WebTitan and the lower cost of running the solution, the college has been able to make significant cost savings as well as identify and remediate issues immediately, which means greater safety and security for students.
Are You Looking for an Alternative to Cisco Umbrella?
If you are currently using Cisco Umbrella and are frustrated with the interface and are unable to easily get the information you need, or if you are looking for a lower-cost alternative to Cisco Umbrella that will not jeopardize security, you have nothing to lose by evaluating WebTitan.
Contact the TitanHQ team today and you can arrange a product demonstration and set up a free trial of the full solution to see for yourself the difference it makes.
In the words of Todd Russell, “That brief demo was all I needed to know that WebTitan would serve my needs much better than Umbrella and I have been thrilled with the improvements to my workflow since switching over.”
It is straightforward to implement security controls to protect wired networks, but many businesses fail to apply the same controls to improve WiFi security, often due to a lack of understanding about how to improve wireless access point security. In this post we cover some of the main threats associated with WiFi networks and explain how easy it can be to improve wireless access point security.
Wireless Access Points are a Security Risk
Most businesses now apply web filters to control the types of content that can be accessed by employees on their wired networks but securing wireless networks can be more of a challenge. It is harder to control and monitor access and block content on WiFi networks.
Anyone within range of the access point can launch an attack, especially on public WiFi hotspots which have one set of credentials for all guest users. It is therefore essential that controls are implemented to improve wireless access point security and protect users of the WiFi network.
WiFi Security Threats
A single set of credentials means cybercriminals are afforded a high degree of anonymity. That allows them to use WiFi networks to identify local network vulnerabilities virtually undetected. They could conduct brute force attacks on routers, for example, or use WiFi access to inject malware on servers that lack appropriate security. If access is gained to the router, attacks can be launched on connected devices, and malware can be installed on multiple end points or even POS systems to steal customers’ credit/debit card information.
The cyberattack on Dyn is a good example of how malware can be installed and used for malicious purposes. The DNS service provider was attacked which resulted in large sections of the Internet being made inaccessible. A botnet of more than 100,000 compromised routers and IoT devices was used in the attack.
Man-in-the-Middle attacks are also common on Wi-Fi networks. Any unencrypted content can be intercepted, such as if information is exchanged between a user and a HTTP site, rather than HTTPS, if a VPN is not used.
Public WiFi networks are often used for all manner of nefarious purposes due to the anonymity provided. If users take advantage of that anonymity to access illegal content and download child pornography or perform copyright infringing downloads of music, films, and TV shows from P2P file sharing sites, an investigation would center on the hotspot provider. Questions would likely be asked about the lack of security controls to prevent illegal website access.
The Easy Way to Improve Wireless Access Point Security
The easy way to improve wireless access point security is a web filtering solution. Web filtering solutions are usually implemented by businesses to secure wired networks, but solutions also exist to improve wireless access point security.
A web filter forms a barrier between the users of the network and the Internet. Controls can be applied to stop users from accessing dangerous, illegal, or inappropriate website content. Even if each user has their own access controls, without a web filter, users will still be vulnerable to malware attacks and phishing attempts and the hotspot provider may be liable for illegal activities over the WiFi network.
There are two ways of implementing WiFi web filtering to improve wireless access point security. One is to rely on a list of categorized domain names and use that to control content. The other is DNS-layer web filtering, which uses the DNS lookup process that is required before any user is directed to a website after entering the domain name into their browser. The DNS server turns the domain name into an IP address to allow the web page to be found.
Why DNS Filtering is Best Way to Improve Wireless Access Point Security
The main difference between the two types of web filtering is the point at which access is blocked. With a traditional web filter, content is first downloaded before it is blocked, which is a risk. With DNS-layer filtering, content is blocked during the lookup process before content is downloaded.
If content is downloaded before being blocked, this will naturally have an impact on available bandwidth. DNS-layer filtering has no impact on bandwidth, since the content is blocked before it is downloaded.
DNS filtering does not need to be integrated with other systems and it works across all devices and operating systems, since they all use DNS servers to access websites.
DNS filtering is also quick and easy to implement. No appliances need to be purchased, hardware doesn’t need to be upgraded, and no software downloads are required. A simple change to the DNS is all that is required to point it to the provider’s DNS server. It is also much easier to maintain. No software updates are necessary and, in contrast to other security solutions, no patching is required. It is all handled by the service provider.
WebTitan Cloud for WiFi – The Leading Wireless Access Point Security Solution
TitanHQ has set the standard for WiFi security with WebTitan Cloud for WiFi. WebTitan Cloud for WiFi gives businesses the opportunity to implement bulletproof WiFi security to protect end users from online threats, block malware downloads, and carefully control the content that can be accessed by wireless network users.
Businesses that run WiFi hotspots can quickly and easily implement the solution and let TitanHQ secure their WiFi networks and provide the massive processing power to fight current and emerging web-based threats. With WebTitan Cloud for WiFi, businesses can instead concentrate on profit-generating areas of the business.
If you want to improve wireless access point security, contact TitanHQ for further information on WebTitan cloud for WiFi. Our security experts will be happy to schedule a product demonstration and set up for a free trial.