Internet Security News

Our Internet security news features the latest press releases from the world's largest online security companies with details of the latest threats to be aware of and, unfortunately, Internet security news relating to significant data breaches. While some organizations will be grateful for the advance warning of an online threat – and details of how to protect themselves against it – for some the warnings will come too late.

Consequently it is recommended to be protected against all manner of online threats with an email filter and web filter from TitanHQ. Our Internet security solutions prevent users from accessing unsafe sites via phishing emails and malvertising, and from visiting websites that are vulnerable to exploit kits and malware. As many organizations already using TitanHQ solutions would agree, it is better to be safe than sorry.

A Quarter of Ransomware Attacks in 2017 Targeted Businesses

Kaspersky Lab has named ransomware as one of the key threats of 2017, and one that continues to plague businesses the world over. Ransomware attacks in 2017 are down year on year, but ransomware attacks on businesses are up.

Ransomware attacks in 2016 were bad, but this year there have been three major attacks that have gone global – WannaCry in May, NotPetya in June, and most recently, the Bad Rabbit attacks in October. Many of the ransomware attacks in 2017 have been far more sophisticated than in 2015 and 2016, while attackers are now using a wider variety of tactics to install the malicious code.

At the start of 2016, ransomware was primarily being installed using exploit kits, before attackers switched to spam email as the main method of delivery. Spam email remains one of the most common ways for ransomware to be installed, although each of the above three attacks used exploits for unpatched vulnerabilities.

Those exploits, all of which had been developed and used by the NSA, had been leaked online by the hacking group Shadow Brokers. While not as severe as WannaCry, NotPetya and Bad Rabbit, the AES-NI and Uiwix ransomware variants also used those exploits. Threat actors are also using remote desktop protocol to gain access to systems to install ransomware, while the use of exploit kits is once again on the rise.

There has been a noticeable change in targets since 2015 when ransomware started to be favored by cybercriminals. Consumers were the main targets, although cybercriminals soon realized there was more to be made from attacking businesses. In 2016, 22.6% of ransomware attacks were on business users. The Kaspersky Lab report shows that ransomware attacks on businesses are becoming far more common, accounting for 26.2% of all attacks in 2017.

Out of the businesses that experienced a ransomware attack in 2017, 65% said they lost access to a significant amount of data, and in some cases, all of their data. Some businesses have prepared for the worst and have developed ransomware response plans and now have multiple copies of backups, with at least one copy on an unnetworked device. In the event of an attack, data can be recovered.

Others have not been so fortunate and have been left with no alternative other than to pay the ransom demand. As we saw with NotPetya, and many other ransomware and pseudo-ransomware variants, it is not always possible to recover data. The Kaspersky Lab report shows that one in six businesses that paid the ransom demand were unable to recover their data, creating massive business disruption and also potentially privacy and compliance fines. Keys to unlock the encryption were not provided or simply did not work.

There is some good news in the report. Ransomware attacks in 2017 affected 950,000 unique users, which is a considerable reduction from last year when 1.5 million users suffered a ransomware attack. This has been attributed not to a reduction in attacks, but better detection.

Kaspersky reports that the explosion in ransomware families in 2016 did not continue at the same level in 2017. Last year, 62 new families of ransomware were discovered. While there is still a month left of the year, to date, the number of new ransomware families in 2017 has fallen to 38.

While this appears to be good news, it is not an indication that the threat from ransomware is reducing. Kaspersky Lab notes that while the creation of new ransomware families halved in 2017, the number of modifications to existing variants rose: in 2016 there were 54,000 modifications made to existing ransomware variants, but this year there have been 96,000 modifications detected, almost double last year's figure. Rather than develop new ransomware families, cybercriminals are tweaking existing ransomware variants.

Kaspersky Lab, McAfee, and a host of security experts predict ransomware attacks will continue to plague businesses in 2018. As long as the attacks remain profitable they will continue, although Kaspersky Lab notes that 2018 is likely to see efforts switch to cryptocurrency miners, which can prove more profitable than ransomware in the long run. Even so, ransomware attacks are likely to continue for the foreseeable future.

To prevent the attacks, businesses need to implement a host of defenses to block and detect ransomware. Anti-spam software can be deployed to prevent email-based attacks, web filters can be used to block access to websites hosting exploit kits and prevent drive-by downloads, and endpoint protection systems and network monitoring can detect changes made by ransomware and alert businesses to ransomware attacks in progress. Along with good backup policies and end user training, the threat from ransomware can be reduced to an acceptable level and the majority of attacks can be blocked.

LockCrypt Ransomware Distributed Using Brute Force RDP Attacks

A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via remote desktop protocol brute force attacks.

The LockCrypt ransomware attacks were first detected in June this year, but over the past few months the number of attacks has increased significantly, with October seeing the highest number of attacks so far this year.

LockCrypt ransomware is a relatively new malware variant, having first been seen in June 2017. Once a system is infected, users will be unable to access their files. This ransomware variant uses RSA-2048 and AES-256 cryptography, which makes it virtually impossible to recover files without paying the ransom demand if a viable backup does not exist. To make recovery more difficult, LockCrypt ransomware also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension.

The ransom payment for this campaign is considerable – typically between 0.5 and 1 Bitcoin per encrypted server. That's between $3,963 and $7,925 per compromised server; however, since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed, it can be used to access multiple servers and deploy LockCrypt ransomware. One of the Bitcoin addresses used by the attackers shows one company paid a ransom of $19,000 to recover files on three of its servers.

Once access to a server is gained, ransomware is deployed; however, the attackers are manually interacting with compromised servers. AlienVault security researcher Chris Doman reported that for one company, in addition to deploying ransomware, the attackers "manually killed business critical processes for maximum damage." All non-core processes on an infected server are killed.

The attacks do not appear to be targeted; instead they are conducted at random against business servers exposing RDP. Businesses that are most likely to have ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password, this plays into the hands of attackers.

Other security controls such as two-factor authentication can reduce the risk from this type of attack, as can rate limiting to cap the number of failed attempts a user can make before their IP address is temporarily – or permanently – blocked.

An additional control that system administrators can apply is to white-list certain IP addresses to restrict RDP access to authorized individuals. If that is not practical, disallowing RDP connections over the Internet from abroad can help to prevent these attacks.
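The rate-limiting, credential-reuse and IP allowlist controls described above can be checked for after the fact in a server's security log. The script below is an added illustration, not code from the article or from TitanHQ; it assumes failed and successful logon events have been exported as CSV lines with the fields timestamp, event id, logon type, account and source IP (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP), and the threshold, window and allowlist network are assumed values.

```python
"""Detect RDP brute-force activity from exported Windows Security events.

Added illustration, not code from the article or from TitanHQ. The log
format, thresholds and allowlist below are assumptions: each line mimics a
Windows Security event exported as CSV with the fields
timestamp,event_id,logon_type,account,source_ip (event 4625 = failed logon,
4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real data): a burst of guesses from one
# address followed by a success, and a legitimate user on the management net.
SAMPLE_LOG = """\
2017-11-03T02:14:01,4625,10,administrator,203.0.113.45
2017-11-03T02:14:03,4625,10,administrator,203.0.113.45
2017-11-03T02:14:05,4625,10,admin,203.0.113.45
2017-11-03T02:14:08,4625,10,backup,203.0.113.45
2017-11-03T02:14:10,4625,10,administrator,203.0.113.45
2017-11-03T02:14:12,4625,10,sqlsvc,203.0.113.45
2017-11-03T02:15:30,4624,10,sqlsvc,203.0.113.45
2017-11-03T02:20:00,4625,10,jsmith,198.51.100.7
2017-11-03T02:35:00,4624,10,jsmith,198.51.100.7
2017-11-03T03:00:00,4625,3,jsmith,198.51.100.7
"""

RDP_LOGON_TYPE = "10"
FAIL_THRESHOLD = 5               # failed RDP logons from one source ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window
# Hypothetical allowlist: the only network permitted to open RDP sessions.
RDP_ALLOWLIST = [ip_network("198.51.100.0/24")]


def parse_events(text):
    """Parse CSV lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source_ip = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "source_ip": source_ip,
        })
    return sorted(events, key=lambda e: e["time"])


def find_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for sources whose failed RDP logons reach
    the threshold inside any window; this is the signal a lockout or
    rate-limiting policy acts on."""
    recent = defaultdict(deque)
    hits = {}
    for ev in events:
        if ev["event_id"] != "4625" or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["source_ip"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:   # drop stale failures
            q.popleft()
        if len(q) >= threshold:
            s = hits.setdefault(ev["source_ip"], {
                "count": 0, "accounts": set(),
                "first": q[0]["time"], "last": ev["time"]})
            s["count"] = max(s["count"], len(q))
            s["accounts"].update(e["account"] for e in q)
            s["last"] = ev["time"]
    for s in hits.values():
        s["accounts"] = sorted(s["accounts"])
    return hits


def successful_logons_after_burst(events, hits):
    """For each flagged source, the first account that then logged on over
    RDP successfully: the sign that a password was guessed and that the
    credential should be reset before it is reused against other servers."""
    found = {}
    for ev in events:
        ip = ev["source_ip"]
        if (ip in hits and ip not in found and ev["event_id"] == "4624"
                and ev["logon_type"] == RDP_LOGON_TYPE
                and ev["time"] > hits[ip]["last"]):
            found[ip] = ev["account"]
    return found


def offlist_sources(events, allowlist=RDP_ALLOWLIST):
    """Sources that attempted RDP from outside the allowlist; with the
    allowlist enforced at the firewall these would never reach the server."""
    return {ev["source_ip"] for ev in events
            if ev["logon_type"] == RDP_LOGON_TYPE
            and not any(ip_address(ev["source_ip"]) in net for net in allowlist)}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = find_bruteforce(evs)
    for ip, s in hits.items():
        print(f"{ip}: {s['count']} failed RDP logons, accounts tried {s['accounts']}")
    print("guessed credentials:", successful_logons_after_burst(evs, hits))
    print("RDP attempts from outside the allowlist:", offlist_sources(evs))
```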

While implementing controls to prevent RDP brute force attacks is vital, most ransomware variants are spread via spam email, and to a lesser extent via exploit kits and drive-by downloads. Comprehensive security defenses must therefore be deployed to reduce the risk of ransomware attacks.

These should include an advanced spam filtering solution to prevent malicious emails from being delivered, web filters to block malicious websites and drive-by downloads, end user training to raise awareness of the threat from ransomware and other forms of malware, and network monitoring technology to identify unusual server and endpoint activity.

Network activity monitoring will not prevent ransomware attacks, but it will help IT teams respond quickly and halt the spread of ransomware to other vulnerable servers and end points.

Magniber Ransomware Spread by Magnitude Exploit Kit

The Magnitude exploit kit is being used to deliver a new malware variant – Magniber ransomware. While the Magnitude EK has been used in attacks throughout the Asia Pacific region, the latest attacks are solely taking place in South Korea.

Ransomware and malware attacks in Europe and the Americas are primarily conducted via spam email, as exploit kits have fallen out of favor with cybercriminals over the past year. However, that is not the case in the Asia Pacific region, where exploit kit attacks are still common.

An exploit kit is a website toolkit that scans visitors’ browsers for exploitable vulnerabilities. When a vulnerability is identified, it is exploited to download malware onto the user’s system. The download occurs silently and in the case of a ransomware attack, the user is only likely to discover the attack when their files have been encrypted.

Magniber ransomware takes its name from the Magnitude EK and Cerber ransomware, the ransomware variant that it has replaced. At present, Magniber ransomware is solely targeting users in South Korea. If the operating system is not in Korean, the ransomware will not execute. While it is not unusual for ransomware campaigns to involve some targeting, it is rare for attacks to be targeted on a specific country.

Up until recently, the Magnitude exploit kit was being used to download Cerber ransomware. FireEye reports that those attacks were concentrated in the Asia Pacific region. 53% of attacks occurred in South Korea, followed by the USA (12%), Hong Kong (10%), Taiwan (10%), Japan (9%), and Malaysia (5%). Small numbers of attacks also occurred in Singapore and the Philippines. At the end of September, Magnitude EK activity fell to zero, but on October 15, the payload was updated and attacks were solely conducted in South Korea.

To avoid analysis, Magniber ransomware checks whether it is running in a virtual environment. A check is also performed to identify the system language. If the system language is Korean, data is encrypted with AES128 and encrypted files are given the .ihsdj extension. After encryption, the ransomware deletes itself. If the system language is not Korean, the ransomware exits.

At present, the Magnitude Exploit Kit has been loaded with a single exploit for CVE-2016-0189, a memory corruption vulnerability in Internet Explorer. A patch for the vulnerability was released last year. FireEye believes the ransomware is still under development and its capabilities will be enhanced and fine-tuned.

To prevent attacks, it is important to ensure systems are fully patched. Businesses should make sure all network nodes are updated and are fully patched. A web filtering solution should also be used as an additional protection against this and other exploit kit attacks.

Commission Upholds Decision to Fire Employee for Viewing Pornography at Work

A Social Community Partnership employee fired for viewing pornography at work took legal action against her employer for unfair dismissal. However, Ireland’s Workplace Relations Commission (WRC) has upheld the Partnership’s decision to fire the employee, confirming the sanction was appropriate.

In May 2016, the employee was discovered to have viewed pornography on her work computer and was promptly fired for gross misconduct. While the employee denied viewing pornography at work, a review of access logs on her computer revealed pornographic websites had been accessed on seven occasions between September and November 2015.

The material accessed included depictions of rape and the abduction of girls. While viewing pornography at work is unacceptable in any office, the nature of the material that was accessed made this an egregious violation of the Partnership’s acceptable Internet usage policy, especially considering the Social Community Partnership works to support children and families.

Lack of Individual Logins Makes it Difficult to Attribute Inappropriate Internet Access to Individual Employees

The case was not clear cut, as the computers in the reception area where she worked did not require secure logins for each employee. The employee also denied that she had viewed pornography and claimed two other workers used the same computers. She also said that other employees could have used the computers when she was not at her desk.

To determine that the employee was the person responsible for violating the company’s acceptable Internet use policy, the Partnership had to compare Internet logs against the work schedule. Multiple employees were found to have been working on four of the seven occasions, but the employee was the only person scheduled to work in the reception area on three of the occasions when pornography was accessed.
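The comparison of Internet logs against the work schedule is a small correlation exercise, and it also shows why the lack of individual logins matters: only an event with exactly one rostered person can be attributed. The script below is an added illustration, not part of the article or of the case; the log format, workstation name, employees, dates and URLs are all constructed.

```python
"""Correlate a web filter's access log against a shift schedule to see which
flagged events can be attributed to a single employee.

Added illustration, not part of the article or of the WRC case file. The log
format, workstation names, employees, dates and URLs are all constructed.
"""
from datetime import datetime

# Constructed web filter log: timestamp, workstation, category, URL.
ACCESS_LOG = """\
2015-09-14T10:12:44 RECEPTION-PC1 adult http://blocked.example/a
2015-09-14T10:13:02 RECEPTION-PC1 news http://news.example/
2015-09-21T14:05:10 RECEPTION-PC1 adult http://blocked.example/b
2015-10-05T11:40:33 RECEPTION-PC1 adult http://blocked.example/c
2015-10-12T12:30:00 RECEPTION-PC1 adult http://blocked.example/d
2015-10-26T15:20:47 RECEPTION-PC1 adult http://blocked.example/e
2015-11-09T09:55:19 RECEPTION-PC1 adult http://blocked.example/f
2015-11-16T10:30:05 RECEPTION-PC1 adult http://blocked.example/g
"""

# Constructed reception rota: (employee, workstation, shift start, shift end).
SCHEDULE = [
    ("Employee A", "RECEPTION-PC1", "2015-09-14T09:00", "2015-09-14T17:00"),
    ("Employee A", "RECEPTION-PC1", "2015-09-21T09:00", "2015-09-21T17:00"),
    ("Employee B", "RECEPTION-PC1", "2015-09-21T13:00", "2015-09-21T17:00"),
    ("Employee A", "RECEPTION-PC1", "2015-10-05T09:00", "2015-10-05T17:00"),
    ("Employee A", "RECEPTION-PC1", "2015-10-12T09:00", "2015-10-12T13:00"),
    ("Employee C", "RECEPTION-PC1", "2015-10-12T12:00", "2015-10-12T17:00"),
    ("Employee A", "RECEPTION-PC1", "2015-10-26T09:00", "2015-10-26T17:00"),
    ("Employee B", "RECEPTION-PC1", "2015-10-26T09:00", "2015-10-26T17:00"),
    ("Employee A", "RECEPTION-PC1", "2015-11-09T09:00", "2015-11-09T17:00"),
    ("Employee A", "RECEPTION-PC1", "2015-11-16T09:00", "2015-11-16T17:00"),
    ("Employee C", "RECEPTION-PC1", "2015-11-16T09:00", "2015-11-16T13:00"),
]


def parse_log(text, category="adult"):
    """Keep only the events in the category under investigation."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, workstation, cat, url = line.split()
        if cat == category:
            events.append({"time": datetime.fromisoformat(ts),
                           "workstation": workstation, "url": url})
    return events


def staff_on_duty(event_time, workstation, schedule):
    """Employees rostered on that workstation at that moment."""
    return sorted({emp for emp, ws, start, end in schedule
                   if ws == workstation
                   and datetime.fromisoformat(start) <= event_time
                   < datetime.fromisoformat(end)})


def attribute(events, schedule):
    """Label each event with its candidate users; 'sole' means exactly one
    person was rostered, the only case a shared login allows attribution."""
    results = []
    for ev in events:
        cands = staff_on_duty(ev["time"], ev["workstation"], schedule)
        results.append({**ev, "candidates": cands, "sole": len(cands) == 1})
    return results


def sole_attribution_counts(results):
    """How many events each employee was the sole candidate for."""
    counts = {}
    for r in results:
        if r["sole"]:
            counts[r["candidates"][0]] = counts.get(r["candidates"][0], 0) + 1
    return counts


if __name__ == "__main__":
    res = attribute(parse_log(ACCESS_LOG), SCHEDULE)
    for r in res:
        print(r["time"], r["candidates"], "sole" if r["sole"] else "shared")
    print(sole_attribution_counts(res))
```

With the constructed rota, three of the seven events have a single candidate and four have two, which mirrors the shape of the case above.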

The employee suggested the sites could have been popups, although the claim was rejected by her employer. To determine whether access was due to a malware infection, an external computer expert was called in to conduct a scan of the computer. The scan confirmed no malware was present that could have redirected the browser to pornographic websites.

After hearing the unfair dismissal case and the evidence against the employee, the WRC ruled that ‘on the balance of probability,’ the employee was the person responsible for accessing the material and that, under the circumstances, the decision to fire the employee was correct.

Two Thirds of Men and One Third of Women Admit to Viewing Pornography at Work

Even though viewing pornography at work is prohibited in many organizations, employees ignore company rules and access obscene material on their work computers. The actions often result in instant dismissal when they are discovered, although many employees believe they won’t be caught or do not realize Internet logs are maintained. Many choose to anonymize their Internet activity by connecting to the Internet via VPNs and other anonymizing services.

The scale of the problem has been identified by several surveys and studies. In one notable study, conducted by Proven Men Ministries in 2014, 63% of men and 36% of women admitted having accessed pornography at work on at least one occasion. Other studies in the United States and the UK have also confirmed viewing pornography at work is commonplace.

The viewing of pornography at work can cause many problems for employers. In this case, the Social Community Partnership could have lost essential government funding. Even though that didn’t happen, there has been considerable negative publicity and the expense of fighting an unfair dismissal claim.

When employees view pornography at work it can easily lead to the creation of a hostile working environment, lawsuits could be filed by other employees who have been made to feel uncomfortable by the actions of others, and when illegal pornographic material is accessed at work – child pornography for example – the consequences for employers can be severe.

How Can Businesses Prevent Employees Viewing Pornography at Work?

Acceptable Internet usage policies can be used to ensure employees who breach the rules can be fired, but they do not prevent employees viewing pornography at work. Cases such as this show just how important it is to implement technology to prevent employees from accessing inappropriate website content – not just pornography, but also other content that should not be accessed in the workplace.

The expense and problems experienced by the Social Community Partnership could have easily been avoided if a web filter had been used. A web filter is a simple method of enforcing acceptable Internet usage policies and preventing pornography and other unacceptable content from being accessed by employees. A web filter can also block the use of anonymizers such as VPNs.

Further, a web filter is easy to implement, inexpensive, and can help organizations prevent considerable productivity losses, while reducing legal liability.

To find out more about the benefits of web filtering, and how you can stop employees viewing pornography at work, contact the TitanHQ team today and ask about WebTitan.

PornHub Malvertising Campaign Infects Millions with Malware

A massive Pornhub malvertising campaign has been detected that potentially resulted in millions of malware infections in the United States, Canada, UK, Australia and beyond.

Malvertising is the term given to malicious adverts that dupe website visitors into visiting websites where malware is downloaded or to sites that are used to phish for login credentials. These malverts often appear on legitimate websites, adding to their legitimacy. The malicious sites that users are directed to can download any type of malware – keyloggers, ransomware, spyware or adware.

The Pornhub malvertising campaign was used to spread click fraud malware. The hacking group behind the campaign – KovCoreG – used the Kovter Trojan. The malware has persistence and will survive a reboot.

Pornhub is one of the most popular adult websites, attracting millions of visitors. The website uses a third-party ad network called Traffic Junky. The attackers managed to sneak their malicious adverts past the controls the ad network has in place against malvertising.

The attackers detected the browser being used and redirected users to a website tailored to their browser. The Pornhub malvertising campaign worked on users of Chrome, Internet Explorer/Edge and Firefox. The webpages had been expertly crafted to exactly match the colors and fonts of Google, Firefox, and Microsoft and included the relevant logos and branding. The malicious webpages indicated a critical security update was required to secure the user's browser. Clicking to download the update, and running that update, would result in infection.

The Pornhub malvertising campaign was detected by Proofpoint, which notified the ad network and Pornhub. Both acted quickly to remediate the threat, although not before many users had been infected with malware.

A Web Filtering Solution Can Block Malvertising Attacks

Implementing a web filtering solution in the workplace is not just about preventing your employees from wasting time on Facebook. A web filter is an important part of any layered cybersecurity defense strategy. The latest Pornhub malvertising campaign is a good example of how controlling the websites your employees can access can prevent malware infections.

Unless you work in the adult entertainment industry, employees should be prevented from accessing pornography at work. Most organizations include pornography in their acceptable usage policies. However, unless a filtering solution is implemented to block access, some employees are likely to break the rules. You could have a policy in place that states accessing pornography at work will result in instant dismissal. However, if anyone breaks the rules, it is not just their job that is on the line. Your network could be infected with malware.

Of course, cybercriminals do not just use adult websites for malicious adverts. Malvertising can appear on any website that includes ad blocks from third party advertisers. Since these ad blocks are an important source of revenue, many popular websites use them, including websites that are likely to feature heavily in your Internet access logs: the New York Times website, for example, or the BBC and MSN.

This Pornhub malvertising campaign required a manual download, although oftentimes users are directed to sites where malware is downloaded automatically using exploit kits. If you are fully patched, you are likely to avoid an infection, but it is easy to miss a patch. The massive Equifax data breach showed how easy it is for a patch to be missed, as did the Wannacry ransomware attacks.

Considering the cost of resolving a malware infection, phishing attack, or ransomware installation, a web filtering solution is likely to pay for itself. Add to that the increase in productivity from blocking access to certain categories of websites and the improvements to your profits can be considerable.

If you are not yet using a web filter, or are unhappy with the cost of your current solution, give TitanHQ a call today and find out more about the savings you could be making.

Cost of Cybercrime Increased 23% in 12 Months

The cost of cybercrime is 23% higher than last year, according to a new study conducted by the Ponemon Institute on behalf of Accenture. The average annual cost of cybercrime is now $11.7 million per organization, having increased from $9.5 million last year.

The Ponemon Institute conducted the 2017 Cost of Cybercrime study on 2,182 security and IT professionals at 254 organizations. Respondents were asked about the number of security breaches they experienced in the past 12 months, the severity of those incidents, and the cost of mitigation.

The average number of security breaches experienced by each organization was 130 per year, which is more than twice the number of incidents that were being experienced 5 years ago and 27.4% more than this time last year.

The costs of cybercrime were split into four areas: disruption to business processes, data loss, loss of revenue, and damage to equipment. Respondents were asked to rate each based on their cost. While the losses from disruption to the business were not insignificant, they were the least costly. The biggest cost was information loss.

The costliest security incidents to resolve were malware attacks, which cost an average of $2.4 million to resolve, although the attacks were considerably more expensive to resolve in the United States, where the average losses were $3.82 million per incident. In second place were web-based attacks, costing an average of $2 million globally and $3.4 million in the United States.

However, in terms of the amount of disruption caused, insider incidents topped the list, taking an average of 50 days to mitigate. Ransomware attacks took an average of 23 days to resolve.

The cost of cybercrime report indicates organizations in the financial services have the highest annual costs, spending an average of $18.28 million per organization. In second place was the energy sector with an average annual cost of $17.20 million.

Organizations in the United States had the biggest annual security breach resolution costs, spending an average of $21 million each per year. Bottom of the list was Australia with average annual costs of $5 million. Organizations in the United Kingdom were spending an average of $8.7 million per year.

As we saw with the NotPetya attacks, the cost of a cyberattack can be considerably higher. Both Maersk and FedEx reported their losses from the attacks could well rise to $300 million.

The most valuable security tools were seen as threat intelligence solutions, which gather data from cyberattacks around the world and allow businesses to prioritize threats. These solutions saved businesses an average of $2.8 million per year.

Malvertising Phishing Attacks Soar, Underscoring Need for a Web Filter

Email may be the primary vector used in phishing attacks, but the second quarter of 2017 has seen a massive increase in malvertising phishing attacks.

Malvertising is the term given to malicious adverts, which are often displayed on high-traffic websites via third party advertising networks. These adverts are used to direct web visitors to malicious websites, oftentimes sites containing exploit kits that probe for vulnerabilities and silently download ransomware and other malware.

These malware attacks increased between 2015 and 2016, with the total number of malvertising attacks rising by 136%. Demonstrating how quickly the threat landscape changes, between Q1 and Q2, 2017 there was a noticeable decline in malicious advert-related exploit kit and malware attacks. Exploit kit redirects fell by 24% and malware-related adverts fell by almost 43%, according to a recent study released by RiskIQ.

However, the study shows there was a massive increase in malvertising phishing attacks as cybercriminals changed their tactics. Phishing-related ads increased by 131% in Q2, 2017, and between 2015 and 2016, malvertising phishing attacks increased by a staggering 1,978%.

The websites that these adverts direct users to often promise a free gift in exchange for taking part in a survey. Genuine market research firms tend not to offer large incentives for taking part in surveys, or when they do offer an incentive, participants are entered into a draw where they stand a chance of winning a prize. When gifts are offered to all participants, it is a warning sign that all may not be as it seems. That said, many people still fall for the scams.

The aim of the surveys is to obtain sensitive information such as bank account information, Social Security numbers, usernames, passwords and personal information. The information can be used for a wide range of nefarious purposes. It is not only personal information that is sought. Cybercriminals are keen to gain access to corporate email accounts for the data they contain and to use them to send phishing emails.

When phishing attacks occur through corporate email accounts it can seriously tarnish a company’s reputation and may result in litigation if insufficient controls have been implemented to prevent such attacks from occurring.

Businesses can protect against malicious adverts and websites by implementing a web filter. A web filter can be configured to block third party adverts as well as the malicious websites that users are directed to, thus minimizing the risk of web-based malware and phishing attacks.

Many businesses are now choosing to filter the website content that their employees access purely for security reasons, although there are many other benefits to be gained from content filtering. Web filters can help employers curb cyberslacking, control bandwidth usage, and reduce legal liability.

With the cost of DNS-based content filtering low and potentially high losses from the failure to control Internet access, it is no surprise that so many businesses are now choosing to regulate what employees can do online at work.

To find out more about the full range of benefits of web filtering and to take advantage of a free trial of WebTitan, the leading web filtering solution for businesses, contact TitanHQ today.

The High Cost of a Ransomware Attack

Why should businesses invest heavily in technology to detect ransomware attacks when a ransom payment may only be between $500 and $1,000? While that is what cybercriminals are charging as a ransom, the cost of a ransomware attack is far higher than any ransom payment. In fact, the ransom is often one of the lowest costs of a ransomware attack that businesses must cover.

The ransom payment may seem relatively small, although the latest ransomware variants are capable of spreading laterally, infecting multiple computers, servers and encrypting network shares. The ransom payment is multiplied by the number of devices that have been infected.

The Cost of a Ransomware Attack Can Run to Millions of Dollars

When businesses suffer ransomware attacks, the attackers often set their ransoms based on the perceived ability of the organization to pay. In 2016, Hollywood Presbyterian Medical Center was forced to pay a ransom of $19,000 to unlock its systems. When the San Francisco Muni was infected, hackers demanded $50,000 for the keys to unlock its payment system. In June 2017, South Korean web host Nayana agreed to pay $1 million for the keys to unlock the encryption of its 53 Linux servers and 3,400 customer websites.

These ransom payments are high, but the ransom is only one cost of a ransomware attack. The biggest cost of a ransomware attack is often the disruption to business services while files are taken out of action. Systems can be taken out of action for several days, bringing revenue generating activities to an abrupt stop. One Providence law firm experienced downtime of three months following a ransomware attack, even though the $25,000 ransom was paid. Lawyers were stopped from working, causing a loss in billings of an estimated $700,000.

In heavily regulated industries, notifications must be sent to all individuals whose information has been encrypted, and credit monitoring and identity theft services often need to be provided. When hundreds of thousands of users’ data is encrypted, the cost of printing and mailing notifications and paying for credit monitoring services is substantial.

Once an attack has been resolved, networks need to be analyzed to determine whether any other malware has been installed or backdoors created. Cybersecurity experts usually need to be brought in to conduct forensic analyses. Then ransomware defenses need to be improved and new security systems purchased. The total cost of a ransomware attack can extend to hundreds of thousands or millions of dollars.

Ransomware is Here to Stay

As long as ransomware attacks are profitable, the threat will not go away. The use of ransomware-as-a-service allows ransomware developers to concentrate on creating even more sophisticated ransomware variants and stay one step ahead of security researchers and antivirus companies.

Anonymous payment methods make it hard for law enforcement to discover the identities of ransomware developers, and since those individuals are usually based overseas, even if they are identified, bringing them to justice is problematic.

Ransomware developers are constantly changing tactics and are developing new methods of attack. The coming months and years are likely to see major changes to how ransomware is used, and the systems that are attacked.

Ransomware attacks mostly target Windows systems, although new variants have already been developed to encrypt Mac and Linux files. Security experts predict there will also be an increase in ransomware variants targeting Macs as Apple’s market share increases, while website attacks are becoming more common. When a website is attacked, all site files, pages, and images are encrypted to prevent access. For an e-commerce business, the attacks can be devastating.

Ransomware attacks on mobile devices are now commonplace, with screen-lockers and file-encryptors used. Screen locking ransomware prevents users from accessing any apps or functions rendering the device unusable. File encrypting variants encrypt all data stored on the device. These ransomware variants are most commonly packaged with apps sold in unofficial app stores. Risk can be substantially reduced by only downloading files from official app stores and ensuring all apps are kept up to date.

Given the increase in attacks and the massive increase in new ransomware variants, businesses must improve their defenses, block the common attack vectors, back up all data, and constantly monitor for indicators of compromise.

Tips for Preventing a Ransomware Attack

  • Ensure users only have access to data and network drives necessary for them to perform their jobs.
  • Disconnect backup devices once backups have been performed.
  • Keep operating systems, software applications, and plugins up to date and fully patched.
  • Block access to websites known to host exploit kits using a web filter such as WebTitan.
  • Implement a spam filtering solution to prevent malicious emails from reaching inboxes.
  • Provide regular, ongoing training to all staff on the risks of ransomware and phishing.
  • Segment your network and restrict administrator rights.

To ensure a swift recovery from a ransomware attack, make sure you:

  • Create multiple backups of all files, websites, and systems.
  • Create three backups on two different media and store one copy offsite.
  • Develop a ransomware response plan that can be implemented immediately when an attack is suspected.

Equifax Data Breach: 143 Million Consumers Affected

A massive Equifax data breach was announced yesterday, which ranks as one of the largest data breaches of 2017. Approximately 143 million consumers have been impacted and had their sensitive data exposed and potentially stolen.

A data breach at any company can cause considerable fallout, although this incident is particularly bad news for a credit reporting agency. Equifax aggregates and stores vast quantities of highly sensitive consumer data that are used by financial firms to make decisions about the creditworthiness of consumers. The data breach is sure to damage trust in the company.

Ironically, Equifax offers credit monitoring and identity theft protection services to companies that experience data breaches to help them protect breach victims. Naturally, all Americans affected by the Equifax data breach will be offered those services free of charge. In fact, Equifax has gone further by agreeing to offer those services free of charge to all U.S. consumers for a period of one year, even if they were not directly affected by the breach.

Chairman and Chief Executive Officer, Richard F. Smith, said “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.”

The Equifax data breach may not be the largest data breach of 2017, but the nature of the data exposed makes it one of the most serious. Highly sensitive data were exposed, including personal information, Social Security numbers, birthdates and driver’s license numbers, and 209,000 consumers had their credit card numbers exposed.

These are the exact types of information used by cybercriminals to commit identity theft and fraud. Dispute documents were also stored on the compromised system. Those documents contained a range of personal information on 182,000 consumers. The bulk of the data related to U.S. citizens, although some consumers in Canada and the United Kingdom have also been affected by the Equifax data breach.

The hacker(s) responsible for the attack had access to Equifax’s systems for a considerable period of time before the breach was discovered. Access was first gained to systems in mid-May and continued until July 29, 2017, when the breach was discovered.

According to a statement released by Equifax yesterday, hackers gained access to its systems by exploiting a website vulnerability. While sensitive data were exposed and potentially stolen, Equifax reports that its core databases, which are used for credit referencing purposes, were not compromised at any point.

The data breach is still being investigated and a third-party cybersecurity firm has been hired to assist with the investigation. Smith said, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”

Breach notification letters are being sent to some, but not all, breach victims. Only the 391,000 individuals whose credit card numbers or dispute documents were exposed will receive notifications by mail. All other individuals will have to check an online tool to find out if their information was exposed in the breach.

Jimmy Nukebot: A New Iteration of the NeutrinoPOS Banking Trojan

Earlier this year, the NeutrinoPOS banking Trojan source code was leaked, leading to several new variants of malware being created, the latest being Jimmy Nukebot. In contrast to its predecessor, which was used to steal bank card information, the latest version has lost that functionality.

However, Jimmy Nukebot can perform a wide range of malicious functions, serving as a downloader for many different malicious payloads. The malware also acts as a backdoor, allowing the actors behind it to monitor activity on an infected device.

Security researchers at Kaspersky Lab have analysed Jimmy Nukebot infections and have seen the malware download a wide range of modules including Monero cryptocurrency mining malware, web-injects similar to those used in NeutrinoPOS, and various other modules that modify the functions of the malware. The malware can take screenshots of an infected device and exfiltrate data and could download any malicious payload onto an infected device.

Publication of the source code of malware results in an increase in its popularity. With the malware used in more attacks, the probability of it being detected is much higher. In order to evade detection, considerable modification to the malware is required. This could well be the reason why so many changes have been made to the latest iteration. The authors of Jimmy Nukebot took the original source code of the NeutrinoPOS banking Trojan and totally restructured the malware. The way the new malware has been constructed also makes static analysis much more complicated.

The new features of the malware make it a formidable threat. Jimmy Nukebot is able to learn about the system on which it is installed and use that information for exploitation, tailoring the payload it delivers based on its environment rather than performing a pre-set malicious activity immediately upon infection.

Since the malware passively collects information and responds accordingly, it is unlikely to trigger AV alerts and may remain undetected. Organizations that have the malware installed are therefore unlikely to be aware that their systems have been compromised.

Protecting against threats such as this requires advanced malware defences, although as with most malware infections, they occur as a result of the actions of end users such as opening infected email attachments, clicking hyperlinks in emails or visiting websites that silently download malware.

Improving security awareness of employees will go a long way toward preventing malware from being installed. Coupled with an advanced spam filter to block email-based threats, a web filter to block redirects to exploit kits, regular patching, the enforced use of strong passwords, and advanced anti-malware technology, organisations can protect themselves against malware threats.

300 Google Play Store Malware Infected Apps Discovered

Downloading apps from non-official sources potentially places users at risk, but Google Play Store malware infected apps do exist. Google has controls in place to prevent malicious apps from being uploaded to its app store, but those controls are not always 100% effective. Choosing to download apps only from official stores is no guarantee that the apps will be free from malware.

Security researchers recently discovered around 300 apps offered through the Google Play store that appear to be legitimate programs, yet are infected with malware that adds infected devices to a large botnet. The botnet was being used to launch distributed denial of service (DDoS) attacks on websites.

The botnet, dubbed WireX, comprises tens of thousands of Android devices that are being used in highly damaging cyberattacks. Devices started to be infected in early July, with a steady rise in additions over the following weeks. Even though the number of compromised devices grew steadily in July, the botnet was only discovered in early August, when it started to be used in small-scale DDoS attacks.

Since then, larger attacks have taken place, mostly targeting the hospitality sector. Those attacks have clogged websites with junk traffic, preventing legitimate users from accessing the sites. Some of the WireX DDoS attacks involved as many as 160,000 unique IPs. Since a single device could conceivably attack a website from multiple IP addresses, the size of the botnet has been estimated at around 70,000 devices.

The growth of the botnet was soon attributed to malicious apps, with researchers discovering around 300 Google Play Store malware infected apps. Google has now disabled those apps and is in the process of removing them from devices.

The apps included video players, battery boosters, file managers and ringtones. The apps were not simply malware, as users would undoubtedly attempt to delete the apps if they failed to perform their advertised functions. The apps all worked, and users who downloaded them were unaware that their devices were being used for malicious purposes. The malware used a ‘headless browser’, which was able to perform the functions of a standard browser without displaying any information to the user, allowing the actors behind the malware to operate undetected.

When the devices were needed for DDoS attacks, they would receive commands from their C2 server to attack specific websites.

Multiple security vendors including Akamai, RiskIQ, Flashpoint and Cloudflare collaborated and succeeded in taking down the WireX botnet. Without that collaboration, the botnet would still be active today and may not have been detected.

Neptune Exploit Kit Turns Computers into Cryptocurrency Miners

The Neptune Exploit kit is being used to turn computers into cryptocurrency miners, with traffic directed to the exploit kit using a hiking-themed malvertising campaign.

Exploit kit activity has fallen this year, although these web-based attacks still pose a significant threat. Exploit kits are web-based toolkits that probe browsers and plugins for vulnerabilities that can be exploited to download malware. Simply visiting a website hosting an exploit kit is all it takes for malware to be silently downloaded.

Protecting against exploit kit attacks requires browsers, plugins and extensions to be kept 100% up to date. However, even updated browsers can be vulnerable. Exploit kits can also include exploits for zero-day vulnerabilities that have not yet been patched.

Acceptable usage policies can help organizations to prevent exploit kit attacks, although website visitors are often redirected to malicious sites from legitimate websites. One of the main ways this happens is through malvertisements. Many high-traffic websites include advertising blocks that display third-party adverts. The advertising networks serve adverts which are displayed on member sites, with the site owners earning money from ad impressions and click-throughs.

While the advertising networks have measures in place to vet advertisers, oftentimes cybercriminals succeed in submitting malicious adverts. Those adverts are then pushed out and displayed on legitimate websites. Clicking one of those malicious adverts will see the user directed to a webpage hosting the exploit kit.

Exploit kits are used to download Trojans, ransomware and other malicious code, although the Neptune exploit kit is being used to download cryptocurrency miners. Infection will see computers’ processing power used to mine the Monero cryptocurrency. Infection will result in the infected computer’s resources being hogged, slowing down the performance of the machine.

The latest Neptune exploit kit campaign uses hiking club-related adverts to drive traffic to landing pages hosting the Neptune exploit kit, which in turn uses HTML and Flash exploits to download malware. These adverts closely mimic genuine domains. FireEye reports that one such campaign mimics the genuine website highspirittreks[.]com using the domain highspirittreks[.]club. Other campaigns offer a service to convert YouTube videos to MP3 files. The imagery used in the adverts is professional and the malvertising campaigns are likely to fool many web surfers.
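The lookalike domain quoted from the FireEye report above (same brand label, different top-level domain) is the kind of thing a proxy-log check can catch. The following is an added example, not FireEye's or TitanHQ's code: the watchlist and the log lines are constructed, and the hostname splitting assumes single-label TLDs.

```python
"""Added example: flag lookalike domains in proxy logs.

The watchlist and log lines are constructed for this example; the only
real domains are the pair quoted from the FireEye report above.
"""
import re

# Constructed watchlist of legitimate domains that should not be impersonated.
WATCHLIST = {"highspirittreks.com"}

# Constructed proxy log lines, defanged the way threat reports print them.
SAMPLE_LOG = """\
2017-08-22T10:14:02Z 10.0.0.12 GET http://highspirittreks[.]com/trips 200
2017-08-22T10:14:09Z 10.0.0.12 GET http://www.highspirittreks[.]club/ad.html 200
2017-08-22T10:15:31Z 10.0.0.17 GET http://highspirittreks.com.trek-deals[.]club/ 200
2017-08-22T10:16:00Z 10.0.0.21 GET http://example[.]org/index.html 200
"""

# Host part of a URL: everything between the scheme and the next "/" or space.
URL_RE = re.compile(r"https?://([^/\s]+)")


def refang(host: str) -> str:
    """Undo the "[.]" defanging used in reports, drop any :port, normalise case."""
    host = host.split(":")[0]
    return host.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def split_host(host: str):
    """Split a hostname into (subdomain labels, registrable label, tld).

    Assumption: single-label TLDs only (no public suffix list), so
    "foo.co.uk" would be split as label "co", tld "uk".
    """
    labels = host.split(".")
    if len(labels) < 2:
        return [], host, ""
    return labels[:-2], labels[-2], labels[-1]


def classify(host: str):
    """Return None if the host looks benign, otherwise a short reason string."""
    host = refang(host)
    subs, label, tld = split_host(host)
    for legit in WATCHLIST:
        _, legit_label, legit_tld = split_host(legit)
        if label == legit_label and tld != legit_tld:
            # e.g. highspirittreks.club impersonating highspirittreks.com
            return f"tld-swap of {legit}"
        if legit_label in subs:
            # e.g. highspirittreks.com.trek-deals.club: the brand is only a
            # subdomain; the real registrable domain is trek-deals.club
            return f"brand {legit_label} used as subdomain of {label}.{tld}"
    return None


def scan_log(text: str):
    """Return [(refanged host, reason), ...] for every suspicious request."""
    hits = []
    for line in text.splitlines():
        match = URL_RE.search(line)
        if not match:
            continue
        host = refang(match.group(1))
        reason = classify(host)
        if reason:
            hits.append((host, reason))
    return hits


if __name__ == "__main__":
    for host, reason in scan_log(SAMPLE_LOG):
        print(f"SUSPICIOUS {host}: {reason}")
```

Running the script against the constructed log flags the .club lookalike and the brand-as-subdomain host while leaving the genuine .com request and the unrelated domain alone.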

The exploits used in the latest campaign are all old; therefore, protecting against attacks simply requires plugins and browsers to be updated. The main exploits take advantage of flaws in Internet Explorer – CVE-2016-0189, CVE-2015-2419, CVE-2014-6332 – and Adobe Flash – CVE-2015-8651, CVE-2015-7645.

Having a computer turned into a cryptocurrency miner may not be the worst attack scenario, although exploit kits can rapidly switch their payload. Other exploit kits are being used to deliver far more damaging malware, which will be downloaded silently without the user’s knowledge. Consequently, organizations should take precautions.

In addition to prompt patching and updating of software, organizations can improve their defences against exploit kits by implementing a web filtering solution such as WebTitan.

WebTitan can be configured to block all known malicious sites where drive-by downloads take place and can prevent malvertisements from directing end users to webpages hosting these malicious toolkits.

To find out more about WebTitan and how it can improve your organization’s security posture, contact the TitanHQ team today.

India’s Central Board of Secondary Education Recommends School Web Filtering Technology

India’s Central Board of Secondary Education is urging all CBSE affiliated schools to take action to improve safety for students, including implementing school web filtering technology to keep students safe online.

The Internet is home to an extensive range of potentially harmful material that can have a major impact on young developing minds. Parents can take action to keep their children safe at home by using parental control filters. However, students must receive similar or greater levels of protection while at school.

School web filtering technology can prevent students from deliberately or accidentally viewing obscene material such as pornography, child pornography or images of child abuse and other categories of potentially harmful website content. CBSE has warned school boards that when students access this material it is “detrimental to themselves, their peers and the value system.” School web filtering technology should also be implemented to prevent students from engaging in illegal activities online via school IT devices.

CBSE-affiliated schools have been advised to develop guidelines for safe Internet use, make this information available to students, and display the rules prominently. However, without school web filtering technology, these policies would be easy to ignore. A technological solution ensures that students wishing to engage in illegal activities online, or view harmful website content, will be prevented from doing so.

Prevention is only one aspect of Internet control. Schools should also set up a monitoring system to discover when individuals are attempting to bypass Internet usage policies. A web filtering solution should therefore be capable of generating reports of attempts to access prohibited material, allowing schools to take action. Schools have also been advised to sensitize parents about safety norms and even to go as far as taking disciplinary action when children are discovered to have attempted to access inappropriate material.

While many school systems around the world have implemented school web filtering technology, CBSE is advising affiliated schools in India to go one step further and restrict Internet content by age group. Schools should set filtering controls by user group and restrict access to age-inappropriate websites. Web filtering solutions such as WebTitan allow controls to be set easily for different user groups. The solution can be used to set separate filtering controls for staff and for students of differing ages with ease.

Other Internet controls that have been suggested include the rapid blocking of usernames/passwords when children leave school, using antivirus solutions to reduce the risk of malware infections, using firewalls to prevent cyberattacks and the theft of children’s sensitive information, and having staff avoid posting images and videos of their students online.

School Web Filtering Technology from TitanHQ

The benefits of implementing school web filtering technology are clear, but choosing the most cost-effective controls can be a challenge. Appliance based web filters involve a significant initial cost, there is ongoing maintenance to consider, the need for on-site IT support in many cases, and as the number of Internet users increases, hardware upgrades may be necessary.

TitanHQ offers a more cost-effective and easy-to-manage solution – the 100% cloud-based web filter, WebTitan. WebTitan Cloud and WebTitan Cloud for WiFi make filtering the Internet a quick and easy process. To start filtering the Internet and protecting students from harmful web content, all that is required is to point your DNS to WebTitan. Once that simple change has been made, you can be filtering the Internet in minutes.

Both solutions can be easily configured to block different categories of website content, such as pornography, file sharing websites, gambling and gaming websites and other undesirable website content. The solutions support blacklists, allowing phishing and malware-infected sites to be easily blocked along with all webpages identified by the Internet Watch Foundation as containing images of child abuse and child pornography.

These powerful web filtering solutions require no software updates or patching. All updates are handled by TitanHQ. Once acceptable Internet usage policies have been set via the intuitive web-based control panel, maintenance only requires occasional updates such as adding legitimate webpages to whitelists. Even blacklists are updated automatically.

WebTitan also supports remote learning. All students’ devices can be protected while connected to a school’s wired or wireless network. To extend protection beyond the school gates, a WebTitan On-The-Go (OTG) roaming agent can be installed on devices. This will ensure that the content filtering policy will apply no matter where that device connects to the Internet.

If you are keen to implement school web filtering technology for the first time or are unhappy with your current provider, contact the TitanHQ team today and register for your no-obligation Free Trial and see the benefits of WebTitan for yourself before making a decision about a purchase.

Fake Software Updates Used to Install Invisible Man Malware

A new mobile malware threat has been discovered – Invisible Man Malware – that is being installed via fake software updates. Invisible Man malware is a keylogger that has been designed to obtain banking credentials. While the malware is not new – it has been around for four years – it is frequently updated, with a new variant discovered that takes advantage of the accessibility services on Android devices.

As the name suggests, Invisible Man malware runs silently on infected devices, unbeknown to the user. The malware is an overlay that sits atop legitimate banking apps and intercepts inputs as they are entered on the device. It also allows the attackers behind the malware to intercept text messages, in particular those used for two-factor authentication and codes sent by banks to authorize transactions.

Once installed on a device, it has administrator rights to all Android accessibility services, is installed as the default SMS app, and has rights to send and receive SMS messages, make calls, and access contacts on the phone. It can also take screenshots and prevents itself from being uninstalled, according to Kaspersky Lab.

Invisible Man malware has been developed for attacks in Australia, France, Germany, Poland, Singapore, Turkey and the UK, working as a keylogger over 63 banking apps. All data collected is immediately transferred to its C2 server.

Kaspersky Lab reports that Invisible Man malware is primarily being installed on devices using fake software updates, specifically fake Flash Player updates on malicious websites via a downloaded apk file.

Beware of Fake Software Updates

The latest attacks highlight an important point. If you receive a warning on screen telling you that your software is out of date, don’t click and download the update. In this case, the user will be asked to confirm installation, and will be required to provide this app with administrator rights to accessibility services.

Fake software updates are one of the most common methods used to distribute malware, bloatware, adware, ransomware and other nasties.

Given the frequency of software updates now being released to address recently found vulnerabilities, your software may actually be out of date. However, you should visit the vendor’s website and check whether you have the latest version installed. If not, download the update directly from the vendor’s website.

Fake software updates are usually offered via popups – windows that appear when you access a website. They commonly feature flashing GIFs and stern warnings of the risks of not updating your software immediately. Warnings that your computer has already been infected with malware are also common.

Warnings do not only appear when surfing the Internet; spammers use the same tactics via email. The emails often carry the same logos, color schemes and branding as the legitimate software vendor and look highly realistic.

However, you should not trust any email asking you to download an executable, part with login credentials or provide other sensitive information, even if it is sent from someone you know.

Cybercriminals Generate Ransomware Profits of $25 Million in 2 Years

A new study has shown that cybercriminals have generated ransomware profits in excess of $25 million over the past two years, clearly demonstrating why cryptoransomware attacks have soared. There is big money to be made in this form of cyber extortion. The bad news is that with so many organizations paying to recover their files, the ransomware attacks will continue and will likely increase.

Ransomware attacks are profitable because users are still failing to back up their data. Google’s figures suggest that even though the threat of data deletion or encryption is high, only 37% of computer users back up their data. That means if ransomware encrypts files, the only option to recover data is to pay the ransom demand.

Figures from the FBI estimated ransomware payments to have exceeded $1 billion in 2016; however, it is difficult to accurately calculate ransomware profits since the authors go to great lengths to hide their activities. Ransomware profits are difficult to track and companies are reluctant to announce attacks and whether payment has been made.

There have been two notable exceptions. The South Korean hosting company Nayana was attacked and had 153 Linux servers and 3,400 customer websites encrypted; the firm paid 1.2 billion Won – approximately $1 million – for the keys to unlock the encryption. More recently, a Canadian company has reportedly paid a ransom of $425,000 to recover its files, although the identity of the firm is still unknown.

Now, a study conducted by Google, with assistance from Chainalysis, the University of California at San Diego, and New York University’s Tandon School of Engineering has shed some light on actual ransomware profits. The study involved an analysis using blockchains and Bitcoin wallets known to have been used to collect ransomware payments. The researchers also used reports from victims and monitored network traffic generated by victims of ransomware attacks to help track where payments were sent.

The study looked at the top 34 ransomware strains and determined more than $25 million has been collected in the past two years. 95% of payments were cashed out using the Bitcoin trading platform BTC-e.

Google has calculated Locky has earned $7.8 million in ransom payments over the past 24 months – 28% of the total payments made. Cerber is in second place with $6.9 million, followed by CryptoLocker on $2 million and CryptXXX and Sam Sam, both on $1.9 million. Spora ransomware may not have made it into the top five, although Google researchers warn that this is an up-and-coming ransomware variant and one to watch over the coming months.

In recent months Cerber ransomware has become the most widely used ransomware variant. The success of Cerber ransomware can be attributed to the skill of the developers in developing a ransomware variant that can evade detection and the affiliate model used to distribute the ransomware – Ransomware-as-a-Service (RaaS).

RaaS means any number of individuals can conduct ransomware campaigns. Kits are offered to anyone willing to conduct campaigns. Little technical skill is required. All that is required is a lack of moral fiber and the ability to send spam emails distributing the ransomware. Affiliates receive a percentage of the ransomware profits.

WannaCry ransomware certainly caused something of a storm when the worldwide attacks were conducted in May, and while there were more than 200,000 victims worldwide and some 300,000 computers affected, a flaw in the design meant the attacks could be halted and relatively few ransom payments were made. The ransomware profits from these attacks were calculated by Google to be around $100,000.

Ransomware profits from NotPetya were low, although making money was never the aim. NotPetya appeared to be ransomware, although it was actually a wiper. A ransomware demand was issued, but it was not possible to recover data on infected machines. Once this became clear, ransoms were not paid.

The success of Locky, Cerber and CryptXXX is due to the skill of the developers at evading detection. These ransomware variants are constantly evolving to stay one step ahead of security researchers. In the case of Cerber, the researchers discovered thousands of new binaries are being detected each month. There are 23,000 binaries for Cerber and around 6,000 for Locky. In total, the study involved an analysis of 301,588 binaries. The malware variants are capable of changing binaries automatically making detection difficult.

Ransomware attacks may still only make up a small percentage of the total number of malware-related incidents – less than 1% – but the threat is still severe and the attacks are likely to continue, if not increase. As long as it is profitable to develop ransomware and/or use existing ransomware variants, the attacks will continue.

Kylie McRoberts, a senior strategist with Google’s Safe Browsing team, said “Ransomware is here to stay and we will have to deal with for a long time to come.”

Adobe Flash Plug-In Death Date Confirmed as December 31, 2020

It has been a long time coming, and we are not quite there yet, but Adobe Flash is about to die. The long, slow, drawn-out death of Adobe Flash will continue for another three years yet, with Adobe finally confirming that it will be pulling the plug by December 31, 2020. By then, all updates for Adobe Flash will stop and we will all enter a Flash-free age.

Until then, Adobe is committed to working with partners to ensure Flash remains as secure as possible and updates will continue until that time. However, Adobe is already trying to encourage businesses to start switching to other standards such as HTML5.

The decision to finally put Flash out of its misery was made because other platforms and technology have “matured enough and are capable enough to provide viable alternatives to the Flash player,” according to Adobe.

In 2005, Flash was on 98% of all computers, and even three years ago it was being used by 80% of desktop users on a daily basis. Today, helped in no small part by the serious security flaws in the platform and the switch from PCs to mobile devices, usage has fallen to just 14%.

Google no longer supports Flash and has not done so on Android since 2012. Apple has never supported the plug-in on its mobile devices, and Firefox, Chrome, Edge and Safari no longer run Flash content automatically. Even Internet Explorer will disable Flash by default in 2019, ahead of its official death date the following year.

Of course, just stopping updates does not mean that Flash will cease to exist. But given the rate that vulnerabilities in Flash are now being discovered, anyone still using Flash by 2020 will be wide open to attack as soon as the updates stop. However, by then there will be far fewer websites using Flash and fewer devices with the Flash plug-in installed.

The Internet will most likely be a safer place without Flash, but what will happen to all the hackers who are currently developing exploits for Flash vulnerabilities? They will not simply retire. Instead they will put their efforts into something else. What that is, of course, remains to be seen.

Three years may seem like an awfully long time, but there are still many businesses that continue to use Flash and have yet to migrate to other standards. Flash is still extensively used by educational institutions for training programs, while web-based gaming websites will also need time to transition.

Govind Balakrishnan, Adobe’s vice president of product development, pointed out the importance of Flash saying, “Few technologies have had such a profound and positive impact in the Internet era.” That is certainly true, but all good things must come to an end and few will be sorry to see Flash finally die. The end came long ago, but at least now there is an official date when the final nail will be hammered into the coffin.

More than 500,000 Systems Infected with Stantinko Malware

Stantinko malware may only have recently been detected, but it is far from a new malware variant: it has been in use for the past five years. During that time, Stantinko malware has spread to more than 500,000 devices and has been operating silently, adding infected systems to a large botnet, with the majority of infected machines in Russia and Ukraine.

The botnet has primarily been used to run a largescale adware operation. The malware installs the browser extensions Teddy Protection and The Safe Surfing, which appear to users to be legitimate apps that block malicious URLs. These apps are legitimate if downloaded via the Chrome Web Store, but they are not if they are installed by Stantinko. The Stantinko versions contain different code that is used for click fraud and ad injection.

ESET reports that additional plugins known to be installed by Stantinko malware include Brute-Force and Search Parser, which are used for Joomla/WordPress brute force attacks and to anonymously search for Joomla/WordPress sites. Remote Administrator is a fully functional backdoor, and Facebook Bot can generate fake likes, create new accounts, or add friends on Facebook, virtually undetected.

While click fraud is the primary goal of the attackers, Stantinko malware can perform a wide range of functions, since it includes a loader that enables threat actors to send any code to an infected device via their C2 server and run it.

ESET researchers say the malware uses Windows services to perform backdoor activities and brute force attacks on WordPress and Joomla websites. Once access is gained, the attackers sell on the login credentials to other cybercriminal groups, according to ESET. That’s not all. ESET says Stantinko malware could be used to perform any task on an infected host.

The malware and botnet have remained undetected for so long due to their ability to adapt to avoid being detected by anti-malware solutions. The malware also uses code encryption to avoid detection. Users would be unlikely to realize that anything untoward was happening on their machine. The tasks performed by the malware involve low CPU activity and do not slow an infected device considerably.

Infection is believed to occur through illegal file sharing, especially the downloading of pirated software. ESET notes that infections have occurred through fake torrent files that are actually executables.

Removal of the malware is not straightforward. The malware installs two Windows services, each of which is capable of reinstalling the other service if one is deleted. If for any reason that process fails, the attackers can reinstall those services via their C2 server.

The discovery of Stantinko malware highlights the danger of failing to prevent employees from accessing file sharing websites at work. The downloading of pirated material, even accessing torrent files, has the potential to infect enterprise networks with malware. Even if anti-virus and anti-malware solutions have been deployed, there is no guarantee that malware will be detected.

Organizations can protect against these types of attacks by implementing a web filtering solution and blocking access to file sharing websites and torrent sites. If these sites cannot be accessed and pirated software downloads are blocked, infection can be prevented.

Privacy Concerns Raised Over New UK Porn Filtering Controls

UK porn filtering controls are expected to be introduced next year to make it harder for minors to access – accidentally or deliberately – pornographic material over the Internet. The government has proposed a new requirement that will make it mandatory for all sites hosting adult or pornographic content to conduct age verification checks before adult content is displayed.

From April next year, a yet to be decided regulator – most likely the British Board of Film Classification – will be able to block websites hosting pornography if they do not conduct checks to ensure visitors are over the age of 18. Blocks are likely to be applied at the ISP level and the sites could be barred from taking credit card payments from the UK if they do not comply.

The change to UK porn filtering controls would mean minors would be prevented from accessing pornographic material. Digital minister Matt Hancock explained the move would mean the “UK will have the most robust internet child protection measures of any country in the world.”

While many adult websites ask the user if they are over 18 before content is displayed to prevent accidental access, further controls would be required to verify age. One of the easiest ways to do that is by forcing the visitor to submit their credit card details. In the UK, it is not possible for individuals under the age of 18 to be issued with a credit card.

The new UK porn filtering controls have been welcomed by some groups – the National Society for the Prevention of Cruelty to Children (NSPCC) for example – but the move has raised many concerns.

Age verification checks are likely to result in the operators of the websites maintaining a database of site users, even individuals who do not pay for access. The database is likely to include not only details supplied in the verification checks, but also profiling and viewing histories. It is possible that large volumes of highly sensitive data could be collected on millions of users.

Any website that collects sensitive consumer data is a target for hackers. The databases that could be built by adult content providers would be an even bigger target. Not only could information be used for fraud, the data could be used for blackmail and extortion. One only needs to look back to the Ashley Madison data breach in 2015 to see the damage that can be caused when the databases of adult websites are hacked.

That breach resulted in personal information being exposed along with details of sexual preferences and other highly sensitive information. The fact that a user was registered on a website used to arrange extramarital affairs made the exposure of personal information even worse. The stolen information was subsequently used by criminals to blackmail users and led to many public shaming incidents. In some cases, exposed users of the site committed suicide as a direct result of the breach.

The Open Rights Group has spoken out about the proposed changes to UK porn filtering controls. Jim Killock, director of the Open Rights Group, said “The Government has repeatedly refused to ensure that there is a legal duty for age verification providers to protect the privacy of web users.” Now, the change “could lead to porn companies building databases of the UK’s porn habits, which could be vulnerable to Ashley Madison style hacks.”

Killock also pointed out, “There is also nothing to ensure a free and fair market for age verification. We are concerned that the porn company MindGeek will become the Facebook of age verification, dominating the UK market.” Were that to happen, the company would be able to decide the level of profiling that takes place, the level of controls it sees fit to introduce to protect data and what privacy risks UK citizens would face.

NotPetya Ransomware Believed to be Camouflaged Disk-Wiper

The NotPetya ransomware attacks on Tuesday this week initially looked like another WannaCry-style attack. They used similar NSA exploits to spread infections, ransoms were demanded and like WannaCry, the attacks rapidly spread around the globe. However, closer inspection of NotPetya ransomware has revealed that all may not be as it first appeared.

The purpose of ransomware is to lock files with powerful encryption to prevent them from being accessed. A ransom demand is then issued. Payment of the ransom is supposed to be followed by delivery of the keys needed to decrypt the files. Organizations get their files back. The attackers get a big payday.

There have been many cases in which ransomware has encrypted files, yet the attackers were not capable of supplying the keys. These attacks have tended to be conducted by amateurs, or show that the authors were sloppy and failed to check that decryption was possible.

If attackers do not make good on their promise to supply valid keys to unlock the encryption, word will soon spread on social media and security websites that paying the ransom will not enable organizations to recover their files. That means the campaign will likely not be profitable.

Developing a new ransomware variant is not a quick and easy process. It does not make sense for a threat actor to go to all the trouble of developing ransomware and devising a sophisticated multi-vector campaign to spread it, but then forget about the essential elements that make it possible to receive ransom payments. That is, unless the aim of the campaign is not to make money.

In the case of the recent NotPetya ransomware attacks, the actors behind the campaign appear to have made some serious errors if making money was their aim.

To begin with, the ransom demand was only $300 per infected machine, which is well below the current average payment demanded by ransomware gangs.

The errors themselves were numerous. Petya ransomware, which NotPetya closely resembles, provides the victim with an installation ID. That ID is unique to the victim and is used to determine who has paid the ransom. In the latest attacks, the IDs consisted entirely of random characters. As Kaspersky Lab explained, that means it is not possible for the attackers to identify the victims that pay up.

Successful ransomware campaigns use a different Bitcoin address for each victim, yet only one Bitcoin account was used by the attackers. The email address used by the attacker was hosted by Posteo. The German firm quickly shut down that account, meaning it was not possible to check who had paid. That would be a serious oversight by the attackers, who surely must have suspected that would occur.

NotPetya ransomware also does not encrypt individual files. Like Petya, it replaces and encrypts the Master File Table (MFT). However, NotPetya ransomware corrupts the MFT, wiping out the first 24 sector blocks. Petya ransomware did not do that; its modifications could be reversed. As a result, NotPetya causes permanent damage, ensuring recovery is not possible.

These factors suggest that Petya was modified and turned into a wiper to cause permanent damage rather than to make money. That would suggest this was a state-sponsored attack designed to cause major disruption. Given the extent to which Ukraine was attacked, that country appears to be the main target. As for who was responsible for the attack… that has yet to be established. However, many people in Ukraine have strong suspicions.

Domain Shadowing Crackdown Sees 40,000 Malicious Subdomains Taken Down

Hackers have been phishing for domain credentials and using the stolen logins to access website accounts and create malicious subdomains, a process called domain shadowing. Those subdomains are then used as gates that redirect users to sites loaded with the RIG exploit kit.

The RIG exploit kit probes for vulnerabilities in web browsers and exploits flaws to download malware. Those malware downloads usually occur silently, without the user’s knowledge. All that is required for infection is an out-of-date browser or plugin and for the victim to be directed to a website hosting the exploit kit. RIG has primarily been used to download banking Trojans and Cerber ransomware. While use of the exploit kit is nowhere near the level of Angler prior to its demise, RIG is now the leading exploit kit used by cybercriminals, and activity has increased sharply in recent months.

Cybercriminals have been generating traffic to the malicious subdomains using malvertising campaigns, that is, malicious adverts sneaked onto third-party ad networks. Those ads are then syndicated across a wide range of high-traffic websites and redirect visitors to the malicious subdomains. Other techniques used to drive traffic to the sites include malicious Chrome popups and iframes inserted into compromised WordPress, Drupal and Joomla! websites.

Tens of thousands of subdomains have been created on legitimate websites that have been compromised by hackers. Cybercriminals are understood to have been obtaining login credentials to websites using malware.

The subdomains were mostly created on websites hosted by GoDaddy. The domain registrar has been working with RSA Security and independent security researchers to identify the compromised websites and take down the subdomains. In total, around 40,000 subdomains were taken down in May.

While this takedown is certainly good news, it is unclear how much of an effect it will have on RIG EK operations, as little is known about the RIG infrastructure and the total number of websites that have had malicious subdomains added. However, RSA Security says these takedowns have resulted in “a significant loss of capabilities to RIG operations”. RSA and GoDaddy are working to prevent cybercriminals from using domain shadowing and are monitoring for newly created subdomains. It is unclear if sites registered through other domain registrars have been targeted in a similar way.

Domain shadowing is a problem because content filters typically have problems identifying malicious subdomains on a genuine website. Since the subdomains only remain active for around 24 hours before being shut down, cybercriminals can avoid domain blacklisting.

However, content filters can prevent users from visiting known malicious websites and they offer protection against webpages hosting exploit kits. They can also be configured to block the downloading of specific file types.
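The short-lived subdomain pattern described above is something a site owner can watch for in their own resolver or passive DNS logs. The following is an added example, not code from the article, RSA or GoDaddy; it assumes a constructed log format of `<ISO timestamp> <client_ip> <queried name>`, a hypothetical apex `example-shop.test` and a hypothetical allowlist of owner-operated hosts, and flags any other subdomain, marking those seen only within a roughly one-day window.

```python
"""Flag candidate domain-shadowing subdomains in DNS query logs.

Added example, not code from the article, RSA or GoDaddy. It assumes a
constructed log format '<ISO timestamp> <client_ip> <queried name>' and
flags subdomains of a monitored apex that its owner does not operate,
noting which were only seen within the roughly one-day window the
article attributes to shadowed subdomains.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log; apex and labels are hypothetical.
SAMPLE_LOG = """\
2017-05-02T08:00:00 10.0.0.5 www.example-shop.test
2017-05-02T08:01:00 10.0.0.6 cdn.example-shop.test
2017-05-02T08:05:10 10.0.0.7 mail.example-shop.test
2017-05-02T09:12:44 10.0.0.9 k3dj2s.example-shop.test
2017-05-02T09:13:01 10.0.0.9 k3dj2s.example-shop.test
2017-05-03T07:59:30 10.0.0.5 www.example-shop.test
2017-05-03T10:02:17 10.0.0.12 k3dj2s.example-shop.test
2017-05-05T08:01:00 10.0.0.6 cdn.example-shop.test
"""
# Hosts the site owner is known to operate (constructed allowlist).
KNOWN_HOSTS = frozenset({"www", "mail"})

def parse_log(text):
    """Yield (timestamp, client_ip, qname) from the constructed log format."""
    for line in text.splitlines():
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")

def suspicious_subdomains(text, apex, known_hosts=KNOWN_HOSTS,
                          max_life=timedelta(hours=36)):
    """Map each non-allowlisted subdomain of `apex` to its first/last sighting,
    hit count and whether every sighting fell inside `max_life` (short_lived)."""
    suffix = "." + apex.lower()
    seen = defaultdict(list)
    for ts, _client, qname in parse_log(text):
        if qname.endswith(suffix):
            label = qname[: -len(suffix)]
            if label not in known_hosts:      # owner-operated hosts are skipped
                seen[label].append(ts)
    report = {}
    for label, stamps in seen.items():
        first, last = min(stamps), max(stamps)
        report[label] = {"first_seen": first, "last_seen": last, "hits": len(stamps),
                         "short_lived": last - first <= max_life}
    return report
```

A long-lived unknown label (here `cdn`) still appears in the report so it can be reconciled against the owner's inventory, while the `short_lived` flag singles out labels that match the create-use-abandon pattern.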

Organizations are also strongly advised to ensure browsers and plugins are kept up to date, especially Java, Silverlight and Adobe Flash plugins. To download malware, the RIG exploit kit most commonly leverages the CVE-2015-8651 vulnerability, although other commonly used exploits target CVE-2016-0189, CVE-2015-2419, and CVE-2014-6332.