Web Filtering

Web filtering is an ideal solution to prevent Internet users from visiting unsafe websites that potentially harbor viruses and malware. A web filter works by comparing a request to visit a website against a list of predetermined parameters. If the request fails to meet the criteria defined by those parameters, the request is denied.

This process prevents Internet users from accessing websites they have been invited to visit in a phishing email or when clicking on an advertising link. Web filtering can also be configured to prevent cyberslacking, to block certain types of files from being downloaded or bandwidth-hogging web applications from being used.

To find out more about how your organization can strengthen its online defenses, enhance productivity and limit bandwidth loss, speak with one of our team today about web filtering.

Watering Hole Attacks Deliver Keylogger and Malware Loader

A watering hole attack, as the name suggests, is a cyberattack involving a place that is frequently visited. A threat actor uses a website that is often visited by the targeted business or individual and malware is loaded to that site and will be inadvertently downloaded or executed when a user lands on the site. The website is usually compromised by exploiting an unpatched vulnerability or by obtaining website administrator credentials.

These attacks are often conducted by Advanced Persistent Threat (APT) actors in cyber espionage campaigns and one such campaign has recently been detected that has been attributed to the Chinese APT group tracked as TA423 which delivers the JavaScript-based reconnaissance tool, ScanBox. The campaign targets offshore energy firms that operate in the South China Sea.

While watering hole attacks often see malware written to disk, this campaign is different as ScanBox is executed in the web browser and requires no malware to be downloaded. Once executed, ScanBox logs keystrokes and records all activity on the infected website, including any passwords that are entered. As is often the case with these watering hole attacks, the user is directed to the website via a phishing email. In this campaign targeted individuals receive messages requesting collaboration that appear to have been sent by an Australian media organization – the fictional Australian Morning News. The website to which the user is directed includes news content that has been scraped from legitimate news outlets and landing on the site will see the user served with the ScanBox framework, which is used for reconnaissance and browser fingerprinting.

In addition to collecting information about the browser, operating system, extensions, and plugins, the attack sets up Interactive Connectivity Establishment (ICE) communications with STUN servers, allowing communication with victim devices without having to go through network address translation (NAT) gateways and firewalls.

Watering hole attacks have been conducted by a range of different APT groups and these attacks have been the initial access vector of choice for Iranian threat actors for several years. Earlier this year, a campaign was detected that targeted Israeli websites and attempted to collect data from logistics companies involved with shipping and healthcare, and attempted to deliver malware that provided persistent access to victim devices.

Watering hole attacks can also be conducted by cybercriminal groups for distributing malware and one such campaign was recently detected that targets law firms with the goal of delivering Gootloader malware, a first-stage malware loader that can be used for delivering a variety of malware payloads. Rather than using phishing emails to drive traffic to a malicious site, compromised WordPress websites were used. Once access to the websites was gained, the threat actors used search engine optimization (SEO) techniques targeting specific search terms that are likely to be used by law firms. The SEO techniques used ensured that the malicious websites appeared high in the search engine listings for searches for legal information online, especially legal contact templates.

Defending against watering hole attacks requires a defense-in-depth strategy that includes end-user security awareness training, web filtering to block access to known malicious websites, endpoint detection software, and spam filters. TitanHQ can help by providing several of these layers, including the SafeTitan security awareness training and phishing simulation platform, the WebTitan DNS-based web filter, and SpamTitan email security.

For more information, give the TitanHQ team a call. Product demonstrations can be arranged on request, and all TitanHQ cybersecurity solutions are available on a no-obligation, 100% free trial.

ChromeLoader Malware on the Rise: How to Prevent Infection

ChromeLoader is a family of malware that is extremely prevalent and persistent. The malware installs malicious browser extensions, and removing them can be problematic because the malware blocks access to the Google Chrome extension list, so the malicious extensions cannot be removed even if they are discovered. These malicious extensions are used to deliver unwanted ads and to redirect users to websites that they would otherwise not visit. At best, infection is a nuisance; however, the malware increases the attack surface of a system and can easily lead to other malware being delivered.

ChromeLoader was first observed in January 2022 and infections are now extremely widespread. The malware is most commonly spread via sites that offer pirated software – torrents and warez sites – with the malware usually delivered through infected ISO image files. Several campaigns have been detected that advertise pirated software, games, and movies on social media networks, especially Twitter, with the posts/tweets including links to download sites. When the installation file is downloaded and installed, the user will likely get the software, operating system, or game they are expecting, but ChromeLoader and/or other malware will also be installed.

A new ChromeLoader distribution campaign has recently been detected by HP’s Wolf Security team. They report that the campaign has been active since at least March 2023 and delivers ChromeLoader, which installs a malicious adware browser extension called Shampoo. Shampoo performs unwanted redirects to a variety of websites, including fake giveaways, games, and dating sites. These redirects can simply be annoying, but they also risk further malware infections. The malicious browser extension is also difficult to uninstall, as the user is prevented from accessing Chrome Extensions. If the user does manage to uninstall the adware, it is simply reloaded via a Windows scheduled task when the device is rebooted. According to HP, this campaign uses a network of malicious websites that offer pirated material. The download sites deliver VBScripts that execute PowerShell scripts, which fetch Shampoo and install the malicious Chrome extension. While this campaign only installs adware at present, tactics could change, and more damaging malware could be delivered.

While ChromeLoader could be distributed in multiple ways, the primary method of delivery is via pirated software, so the easiest step to take to prevent infection is never to download pirated material and to only install software/operating systems from official sources. Businesses should implement controls to prevent illegal software downloads. These downloads carry a high risk of installing malware, and pirated software is also a legal risk. Businesses should also implement controls to prevent the use of shadow IT – IT solutions that are installed without the knowledge of the IT department – as they can introduce vulnerabilities that can be exploited by malicious actors.

The IT department should have a list of all versions of software and operating systems used by the company. When patches or updates are released, the IT department will need to ensure that the company is running the latest versions. If the IT department is unaware that employees have downloaded programs, vulnerabilities could easily go unaddressed. Employees may install additional software to make their jobs easier and improve productivity, but it introduces considerable security and legal risks.

How to Prevent ChromeLoader Infections

One way that businesses can control shadow IT and prevent ChromeLoader infections is to implement a web filter such as WebTitan Cloud. WebTitan Cloud is used to control access to the Internet. Categories of websites can be blocked, such as torrents/warez sites, along with other risky websites that serve no work purpose. URLs and domains that are known to be malicious are blocked automatically. WebTitan is constantly updated with new malicious websites as soon as they are discovered. WebTitan Cloud can also be configured to block certain file downloads from the Internet, such as executable files that are used to install software (.msi, .iso, etc.) to control shadow IT, along with other executable files that are often used for malware installation (.js, .exe, etc.).
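The three controls described in this section and in the other web filtering sections of this page (a known-malicious domain blocklist, category blocking, and blocked download file types), as an added example that is not WebTitan code. Every domain, category, allowlist entry and log line below is constructed; a DNS-based filter sees only the hostname, so the file-type rule is the one that needs the full URL.

```python
"""Minimal web-filter policy evaluator: category blocking, a known-malicious
domain blocklist and blocked download file types. This is an added example,
not WebTitan code; every domain, category and log line below is constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed policy data (assumed values, not a real threat feed).
MALICIOUS_DOMAINS = {"malware-dl.example", "phish-login.example"}
CATEGORY_OF_DOMAIN = {
    "torrent-tracker.example": "torrents/warez",
    "p2p-share.example": "peer-to-peer",
    "news-site.example": "news",
    "vendor-updates.example": "software",
}
BLOCKED_CATEGORIES = {"torrents/warez", "peer-to-peer"}
# Installer and script types the page names as common shadow-IT and malware carriers.
BLOCKED_DOWNLOAD_EXTENSIONS = {".msi", ".iso", ".js", ".exe"}
# Constructed exception: the IT department's approved software source.
DOWNLOAD_ALLOWLIST = {"vendor-updates.example"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def registrable_match(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None.

    Walking the labels from the left means cdn.malware-dl.example is caught by a
    list entry for malware-dl.example, while malware-dl.example.org is not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def file_extension(path):
    """Extension of the last path segment; the query string is never consulted."""
    last = path.lower().rsplit("/", 1)[-1]
    return last[last.rfind("."):] if "." in last else ""


def evaluate(url):
    """Decide whether a request is allowed and say which rule decided it."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    # 1. Threat intelligence: known-malicious domains always lose, subdomains included.
    hit = registrable_match(host, MALICIOUS_DOMAINS)
    if hit:
        return Decision(False, "known malicious domain " + hit)
    # 2. Category policy (acceptable-use controls).
    category = CATEGORY_OF_DOMAIN.get(registrable_match(host, CATEGORY_OF_DOMAIN), "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return Decision(False, "blocked category " + category)
    # 3. Download file-type control, unless the host is an approved software source.
    ext = file_extension(parts.path)
    if ext in BLOCKED_DOWNLOAD_EXTENSIONS and not registrable_match(host, DOWNLOAD_ALLOWLIST):
        return Decision(False, "blocked download type " + ext)
    return Decision(True, "allowed (" + category + ")")


# Constructed proxy-log lines: "<user> <url>".
SAMPLE_LOG = [
    "alice https://news-site.example/story.html",
    "alice http://news-site.example/files/setup.exe?id=1",
    "bob https://torrent-tracker.example/office.torrent",
    "bob http://cdn.malware-dl.example/update.pdf",
    "carol https://vendor-updates.example/patch.msi",
    "carol http://unknown-host.example/tool.ISO",
]


def filter_log(lines):
    """Apply the policy to each log line; returns (user, url, allowed, reason)."""
    results = []
    for line in lines:
        user, url = line.split(maxsplit=1)
        decision = evaluate(url)
        results.append((user, url, decision.allowed, decision.reason))
    return results


if __name__ == "__main__":
    for user, url, allowed, reason in filter_log(SAMPLE_LOG):
        print("ALLOW" if allowed else "BLOCK", user, url, "->", reason)
```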

WebTitan Cloud is easy to implement and requires no additional hardware, configuration is very straightforward, and this is a low-cost solution that will provide excellent protection against web-based threats. For more information on WebTitan Cloud or to arrange a product demonstration, give the TitanHQ team a call. WebTitan Cloud is also available on a free trial to let you put the solution to the test before deciding on a purchase.

Review Your Cybersecurity Strategy to Ensure it is Still Effective

There has been an increase in the use of information-stealing malware by cybercriminals. Infostealers are typically installed to steal a range of sensitive data from a user’s device, such as system information, usernames and passwords, and cryptocurrency wallets. Infostealers typically have keystroke logging capabilities, allowing usernames and passwords to be obtained, which are then exfiltrated to the attacker’s command and control server, allowing the user’s accounts to be accessed.

In 2022, cybercriminals increasingly used these types of malware in their attacks on businesses. The latest information stealers have been developed specifically for this purpose and instead of targeting individual accounts, they are being used for much more extensive attacks on businesses, and steal system information and session cookies that allow multifactor authentication controls to be bypassed.

If the malware is installed, changing passwords will have little effect, as the attacker will already be in the system. Multifactor authentication can prevent stolen credentials from being used to access accounts, but modern malware is capable of stealing session cookies allowing accounts to be accessed. While multifactor authentication is important, it is not effective if the system has already been compromised. Further, phishing kits are now used that are capable of obtaining session cookies and bypassing multifactor authentication.

Phishing attacks have also become more sophisticated and it is now common for a wide range of malicious attachments to be used for distributing malware and directing users to malicious websites. While Office documents are commonly used, now compressed files, ISO files, ZIP files, OneNote files, image files, HTML files, and more are used for malware distribution, many of which are not blocked by email security solutions. To protect against these new malware variants and multifactor authentication-bypassing phishing attacks, businesses need to rethink their protections.

An email security solution is required to block malware delivery via email and to identify and block the phishing emails that are used for credential theft. Email security solutions will block previously seen phishing emails and are regularly updated with the latest threat intelligence; however, many are not effective at detecting zero-day threats. An email security solution with machine-learning capabilities is required to block more of these new threats, and for malware protection, sandboxing is required in addition to standard antivirus protection. Any attachments that pass AV inspection – which looks for signatures of known malware – are sent to the sandbox for behavioral analysis. This allows zero-day malware threats to be identified and blocked. SpamTitan has AI/machine learning capabilities and provides AV protection and sandboxing.

Even advanced email security solutions such as SpamTitan should not be used in isolation, as no email security solution will block every threat. Email security solutions will massively reduce the number of malicious emails that are delivered to inboxes, but will not block SMS-based phishing attacks and web-based attacks. One way of improving protection is to use a web filter. A web filter is used to carefully control access to the Internet and can restrict access to websites that serve no work purpose. Web filters are updated with the latest threat intelligence and will block access to known malicious websites, and can be configured to block downloads of risky files from the Internet. They will also significantly improve protection against malicious hyperlinks in emails, providing time-of-click protection. WebTitan Cloud is one of the easiest web filters to implement, and can be set up in just a few minutes and will protect against cyberattacks over the Internet.

Multifactor authentication is important and will protect against the majority of automated attacks on accounts, but not all MFA is the same. The latest phishing kits can steal session cookies and bypass multifactor authentication controls. Businesses should consider implementing phishing-resistant MFA based on FIDO standards, as this will provide a much higher degree of protection.

An often neglected layer of security is security awareness training. Businesses are increasingly realizing the importance of security awareness training and more businesses now provide training to their employees, but providing once-a-year training sessions is not enough. Security awareness training needs to be regular if it is to be effective, so training courses should run continuously throughout the year. A modular course that delivers training every month in short sessions will be far more effective than a once-a-year training session. Businesses should also provide targeted training, with training courses developed based on an individual’s role and the threats they are likely to encounter. Phishing simulations should also be conducted to identify areas where training is not proving to be effective and to allow targeted training to be provided to individuals who fail to recognize threats. TitanHQ can help in this area through the SafeTitan security awareness training and phishing simulation platform.

With cyberattacks increasing in number and sophistication, there is no better time to revise your defenses than now. For more information on how you can improve your defenses against phishing, malware, business email compromise, and other cyberattacks, give the TitanHQ team a call.

Common Web-Based Attacks That You Should Be Protecting Against

Cybercriminals have a diverse arsenal for conducting attacks. Phishing is a leading attack vector used by ransomware gangs, nation-state threat actors, and other cybercriminals, and even the protection provided by multifactor authentication is now being bypassed in some sophisticated campaigns. Unpatched vulnerabilities are often exploited to gain access to networks, then there are brute force attacks to guess weak credentials, but many attacks are conducted over the web.

Common Web-Based Threats

Malicious adverts are added to advertising networks, which see the adverts displayed in the third-party ad blocks on many of the most popular websites. Termed malvertising, these adverts redirect users to malicious websites where malware is downloaded or to phishing content. The adverts often advertise fictitious software solutions, which users are tricked into downloading and installing. Oftentimes, genuine programs are installed, albeit with malware installed in the background.

Despite the controls Google has in place for detecting malicious content, some malicious ads are displayed in the search engine listings. These malicious adverts are displayed at the top of the Google listings, so can attract considerable traffic. In the fall of 2021, one such campaign targeted cryptocurrency investors, and saw losses incurred of more than $500,000 before Google detected and removed the malicious adverts from its Google Ads platform.

Malicious websites are also displayed in the search engine listings for specific business searches, with SEO poisoning techniques used to get the sites to appear high up in the listings. These websites may only have a short shelf life before they are detected and removed from the listings, but they are added in such volume that they do pose a significant risk. These campaigns are commonly used for distributing malware, with users tricked into thinking they are downloading the content or program they have been searching for.

Another common web-based attack involves pirated software and copyright-infringing material that is added to peer-to-peer file-sharing networks, where the user is tricked into installing the malware in the belief they are getting licensed software for free. The product activators or cracks used for generating license codes often install malware in the background. Users may get the genuine software they are seeking, but malware is silently installed in the background.

Another tried and tested web-based attack – which has been used by cybercriminals for almost as long as the web itself – is known as typosquatting or URL hijacking. Typosquatting targets careless typists. The threat actor registers a swathe of domains that are very similar to the domains used by the brands they are spoofing. These domains often have transposed letters – Microsfot.com, for instance – or are registered with missing or additional letters.

These websites do not need to appear in the search engine listings, as they target people who type the website into the address bar. Since these websites may look almost identical to the sites they spoof, they can be very convincing. These campaigns are especially effective for targeting mobile users, as misspellings are much easier to make on mobile phones and users are much less likely to check the URL after typing.
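A detection-side check for the domain variations described above (transposed, missing, extra or substituted letters, plus a few common look-alike character swaps), as an added example that is not WebTitan code: it scores each queried name in a DNS log against a protected brand list. The brand list and log lines are constructed, and the two-label registrable-domain rule is an assumption.

```python
"""Lookalike-domain check for the typosquatting patterns described above:
transposed, missing, extra or substituted characters in a brand's domain, plus
a few common homoglyph swaps. Added example, not WebTitan code; the brand list
and DNS log lines are constructed."""

# Constructed list of brands to protect (assumed values).
PROTECTED_BRANDS = ("microsoft.com", "paypal.com", "tiktok.com")

# Character sequences that render like another letter at a glance.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize(name):
    """Fold common homoglyphs so rnicrosoft.com and paypa1.com compare as the brand."""
    for glyphs, letter in HOMOGLYPHS:
        name = name.replace(glyphs, letter)
    return name


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: one insertion, deletion, substitution
    or adjacent transposition costs 1, so microsfot.com is 1 from microsoft.com."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def registrable(host):
    """Last two labels of the hostname. Assumes simple TLDs; a production tool
    would consult the public suffix list so that names under co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host, brands=PROTECTED_BRANDS, max_distance=1):
    """Return (verdict, brand, distance): 'legitimate' for the brand itself or its
    subdomains, 'lookalike' within max_distance after homoglyph folding, else 'unrelated'."""
    reg = registrable(host)
    if reg in brands:
        return ("legitimate", reg, 0)
    best_brand, best_dist = None, None
    for brand in brands:
        dist = damerau_levenshtein(normalize(reg), normalize(brand))
        if best_dist is None or dist < best_dist:
            best_brand, best_dist = brand, dist
    if best_dist is not None and best_dist <= max_distance:
        return ("lookalike", best_brand, best_dist)
    return ("unrelated", None, None)


# Constructed DNS query log: "<timestamp> <client> <queried name>".
SAMPLE_DNS_LOG = [
    "2023-06-01T09:00:01 10.0.0.12 login.microsoft.com",
    "2023-06-01T09:00:04 10.0.0.12 microsfot.com",
    "2023-06-01T09:01:10 10.0.0.33 paypa1.com",
    "2023-06-01T09:01:45 10.0.0.33 www.example.org",
    "2023-06-01T09:02:22 10.0.0.51 rnicrosoft.com",
]


def scan_log(lines):
    """Flag lookalike queries as (client, queried name, brand, distance)."""
    flagged = []
    for line in lines:
        _, client, qname = line.split()
        verdict, brand, dist = classify(qname)
        if verdict == "lookalike":
            flagged.append((client, qname, brand, dist))
    return flagged


if __name__ == "__main__":
    for client, qname, brand, dist in scan_log(SAMPLE_DNS_LOG):
        print(client, qname, "looks like", brand, "(distance", dist, ")")
```

Flagged names are candidates for review or for adding to a blocklist, not proof of malice: a distance of 1 from a short brand name will also match unrelated legitimate domains.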

Last weekend, a massive typosquatting campaign was discovered that included more than 200 separate domains, each of which was a clone of the brand being spoofed or a very close approximation. The domains included common misspellings and typos of 27 different brand names, including PayPal, Snapchat, Google Wallet, the Tor Project browser, and TikTok. In this campaign, the goal was to trick visitors into downloading Windows or Android malware – a banking Trojan called ERMAC that targets accounts and cryptocurrency wallets.

These are just a few examples of web-based attacks and despite the risks posed by these types of attacks, many businesses do not have the cybersecurity solutions in place to detect and block these threats. Security awareness training will go a long way toward improving defenses against these attacks and should be provided regularly to the workforce. Businesses should also consider implementing a web filter.

A web filter is a software solution that allows businesses to control the content their users can access, like a parental control filter that prevents minors from accessing age-inappropriate content. The web filter is fed extensive threat intelligence from a global network of endpoints. When a malicious site is detected, it is added to the blocklist and any attempt to connect to the site will be prevented.

Web filters such as WebTitan Cloud, TitanHQ’s DNS-based web filter, will also scan websites and score them on their potential to be malicious. This provides protection against new URLs that have yet to be detected as malicious. WebTitan Cloud can also be configured to block downloads of certain file types, such as executable files that are used to install “shadow IT” – software unauthorized by the IT department – and malware. Content can also be blocked by category, to help improve productivity and prevent access to inappropriate web content such as pornography.

Importantly, WebTitan Cloud protects businesses from all of the above web-based attacks. For more information on web filtering, to arrange a product demonstration, or to sign up for a free trial of the solution, give the TitanHQ team a call.

Erbium Malware: Dangerous New Information Stealer Being Distributed via Warez Sites

A dangerous new malware called Erbium is being advertised on hacking forums and has the potential to become a major threat. Erbium malware is an information stealer with extensive functionality, which is offered under the malware-as-a-service (MaaS) model.

MaaS provides hackers with an easy way to conduct attacks. The MaaS operators develop their malware and lease it out, usually charging a weekly, monthly, or annual subscription. The MaaS operator provides detailed instructions on how to conduct attacks, which means the malware can be used without having to become a programming expert. In fact, many MaaS operations make conducting attacks incredibly easy, requiring little in the way of technical skill. After signing up to use the malware, it can be operated via the web-based UI, where users can access the data stolen by the malware. Oftentimes, live chat is available to help resolve any issues.

Currently, one of the most popular information stealers available under the MaaS model is the RedLine Stealer, which is a highly capable malware variant that can be purchased or rented under a subscription model. The malware can steal information from browsers such as autocomplete data and saved credentials, steal from FTP and IM clients, and from cryptocurrency wallets. The latest variants allow users to upload and download files. RedLine has proven very popular; however, it is quite expensive.

Erbium malware is disrupting the market, offering broadly the same capabilities as RedLine but for a fraction of the cost. Initially, Erbium malware was being advertised at just $9 per week, although due to the popularity of the malware the price was increased to $100 per month. Even with the increase, the malware is far cheaper than RedLine, and based on user feedback, it is proving very popular with the cybercrime community.

Erbium malware is a work in progress, but it already has extensive capabilities. The malware can steal information from browsers such as saved credentials, cookies, credit card numbers, and autofill information. It can steal from cryptocurrency wallets installed on web browsers and attempts to steal from a wide range of cold desktop cryptocurrency wallets. The malware can also steal 2FA authentication codes from EOS Authenticator, Authy 2FA, Authenticator 2FA, and Trezor Password Manager, and steal Steam and Discord tokens, and Telegram auth files. The malware can profile the host and exfiltrate data via its API system to the command-and-control server. Users can log in to the UI and get an update on infections and access their stolen data.

As is quite common, the malware is distributed via fake software, fake cracks, and cheats for video games, so the best way to prevent infection is not to download these, and to only download software from reputable sources. Businesses can take additional steps to reduce risk, with the best defense being a web filtering solution.

Web filters are fed threat intelligence and incorporate blacklists of known malicious websites, such as sites used for distributing malware. They can also be configured to block access to certain categories of websites, such as warez sites and peer-to-peer file sharing networks, where pirated software, cracks, and product activators are made available.

Web filters allow businesses to enforce their acceptable internet usage policies and block web-based attacks, such as phishing, and malware downloads over the Internet, with WebTitan Cloud one of the easiest web filters to implement and use. WebTitan Cloud takes just a few minutes to set up and configure, and requires no technical skill to operate. Users can gain full visibility into the online activities on the network, including real-time views of Internet access, and can easily block malware downloads and restrict access to risky websites to prevent unauthorized software downloads.

WebTitan Cloud is an award-winning DNS-based web filter that is consistently highly rated on independent business software review sites and allows businesses to easily improve their security posture and reduce legal risk. The full product is available on a free trial, with full product support provided throughout the trial. For more information about web security and content control with WebTitan Cloud, give the TitanHQ team a call today.

Why Businesses Should Take Steps to Block Pirated Software and Product Activators

Software can be expensive, which is why many people choose to download pirated software. Naturally, downloading pirated software is illegal, but many people think there is little chance of getting caught, especially if they do not use their own computer to download the software. Most people have access to a computer at work, and that is a common place where pirated software is downloaded, both for home use and for using unauthorized software at work.

Employees at small- to medium-sized businesses may struggle to get authorization to purchase certain software due to the high license cost, even though the use of that software may make employees’ jobs easier. It is not uncommon for employees to go behind their employer’s back and simply download a pirated version of the software they want. The Business Software Alliance conducted a study that suggested 39% of software on computers is unlicensed, and another study suggested 3 in 10 employees use software at work that their employers do not know about. Not all of these ‘shadow IT’ tools will be pirated, as many are available for free, but this is a concern.

Free software may only be free for consumer use. Business use often requires a paid license, and if a license is not purchased businesses are exposed to legal risk. Any software that is installed without the knowledge of the IT department will mean patches for the software to fix known vulnerabilities may not be installed – that would be the responsibility of individual users, not the IT department. Vulnerabilities could remain unaddressed that could potentially be exploited by threat actors to gain access to the user’s device or provide a foothold for a more extensive compromise.

There is also a risk of malware being introduced. This is especially risky with pirated software, which is often bundled with adware, spyware, potentially unwanted programs (PUPs), and malware, which are either included with the software or are installed via software cracks and product activators.

Software cracks and product activators are well-known for installing malware. KMSPico is a software piracy tool that is used for activating all features of Windows and Microsoft Office without requiring a license key. The tool uses Windows Key Management Services (KMS), which is a legitimate feature of Windows that is used to license Microsoft products across an enterprise network. This is achieved by installing a KMS server and through Group Policy Objects. KMSPico emulates a local KMS server to fraudulently activate the software.

Many anti-malware solutions detect KMSPico as potentially malicious, for good reason. The tool can disable antimalware products to prevent it from being detected, and that alone can open the door for malware. Further, there are many versions of KMSPico available online, and identifying a clean version can be a challenge. There are versions available for download that have been bundled with malware, including the Cryptbot stealer. The Cryptbot stealer is commonly packaged with KMSPico and other product activators and cracks. The user will get KMSPico, but malware will be silently installed in the background.

Cryptbot stealer is a dangerous malware that can perform a range of functions, including stealing data from web browsers such as Opera, Chrome, Firefox, and Vivaldi. The malware steals browser histories, passwords, credit card information, cookies, and cryptocurrency wallets. The Cryptbot stealer has also recently been updated to make it stealthier and a more effective stealer and it can now search for file paths and exfiltrate a range of files. The Cryptbot stealer is far from the only malware distributed in this manner and malware delivery is not limited to KMSPico. Many cracks and warez are used to install malware.

There are steps businesses should take to make it harder for employees to download pirated software. To prevent downloads from the Internet, WebTitan can be installed. WebTitan is a DNS-based web filter that is used to control the web content that can be accessed by users of business networks. At its simplest, businesses can use the category-based controls to block access to certain categories of websites where pirated software is downloaded, such as peer-to-peer file-sharing networks, and any other undesirable categories of websites. WebTitan can also be configured to prevent the downloading of certain files associated with malware, including software installers and other executable files.

It is also important for IT departments to create a full inventory of software to identify any pirated or unauthorized software that has already been installed. This will allow them to remove potentially risky software and to ensure all legitimate software is identified and included in the patch management policy.

Malicious QR Codes are Being Used for Phishing and Malware Distribution

Cybercriminals are constantly developing new tactics to trick individuals into divulging sensitive information or installing malware. One of the latest tactics to be observed is the use of QR codes to direct people to malicious websites where sensitive information is harvested or to sites hosting malware.

A QR code is a machine-readable matrix barcode that is often used for tracking products in a supply chain, but in recent years has been adopted as a convenient way to direct people to web resources without them having to enter a URL or click a link. QR codes have been widely adopted during the COVID-19 pandemic for carrying out contactless operations, such as registering attendance at a venue and viewing menus in restaurants, to help prevent the spread of COVID-19.

Many smartphones have built-in QR code readers, and apps can be downloaded for free to allow QR codes to be read. When a smartphone camera picks up a QR code, the user will be directed to whatever web resource has been programmed into the code. While QR codes have many important uses, they can easily be tampered with to direct individuals to malicious websites.

Phishing emails often contain links to malicious websites that have been masked by changing the text in the hyperlink. Hovering the mouse pointer over the hyperlink on a computer will display the URL to which the user will be directed; however, with a QR code the user may be instantly directed to the website and could be prompted to enter their banking credentials, Microsoft 365 credentials, or other sensitive information.

Since QR codes are often used to direct individuals to hosted files, such as PDF restaurant menus, it would be easy to trick people into downloading malicious files through QR codes. The malware could provide a cybercriminal with access to the victim’s mobile device, allowing them to steal sensitive information such as passwords or bank account information.

Many businesses use QR codes to direct customers to websites where payments can be processed, and the use of QR codes for this purpose has increased significantly during the pandemic to avoid contact with Point-of-Sale card readers. QR codes could be abused to direct customers to malicious websites that mimic those used by the business in order to steal payment card information.

The Federal Bureau of Investigation (FBI) has recently issued a warning about the increase in the use of QR codes for conducting malicious activities. The FBI emphasized that QR codes are not malicious in nature but can be abused, so precautions should be taken when using QR codes, and users should not assume that QR codes are secure.

A study conducted by Ivanti in 2021 revealed 87% of people felt secure conducting financial transactions using QR codes. Given the rise in abuse of QR codes, that confidence is worrying. As with embedded hyperlinks in emails, it is important to exercise caution and to check the URL of the resource that the user is directed to before taking any actions. The domain should be checked to ensure it is correct, and care should be taken to look for any typos or misplaced or substituted letters.

The FBI recommends checking a QR code before scanning to make sure it has not been tampered with, such as by overlaying a sticker on the original QR code. If prompted to download a file after using a QR code, be aware that the file may be malicious. If prompted to download an app, it is more secure to visit an official app store. It is also not necessary to download a separate QR scanner app on most mobile phones, and doing so increases risk. The apps may be malicious, and many automatically direct users to a resource without requiring confirmation or providing information about the URL that the user will be directed to.

Businesses can protect their corporate-owned devices against QR code scams by installing a web filter. A web filter such as WebTitan can be used to prevent mobile devices from being used to visit malicious websites or web pages that violate acceptable internet usage policies. WebTitan will protect against any redirect to a malicious website, whether via a link in a phishing email or QR code and will also block malware downloads and potentially malicious files.

Phishing Campaign Uses Spoofed Government Unemployment Websites for Fraud and Malware Distribution

A phishing campaign has been identified that uses spoofed unemployment benefits websites to trick people into disclosing sensitive personal and financial information. These websites have been designed to closely resemble official U.S. government websites that are used to apply for unemployment benefits.

Individuals arriving on the websites are prompted to enter personal and financial information as part of the claims process. The information provided can be used by the scammers to file fraudulent unemployment benefits claims and have payments directed to their accounts. The credentials and information harvested through the sites can also be used or sold to other cybercriminals to commit identity theft and fraud, with some of the sites used for installing malware onto victims’ devices, including ransomware.

The U.S. Federal Bureau of Investigation (FBI) has received an increased number of complaints about these scams through its Internet Crime Complaint Center in recent weeks, prompting the FBI to issue an alert about the scams. At the time of issuing the alert, the FBI had identified 385 domains hosted on the same IP address, 8 of which impersonated official government websites that host unemployment benefit platforms. Those sites have a .xyz top-level domain (TLD) rather than .gov, and mostly impersonate state-level websites.

The malicious websites include employ-nv[.]xyz, gov2go[.]xyz, illiform-gov[.]xyz, mary-landgov[.]xyz, and newstate-nm[.]xyz, which were all still active at the time of the alert, along with employ-wiscon[.]xyz, marylandgov[.]xyz, and newstatenm[.]xyz which are no longer active.

Campaigns such as this are nothing new, but the number of complaints received about the scams is increasing, as are the number of reported cases of identity theft. Figures from the U.S. Federal Trade Commission show identity theft reports doubled between 2019 and 2020, with more than 1.4 million reports received last year.

Several steps can be taken to avoid becoming a victim of these scams. It is important to exercise caution when visiting any website and to ensure that the spelling of the web address is correct and the website has a .gov TLD. The U.S. government does not use .xyz TLDs on its websites.

While the padlock icon next to a URL is a sign that the site has an SSL certificate and the connection between the browser and the website is encrypted, it does not indicate the website is genuine. Cybercriminals often obtain SSL certificates for their websites to make them appear to be legitimate. The padlock should be present before any sensitive data is disclosed to avoid interception of that information, but other checks should be performed to make sure the site is genuine.

Malware downloads can be blocked by using antivirus software, which should be set to update automatically. Any security updates should be applied promptly, and browsers and plugins regularly updated to the latest version. To prevent stolen credentials from being used to access accounts, multi-factor authentication should be implemented and strong passwords should be set on accounts.

It is important to stop and think before taking any action suggested on a website or in an email. In the case of the latter, never open attachments in emails or click links to websites in messages from unknown individuals. Even if an email appears to have been sent by a trusted individual, checks should be performed on the email header information, especially in unsolicited messages.

Many of these campaigns target individuals, but employees are often targeted in phishing attacks that seek email credentials and other sensitive business information. In addition to providing security awareness training to the workforce and implementing an advanced email security solution such as SpamTitan, businesses should consider implementing a web filter.

WebTitan is a powerful DNS-based web filtering solution that is used by many businesses and Managed Service Providers to improve Internet security. Web filters are used to control the content that users can access over wired and wireless networks. They block attempts to visit known malicious websites, can be configured to block access to risky categories of websites, and also block malware downloads. They serve as an important extra layer of security to block phishing attacks and provide greater protection than email security solutions alone.

If you want to improve protection against phishing and web-based attacks, give the TitanHQ team a call today to find out more about SpamTitan Email Security and WebTitan Web Filtering.

If you already have email and web security solutions in place, you might be surprised to find out that you can get the same or better protection at a much-reduced price with TitanHQ solutions.

Widespread Phishing Campaign Uses Open Redirects and CAPTCHA Verification Page

A widespread phishing campaign has been identified that uses a range of tricks to fool end users and spam filters, with the ultimate goal of stealing Office 365 credentials.

Office 365 credentials are extremely valuable. Phishers can use the compromised email accounts for conducting more extensive phishing attacks on an organization or for business email compromise scams. There is also a market for these credentials and they can be sold for big bucks to other threat groups such as ransomware gangs. Office 365 email accounts also contain a wealth of sensitive data that can easily be monetized.

This campaign involves a range of social engineering techniques to fool end users into believing the emails are genuine. Well-known productivity tools such as SharePoint are impersonated, with the emails claiming to be collaboration requests. Zoom has also been spoofed to make it appear that the recipient has been invited to attend a meeting. The emails include the correct logos, and closely resemble the genuine requests they impersonate.

The emails direct users to a phishing webpage where users are required to enter their Office 365 credentials. Those phishing pages include the correct Microsoft logo and styling and appear genuine, other than the URL of the page. The scammers have also used CAPTCHA verification pages that need to be completed to prove the user is a human rather than a bot. The CAPTCHA adds legitimacy to the campaign and gives an illusion of security, whereas its real purpose is to prevent automated security solutions from crawling and identifying the phishing content.

After passing the CAPTCHA challenge, the user is presented with a fake Office 365 login prompt. After entering their credentials, they are presented with a fake error message and are prompted to re-enter the password. This additional step helps to ensure that the correct password is captured. After completing that step, the user is sent to a legitimate domain advising them that the email message has been released.

The campaign also abuses open redirects to fool end users and security solutions. An open redirect is a legitimate tool that is commonly used in marketing campaigns, where companies want to track responses to email messages and direct users to specific landing pages. The URL to which the user initially tries to connect may be on a trusted domain, so if the user hovers their mouse pointer over the link, they may be convinced that the URL is genuine; however, the redirector then sends the user on to a malicious URL that the attackers have supplied as a query parameter.
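The following added example (not TitanHQ or WebTitan code) shows the two sides of the open-redirect problem described above: a mail-filter check that unmasks the external host hidden in a redirect parameter on a trusted domain, including chained redirectors, and the server-side validation that stops a site's own redirect parameter from being abused. The trusted hosts, parameter names and sample links are constructed for the demonstration.

```python
"""Detect open-redirect abuse in email links and validate redirects server-side.

Added illustration for the campaign described above; not TitanHQ or WebTitan
code. Hosts, parameter values and sample links are constructed assumptions.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

# Hosts whose tracking redirectors a mail filter would otherwise trust (constructed).
TRUSTED_HOSTS = {"trusted-mailer.example", "partner-redirector.example"}


def _as_absolute(value: str) -> str:
    """Decode residual percent-encoding (double-encoded parameters are common)
    and give scheme-relative '//host/path' values a scheme so urlsplit() sees a host."""
    v = unquote(value).strip()
    return "https:" + v if v.startswith("//") else v


def _embedded_host(value: str) -> str:
    """Return the hostname a parameter value would send the browser to, or ''."""
    v = _as_absolute(value)
    if not v.lower().startswith(("http://", "https://")):
        return ""
    try:
        return (urlsplit(v).hostname or "").lower()
    except ValueError:  # malformed netloc such as 'http://[bad'
        return ""


def find_redirect_targets(url: str, trusted_hosts=TRUSTED_HOSTS, depth: int = 5):
    """List (parameter, external host) pairs for a link on a trusted host whose
    query string carries a URL pointing at some other host.
    Redirectors chained through several trusted hosts are followed up to `depth` hops."""
    findings = []
    if depth <= 0:
        return findings
    try:
        parts = urlsplit(url)
    except ValueError:
        return findings
    if (parts.hostname or "").lower() not in trusted_hosts:
        return findings  # not a trusted-domain link, so there is nothing to unmask
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        target_host = _embedded_host(value)
        if not target_host:
            continue  # ordinary parameter, not an embedded URL
        if target_host in trusted_hosts:
            # Another trusted redirector: look inside it for the real destination.
            findings.extend(find_redirect_targets(_as_absolute(value), trusted_hosts, depth - 1))
        else:
            findings.append((name, target_host))
    return findings


def scan_links(links, trusted_hosts=TRUSTED_HOSTS):
    """Map each link to the external hosts it really leads to; an empty list
    means the trusted-domain link stays on trusted domains."""
    return {link: [host for _, host in find_redirect_targets(link, trusted_hosts)]
            for link in links}


def is_safe_redirect(target: str, site_host: str) -> bool:
    """Server-side check for a site's own redirect parameter: accept only a
    same-site relative path or an absolute http(s) URL whose host is site_host."""
    t = unquote(target).strip()
    # '//host' and '/\host' are treated as scheme-relative by browsers, so reject them.
    if t.startswith("/") and not t.startswith(("//", "/\\")):
        return True
    try:
        p = urlsplit(t)
    except ValueError:
        return False
    # hostname ignores userinfo, so 'https://site@evil.example' resolves to evil.example.
    return p.scheme in ("http", "https") and (p.hostname or "").lower() == site_host.lower()


# Constructed sample links of the kind described in the campaign above.
SAMPLE_LINKS = [
    # Trusted tracking redirector carrying the phishing page as a parameter.
    "https://trusted-mailer.example/track?id=42&url=https%3A%2F%2Fcaptcha-verify.example%2Fo365",
    # Same redirector pointing back at itself: benign.
    "https://trusted-mailer.example/track?id=43&url=https%3A%2F%2Ftrusted-mailer.example%2Fhelp",
    # Two chained trusted redirectors with a double-encoded, scheme-relative final hop.
    "https://trusted-mailer.example/r?u=https%3A%2F%2Fpartner-redirector.example%2Fgo"
    "%3Fnext%3D%252F%252Flogin-release.example%252Fmsg",
]

if __name__ == "__main__":
    for link, hosts in scan_links(SAMPLE_LINKS).items():
        print("EXTERNAL" if hosts else "ok      ", hosts, link)
```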

Microsoft has detected more than 350 unique domains used in the campaign, including a variety of top-level domains from different countries, legitimate domains that have been compromised by the attackers with phishing content added, as well as domain generation algorithm (DGA) domains and free email domains.

The campaign incorporates several tricks to fool email security gateways, as well as a range of social engineering techniques to fool end users. It is likely that after being fooled into divulging their credentials, victims will be unaware that their credentials have been stolen.

The techniques used in this campaign highlight the importance of adopting a defense-in-depth approach. That means implementing overlapping layers of security to counter the multiple layers of deception. In addition to an advanced spam filtering solution such as SpamTitan, it is advisable to also implement a web filtering solution.

Web filters tackle phishing by preventing access to the malicious phishing domains used in these campaigns. If a phishing email evades the email security gateway, the web filter provides time-of-click protection and can block the attempt to visit the phishing webpage. Instead of allowing the user to access the phishing page, they will be redirected to a local block page. These measures should be combined with end user training to raise awareness of the risk of phishing and to help employees identify malicious, or potentially malicious, emails. It is also recommended to implement multi-factor authentication on Office 365 email accounts.

If you want to improve your defenses against phishing attacks or have any questions about spam filtering or web filtering, give the TitanHQ team a call today. The SpamTitan Email Security and WebTitan Web Security solutions are both available on a free trial to allow you to see for yourself how effective they are at blocking threats and how easy they are to use.

Benefits of DNS Filtering with Web Filtering Myths Busted

To those unfamiliar with DNS filtering, it is a form of web filtering that is used to filter out unwanted and undesirable web content, whether that is webpages containing objectionable material such as pornographic images or cyber threats such as websites used for phishing or malware distribution.

The Domain Name System (DNS) is what makes it possible for websites to have easy-to-remember domain names. A domain name, such as google.com, is easy for people to remember, but no use to a computer, which requires an IP address to find that resource on a remote server. The DNS is used to convert a domain name into its corresponding IP address, and DNS filtering is web filtering that takes place at the DNS lookup stage of a web request before a connection is made to the server hosting the web content.

DNS Filtering Myths

DNS filtering has several advantages over standard web filtering. Filtering occurs before any content is downloaded, which is better for speed and security. With DNS filtering, there is next to no latency – page load speeds are unaffected.

Many businesses fail to appreciate the importance of DNS filtering. After all, what is the point of blocking malware and ransomware threats on the Internet when antivirus software is installed on all endpoints? While AV software is effective at blocking known malware threats, it will not block new threats that have not been seen before, as the signatures of those malware variants are not in the virus definition lists of AV software. New variants of existing malware are constantly being released to bypass signature-based AV defenses, so additional protection is needed. DNS filters can block these threats based on the reputation of IP addresses and will block downloads of file types associated with malware.

DNS filtering also improves defenses against phishing attacks, which all too commonly result in costly data breaches. Phishers are constantly devising new methods to get their emails into inboxes and trick end users into clicking on links and disclosing their credentials. Spam filters will block most of these messages but not all, and security awareness training only goes so far. A web filter will block access to phishing content and can significantly improve an organization’s phishing defenses. When links to phishing websites are clicked, the request is blocked and DNS filter logs will show which links were clicked. That can help to improve the effectiveness of spam filters and security awareness training programs.

DNS filters are also used for content control. Most businesses will have acceptable Internet usage policies in place, and employees will be aware of the risks of accessing prohibited web content, but DNS filters are ideal for enforcing those policies. They can prevent lawsuits arising from downloads of copyright-infringing cracked software and other pirated content onto the business network or users’ devices.

There is a common misconception that DNS filtering is complicated and time consuming, when that is not the case. A DNS filtering solution is actually very quick and easy to configure. Simply point the DNS to the service provider, and you can set your filtering controls quickly and easily through the user interface. WebTitan, for instance, can be up and running in around 30 minutes, and after the initial setup little ongoing maintenance is required.

Another common misconception is that DNS filters are easy to bypass. While no web filtering solution is impossible to bypass, it is fairly easy to ensure that most users will not be able to bypass the filtering controls. You just need to configure the solution to block proxies and anonymizers and lock down the DNS settings. It is also recommended to block DNS requests to anything other than your approved DNS service at the firewall for good measure.

If you have your own, locally hosted, internal DNS server, you should allow only port 53/UDP outbound requests from your internal DNS server’s internal IP address to the external IP addresses of the primary and secondary DNS servers that your internal DNS server is configured to use. That means local computers query your local DNS server, and only your DNS server queries the web filtering DNS service on the Internet.

Key Benefits of DNS Filtering

  • Block access to malicious and risky websites with no latency
  • Enforce acceptable Internet usage policies
  • Block malware downloads and file downloads associated with malware
  • Prevent users from visiting phishing websites
  • Block copyright infringing file downloads
  • Protect against zero-day malware threats
  • Have highly granular control over the content that network users can access
  • Protect employees and devices when they are working off-site
  • Stop employees from accessing productivity-draining websites

DNS Filtering with WebTitan

WebTitan Cloud offers a quick, easy, and painless way for businesses to filter the Internet and block malicious and undesirable web content. WebTitan can be used to apply filtering controls to users of wired and wireless networks, with controls effective no matter where employees use their devices to access the Internet – in the office, while travelling, or working remotely.

WebTitan Cloud uses three mechanisms for filtering the Internet. First, SURBL and URIBL filters block access to known malicious web content. Second, category filters – 53 pre-set categories plus customizable categories – block content such as pornography, gambling, gaming, and dating sites. Third, keyword filters fine-tune the category controls and block sites based on the presence of keywords and web pages that exceed certain keyword scores.

WebTitan Cloud can be configured to block certain files from being downloaded, acceptable Internet usage policies can easily be applied, and sites can be easily blacklisted using third-party blacklists, or whitelisted to ensure they can always be accessed.

When an attempt is made to visit a prohibited website, the request will be denied, and the user will be directed to a customizable local block page. All web activity is logged, and it is easy to see what requests have been made, the access attempts that have been allowed or blocked, and what content has been viewed, with extensive reporting and real time views of Internet activity.

The result is total control over what users can access and full visibility into Internet activity, while greatly improving cybersecurity by blocking web-based threats.

With WebTitan you get:

  • Best-in-class malicious URL detection
  • Malware, phishing, and ransomware protection
  • Real-time filtering
  • Instant categorization of web content
  • Infinitely scalable DNS filtering
  • Flexible policies
  • An extensive web filtering API allowing incorporation into existing monitoring systems
  • Immediate live updates
  • Zero-day updates to protect your customers as threats arise
  • No bandwidth limits
  • No latency issues
  • Remote management and monitoring
  • SSL support
  • Multiple hosting options
  • Flexible pricing policies
  • Low-cost web filtering

For more information about DNS filtering in general, the WebTitan suite of DNS filtering solutions, or to book a product demonstration or to register for a free trial, give the TitanHQ team a call.

Crackonosh Malware Turns Devices into Cryptocurrency Mining Rigs

A new malware dubbed Crackonosh is being used in attacks on gamers with the goal of hijacking the resources on their computers to turn them into cryptocurrency mining rigs.

Cryptocurrency prices have been soaring in recent months, with many reaching record prices. That makes mining cryptocurrency profitable, and even more so when using the powerful computers of gamers without their knowledge. The gamers cover the electricity costs and supply the hardware, while the coin mining profits go to the scammers.

Getting malware onto gamers’ devices is the key to this scam, and what better way to do that than to offer gamers free versions of popular games such as Grand Theft Auto V, Pro Evolution Soccer 2018, or NBA 2K19. These cracked games can be installed without having to make a purchase, with the games offered free in forums. Currently, most infections have come via forums, but games could easily be hosted on a website and traffic driven to those sites through malicious adverts in the search engines or third-party ad blocks on any number of high traffic websites.

The games are legitimate, although they have been cracked to allow them to be installed without having to purchase the game key. The correct game will be installed but bundled into the installer are several other files that will execute in the background and install Crackonosh malware, which is capable of disabling certain antivirus programs to ensure it is not detected, including Windows Defender. It also disables Windows Update to ensure that Windows Defender is not reactivated. Since the malware creates and stores an icon in the system tray, the user will most likely be unaware that their antivirus software has been disabled.

One of the main aims of Crackonosh malware is to deliver a legitimate cryptomining program named XMRig, although in this case, XMRig is used to hijack the CPU and GPU of victims’ devices and use those resources for generating cryptocurrency. Using XMRig on one gaming computer will not make much money, but at scale the operation is hugely profitable.

The malware distribution campaign has proven successful, with the malware found in more than a dozen countries, with the highest numbers of infected computers in the Philippines, Brazil, India, Poland, United States, and the United Kingdom. As of December 2020, there were more than 220,000 devices infected with Crackonosh malware and those devices had been used to generate at least $2 million in Monero coins at today’s prices.

This malware campaign targets gamers as their computers are well suited to mining cryptocurrency. Once infected, users are likely to experience a serious reduction in performance and much higher electricity bills, but cryptocurrency mining can also cause computers to overheat, components can wear out from overuse, and devices will ultimately fail.

It is not only cryptocurrency mining malware that can be installed along with cracked software. Any number of other malware variants could be delivered. Another recently identified campaign also uses cracked software as the cover but delivers a malware loader dubbed MosaicLoader. MosaicLoader is used to deliver cryptocurrency miners as well as Remote Access Trojans, cookie stealers, backdoors, and any other malware that the MosaicLoader operator sees fit to deliver.

Installing cracked software and games carries a risk of malware infections, and that is particularly bad news for businesses, especially those that have a BYOD policy or allow their employees to work remotely on corporate-issued devices.

Preventing malware infections such as Crackonosh or MosaicLoader should start with education. Employees should be told about the risks of installing cracked software or other unauthorized software on devices. Technical measures are also required. To block downloads from the Internet, it is worthwhile installing a DNS filter. DNS filters can be used to block content at the DNS lookup stage of a web request, before any content is downloaded.

They can block access to certain categories of websites – gaming sites and forums, for example – or specific files from being downloaded, such as game and software installers. DNS filters also use a variety of methods to assess whether sites are malicious and will block access to URLs and IP addresses known to be used for illegal and malicious purposes.

If you want to improve your defenses against malware, contact TitanHQ today. TitanHQ’s advanced spam filtering solution – SpamTitan – and DNS filter – WebTitan – block malware at source and keep you protected from phishing, ransomware, and other email and web-based threats.

Cost of a Ransomware Attack? $600 Million for Ireland’s Health Service Executive

Ransomware is now one of the biggest threats faced by businesses. When hackers gain access to business networks, it is now common for large quantities of data to be stolen prior to file encryption. Ransomware gangs know all too well that businesses with good backup policies will be able to restore their encrypted data from backups, but they will need to pay the ransom in order to prevent the release or sale of the stolen data. Even when files can be recovered from backups, many businesses feel they have no alternative other than paying the ransom to ensure stolen data are deleted. Data from Coveware indicates 70% of ransomware attacks now involve data theft.

Ransomware attacks are incredibly costly, even if the ransom is not paid. Universal Health Services Inc. in the United States suffered a Ryuk ransomware attack in September 2020 and the health system chose not to pay the ransom. Adding up the recovery costs, which included data restoration, cybersecurity consultants, notification letters to patients, and the loss of many services during the remediation process, the cost of the attack rose to $67 million.

While expensive, that high cost is just a fraction of the cost of the recent Conti ransomware attack on Ireland’s Health Service Executive. The May 2021 ransomware attack caused massive disruption to healthcare services in Ireland. Without access to patient records, patient safety was put at risk, non-urgent appointments had to be cancelled, and there were major delays getting test results.

A few days after issuing a ransom demand of €20 million, the Conti ransomware gang gave the HSE the decryption tools free of charge. Even with the valid tools to decrypt data, recovery has been slow and incredibly costly. It has been around a month since the tools were provided to decrypt files, but many systems are still inaccessible. HSE Chief Executive Paul Reid said it is likely to take months before all systems are brought back online.

Simply eradicating the attacker from the network and recovering encrypted data is only part of the story. IT systems need to be upgraded, security greatly improved, and a security operations center needs to be set up to monitor the network to prevent any further attacks. The initial costs incurred as a result of the attack were reported to be well over €100 million, but the overall cost of the attack is expected to rise to around half a billion Euros – around $600 million.

An attack on such a major healthcare provider is naturally going to be incredibly costly, but ransomware attacks on small businesses can be catastrophic. Following a ransomware attack, an estimated 60% of small businesses fail within 6 months. One study showed the cost of remediating a ransomware attack doubled between 2020 and 2021, with the average cost now around $1.85 million. Attacks are also increasing. An analysis of the data leak sites used by ransomware gangs by cybersecurity firm Mandiant showed there has been a 422% increase in ransomware-related data leaks between Q1, 2020 and Q1, 2021.

How to Improve Your Defenses Against Ransomware

The most prolific ransomware gangs operate under the ransomware-as-a-service model. The creators of the ransomware do not conduct attacks; instead, they employ affiliates to conduct the attacks for them. That means more attacks can be conducted. The creators run the operation and take a cut of any ransom payments generated, with the affiliates retaining the bulk of the ransom payments from their attacks.

Affiliates conduct attacks using a variety of methods and no two attacks will be exactly the same. Preventing ransomware attacks therefore requires a range of different measures to block all of the attack vectors, but the best place to start is by improving phishing defenses. Phishing emails are increasingly used as the initial entry point into business networks, so if these malicious emails can be blocked at the email gateway, they will not be delivered to inboxes where they can be opened by employees.

That is an area where TitanHQ can help. TitanHQ has developed two advanced solutions that are effective at preventing ransomware attacks. SpamTitan is a powerful email security solution that filters out malicious messages to stop them from causing harm. Rather than being delivered, emails with malicious links and attachments are quarantined.

WebTitan is a DNS-based web filtering solution that complements SpamTitan to provide even greater protection against ransomware and malware attacks. WebTitan prevents employees from visiting the malicious websites where malware and ransomware are downloaded.

Both solutions are consistently given top marks on software review sites such as G2 Crowd, with the solutions given a maximum of 5 stars by users of Spiceworks and Capterra. SpamTitan has also received over 37 consecutive Virus Bulletin Spam awards.

If you want to improve your defenses against phishing, ransomware, and web-based attacks, give the TitanHQ team a call. If you would like more information about protecting against attacks, also be sure to attend the upcoming TitanHQ/Osterman Research webinar on June 30, 2021:

How to Reduce the Risk of Phishing and Ransomware.

WebTitan OTG (on-the-go) for Chromebooks Now Available with WebTitan Cloud Update

TitanHQ has announced a new version of WebTitan Cloud has been released that brings new features and improved security.

The release of WebTitan Cloud version 4.16 has allowed TitanHQ to introduce a new web filtering solution for the education sector – WebTitan OTG (on-the-go) for Chromebooks.

The use of Chromebooks has been steadily increasing, especially in the education sector where they are a cost-effective option for schools to allow students to access the Internet. Internet access is important in education, but it is vital that students can access the Internet safely and securely. Controls need to be implemented to prevent students from accessing age-inappropriate content such as pornography, devices need to be protected from malware and ransomware, and phishing and other malicious websites should be blocked.

WebTitan OTG for Chromebooks allows IT professionals in the education sector to easily implement web filtering controls for individuals, user groups, or globally to ensure compliance with federal and state laws, including the Children’s Internet Protection Act (CIPA), and to protect their students and their devices from threats.

WebTitan OTG for Chromebooks, like other WebTitan products, is a DNS-based web filter that applies filtering controls at the DNS lookup stage of web requests. That means there is no latency – Internet speed is unaffected. Since WebTitan is entirely cloud-based, there is no need for any additional hardware and the solution requires no proxies or VPNs.

Setup is easy, and user- and device-level web filtering for Chromebooks can be set up in just a few minutes. The solution provides protection for students regardless of where the Internet is accessed – students will have access to a clean, safe, filtered Internet in the classroom and at home, and it is also easy to lock down Chromebooks to prevent any bypassing of filtering controls. Administrators also have full visibility into Internet access, including locations, web pages visited, and attempts made to visit prohibited content.

Support Added for Azure Active Directory

WebTitan Cloud version 4.16 includes DNS Proxy 2.06, which supports filtering of users in Azure Active Directory, as well as on-premises AD and directory integration for Active Directory, with further directory services due to be added to meet customers’ needs.

Current WebTitan customers will be automatically updated to the latest version of WebTitan Cloud and will have instant access to the new features and the latest fixes will be applied automatically.

“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

Worrying Number of Employees Using Work Devices for Non-Work Purposes

The pandemic forced many businesses to accelerate their digital transformation strategies to support an at home workforce and survive the pandemic; however, this new approach to working was not without risk.

Cybercriminals took advantage of companies that failed to address vulnerabilities, with some of the most widely exploited vulnerabilities in 2020 being in remote access solutions such as the Pulse Secure VPN. Brute force attacks against Remote Desktop Protocol skyrocketed as more businesses switched to remote working, and while many businesses have opened their offices once again, the brute force attacks are still occurring at levels far above those seen before the pandemic.

Threat actors also stepped up their attacks on remote workers early on in the pandemic and attacks are continuing as lockdowns persist and employees continue to work from home. Many businesses address these risks through security awareness training and teach employees cybersecurity best practices and how to identify threats such as phishing. A little security awareness can go a long way and can be the difference between a threat being recognized and avoided or a link in a phishing email being clicked without thinking by an employee.

There are many threats that businesses may not be aware of, one of which was highlighted by a recent YouGov survey. Throughout a large part of the pandemic, schools have been closed and children have been home schooled. The survey revealed a quarter of UK workers have allowed their children to use their corporate device as part of home schooling and for other purposes such as socializing and gaming.

An employee may know not to engage in risky online activities, but children using work devices for Internet access leaves businesses vulnerable to cyberattacks. The survey, conducted on 2,000 UK employees, also revealed that 70% of employees could access social media websites on their corporate devices and, despite unique passwords being one of the most fundamental aspects of security, 74% of employees said they did not use a unique password for all accounts.

During the pandemic, when employees are isolated and may be struggling with home schooling as well as working, it is understandable for employers to take a more relaxed view on the use of work computers for non-work purposes, but the risks do need to be managed. Having no visibility into Internet access and failing to implement any controls over the content that can be accessed by remote workers and other household members on work laptops is a serious risk, and one that could easily lead to a malware or ransomware attack.

One of the ways that security can be improved for remote workers is to place restrictions on the use of corporate laptops with a web filter. A web filter such as WebTitan gives IT teams visibility into the sites that their employees are accessing, which allows them to identify potential risks and apply controls to reduce those risks to an acceptable level.

WebTitan can be used to prevent downloads of certain file types to reduce the risk of a malware infection, and to block access to high-risk websites such as non-sanctioned file sharing services. Categories of website, such as social media, can be blocked at the click of a mouse, and it is straightforward to block messenger services.

WebTitan is a powerful yet easy to use security solution that can be applied to devices issued to employees no matter where they work, greatly improving security for a remote workforce as well as when employees return to the office.

For further information on improving security for remote workers, including web filtering and email security, give the TitanHQ team a call. You can also sign up for a free trial of WebTitan here and immediately reduce risk.

Network Segmentation Best Practices to Improve Internal Network Security

What is Network Segmentation?

Network segmentation is the act of dividing a computer network into smaller physical or logical components. Two devices on the same network segment can talk directly to each other. For communication to happen between segments, the traffic must flow through a router or firewall. Passing through that device allows the traffic to be inspected and security policies to be applied.

Network segmentation is one of the key mitigation strategies for protecting against data breaches and many types of cyber security threat. In a segmented network, device groups have only the connectivity required for legitimate business use, so the ability of ransomware to spread is greatly restricted. However, all too often organizations operate an unsegmented network.

Network segmentation can also help to boost performance. With fewer hosts on each subnet, local traffic is minimized. It can also improve monitoring capabilities and helps IT teams identify suspicious behavior.

If you follow network segmentation best practices and set up firewall security zones you can improve security and keep your internal network isolated and protected from web-based attacks.

Looking to get enterprise-grade protection from malware and phishing? Sign up for a free WebTitan demo today.
Book Free Demo

Network Segmentation Benefits

There are many benefits to be gained from network segmentation, of which security is one of the most important. Having a totally flat and open network is a major risk. Network segmentation improves security by limiting access to resources to specific groups of individuals within the organization, which makes unauthorized access more difficult. In the event of a system compromise, an attacker or unauthorized individual would only have access to resources on the same subnet. If access to certain databases in the data center must be given to a third party, segmenting the network lets you easily limit the resources that can be accessed; it also provides greater protection against internal threats.

Network Segmentation Best Practices

Most businesses have a well-defined network structure that includes a secure internal network zone and an external untrusted network zone, often with intermediate security zones. Security zones are groups of servers and systems that have similar security requirements; each zone consists of a Layer 3 network subnet to which several hosts connect.

The firewall offers protection by controlling traffic to and from those hosts and security zones, whether at the IP, port, or application level. There are many network segmentation examples, but there is no single configuration that will be suitable for all businesses and all networks, since each business will have its own requirements and functionalities. However, there are network segmentation best practices that should be followed. We have outlined these and firewall DMZ best practices below.

Figure: Suggested Firewall Security Zone Segmentation

In the above illustration we have used firewall security zone segmentation to keep servers separated. In our example we have used a single firewall, two DMZ (demilitarized zone) segments, and an internal zone. A DMZ is an isolated Layer 3 subnet.

The servers in these DMZ zones may need to be Internet facing in order to function. For example, web servers and email servers need to be Internet facing. Because they face the internet, these servers are the most vulnerable to attack so should be separated from servers that do not need direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is compromised.

In the diagram above, the allowed direction of traffic is indicated with the red arrows. As you can see, bidirectional traffic is permitted between the internal zone and DMZ2 which includes the application/database servers, but only one-way traffic is permitted between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been placed in a separate DMZ to the application and database servers for maximum protection.

Traffic from the Internet is allowed by the firewall to DMZ1. The firewall should only permit traffic via certain ports (80, 443, 25, etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not permitted, at least not directly.

A web server may need to access a database server, and while it may seem a good idea to have both of these virtual servers running on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and placed in different DMZs. The same applies to front-end web servers and web application servers, which should similarly be placed in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be necessary, but it should only be permitted on certain ports. DMZ2 can connect to the internal zone for certain special cases such as backups or authentication via Active Directory.

The internal zone consists of workstations and internal servers: internal databases that do not need to be web facing, Active Directory servers, and internal applications. We suggest that Internet access for users on the internal network be directed through an HTTP proxy server located in DMZ1.

Note that the internal zone is isolated from the Internet. Direct traffic from the internet to the internal zone should not be permitted.

The above configuration provides important protection to your internal networks. In the event that a server in DMZ1 is compromised, your internal network will remain protected since traffic between the internal zone and DMZ1 is only permitted in one direction.
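To make the zone rules above concrete, here is an added example (not part of the original article or any TitanHQ product) that models the single-firewall, two-DMZ layout as a policy table and decides whether a given connection may be initiated. The subnets, the internal-to-DMZ1 ports, the DMZ1-to-DMZ2 ports and the DMZ2-to-internal ports are assumptions; only the Internet-to-DMZ1 ports (80, 443, 25) and the direction rules come from the text.

```python
"""Zone policy model for the single-firewall, two-DMZ layout described above.

Constructed example: the subnets and every port set except the Internet->DMZ1
one are assumptions chosen to illustrate the rules, not values from the text.
"""
from ipaddress import ip_address, ip_network

# One Layer 3 subnet per security zone (constructed addresses).
ZONES = {
    "DMZ1": ip_network("10.1.0.0/24"),       # proxy, mail and web servers
    "DMZ2": ip_network("10.2.0.0/24"),       # application and database servers
    "INTERNAL": ip_network("10.10.0.0/16"),  # workstations, AD, internal servers
}
ANY_PORT = None

# Which zone may *initiate* a connection to which zone, and on which destination
# ports. A missing (src, dst) key means the firewall denies the flow. The one-way
# rule between INTERNAL and DMZ1 is expressed by having no ("DMZ1", "INTERNAL")
# entry; reply packets of an allowed session are handled by connection tracking.
POLICY = {
    ("INTERNET", "DMZ1"): {80, 443, 25},          # ports named in the text
    ("INTERNAL", "DMZ1"): {3128, 587, 443},       # proxy, mail submission (assumed)
    ("INTERNAL", "DMZ2"): ANY_PORT,               # bidirectional per the text
    ("DMZ2", "INTERNAL"): {88, 389, 636, 10000},  # AD auth, backup agent (assumed)
    ("DMZ1", "DMZ2"): {5432, 8080},               # web tier to app/db tier (assumed)
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the three subnets is Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide whether SRC may open a connection to DST:PORT under the zone policy."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        # Same segment: hosts talk directly and the firewall never sees the flow.
        return True
    ports = POLICY.get((src_zone, dst_zone), set())  # no entry -> empty set -> deny
    return ports is ANY_PORT or dst_port in ports


def audit(flows):
    """Return the flows the policy would deny; flows are (src, dst, port) tuples."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed sample flows: legitimate traffic mixed with the kind of cross-zone
# connections a compromised Internet-facing host would try to make.
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.1.0.10", 443),   # Internet user to web server: allowed
    ("203.0.113.5", "10.1.0.10", 22),    # SSH from the Internet to DMZ1: denied
    ("203.0.113.5", "10.2.0.10", 5432),  # Internet straight to the database: denied
    ("10.10.4.7", "10.1.0.10", 3128),    # workstation to the proxy: allowed
    ("10.1.0.10", "10.10.4.7", 445),     # web server back into the internal zone: denied
    ("10.1.0.10", "10.2.0.10", 5432),    # web server to database on its allowed port: allowed
    ("10.2.0.10", "10.10.0.5", 389),     # app server to AD for authentication: allowed
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "ALLOW" if is_allowed(*flow) else "DENY")
```

The denied entries in `audit(SAMPLE_FLOWS)` are exactly the three flows the article's rules rule out: a non-web port from the Internet into DMZ1, anything from the Internet into DMZ2, and a DMZ1 host initiating towards the internal zone. Running the same table with a single flat subnet would allow all seven, which is the difference segmentation makes.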


Risks of an Unsegmented Network

A real-world example of an unsegmented network and the resulting attack is the massive Target data breach of 2013. Reportedly, the Target breach had its origin in a phishing email opened by an employee at a small HVAC company that did business with Target. The malware lurked in the HVAC network for two months before moving on to attack the Target network.

Once inside Target’s network, the attackers were able to move laterally through it, eventually installing malware on point-of-sale (POS) terminals throughout the stores. In the wake of the attack, Target implemented network segmentation to prevent the kind of lateral movement that allowed the attackers to move through its systems in this breach.

It’s no surprise a breach this huge is massively expensive and the cleanup represents an almost overwhelming challenge. Bloomberg BusinessWeek reported that Target spent $61 million through Feb. 1 on the breach.

The damage?

  • The data of 110 million customers was compromised.
  • Over 100 lawsuits have been filed.
  • Banks have already spent $200 million related to the Target breach, and it’s unclear if there’s an even bigger payout on the horizon.

Effective network segmentation also makes it easier to detect signs of an attack. It’s not uncommon for a company’s Intrusion Detection System to generate such a large number of alerts that many go uninvestigated.

By concentrating on alerts related to sensitive parts of the network, security teams can prioritize incidents likely to be the most dangerous. Network segment traffic can also be monitored for unusual patterns or activity potentially indicating an attack.

Effective Network Segmentation Is Not Enough

Many sectors, including manufacturing, retail and industrial, are prime targets for cyberattacks. Often organizations in these sectors are not up to date in implementing key cybersecurity controls and so are not prepared for advanced and evolving attack methods.

By adhering to network segmentation best practices, you can optimize network security. There's no silver bullet to take down every attacker, but it’s possible to implement several layers of security that work together as a whole to defend against a myriad of attacks.


Layered Security to Prevent Data Breaches


Layered security allows each security layer to compound with the others to form a complete, fully functioning sphere of security. The internal network (ideally segmented) and its data are surrounded by powerful, interwoven layers that an attacker must defeat. These layers make a successful breach much harder to achieve.

Cybercriminals are already exploiting the lack of security at the DNS layer to conduct phishing attacks and gain access to proprietary enterprise data. Not securing the DNS layer is making it far too easy for hackers to take advantage. Securing the DNS layer is a straightforward process that requires no additional computer hardware or even any software installations. Many vendors now offer cloud-based DNS filtering solutions that can be set up in minutes.

Isn’t it about time you started securing the DNS layer and making it much harder for cybercriminals to compromise your network? If you’re looking to get enterprise-grade protection from malware and phishing, check out WebTitan Cloud DNS filtering today.


FAQs

What does network segmentation mean?

Network segmentation is concerned with dividing a network up into smaller segments called subnets. This can improve network performance and is important for security. By using firewalls between each segment, you can carefully control access to applications, devices, and databases and can block lateral movement in the event of a successful cyberattack.

What is logical network segmentation?

Logical network segmentation is a popular way of segmenting a network. Instead of segmenting physical parts of the network such as routers and access points, logical segmentation uses concepts built into network infrastructure for segmentation, such as creating virtual local area networks (VLANs) that may share physical hardware.

Is network segmentation necessary for PCI compliance?

Organizations that store, process, and/or transmit cardholder data must comply with PCI DSS. One of the requirements is to use network segmentation to keep the cardholder data environment (CDE) separate from other parts of the network. Through network segmentation, organizations can isolate credit card data from all other computing processes.

Can network segmentation protect against ransomware attacks?

Network segmentation is a best practice that can help to reduce the damage caused by a malware or ransomware attack. If a computer is compromised, attackers will attempt to move laterally and access other devices and parts of the network. With network segmentation, lateral movement is much harder, so malware can be contained and file encryption by ransomware limited.

What are the main benefits of network segmentation?

There are three main benefits of network segmentation. First is security. It reduces your attack surface and limits lateral movement in the event of a breach. Second, you can improve network performance, as traffic will be confined to the part of the network where it is required. Thirdly, it makes compliance easier by allowing you to separate regulated data from other computer systems.

TitanHQ Wins 3 Expert Insights’ 2021 Best-Of Awards for SpamTitan, WebTitan, and ArcTitan

TitanHQ has announced that three of its cybersecurity solutions have been named winners at the 2021 Expert Insights’ Best-Of Awards, beating some of the best-known email security, web security, and email archiving products on the market.

For more than 25 years, TitanHQ has been developing innovative cybersecurity solutions to protect businesses from email and web-based threats to their networks and data. TitanHQ’s multi-award-winning products are used by more than 8,500 businesses in over 150 countries, and 2,500 Managed Service Providers (MSPs) offer TitanHQ solutions to their customers to protect them from phishing, malware, ransomware, botnets, viruses, and other cyber threats.

Expert Insights is a respected website that was created in 2018 to help businesses research and select the best cybersecurity solutions to protect their networks and data from cyber threats. Through impartial product reviews, advice from cybersecurity experts, and industry analysis, IT leaders can discover the best cybersecurity solutions to meet their unique needs. The website helps more than 40,000 businesses a month with their research into cybersecurity products and services.

Each year, Expert Insights recognizes the leading cybersecurity service and solution providers and their products at the Expert Insights’ Best-Of Awards. Technical experts with decades of experience in the cybersecurity industry assess products based on several factors, including ease of use, range of features, the protection provided, and market position, as well as how each product is rated by verified business users. The top products then receive an Expert Insights’ Best-Of Award.

This year, TitanHQ was recognized by Expert Insights for the powerful threat protection provided by its products, the ease-of-use of the solutions, and their cost-effectiveness, which is why the solutions have proven to be so popular with enterprises, SMBs and MSPs looking for comprehensive protection against email and web-based threats.

“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Expert Insights CEO and Founder Craig MacAlpine. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”

WebTitan, TitanHQ’s powerful DNS-filtering solution was named a winner in the Web Security category, the SpamTitan anti-phishing and anti-spam solution was named a winner in the Email Security Gateway category, and ArcTitan was named a winner in the Email Archiving category.

“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.” 


What is DNS Filtering?

DNS filtering – or Domain Name System filtering, to give it its full title – is a technique for blocking access to certain websites, webpages, and IP addresses. The DNS is what allows easy to remember domain names to be used – such as Wikipedia.com – rather than typing in very difficult to remember IP addresses – such as 198.35.26.96. The DNS maps domain names to IP addresses to allow computers to find web resources.

How DNS Filtering Works

When a domain is purchased from a domain registrar and that domain is hosted, it is assigned a unique IP address that allows the site to be located. When you attempt to access a website, a DNS query is performed. Your DNS server looks up the IP address of the domain/webpage, which allows your browser to make a connection to the web server where the website is hosted. The webpage is then loaded. The actual process involves several different steps, but it is completed in a fraction of a second.

So how does DNS Web Filtering Work?

With DNS filtering in place, rather than the DNS server simply returning the IP address if the website exists, the request is first subjected to certain controls. DNS blocking occurs if a particular webpage or IP address is known to be malicious. The DNS filter uses blacklists of known malicious websites and the results of previous crawls of websites and web pages; if a web page or website has not previously been crawled and categorized, its content is assessed in real time. If the website being accessed is determined to be malicious or otherwise violates pre-defined policies, then instead of the user being connected to the website, the browser is directed to a local IP address that displays a block page explaining why the site cannot be accessed.

This control could be applied at the router level, via your ISP, or by a web filtering service provider. In the case of the latter, the user – a business for instance – would point their DNS to the service provider. That service provider maintains a blacklist of malicious webpages/IP addresses and access to those sites is prevented.

Since the service provider will also categorize webpages, the DNS filter can also be used to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for instance. Provided a business creates an acceptable usage policy (AUP) and sets that policy up with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there will be next to no delay in accessing safe websites that do not breach an organization’s acceptable Internet usage policies.
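The decision a filtering resolver makes before answering, as an added example that is not part of the original article or of any TitanHQ product. It models the three sources the text names (a blacklist, earlier crawl categories, and real-time assessment for uncategorized sites) plus an acceptable usage policy, and returns the block-page address instead of the real address when a request is refused. All domains, addresses, categories and the block-page IP are constructed; subdomain handling (a subdomain inherits its parent's category) goes slightly beyond the text and is an assumption about how such services usually behave.

```python
"""Policy step of a DNS-filtering resolver, as described above.

Constructed example: the domains, addresses, categories and block-page address
are made up; a real service consults its own crawl data and threat feeds.
"""
from typing import Callable, Optional, Tuple

BLOCK_PAGE_IP = "10.0.0.80"   # local block page the browser is sent to (assumed)

# Stand-in for the upstream lookup: what the authoritative answer would be.
UPSTREAM = {
    "news.example.com": "203.0.113.10",
    "www.casino.example.net": "198.51.100.8",
    "login-update.example.org": "198.51.100.7",
    "brand-new-site.example": "198.51.100.9",
}
# Known-malicious domains (constructed threat feed / blacklist).
BLOCKLIST = {"login-update.example.org"}
# Results of earlier crawls, keyed by domain; subdomains inherit the parent's category.
CATEGORIES = {"news.example.com": "news", "casino.example.net": "gambling"}
SECURITY_BLOCK = {"malware", "phishing", "botnet"}   # always blocked
AUP_BLOCK = {"gambling", "adult", "file-sharing"}    # blocked by this example's AUP

Classifier = Callable[[str], str]


def parent_domains(name: str):
    """Yield the name and each parent: a.b.example -> a.b.example, b.example, example."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(name: str, classify_uncached: Optional[Classifier] = None) -> str:
    """Return the category from crawl data, falling back to real-time assessment."""
    for dom in parent_domains(name):
        if dom in CATEGORIES:
            return CATEGORIES[dom]
    if classify_uncached is not None:
        # Stands in for fetching and assessing the page content on first sight.
        return classify_uncached(name)
    return "uncategorized"


def resolve(name: str, classify_uncached: Optional[Classifier] = None
            ) -> Tuple[Optional[str], str, str]:
    """Answer a query as (ip, verdict, reason); blocked names get the block-page IP."""
    if any(dom in BLOCKLIST for dom in parent_domains(name)):
        return BLOCK_PAGE_IP, "block", "blocklist"
    category = classify(name, classify_uncached)
    if category in SECURITY_BLOCK:
        return BLOCK_PAGE_IP, "block", f"security:{category}"
    if category in AUP_BLOCK:
        return BLOCK_PAGE_IP, "block", f"policy:{category}"
    # Allowed: hand back the real answer (None models NXDOMAIN for unknown names).
    return UPSTREAM.get(name.lower().rstrip(".")), "allow", f"category:{category}"


if __name__ == "__main__":
    for q in ["news.example.com", "login-update.example.org",
              "www.casino.example.net", "brand-new-site.example"]:
        print(q, "->", resolve(q, classify_uncached=lambda n: "phishing"))
```

Note the ordering: the blacklist is consulted before any category lookup, so a known-bad domain is refused even if a crawl once filed it under a harmless category, and the real-time classifier is only called for names no earlier crawl has seen, which is the case the text singles out.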

Block web-based threats and carefully control online activities. Sign up for a free WebTitan demo today.
Book Free Demo

Will a DNS Filter Block All Malicious Websites?

Unfortunately, no DNS filtering solution will block all malicious websites, as in order to do so, a webpage must first be determined to be malicious. If a cybercriminal sets up a brand-new phishing webpage, there will be a delay between the page being created and it being checked and added to a blacklist. However, a DNS web filter will block the majority of malicious websites.

The purpose of a web filter is to reduce risk, not eradicate it entirely. Since the vast majority of malicious web content will be blocked, risk can be significantly reduced and there will only be a low chance of a website being accessed that violates your policies.

Can a DNS Filtering Service be Bypassed?

The short answer is yes. Proxy servers and anonymizer sites could be used to mask traffic and bypass the DNS filter. Your DNS filtering service should allow you to easily block access to anonymizer websites and prevent the use of proxy servers and virtual private networks (VPNs). Configuring the DNS filtering service to block access to these services will prevent all but the most determined employees from bypassing the DNS filtering service.

The other key way of bypassing a DNS filtering service is to manually change the DNS settings locally, so it is important for these settings to be locked down. Determined individuals may be able to find a way to bypass DNS filtering, but for most end users, a DNS filter will block any attempt to access forbidden or harmful website content.

There may be a legitimate need to bypass a DNS filtering service. Some DNS content filtering solutions have a feature that allows administrators to temporarily remove content filtering controls. WebTitan Cloud uses cloud keys for this. The cloud key can be issued to a user to bypass content filtering settings for a set time period, such as if research needs to be conducted.
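The two bypass routes above (proxies/VPNs and locally changed DNS settings) both leave a trace in network flow records: a host whose DNS settings were changed stops sending queries to the filtering resolver and starts sending them elsewhere. The following is an added detection example, not part of the original article or any TitanHQ product, that flags such hosts from constructed flow records. The resolver address, the flows and the port list are assumptions.

```python
"""Flag hosts that are not resolving through the sanctioned filtering resolver.

Constructed example. Rule: if every client is configured to use the filtering
resolver, plain DNS (port 53) to any other destination, or DNS over TLS (port 853)
to anywhere, indicates a client whose DNS settings were changed or which is using
an alternative resolver to sidestep the filter.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

SANCTIONED_RESOLVERS: Set[str] = {"10.0.0.53"}   # the filtering resolver (constructed)
PLAIN_DNS_PORT = 53
DOT_PORT = 853   # DNS over TLS

Flow = Tuple[str, str, str, str, int]   # (timestamp, src_ip, dst_ip, proto, dst_port)

# Constructed flow records: two hosts behave, one talks to a foreign resolver on
# 53 (udp and tcp), one uses DNS over TLS, one just browses over 443.
SAMPLE_FLOWS: List[Flow] = [
    ("2021-03-01T09:00:01", "10.10.1.20", "10.0.0.53", "udp", 53),
    ("2021-03-01T09:00:02", "10.10.1.21", "10.0.0.53", "udp", 53),
    ("2021-03-01T09:00:03", "10.10.1.21", "198.51.100.53", "udp", 53),
    ("2021-03-01T09:00:04", "10.10.1.21", "198.51.100.53", "tcp", 53),
    ("2021-03-01T09:00:05", "10.10.1.22", "203.0.113.9", "tcp", 853),
    ("2021-03-01T09:00:06", "10.10.1.23", "203.0.113.10", "tcp", 443),
]


def find_bypass(flows: Iterable[Flow],
                sanctioned: Set[str] = SANCTIONED_RESOLVERS) -> Dict[str, List[str]]:
    """Return {src_ip: sorted findings} for hosts not using the sanctioned resolver."""
    findings = defaultdict(set)
    for _ts, src, dst, proto, dport in flows:
        if dport == PLAIN_DNS_PORT and dst not in sanctioned:
            findings[src].add(f"dns-to-unsanctioned-resolver {dst}/{proto}")
        elif dport == DOT_PORT:
            findings[src].add(f"dns-over-tls {dst}")
    return {host: sorted(f) for host, f in findings.items()}


if __name__ == "__main__":
    for host, notes in find_bypass(SAMPLE_FLOWS).items():
        print(host, notes)
```

Two caveats worth keeping in mind when turning this into a real alert: the firewall rule that blocks outbound port 53 and 853 from clients to anything but the sanctioned resolver is the cheaper control (this check then only fires on attempts), and DNS over HTTPS shares port 443 with ordinary web traffic, so it cannot be spotted by port alone; the text's advice to block anonymizer and proxy categories in the filter itself is what covers that route.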


DNS Content Filtering for CIPA Compliance

Schools and libraries in the United States are required to comply with the Children's Internet Protection Act (CIPA) in order to receive E-rate discounts and qualify for federal grants. There are several requirements of CIPA, one of the most important being to block or filter Internet access to prevent access to images that are obscene, involve child pornography or child abuse, or could otherwise be harmful to minors.

DNS content filtering is the easiest and most cost-effective way of complying with this requirement of CIPA and applying content filtering controls for both wired and Wi-Fi networks. DNS content filtering solutions require no hardware purchases, no software needs to be installed, and they are easy to implement and maintain. DNS content filtering solutions have highly granular filtering controls and allow precision control over content, without overblocking.

DNS Web Filtering Software from TitanHQ

Now that you have a better idea of how DNS filtering works, we will introduce you to WebTitan Cloud. WebTitan Cloud is a powerful, easy to implement DNS filtering solution that allows you to filter the Internet, block access to malicious content, and enforce your acceptable Internet usage policies. Being DNS-based, there are no hardware requirements and no software downloads are required. To get started you simply point your DNS to WebTitan, set your filtering parameters through an easy to use web-based interface, and you will be filtering the Internet in minutes.

WebTitan Cloud can be used to protect users on and off the network, so it is the perfect choice for protecting remote workers from online threats as well as office staff. The WebTitan DNS web filtering solution, WebTitan Cloud, is a feature-rich, cloud-based solution with a low maintenance overhead and a three-tiered filtering mechanism for maximum granularity. Universally compatible and infinitely scalable, WebTitan Cloud has SSL inspection to provide the highest level of defense against online threats.

WebTitan Cloud can be integrated with multiple management applications (Active Directory, LDAP, etc.) for easier administration. WebTitan can also be remotely configured and adjusted from any Internet-enabled device. An unlimited number of users can be filtered at any time.


Try DNS Filtering Software with SSL Inspection for Free

If you would like to evaluate the benefits of the WebTitan DNS filtering solution in your own environment, please get in touch. Our team of experienced security professionals will answer any questions you have about DNS Internet filtering and guide you step by step through the process of registering for your free trial.

Once you are registered, we will walk you through the process of redirecting your DNS to receive our service. There are no credit cards required, no contracts to sign and no commitment from you to continue with our DNS filtering software once the trial period is over. Simply call us today, and you could be adding an extra level of security to your organization’s web browsing activity within minutes.

WebTitan incorporates an intelligent AI-based component that provides real-time classification of websites for precision control over the content that can be accessed. WebTitan Cloud provides real-time categorization of over 500 million websites and 6 billion web pages in 200 languages, including coverage of the Alexa top 1 million most visited websites. Industry-leading antivirus is also incorporated to identify and block malware and ransomware threats. A full suite of reports gives you full visibility into the online activities of your employees and any guest users of your network. The reports can be scheduled or run on demand.

These and more features will allow you to block web-based threats and carefully control online activities for only a few dollars per user per year.

Why WebTitan is a Vital DNS Web Security Layer for Your Business

  • DNS Security Layer - filter URLs, detect malicious threats, create flexible policies, and more with an API-driven DNS security filter.
  • Full Path Detection - provide analytical credibility to any activity marked as malicious with page- and path-level reporting.
  • User Identification - assign custom policies to a user or group of users with uniquely identifiable user names.
  • Scalable Support - handle any volume of usage with no latency and receive support from our top-class team.
  • Reporting - full suite of reports including behavior, trend and security reports.
  • API Driven - robust API set that allows our MSP customers to easily incorporate WebTitan DNS filtering directly into their existing cloud offering.
  • URL Filtering - block access to websites known to contain malware.
  • Remote & Roaming Users - allows off-network roaming by users while continuing to apply their policy.
  • Content Filtering - highly granular content controls with multiple integration options and comprehensive malware protection.
  • AI Threat Intelligence - real-time AI-driven DNS protection from malicious online threats such as viruses, malware, ransomware, phishing attacks and botnets.

What WebTitan Customers Have to Say

"WebTitan is an outstanding tool for the most reliable content filtering. The monitoring feature of this specific product is quite unique in that it totally monitors all the process of online working and also secures all the data. Additionally, its set-up is super easy and it can be done in just a few minutes, which saves my time and energy as well." Kristie H. Account Manager

"WebTitan is fairly easy to setup. It is available as a cloud based solution or on prem. You can get as simple or as complicated with your filtering as you like, it will handle most situations with ease. [It] has provided us with a stable web filtering platform that has worked well for us for many years." Derek A. Network Manager

If you have yet to implement a web filtering solution, are unhappy with your current DNS filtering service, or you have questions about DNS content filtering, contact the TitanHQ team today and ask about WebTitan Cloud.

Why not try our web filtering solution for free?


How Does DNS Filtering Work FAQ

What 3 things are most important about employee internet access?

Employees need Internet access to complete their work duties, but three things are essential: develop an acceptable Internet usage policy and get employees to sign it; enforce that policy using a web filtering solution; and have a sanctions policy for when employees violate the rules.

Which is best, a web filtering appliance or a cloud-based web filter?

Both options will provide clean, safe Internet access, but cloud-based web filtering does not require the purchase of a costly appliance, it is more flexible and scalable, and there is no patching burden. For SMBs and MSPs, cloud-based web filtering is the easiest and most cost-effective Internet filtering solution.

Does web filtering slow Internet speed?

Some web filtering solutions involve a degree of latency, but a DNS filtering solution will not slow Internet speed, as all filtering takes place at the DNS lookup stage of a web request, before any content is downloaded. Filtering takes no longer than a standard DNS lookup, so there is no added latency.

How can I provide DNS filtering as a managed service as an MSP?

Adding the WebTitan DNS filtering service to your service stack couldn’t be easier. WebTitan can be set up in minutes, APIs allow easy integration into your existing back office systems, you will be provided with a white label version ready to take your branding, and you can even host the solution in your own environment.

How much does DNS content filtering cost?

There is considerable variation in price between different web filtering solutions. The most expensive solution will not necessarily be the best option for your business. Price depends on contract term, the number of users, and add-ons. TitanHQ’s DNS content filtering solution, WebTitan, typically costs around $1 per user, per month.

What is Cloud Web Filtering Software?

Cloud web filtering software is now an important cybersecurity measure used by businesses of all sizes, but what exactly is it and why is it important? In this post we will explain exactly what cloud web filtering is, what it is used for, and why most businesses need to use it.

What is Cloud Web Filtering?

Cloud web filtering is a software-as-a-service (SaaS) solution that acts as a semi-permeable barrier between an individual and the Internet. For much of the time, users will not know this solution is in place, as there is no noticeable delay when browsing the Internet. Websites can be accessed as if the solution was not in place.

Cloud web filtering software is only noticed by a user when they attempt to visit a website that violates their organization’s acceptable internet use policy. When a request is made to access a website that falls into a category that an employer does not permit – pornography for example – rather than connect to the website, the user will be directed to a local block page and will discover that particular website cannot be accessed due to a content policy violation.

Cloud web filtering software acts as a form of internet content control that is used to reduce productivity losses due to personal Internet use, prevent HR issues, and reduce legal liability, but a cloud web filter is not just used for restricting access to NSFW websites. It also has an important security function.

Why is Cloud Web Filtering Important?

The Internet can be a dangerous place. There are many threats lurking online that could compromise a business’s systems and lead to a costly data breach or catastrophic data loss. Malware and ransomware are often downloaded from websites, even from legitimate sites that hackers have been able to compromise. A visit to one of those malicious sites by an employee could easily result in a malware infection, and once installed on one device it could easily spread across the network.

Phishing is also a major risk for businesses. Phishing pages that imitate legitimate login portals are hosted on websites to harvest sensitive data such as Office 365 credentials, and links to those pages are sent to business email accounts.

A web filter acts as an additional layer of protection against these attacks. In contrast to antivirus software, which identifies malware after it has been downloaded, a cloud web filter blocks the connection to the site hosting the malware, so the download never starts. It also works alongside anti-spam software: when a phishing email sneaks past the spam filter, the web filter still blocks the visit to the phishing website at the moment the link is clicked.

With cloud web filter software, all filtering takes place in the cloud (on the service provider’s servers), which is important for a distributed workforce. Regardless of where an employee accesses the internet – office, home, airport, coffee shop – the cloud web filter will be active and providing protection, as long as the device sends its DNS queries to the service rather than to whatever resolver the local network hands out.

How Much Does Cloud Web Filtering Software Cost?

Cloud web filtering software is a low-cost solution that can pay for itself by preventing costly malware infections and phishing attacks and stopping productivity losses by blocking access to certain types of web content.

The cost of a cloud web filter can vary considerably from provider to provider with the price starting at around $1 per user, per month.

WebTitan: Web Filtering for SMBs, ISPs, and MSPs

TitanHQ developed WebTitan Cloud web filtering software to help SMBs and MSPs serving the SMB market control what users can access online and to protect business networks from web-based cyberattacks. The solution is quick and easy to implement, as being cloud-based, there are no software downloads. Simply point your DNS to WebTitan Cloud and you can be filtering the Internet in minutes.

Administrators can use an easy-to-use interface to configure the solution, which can be accessed through any web browser. Log in, navigate to the content control section, and you can use the checkboxes to block access to any of 53 pre-defined categories of website (and create your own categories if you so wish).

Integration with LDAP and Active Directory makes it easy to set controls for individual users, user groups, departments, or different offices. You can set time-based controls to limit bandwidth usage or ease up on restrictions at certain times of the day. Cloud keys can be generated to bypass standard controls temporarily, should you ever need access to otherwise prohibited sites.

Whitelists and blacklists are supported, downloads of certain file types can be blocked, and access to websites known to be used for malicious purposes is blocked automatically. A full suite of reports gives administrators full visibility into web access, including real-time views and automatic alerts.

AI-powered protection is provided against active and emerging phishing URLs and zero-minute threats, allowing you to sanitize Internet access and provide your employees, customers, and guest users with clean, filtered internet access.

If you have yet to start using cloud web filtering software or you are unhappy with your current provider, give the TitanHQ team a call. You can also take advantage of a 14-day free trial to try out the solution for yourself before deciding on a purchase. Product demonstrations can also be arranged on request.

WastedLocker Ransomware Delivered Using Fake Software Updates

The notorious cybercriminal organization Evil Corp, which was responsible for the Dridex and Zeus banking Trojans and BitPaymer ransomware, has started using a brand new ransomware called WastedLocker, so named because of the .wasted extension that is appended to encrypted files.

Evil Corp has been relatively quiet in recent months following the indictment of two high-profile members of the group by the U.S. Department of Justice in December 2019 for their role in the creation and distribution of Dridex and Zeus. The group bounced back with relatively low-level campaigns in January, but there has been little activity since. It appears that the time has been spent developing WastedLocker ransomware, which appears to have been mostly written from scratch.

WastedLocker ransomware was first used in May 2020 and is believed to be a replacement for BitPaymer ransomware. In the short space of time that the new ransomware has been in use, attacks have been conducted on at least 31 organizations, according to data from Symantec. Most of the victims are located in the United States; eight are Fortune 500 companies and 11 are publicly listed. Attacks have been conducted on companies operating in a wide range of industry sectors, with the manufacturing, information technology, and media and telecommunications sectors experiencing the highest number of attacks.

Evil Corp appears to be targeting large organizations with deep enough pockets to pay the sizeable ransom demand, which has ranged from $500,000 to $10 million in some cases. In contrast to many other ransomware operators, Evil Corp does not steal data prior to file encryption, although that could well change in the future. The group certainly has the technical skill to adopt that tactic, but it appears that they have refrained from doing so to stay under the radar.

WastedLocker ransomware is downloaded using the JavaScript framework SocGholish under the guise of a browser update. Symantec has identified more than 150 compromised websites that are being used as part of the campaign to deliver the ransomware payload. Once a network has been compromised, the attackers use living-off-the-land tactics, including PsExec and PowerShell, to move laterally and gain access to as many endpoints as possible. The gang has been observed using the penetration testing tool Cobalt Strike to capture keystrokes, harvest credentials, and escalate privileges before the WastedLocker ransomware is executed and files across the network are encrypted.

In addition to encrypting endpoints, the group is targeting database services, file servers, virtual machines and cloud environments to cause maximum disruption to maximize the probability of the ransom being paid. The group is careful and patient, often waiting several months before their ransomware encryption routine is triggered.

Evil Corp is one of many threat actors to have adopted ransomware, with attacks on businesses having increased over the past few months. Around 15 groups are now conducting manual ransomware attacks in which data is stolen prior to file encryption and threats are issued to publish or sell the stolen data if the ransom is not paid. This tactic has been effective, with around half of businesses paying the ransom.

The University of California San Francisco is one of the latest victims that has been forced to pay the ransom to recover data encrypted in the attack. That ransomware attack involved NetWalker ransomware, and data was stolen in that attack prior to encryption. Without access to essential research data, the university had little option other than paying the $1.14 million ransom.

Organizations are attacked in a variety of ways, often using brute force tactics on RDP or exploiting vulnerabilities in VPNs, but there has also been an increase in email-delivered ransomware and drive-by malware downloads, highlighting the need for advanced email and web security solutions, which is an area where TitanHQ can help.

Web Filtering Myths and the Truth About DNS Filtering

There are several common web filtering myths that have led businesses to believe that it is not worth their while implementing a web filtering solution. It is important to bust these myths as they are preventing businesses from adding an essential extra layer of security that can prevent downloads of malware, ransomware infections, and block phishing attacks. The failure to filter the internet is often a costly mistake.

Once upon a time, having a firewall, antivirus solution, and spam filter would ensure your business was well protected, but the sophisticated nature of today’s cyber threats and the massive increase in cyberattacks has meant that these solutions alone are no longer sufficient to block cyber threats and prevent data breaches. The key to blocking these threats is to implement layered defenses. If the outer layer fails to block a threat, other layers exist to provide protection. A web filter should be one of those layers.

Why Web Filtering is Now Essential

Finding vulnerabilities and exploiting them is a difficult and labor-intensive way of attacking a business. Attacks on employees are much easier and require far less skill. All that is needed is a carefully written email to direct an employee to a malicious website and credentials can be easily harvested and malware downloaded. You don’t need to be a skilled hacker to conduct a phishing attack or set up a website for distributing malware.

Email security solutions are great for blocking phishing attacks, but some malicious emails bypass email security defenses. Phishing emails usually have a web-based component, and various tactics are used to hide malicious URLs in emails. A web filter protects against the web-based component by providing time-of-click protection: when an attempt is made to visit a malicious website linked in an email, the web filter blocks that request. A web filter will also prevent users from reaching malicious websites through general browsing or through malvertising redirects. Without a web filter in place, there is nothing to stop an employee from visiting a malicious website.

Pervasive Web Filtering Myths

There are some pervasive web filtering myths that need to be busted, the most common of which are detailed below.

Web Filtering is Expensive

OK, so we are not going to tell you that a web filter is a zero-cost solution: you will need to pay for this extra layer of protection. But the cost is low, no hardware needs to be purchased, and what you spend pays for itself in the data breaches you prevent and the productivity gains you make. In real terms, less than $1 per user per month is all that needs to be spent to protect your users with WebTitan.

Web Filtering is Complicated

A DNS-based web filter is not complicated to set up, configure, or maintain. In fact, web filtering could not be any simpler. All you need to do is point your DNS to WebTitan. Even during the COVID-19 lockdown, making this change for all of your remote users is a simple process, and one that we can easily talk you through.

Once that small change has been made, here is what happens:

  • A user enters a web address into their browser and the browser issues a DNS query to find the address of that web resource
  • The DNS lookup is performed through WebTitan, which finds the IP address associated with the domain
  • If the domain is permitted, WebTitan returns the real IP address to the browser. If the domain is malicious or violates your organization’s policies, WebTitan returns the address of a block page instead, so no connection to the site is made and the user is presented with a page telling them why that resource cannot be accessed.

A standard DNS request goes through the same steps; all that changes with a DNS filter is that policy controls are applied to the lookup. Note that the decision is made on the hostname being looked up, because that is all DNS sees: a DNS filter cannot distinguish individual pages or URL paths within a domain.
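The lookup-time decision described above, written out as an added example. This is illustrative code for this page, not WebTitan’s implementation; the category database, threat feed, group policies, clock and every address in it are constructed. It shows the three things a practitioner usually wants to confirm: that a listed domain covers its subdomains (DNS sees hostnames, not pages), the order in which a threat feed, allow list, deny list, permanent category blocks and time-window blocks are applied, and that a blocked lookup answers with the block page address rather than silently failing.

```python
"""Added example (not WebTitan's code): the decision a DNS-layer web filter
makes for each lookup. Category data, threat feed, policies and every address
below are constructed for illustration."""
from datetime import datetime, time

# Constructed category database keyed by domain; a real service holds millions
# of entries, but the matching logic is the same.
CATEGORIES = {
    "socialsite.example": "social",
    "streamvideo.example": "streaming",
    "adultsite.example": "adult",
    "proxyhub.example": "anonymizer",
    "news.example": "news",
}
# Constructed threat feed of domains known to host phishing pages or malware.
MALICIOUS = {"login-office365-verify.example", "cdn.malware-drop.example"}
# Constructed answers standing in for the upstream resolver.
UPSTREAM = {
    "www.socialsite.example": "203.0.113.10",
    "news.example": "203.0.113.20",
    "proxyhub.example": "203.0.113.40",
    "login-office365-verify.example": "198.51.100.5",
    "intranet.corp.example": "10.0.0.5",
}
BLOCK_PAGE_IP = "192.0.2.1"  # constructed address of the block page server

# Per-group policy: categories blocked always, categories blocked only inside
# a working-hours window, and explicit allow/deny lists. Constructed.
POLICIES = {
    "staff": {
        "blocked": {"adult", "anonymizer"},
        "blocked_during": {"social": (time(9, 0), time(17, 0)),
                           "streaming": (time(9, 0), time(17, 0))},
        "allow": {"streamvideo.example"},
        "deny": set(),
    },
    "guests": {
        "blocked": {"adult", "anonymizer", "streaming"},
        "blocked_during": {},
        "allow": set(),
        "deny": {"intranet.corp.example"},
    },
}


def at(hour, minute=0):
    """Constructed clock for the examples: a weekday at the given time."""
    return datetime(2024, 3, 4, hour, minute)


def labels(qname):
    """Yield the name and each parent: a.b.example -> a.b.example, b.example, example.
    A DNS filter sees hostnames, never URL paths, so a listed domain covers all of
    its subdomains and every page on them."""
    parts = qname.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def categorise(qname):
    for name in labels(qname):
        if name in CATEGORIES:
            return CATEGORIES[name]
    return None


def is_malicious(qname):
    return any(name in MALICIOUS for name in labels(qname))


def decide(qname, group, now):
    """Return (verdict, reason); verdict is 'allow' or 'block'."""
    pol = POLICIES[group]
    names = list(labels(qname))
    if is_malicious(qname):              # threat feed beats every local setting
        return "block", "malicious"
    if any(n in pol["allow"] for n in names):
        return "allow", "allowlisted"
    if any(n in pol["deny"] for n in names):
        return "block", "denylisted"
    cat = categorise(qname)
    if cat in pol["blocked"]:
        return "block", f"category:{cat}"
    window = pol["blocked_during"].get(cat)
    if window and window[0] <= now.time() < window[1]:
        return "block", f"category:{cat} (time window)"
    return "allow", "policy"


def resolve(qname, group, now):
    """What the filtering resolver answers: the real address when allowed, the
    block page address when blocked (so the browser lands on the block page).
    None models NXDOMAIN for a name that does not exist."""
    verdict, reason = decide(qname, group, now)
    if verdict == "block":
        return BLOCK_PAGE_IP, reason
    return UPSTREAM.get(qname), reason


if __name__ == "__main__":
    for q in ("www.socialsite.example", "news.example",
              "login-office365-verify.example", "intranet.corp.example"):
        print(f"{q:35} staff -> {resolve(q, 'staff', at(10, 30))}")
```

The allow list is deliberately placed below the threat feed and above everything else: an administrator can open a blocked category for one domain, but cannot accidentally allowlist a domain the feed says is hosting malware. The returned reason string is what belongs in the filter log, since that is what you will be reading when a user reports a block.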

Web Filters are Easy to Bypass

Once you set up your DNS to point to WebTitan, every web request that depends on a DNS lookup will be subject to filtering controls. For most businesses that will be sufficient; however, web filters can be bypassed by using an anonymizer/proxy website. Connect to the anonymizer site, and through that site any other website can be accessed, thus bypassing the filter. The solution? Tick the checkbox in WebTitan to block the anonymizer category.

A web filter can be used to block the use of shadow IT by preventing downloads of unauthorized software, including unauthorized VPNs, to prevent this method of web filter bypass.

Maybe one of your employees will try to change the DNS settings on their laptop to access the unfiltered internet. This is why you need to lock down your laptops so that is not possible. You should also block, at the firewall, DNS requests to anything other than your approved DNS service. If you use an external DNS service, only allow port 53 (UDP and TCP, since DNS falls back to TCP for large answers) to the IP addresses of your chosen DNS filtering service. If you host your DNS server internally, ensure that local computers can only query your local DNS server, and that only your DNS server queries the web filtering DNS service on the Internet. Bear in mind that encrypted DNS does not use port 53: DNS over TLS uses port 853 and DNS over HTTPS rides on port 443, so a port 53 rule alone does not stop a browser or operating system configured to use a public DoH or DoT resolver. Block port 853 outbound, and control DoH through browser and OS policy or by blocking known DoH endpoints.
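An added example of the egress control just described, for the internal-resolver case, together with a check over flow records for the bypass routes it has to catch. This is illustrative code written for this page, not WebTitan’s; the resolver addresses, interface name, DoH endpoint list and the flow-log format are all constructed.

```python
"""Added example (not WebTitan's code): keeping DNS egress on the approved
path and spotting attempts around it. Resolver addresses, interface name,
flow-log format and every host below are constructed for illustration."""

# Constructed: the filtering service's resolvers, and the internal resolver
# that is the only host allowed to forward queries to them.
APPROVED_RESOLVERS = ("198.51.100.10", "198.51.100.11")
INTERNAL_RESOLVER = "10.0.0.53"
# Constructed: public DNS-over-HTTPS endpoints. DoH travels on 443, so a rule
# that only covers port 53 does nothing against it; it has to be matched by
# destination name or address instead.
KNOWN_DOH_HOSTS = {"doh.resolver.example"}


def nft_rules(lan_if="lan0"):
    """Render an nftables forward-chain fragment: the internal resolver may
    reach the filtering service on 53/udp and 53/tcp; every other DNS egress
    from the LAN, including DNS-over-TLS on 853, is logged and dropped."""
    approved = ", ".join(APPROVED_RESOLVERS)
    allowed = f'iifname "{lan_if}" ip saddr {INTERNAL_RESOLVER} ip daddr {{ {approved} }}'
    return "\n".join([
        "table inet dnsegress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    {allowed} udp dport 53 accept",
        f"    {allowed} tcp dport 53 accept",
        f'    iifname "{lan_if}" udp dport 53 log prefix "dns-bypass " drop',
        f'    iifname "{lan_if}" tcp dport 53 log prefix "dns-bypass " drop',
        f'    iifname "{lan_if}" tcp dport 853 log prefix "dot-bypass " drop',
        "  }",
        "}",
    ])


# Constructed flow records: src,dst,proto,dport,tls_sni (sni empty if none).
FLOWS = """\
10.0.0.53,198.51.100.10,udp,53,
10.0.0.77,10.0.0.53,udp,53,
10.0.0.77,8.8.8.8,udp,53,
10.0.0.91,9.9.9.9,tcp,853,
10.0.0.91,203.0.113.77,tcp,443,doh.resolver.example
10.0.0.12,203.0.113.80,tcp,443,news.example
"""


def find_bypass(flow_text):
    """Classify each flow. Returns (src, kind, dst) for every flow that takes
    DNS off the approved path: plain DNS to anyone but the internal resolver
    (or, from the resolver, to anyone but the filtering service), DNS-over-TLS,
    or TLS to a known DoH endpoint."""
    hits = []
    for line in flow_text.strip().splitlines():
        src, dst, proto, dport, sni = line.split(",")
        port = int(dport)
        if port == 53:
            ok = (src == INTERNAL_RESOLVER and dst in APPROVED_RESOLVERS) or \
                 (src != INTERNAL_RESOLVER and dst == INTERNAL_RESOLVER)
            if not ok:
                hits.append((src, "plain-dns", dst))
        elif port == 853 and proto == "tcp":
            hits.append((src, "dot", dst))
        elif port == 443 and sni in KNOWN_DOH_HOSTS:
            hits.append((src, "doh", sni))
    return hits


if __name__ == "__main__":
    print(nft_rules())
    for src, kind, dst in find_bypass(FLOWS):
        print(f"{src} -> {dst}: {kind}")
```

The rules sit in the forward hook, so they govern traffic routed through the firewall; a resolver running on the firewall host itself would need the same logic in an output chain. The flow check is the part worth running regularly: a "dns-bypass" or "dot-bypass" log entry from the firewall, or a DoH hit from a TLS inspection or SNI log, tells you which machine has been reconfigured before the user gets as far as an unfiltered site.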

No web filter is infallible, but by taking these steps it will be much harder to bypass the filter and it will be beyond the ability of most employees.

Internet Speeds will be Greatly Reduced

One of the web filtering myths that is based in fact is the slowing of internet speed. Filtering the internet can result in latency and a slowing of internet speed. If you require your users to login remotely using a VPN, then connect to your secure web gateway appliance, this will naturally result in latency. Backhauling traffic to the office, especially when your remote workers have slow home internet connections, will result in significant latency.

The solution is to use a DNS-based filtering solution for your employees’ laptops. With a DNS filter there is no backhauling of traffic: only the DNS queries go to the filtering service, the decision is made during the lookup, and web content is then fetched directly. Point your DNS to WebTitan and filtering takes place before any content is downloaded, adding nothing measurable to page load time.

Web Filtering Myths