Practical Approach Vital for Network Security

The best security against malware, spam, hacker attacks, policy breaches and other email and web threats is a layered set of defenses in which software, services, hardware and policies are incorporated to safeguard data and other assets at the network, system and application tiers. However, an obvious – but often-disregarded – layer in this cake of protection is the common sense of your staff – one of the critical layers to stop threats from gaining a foothold. As the picture says ‘just because you can, doesn’t mean you should’, this is where common sense is important.

Spear phishing is an increasing issue where a targeted false email that seems to be legitimate is sent to individuals or a company in order to obtain data. For instance e, by looking at a Facebook page of someone with whom I am not connected. I can see that she is a realtor, has listed a home at 657 Noble in [city name withheld], was born on January 26th, has a cat named Lou, is a member of the Agent Leadership Council at a southern California realty organization, likes ice skating, resides in Thousand Oaks, speaks French, and took a vacation to Orlando on February 11th. If I was a hacker intent on sending her a spearphishing email – perhaps with the intent of infecting her PC with Zeus – I could use these details to craft an email that she would be likely to click on. For example, an email with the title “Need to schedule a vet appointment for Lou” or “We mistakenly overcharged you on your recent trip to Orlando”, or maybe even a LinkedIn invitation that includes personal details, would likely get her attention and increase the possibility of her becoming a victim of a spear phisher. This is not to say that this Facebook customer lacks common sense, but the details she has posted could be used against her and her company and needs to be looked at in that light.

Spam filtering technology is successful at preventing spam emails that include links to malware sources (albeit with some spam filters more effective than others). The RSA exploit in April 2011, in which some staff members received an email with an Excel attachment, was due to spearphishing emails that were effectively quarantined by spam filtering technology, but later opened by staff members from the quarantine. A spearphishing email at the Oak Ridge National Laboratory in April 2011 was received by 530 workers, 11% of whom clicked on a malicious link. Many users are not adequately when asked for information. For instance, before last year’s royal wedding between Prince William and Kate Middleton, a Facebook hacking scam was doing the rounds asking respondents to create their royal wedding guest name. This name consisted of one grandparent’s name, the name of a first pet, and the name of the street on which the victim lived when they were younger – all likely responses to security questions one might get asked when resetting a password.

TitanHQ 2019 Schedule of MSP Roadshow Events

TitanHQ kickstarted its 2019 MSP roadshow program on February 14 with events in London and Florida. The 2019 season will see the TitanHQ team attend 15 roadshows and conferences in Ireland, Canada, the Netherlands, the UK, and the USA and meet new and prospective MSP partners, Wi-Fi providers, and ISPs.

In the summer of 2018, TitanHQ formed a strategic alliance with Datto which saw WebTitan Cloud and WebTitan Cloud for WiFi web filtering solutions incorporated into the Datto networking range. TitanHQ has been working closely with Datto MSPs ever since and has been helping them add web filtering to their security stacks and start providing their clients with world-class web filtering services.

Following on from a highly successful series of Datto roadshows in 2017, the TitanHQ team is back on the road and will be attending 7 Datto roadshow events over the coming 5 months, finishing off at DattoCon in June. The campaign started today at the TitanHQ-sponsored Datto Roadshow in Tampa, Florida. TitanHQ Alliance Manager Patrick Regan attended the roadshow and has been meeting with MSP to explain about WebTitan Cloud, WebTitan Cloud for WiFi, SpamTitan, and ArcTitan, and how they can benefit MSPs an help them build a high margin security practice.

For two years now, TitanHQ has been a member of the IT Nation community and has been helping MSPs get the most out of TitanHQ products to better serve the needs of their clients. It has been a great learning experience and a thoroughly enjoyable couple of years. The first of three IT Nation event took place today – The IT Nation Q1 EMEA Meeting in London. The event was attended by TitanHQ Alliance Manager Eddie Monaghan, who will be helping MSPs discover TitanHQ email security, DNS filtering, and email archiving solutions all week.

TitanHQ Alliance Manager, Eddie Monaghan.

If you were unable to attend either of these events, there are plenty more opportunities to meet with TitanHQ over the coming months. The full schedule of events that will be attended by members of the TitanHQ team are detailed below. We look forward to meeting you at one of the upcoming roadshow events in 2019.

TitanHQ 2019 MSP Roadshow Dates

February 2019

Date Event Location
February 14, 2019 IT Nation (HTG) Q1 EMEA Meeting London, UK
February 14, 2019 Datto Roadshow Tampa, FL, USA

March 2019

Date Event Location
March 5, 2019 CompTIA UK Channel Community Manchester, UK
March 7, 2019 Datto Roadshow EMEA Dublin, IE
March 11, 2019 CompTIA Community Forum Chicago, IL, USA
March 12, 2019 Datto Roadshow NA Norwalk, CT, USA
March 19, 2019 Datto Roadshow EMEA London, UK
March 26, 2019 Datto Roadshow EMEA Houten, Netherlands
March 26, 2019 Datto Roadshow NA Toronto, Canada

April 2019

Date Event Location
April 25, 2019 Datto Roadshow Long Island, NY, USA
April 29, 2019 IT Nation Evolve (HTG 2) Dallas, TX, USA

May 2019

Date Event Location
May 6, 2019 Connect IT Global (Kaseya Connect) Las Vegas, NV, USA
May 13, 2019 IT Nation (HTG) Q1 EMEA Meeting Birmingham, UK
May 14, 2019 Wifi Now Washington DC, USA

June 2019

Date Event Location
June 17, 2019 DattoCon San Diego, CA, USA

New Ovidiy Stealer Password Stealing Malware Priced to Boost Sales

The malware known as ‘Ovidiy Stealer’ is password stealing software that will capture login details and send the information to the hacker’s C2 server. As with most other password stealers, information is captured as it is entered into websites such as banking portals, web-based email accounts, social media accounts and other online services.

However, even if a device is infected, the Ovidiy Stealer will not capture information entered via Internet Explorer or Safari. The malware is also not persistent and if the computer is rebooted the malware will stop trying to complete its task.

Sadly, if you use Chrome or Opera, your confidential personal data is likely to be compromised. Other browsers known to be supported include Orbitum, Torch, Amigo and Kometa. However, sd the malware is being regularly updated it is likely other browsers will come online soon.

Ovidiy Stealer is a new malware, first identified only a month ago. It is chiefly being implemented in attacks in Russian-speaking regions, although it is possible that multi-language versions will be developed and attacks will soon be seen in other regions.

Proofpoint Researchers, who first detected the password stealing malware, are of the opinion that email is the primary attack vector, with the malware packaged in an executable file shared as an attachment. Proofpoint also thinks that rather than email attachments, links to download pages are also being implemented. Samples have been seen bundled with LiteBitcoin installers and the malware is also being sent through file-sharing websites, in particular via Keygen software cracking programs.

New password stealers are regularly being released, but what make the Ovidiy Stealer different and makes it particularly dangerous is it is being made available online at a particularly low price. Just $13 (450-750 Rubles) will get one build bundled into an executable ready for delivery using a spam email campaign. Due to the low cost there are likely to be many malicious actors carrying out campaigns to spread the malware, hence the range of attack vectors.

Would be hackers willing to part with $13 are able to see the number of infections using a web control panel complete with login. using the control panel they can control their account, view the number of infections, build more stubs and review the logs generated by the malware.

Safeguarding against malware such as Ovidiy Stealer demands caution as it requires time before new malware are discovered by AV solutions. Some AV solutions are already identifying the malware, but not all of them. As ever, when receiving an email from an unknown sender, do not click on attachments or visit hyperlinks.

Threat of Exposure with Multiple Malware Infections Visible in Sextortion

Sextortion scams have been in the rise in the last six months and these scams normally implement the technique of threatening to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is completed.

A number of the recent sextortion scams have boosted their credibility by claiming to have users’ passwords. However, new sextortion scams have been discovered that are using a different tactic to get users to pay up. The email template seen in this scam is similar to other recent sextortion scams. The scammers say that they have a video of the victim viewing adult content. The footage was captured using the victim’s webcam and has been spliced with screenshots of the content that was being looked at.

In the new campaign the email includes the user’s email account in the text of the email, a password (probably an old password compromised in a previous breach), and a hyperlink that the victim is asked to click to download the video that has been created and see exactly what will soon be shared via email and social media networks.

Clicking the link in the video will lead to the downloading of a zip file. The compressed file includes a document including the text of the email and the supposed video file. That video file is really an information stealer – The Azorult Trojan.

This type of scam is even more likely to be successful than past campaigns. Many people who receive a sextortion scam email will see it as fake. However, the a link to download a video  being included may lead to many people downloading the file to see if the threat is real.

If the zip file is downloaded and the Azorult Trojan executed, it will silently gather data from the user’s computer – similar information to what the hacker claims to have already obtained: Cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank details.

The Azorult Trojan will also install a secondary payload: GandCrab ransomware. Once data has been gathered, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will only be possible if these files having been backed up and not also encrypted by the ransomware. Apart from permanent file loss, the only other option will be to pay a sizeable ransom for the key to decrypt the files.

If the email was issued to a business email account, or a personal email account that was accessed at work, files on the victim’s work computer will also be encrypted. As a record of the initial email will have been extracted on the device, the reason why the malware was downloaded will be made clear to the IT department.

The key to not being tricked is to disregard any threats sent using email and never click links in the emails or click on email attachments.

B

Schools Using Web Filtering

Web filtering for schools has been a requirement in order to qualify for E-Rate discounts on telecommunications and Internet services since the Children´s Internet Protection Act (CIPA) was passed in 2000.

Following this, many states have also passed their own legislation making it a requirement for schools to filter the Internet to ensure children are safeguarded from harmful website content. So far, 24 states have developed legislation to stop children from accessing harmful images including pornography in schools and libraries.

Even in those states where web filtering for schools is not obligatory, lobby groups and parents’ associations have asked for more stringent controls in relation to the content that can be accessed on school computers and through school networks. Web filtering for schools a requirement rather than an option.

While the chief purpose of web filtering for schools is to prevent access to obscene or harmful website content, many schools have opted to put in place a content filtering solution as a cybersecurity tactic. Web filters are used to stop malware downloads and obstructing phishing attacks.

Previously, web filtering required a physical appliance to be placed on a firewall. Appliance based web filters have a number of weaknesses. Appliances are not cheap and need to be updated and maintained by IT support staff. They also restrict the number of users that can access the Internet. When capacity needs to be strengthened, new hardware needs to be bought.

Now a rising number of schools are choosing a lower cost solution. Cloud based web filtering for schools does not necessitate the purchasing of any additional hardware, saving schools thousands of dollars in equipment investment. There is also no obligation for IT teams to be on site. When using a cloud-based solution, everything is cloud based and no software installations are required. DUe to this the entire system can be managed remotely. In order to begin all that you need is for a simple change to be made to the DNS to point it to the solution provider’s servers. That process usually takes just a very short period of time.

Is DNS Filtering an Effective Solution?

If you are browsing online and you will be have to tackle a wide range of threats, some of which could lead to your bank account being emptied or sensitive information being exposed and your accounts being compromised. Then there is ransomware, which could be used to prevent you from accessing your files should you not have backups or opt not to pay the ransom.

The majority of websites now being created are malicious websites, so how can you stay safe online? One solution deployed by businesses and ISPs is the use of a web filter. A web filter can be set up to restrict access to certain categories of Internet content and block most malicious websites.

While it is possible for companies or ISPs to purchase appliances that are located between end users and the Internet, DNS filters allow the Internet to be filtered without having to buy any hardware or install any software. So how is DNS filtering operated?

How is DNS Filtering Operated?

DNS filtering – or Domain Name System filtering to give it its full tname – is a technique of preventing access to certain websites, webpages, or IP addresses. DNS is what permits easy to remember domain names to be used – such as Wikipedia.com – rather than typing in IP addresses – such as 198.35.26.96. DNS maps IP addresses to domain names.

When a domain is bought from a domain register and that domain is hosted, it is given a unique IP address that allows the site to be found. When you try to access a website, a DNS query will be carried out. Your DNS server will look up the IP address of the domain/webpage, which will permit a connection to be made between the browser and the server where the website is hosted. The webpage will then be opened.

So how does DNS filtering operate? With DNS filtering set up, rather than the DNS server returning the IP address if the website exists, the request will be subjected to certain security measures. If a particular webpage or IP address is recognized as malicious, the request to access the site will be denied. Instead of connecting to a website, the user will be sent to a local IP address that will display a block page explaining that the site cannot be opened.

This control could be implemented at the router level, via your ISP, or a third party – a web filtering service provider. In the case of the latter, the user – a business for example – would point their DNS to the service provider. That service provider keeps a blacklist of malicious webpages/IP addresses. If a site is known to be malicious, access to malicious sites will be prevented.

Since the service provider will also group webpages, the DNS filter can also be implemented to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for example. Provided a business sets up an acceptable usage policy (AUP) and sets that policy with the service provider, the AUP will be live. Since DNS filtering is low-latency, there will be next to no delay in logging onto safe websites that do not breach an organization’s acceptable Internet usage policies.

Can a DNS Filter Prevent Access to All Malicious Websites?

Sadly, no DNS filtering solution will stop access to all malicious websites, as in order for this to be accomplished, a webpage must first be identified as malicious. If a cybercriminal creates a brand-new phishing webpage, there will be a delay between the page being set up and it being reviewed and added to a blocklist. However, a DNS web filter will prevent access to the majority of malicious websites.

Can DNS Filtering be Avoided?

Proxy servers and anonymizer sites could be deployed to mask traffic and bypass the DNS filter unless the chosen solution also prevents access to these anonymizer sites. An end user could also manually amend their DNS settings locally unless they have been locked down. Determined persons may be able to find a way to bypass DNS filtering, but for the majority of end users, a DNS filter will block any effort to access forbidden or harmful website material.

No single cybersecurity solution will let you to block 100% of malicious websites but DNS filtering should definitely form part of your cybersecurity operations as it will allow most malicious sites and malware to be blocked.

 

Case Study: Data Breach Cost Home Depot $179 Million

When pondering how much to spend on cybersecurity defenses, be sure to consider the cost of a retail data breach. Ill-advised security practices and a lack of  proper cybersecurity defenses can cost a company quite a bit.

A data breach of the scale of that which impacted Home Depot in 2014 will cost hundreds of millions of dollars to address. The home depot data breach was huge. It was the largest retail data breach involving a point of sale system that has been seen so far. Malware had been downloaded that allowed cyber criminals to obtain over 50 million credit card numbers from home depot customers and around 53 million email addresses.

The attack was completed using stolen credentials from one of the retailer’s vendors. Those credentials were used to obtain access to the network. Those privileges were subsequently elevated, the Home Depot network was explored, and when access to the POS system was obtained, malware was downloaded to record credit card details. The malware infection went unnoticed for five months between April and September 2014.

Last year, Home Depot agreed to pay out $19.5 million to customers that had been impacted by the breach. The payout included the costs of providing credit monitoring services to those affected by the breach. Home Depot has also paid out a minimum of $134.5 million to credit card companies and banks. The latest settlement amount will permit banks and credit card companies to submit claims for $2 per compromised credit card without having to show proof of losses suffered. If banks can show losses, they will have up to 60% of losses compensated.

The total cost of the retail data breach is approximately $179 million, although that figure does not incorporate all legal fees that Home Depot must pay, and neither does it include undisclosed settlements. The final cost of the retail data breach will be much bigger. It is already getting closer to the $200 million mark.

Then there is the reputation damage due to the breach. Following any data breach, customers often take their business to a different company. Many consumers impacted by the breach have chosen to shop elsewhere. A number of studies have been carried out on the fallout from a data breach. One HyTrust study states that companies may lose 51% of customers following a breach of sensitive data.

 

Software for Cloud-Based Web Filtering

The next step in the evolution from hardware-based and software-based solutions for filtering Internet content is cloud-based web filtering software. Similar to the majority of cloud-based technologies, cloud-based web filtering software is convenient, trustworthy and scalable. It does not have the high costs of hardware-based solutions nor the high maintenance overheads of software-based programmes; and, although all three solutions pretty much operate the same way, cloud-based web filtering software has its benefits.

Cloud-Based Web Filtering Software

Cloud-based web filtering software is operated from in the cloud rather than physically attached to – or downloaded to – your network. In order to log on to the service, you simply need to redirect your DNS server settings to point to our servers. The cloud-based software then implements itself automatically, and you can either begin filtering the Internet using the software´s default settings, or set up and apply your own user policies via the web-based management portal.

As with most solutions for filtering Internet content, cloud-based web filtering software deploys a three-tier mechanism to enhance defenses against online threats, improve productivity and stop users accessing inappropriate material:

  • The first line of defense is SURBL and URIBL filters. These look at each request to visit a web page against lists of IP addresses known to lead to malware downloads, phishing attacks and spam emails. When a match is identified, the request to visit the web page is not allowed. The lists of IP addresses are automatically updated as new threats are spotted.
  • Behind the “blacklists”, category filters can be used to stop users looking at websites in certain categories. Administrators may want to stop users visiting websites known to have a high likelihood of harboring malware (pharmaceutical and travel websites), those likely to affect productivity (gaming and social networking) or those including inappropriate material.
  • Keyword filters can be employed used to fine-tune the category filters and stop users looking at websites containing exact word matches, specific apps or specific file extensions. This fine-tuning mechanism adds granularity to the Internet filtering process to set up Internet filtering without obstructing workflows.

Category filters and keyword filters can be switched on by individual users, user-group or company-wide according to your existing user policies. Most products for filtering Internet content can be integrated with management tools such as Active Directory in order to speed up the process of applying roles. Thereafter, administrators can review web activity in real-time via the management portal, or schedule customized reports by user, user-group, organization-wide, bandwidth usage, category or time.

Improve Network Performance with Cloud-Based Web Filtering Software

One unexpected benefit of cloud-based web filtering software is how it enhances network performance – or, strictly speaking, how it reduces the workload put on servers by other solutions for filtering Internet content. This is due to way in which encrypted web pages are reviewed by cloud-based web filtering software to deduce the nature of their content.

Most software for filtering Internet content use a process called SSL inspection to decrypt, review, and re-encrypt the content of “secure” web pages. SSL inspection is now an obligatory part of Internet filtering because hackers have been able to obtain fake SSL certificates and their malware payloads would avoid detection if it were not for SSL inspection.

A heavy workload is put on servers by hardware and software solutions for filtering Internet content is because there is such a high volume of encrypted web pages that need inspecting. Since Google revelead it would enhance the rankings of encrypted websites in search engine results pages, more than 50% of the most-visited web pages in the world are encrypted.

The decryption, inspection and re-encryption of half the world´s most-visited Internet pages place an incredible strain on servers. Often it will lead to delays in some web-based activities – i.e. email – or users will find Internet access is temporarily unavailable. Although cloud-based web filtering software also utilizes SSL inspection to figure out the content of encrypted web pages, the process is carried out on the cloud – eliminating the workload on network servers and allowed an Internet service with excellent latency.

 

Homebuyers and Sellers Targeted ub Solicitor Email Scam

Home purchasers and real estate agents in the United Kingdom and Ireland are being targeted by cybercriminals using a new solicitor email campaign. The scam, which includes mimicking a solicitor, is costing victims thousands. Additionally, there have some cases seen where cybercriminals are contacting solicitors emails claiming to be their clients and asking for changes in their bank details. Any pending transfers are then sent to the criminals’ accounts.

As funds for home purchases are sent to solicitors’ accounts before being shared with the sellers, if cybercriminals can amend the bank details for the transfers, the funds for the purchase will be paid straight into their bank accounts.

While email spoofing is not unusual, this solicitor email scam often includes the hacking of solicitors’ email accounts. Once access has been obtained, cybercriminals search for emails shared from buyers and sellers of homes to identify possible targets.  While the hacking of email accounts is taking place, there have also been instances where emails between buyers, sellers and their solicitors have been captured. When bank details for a transfer are sent, the hackers amend the bank information in the email to their own and then send the email on.

The solicitor email scam is sophisticated and communications are monitored until the crucial point in the purchasing process when a bank transfer is about to be completed. Since the possible rewards are considerable, cybercriminals are willing to invest the time and effort into the scam and be patient. Buyers, vendors and solicitors are well researched and the emails appear authentic.

This conveyancing scam has been on the rise in recent months and it has now become the most common cybercrime impacting the legal sector. The Law Society, a representative organization for solicitors in the UK, has issued a warning about the conveyancing scam due to an rising number of complaints, although it is currently unclear how many fraudulent transfers have been completed.

The simple way to prevent such a scam from being successful is to contact the homebuyer or seller before any transfer is made and to verbally confirm the bank details. Additionally policies can be developed requiring bank account information to only be sent via postal mail.

The Solicitors Regulation Authority has issued guidance that advises against the use of email for property transactions due to the potential for cybercriminals to intercept and spoof messages. Email may be simple, but with such large sums being transferred it pays to use an abundance of caution.

While this solicitor email scam has been seen in many places across the UK and Ireland, legal firms in the United States should also use caution.

Threat of Exposure with Multiple Malware Infections Combined in Recent Sextortion Scams

Sextortion scams have been very popular with cybercriminals during 2018. A well written email and an email list are all that is needed for this to be successful. The latter can easily be bought almost nothing via darknet marketplaces and hacking forums. No expertise is required to run sextortion scams and as scammers’ Bitcoin wallets show, they are successful.

Many sextortion scams threaten to reveal a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is completed. Some of the recent sextortion scams have increased credibility by claiming to have users’ passwords. However, new sextortion scams have been discovered in the past few days that are using a different tactic to get users to pay the ransome.

The email template used in this scam is very like those in other recent sextortion scams. The scammers say that they have a video of the victim viewing adult content. The footage was captured through the victim’s webcam and has been spliced with screenshots of the content that was being looked at.

In the new campaign the email includes the user’s email account in the copy of the email, a password (most likely an old password accessed in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see what will soon be distributed via email and social media networks.

VIsiting the link in the video will trigger the downloading of a zip file. The compressed file includes a document including the text of the email along with the supposed video file. That video file is really an information stealer – the Azorult Trojan.

This sort of the scam is even more likely to be successful than past campaigns. Many individuals who receive a sextortion scam email will see know what it is: A mass email including an empty threat. However, the inclusion of a link to download a video could lead to many individuals download the file to find out if the threat is authentic .

If the zip file is downloaded and opened and the Azorult Trojan executed, it will quietly gather information from the user’s computer – similar information to what the hacker claims to have already obtained: Cookies from websites the user has seen, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank details.

However, it doesn’t stop there. The Azorult Trojan will also install a secondary payload: GandCrab ransomware. Once information has been gathered, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up somewhere else and not also encrypted by the ransomware. Aside from permanent file loss, the only other option will be to pay a sizeable ransom to decrypt the hacked files.

If the email was sent to a company email account, or a personal email account that was logged onto at work, files on the victim’s work computer will be encrypted. As a record of the original email will have been extracted on the device, the reason why the malware was downloaded will be made clear to the IT department.

The key to not being tricked is to ignore any threats sent using the email and never click links in the emails nor open unexpected email attachments.

Companies can tackle the threat by using cybersecurity solutions such as spam filters and web filters. The former stops the emails from being sent while the latter blocks access to sites that host malware.

Gift Card Scams Warning Issued for Holiday Season

Giving gift vouchers as Christmas presents is always popular and this year is no exception. Many gift card-themed scams were detected over Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into parting with their credit card details.

2018 has seen a surge in business email compromise (BEC) style tactics, with emails seeming to have been sent from within a company. The emails purport to have been sent from the CEO (or another executive) asking for accounts and administration staff purchase gift cards for clients or requesting gift cards be purchased to be used for charitable donations.

To minimize the risk from gift card scams and other holiday-themed phishing emails, companies must ensure they have strong spam filtering technology in place to block the emails at source and prevent them from landing in inboxes.

Consumers can be tricked into parting with credit card details, but businesses too are in danger. Most of these campaigns are carried out in order to gain access to login credentials or are used to install malware. If an end user responds to such a scam while at work, it is their employer that will be hit with the cost of being hacked.

2018 has seen many businesses targeted with gift card scams. The latest reports from Proofpoint suggest that out of the organizations that have been targeted with email fraud attacks, almost 16% had witnessed a gift card-themed attack: Up from 11% in Q2, 2018.

Many corporations businesses have Office 365 installed, but even Microsoft’s anti-phishing security has allowed phishing emails to slip through the net, especially at businesses that have not paid extra for advanced phishing protection. Even with the advanced anti-phishing security measures, emails still make it past Microsoft’s filters.

To obstruct these malicious messages, an advanced third-party spam filter is necessary.

ArcTitan Offers Lightning-Fast, Enterprise-Class Microsoft Exchange Email Archiving for your Business

Is your business looking for a lightning-fast, enterprise-class method of email archiving? Nowadays, it is a requirement in business to have an email archiving solution in order to ensure that emails are not lost, emails can be retrieved on demand and storage space is kept to a minimum. Although native Microsoft Exchange Email Archiving is already available, most businesses will find the archiving options are not up to standard. The only alternative is to adopt a third-party email archiving solution. This will provide all the features required by businesses, as well improve efficiency and save on cost. In order to improve efficiency and meet the requirements of businesses, TitanHQ developed ArcTitan: A secure, fast, cloud-based email archiving solution.

What Email Archiving is and its Importance

Businesses have been required by federal, state, and industry regulations to retain emails for many years. Often a considerable amount of storage space is taken up through storing emails, especially when you consider the number of emails that are typically sent and received by employees daily. Although it suffices for businesses to store emails in backups to meet legal requirements, backups are not searchable. When a business needs to recover a certain email, it needs to be recovered quickly. This is simply not possible with backups, they are not searchable. The solution to this problem is an email archive. In comparison to backups, email archives are searchable and messages can be retrieved quickly and with minimal effort.

Email Archiving Necessary for eDiscovery and GDPR Compliance

An email archiving solutions for eDiscovery is essential. There have been a number of cases where, as part of the eDiscovery process, businesses have received heavy fines for the failure to produce emails. An example of this can be seen in the Zubulake v. USB Warburg case where the plaintiff was awarded $29 million as a result of the failure to produce emails.

In order to comply with GDPR legislation, email archives are now vital. Since May 25, 2018, when the EU’s General Data Protection Regulation came into effect, companies have been required on request to produce (and delete) every element of an individual’s personal data, including personal data contained in emails. This can be incredibly time consuming without an email archive and may result in data being unlawfully retained since backups are not searchable. The fines for GDPR compliance failures can reach as high as €20 million or 4% of global annual revenue, whichever is more substantial.

Native Microsoft Exchange Email Archiving Drawbacks

Native Microsoft exchange email archiving provides businesses with journaling and personal archive functions, but there are drawbacks to each. While the functions meet some business requirements such as freeing up space in mailboxes, they lack the full functions of a dedicated archive and do not meet all eDiscovery requirements.

When using native Microsoft Exchange email archiving, end users have too much control over the information that is loaded into an archive and they can’t delete emails unless a legal hold is activated. For admins, retrieving emails can be complicated and extremely time consuming.

With native Microsoft Exchange email archiving, functions fail to meet the needs of a lot of businesses particularly those in highly regulated industries. Although the native Microsoft Exchange email archiving functions have improved over the years, the limitations remain with most product versions and archiving can be complex with certain email architectures.

Any business that uses multiple email systems alongside Microsoft Exchange will require a third-party email archiving solution. This is due to Microsoft Exchange not supporting the archiving of emails from other platforms.

There has been an improvement in email archiving with Office 365. SMBs that use Office 365 already have email archiving functionality included in their plans, but it is only free of charge with E3-E5 plans. Additional plans charge around $3 per user, which is more expensive than custom-built archiving solutions such as ArcTitan.

Native Microsoft Exchange email archiving is an option for businesses, but Microsoft Exchange was not developed specifically for email archiving. However, despite the improvements that have been made by Microsoft, a third-party solution for email archiving on Microsoft Exchange is still required.

A third-party email archiving solution will make managing your email archiving significantly more efficient. It will save your IT department a considerable amount of time trying to locate old messages, especially for the typical requests that are received which are light on detail. The advanced search options in ArcTitan make search and retrieval of messages much faster and easier.

ArcTitan: Lightning-Fast, Enterprise-Class Email Archiving

ArcTitan has been specifically developed for email archiving making it more specialised than competitors. ArcTitan has been designed to meet all the archiving needs of businesses and allow managed service providers to offer email archiving to their clients.

The benefits of ArcTitan include extremely fast email archiving and message retrieval, secure encrypted storage and compliance with industry regulations such as HIPAA, SOX, FINRA, SEC and GDPR. ArcTitan allows businesses meet eDiscovery requirements without having to pay for additional eDiscovery services from Microsoft. ArcTitan also maintains an accurate audit trail. This allows businesses to have near instant access to all of their emails. ArcTitan serves as a black box recorder for all email to meet the various eDiscovery requirements and ensures compliance with federal, state, and industry regulations.

ArcTitan Features

ArcTitan requires no hardware or software, is quick and easy to install, and slots in to the email architecture of businesses with ease. The solution is highly scalable (there are no limits on storage space or users), it is easy to use, lightning fast and stores all emails safely and securely.

Businesses that have not yet implemented a Microsoft Exchange email archiving solution typically save up to 75% storage space. Costs are also kept to a minimum with a flexible pay as you go pricing policy, with subscriptions paid per live user.

  • Unlimited cloud based email archiving including inbound/outbound/internal email, folders, calendars and contacts
  • A full data retention and eDiscovery policy
  • HIPPA, SOX (and more) standard compliance and audited access trail
  • SuperFast Search™ – email is compressed, zipped, uses message de-duplication and attachment de-duplication ensuring the fast search and retrieval
  • Web console access with multi-tiered and granular access options – You decide user access permissions
  • No hardware / software installation required
  • Works with all email servers including MS Exchange, Zimbra, Notes, SMTP/IMAP/Google/PO
  • Secure transfer from your email server
  • Encrypted storage on AWS cloud
  • Instantly searchable via your browser – You can find archived emails in seconds
  • Maintains a complete audit trail
  • Optional Active Directory integration for seamless Microsoft Windows authentication
  • Optional Outlook email client plugin

If you have not yet implemented an email archiving solution, if you are unhappy with the native Microsoft Exchange email archiving features, or if you are finding your current archiving solution too expensive or difficult to use, contact TitanHQ today to find out more about the benefits of ArcTitan and the improvements it can offer to your business.

HookAds Malvertising Campaign Sending People to Trojans, Info Stealers and Ransomware Websites

One of the ways that threat actors download malware is using malvertising. Malvertising is the positioning of malicious adverts on legitimate websites that send visitors to websites where malware is installed. The HookAds malvertising campaign is one such example and those responsible for the campaign have been particularly active recently.

The HookAds malvertising campaign has one aim – to direct people to a website hosting the Fallout exploit kit. An exploit kit is malicious code that operates when a visitor arrives on a web page. The visitor’s computer is explored to determine whether there are any flaws – unpatched software – that can be exploited to silently download files.

In the case of the Fallout exploit kit, users’ devices are explored for several known Windows vulnerabilities. If one is discovered, it is exploited and a malicious payload is installed. Several malware variants are currently being shared via Fallout, including data stealers, banking Trojans, and ransomware.

According to threat analyst nao_sec, two different HookAds malvertising campaigns have been identified: One is being used to broadcast the DanaBot banking Trojan and the other is sending two malware payloads – The Nocturnal data stealer and GlobeImposter ransomware via the Fallout exploit kit.

Exploit kits can only be implemented to deliver malware to unpatched devices, so businesses will only be under threat from of this web-based attack vector if they are not 100% up to date with their patching. Sadly, many businesses are slow to run patches and exploits for new vulnerabilities are frequently uploaded to EKs such as Fallout. Due to this, a security solution is needed to obstruct this attack vector.

The threat actors responsible for the HookAds malvertising campaign are taking advantage of the low prices for advertising blocks on websites by low quality ad networks – those often utilized by owners of online gaming websites, adult sites, and other types of websites that should not be logged onto by employees. While the site owners themselves are not actively working with the threat actors behind the campaign, the malicious adverts are still displayed on their websites along with legitimate ads. The use of a web filter is advisable to mitigate this threat.

Easy Way to Win Business and Boost Revenue for MSPs With Email Archiving

Email archiving is a great way for a company to win business and boost revenue. Although it is often an overlooked service, it can add value and improve profits for MSPs. Email archiving has a high margin, generates regular additional income, is easy to implement and manage and is an easy sell to clients.

Email Archiving in SMBs

Email archiving is now essential for organisations of all sizes, from SMBs to the largest enterprises. Large numbers of emails are sent and received on a daily basis by companies. Copies of those emails need to be stored, saved, and often retrieved. Storage of emails in mailboxes can often pose problems. Emails and attachments often need a considerable amount of storage, which means hardware must be purchased and maintained. Storing large volumes of emails in mailboxes is not a secure way of storing emails.

Although storing emails in backups is an option, it is far from ideal. Space is still needed and recovering emails when they are required is not a straightforward task as backup files are not indexed and searching for messages can take a considerable amount of time.

An email archive, in comparison, is indexed and searchable and therefore emails can be retrieved on demand quickly and with ease. If there is a legal dispute or when an organisation needs to demonstrate compliance (with GDPR or HIPAA for example) businesses need to be able to recover emails in an efficient manner. Additionally, an email archive also provides a clear chain of custody, which is also required to comply with a lot of regulations.

Cloud-based archives offer secure storage for emails and have no restrictions on storage space. The cloud storage offered is also highly scalable and emails can be easily retrieved, regardless of the location.

In summary, email archiving can enhance security, lower costs, improve efficiency and is an invaluable compliance tool.

Email Archiving in MSPs

Due to the benefits of email archiving it should be an easy sell for MSPs, either as Office 365 archiving-as-a-service as an add-on or incorporated into existing email packages. This is in order to offer greater value and make your packages unique compared to those of your competitors.

Office 365 archiving-as-a-service will generate regular income for very little effort as an add-on service. It will also improve the meagre returns from simply offering Office 365 to your clients. Overall, it can help you to attract more business when put as part as a package.

Email Archiving Made Simple Made Simple for MSPs by ArcTitan

TitanHQ is a leading provider of cloud-based security solutions for MSPs. TitanHQ products such as SpamTitan, WebTitan and ArcTitan SaaS email archiving have all been developed from the group up to specifically meet the various needs of MSPs.

ArcTitan has been developed by TitanHQ to be easy to implement and manage. It seamlessly integrates into MSPs service stacks, allowing them to provide greater value to clients and make email services a much more lucrative offering. As a result of this, TitanHQ is able to offer generous margins on ArcTitan for MSPs.

Benefits of ArcTitan for MSPs

  • Easy implementation
  • Software downloads not necessary
  • No hardware requirements
  • Secure, cloud-based storage
  • Easy to operate centralised management system
  • Increases profitability of Office 365
  • Highly scalable email archiving
  • Easy set up for MSPs
  • Usage easy for clients
  • Improved margins for MSPs
  • Full suite of APIs supplied for simpler integration
  • Multiple hosting options: TitanHQ Cloud, dedicated private cloud, or host the solution in your own data centre
  • Fully rebrandable (ArcTitan can be supplied in white-label form ready for your own branding)
  • Usage-based pricing and monthly billing available
  • World class customer service and support

If you are yet to start offering email archiving to your clients or if you are unhappy with your current provider, contact the TitanHQ MSP team today for full ArcTitan product information, pricing details and further information on our MSP Program.

New WebTitan and ArcTitan Integrations as Z Services Expands Partnership with Titan HQ

TitanHQ has recently expanded its partnership with Z Services, the leading SaaS provider of cloud-based cybersecurity solutions in the MENA region, which will result in new WebTitan and ArcTitan integrations.

Z Services operates 17 secure data centers in the UAE (base location), Qatar, Egypt, Saudi Arabia, Morocco, Jordan, Kuwait, Oman, Bahrain, and Kuwait. It is the only company in the Middle East and North Africa to offer a multi-tenant, cloud-based, in-country, cybersecurity architecture.

Z Services partnered with TitanHQ in February of 2017 and integrated TitanHQ’s award-winning email filtering technology into its service stack. Through doing this, it enabled Z Services to start offering SpamTitan-powered Z Services Anti-Spam SaaS to its clients. TitanHQ’s email filtering technology now also enables Z Services’ clients to filter out spam email and protect against sophisticated email-based threats such as malware, viruses, ransomware, botnets, phishing and spear phishing.

Due to the integration proving to be such a great success for Z Services, the firm has now decided to take its partnership with Titan HQ to the next level by integrating two new TitanHQ-powered SaaS solutions into its service stack. WebTitan – TitanHQ’s award-winning web filtering technology and ArcTitan – its innovative email archiving solution, have now both been incorporated Z Services’ MERALE SaaS offering. MERALE has been specifically developed to meet the needs of small to medium sized enterprises, such as cybersecurity, threat protection, and compliance solutions.

“With cybersecurity growing as a critical business concern across the region, there is a clear need to make security an operational rather than a capital expense. Hence the paradigm shift in the delivery of effective security solutions from the traditional investment and delivery model to an agile SaaS model through the primary connectivity provider of SMEs – the ISPs,” explained Z Services’ President for the Middle East and North Africa, Nidal Taha. “MERALE will be a game-changer in how small and medium businesses in the region ensure their protection, and as a subscription-based service, it removes the need for heavy investments and long-term commitments.”

Speaking from Titan HQ’s point of view, CEO Ronan Kavanagh said “We are delighted to continue our successful partnership with Z Services and share their vision for serving the SME segment with leading edge SaaS based security solutions. With this development Z Services is strengthening its leadership position as an innovative cloud-based cybersecurity solutions provider in the Middle East and North Africa.”

TitanHQ’s cloud-based cybersecurity solutions have been developed specifically to meet the needs of Managed Service Providers. More than 7,500 businesses worldwide are currently using the email filtering, web filtering, and email archiving solutions supplied by TitanHQ and more than 1,500 MSPs are now offering TitanHQ solutions to their clients.

When compared to many other cybersecurity solution providers, TitanHQ offers its products with a range of hosting options (including within an MSP’s own infrastructure), as full white label solutions ready for MSPs to apply their own branding. Through offering their clients TitanHQ solutions MSPs are able to significantly reduce costs related to support and engineering. They achieve this by blocking a wide range of cyber threats at source. MSPs also benefit from generous margins and world class customer service and support.

If you are an MSP and have not yet incorporated email filtering, web filtering, and email archiving solutions into your service stack, if you are unhappy with your current providers, or are looking to increase profits significantly while also ensuring your clients have the best protection against email and web-based threats, contact TitanHQ today for further information.

Chinese and English Speakers Targeted New RaaS Variant of FilesLocker Ransomware

FilesLocker, a new ransomware threat has been discovered is currently being offered as ransomware-as-a-service (RaaS) via a TOR malware forum. FilesLocker ransomware is not a extremely sophisticated ransomware variant, but it still poses a major threat.

FilesLocker ransomware is a dual language ransomware variant that shows ransom notes in both Chinese and English. MalwareHunterTeam has found a Chinese forum on TOR where it is being offered to affiliates to distribute for a percentage of the ransom payments.

Unless advertised more widely, the number of affiliates that sign up may be restricted, although it may prove popular. There are a number of features which could see the ransomware variant favored over other RaaS offerings, notably a sliding scale on commissions. The developers are offering a 60% cut of ransoms, which will go up by 75% if sufficiently high numbers of infections can be generated.

While relatively straightforward, FilesLocker ransomware still uses an RSA 2048+AES algorithm to lock files and it erases Windows shadow copies to hamper efforts to recover files without paying the ransom. FilesLocker is also capable of file encryption in a broken network environment.

No server is needed and the ransomware is working on all Windows versions later than XP plus 32-bit and 64-bit Windows Server. Users are also able to easily keep an eye for infections through a tracking feature which displays infections by country.

There is no free decryptor for FilesLocker ransomware in existence. Recovery can only be completed by restoring files from backups.

While news of a new RaaS offering is never welcome, there has at least been some good news on the ransomware front this recently at least for some victims.

GandCrab ransomware is another RaaS offering that has been for sale since January 2018. It has been widely adopted, with many affiliates using it to distribute the ransomware over the past 10 months.

A GandCrab ransomware decryptor was designed by Bitdefender in February that was able to unlock files encrypted by version 1.0 and v1.1 of GandCrab ransomware. The decryptor was developed after private keys were released online. However, it didn’t take long for v2.0 to be released, for which no free decryptor is available. There have been a number of further updates to GandCrab ransomware over the past few months, with v5.0 of the ransomware variant released in late September.

This week, Bitdefender has revealed that after collaboration with the Romanian Police, Europol and other law enforcement bodies, a new decryption tool has been developed that permits GandCrab ransomware victims to decrypt files for free, provided they have been hacked with version 1, 4, or 5 of the ransomware.

The version can be deduced by the extension used on encrypted files. V1=GDCB; v2/3=CRAB; v4=KRAB; and v5 uses a completely random 10-character extension.

The free GandCrab ransomware decryptor has been placed to the NoMoreRansom Project website. Bitdefender is currently attempting to put in plsvr on a free decryptor for v2 and v3 of GandCrab ransomware.

New Version of Azorult Malware Being Distributed via RIG Exploit Kit

An undated strain of Azorult malware has been discovered which downloader has already been used in attacks and is being shared using the RIG exploit kit.

Azorult malware is mainly an information gatherer which is used to obtain usernames and passwords, credit card details, and other data including browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities included.

Azorult malware was first discovered in 2016 by researchers at Proofpoint and has since been utilized in a large number of attacks through exploit kits and phishing email campaigns. The latter have used links to malicious sites, or more typically, malicious Word files including malware downloaders.

Back in 2016, the malware variant was first installed in tandem with the Chthonic banking Trojan, although later campaigns have seen Azorult malware deployed as the primary malware payload. 2018 has seen multiple threat actors pair the information stealer with an accompanying ransomware payload.

Campaigns have been identified using Hermes and Aurora ransomware as secondary payloads. In both attacks, the initial target is to steal login details to raid bank accounts and cryptocurrency wallets. When all useful data has been obtained, the ransomware is enabled, and a ransom payment is requested in order to decrypted files.

A new strain of the Azorult was issued in July 2018 – version 3.2 – which contained major improvements to both its stealer and downloader functions.  Now Proofpoint researchers have discovered a new variant – version 3.3 – which has already been included with RIG. The new variant was released just after the source code for the previous version was leaked on the Internet.

The new variant uses an alternative method of encryption, has enhanced cryptocurrency stealing functionality to allow the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be obtained, a new and improved loader and an updated admin panel. The latest version is more difficult for AV software to notice ensuring more installations.

The RIG exploit kit uses exploits for known flaws in Internet Explorer and Flash Player, which use JavaScript and VBScripts to install Azorult.

If your operating systems and software are kept fully updated you will be safeguarded against these exploit kit downloads as the vulnerabilities exploited by RIG are not new. However, many businesses are slow to apply patches, which need to be extensively tested. It is therefore important to also deploy a web filtering solution.

U.S. Bank Customers Targeted by DanaBot Trojan

Last May, security specialists at Proofpoint identified a spam email campaign that was sharing a new banking Trojan titled DanaBot. At first it was thought that a single threat actor was using the DanaBot Trojan to target groups in Australia to obtain online banking details.

That campaign has persisted, but in addition, campaigns have been noticed in Europe targeting customers of banks in Italy, Germany, Poland, Austria, and the UK. Then last month a further DanaBot Trojan campaign was carried out targeting U.S. banks.

The DanaBot Trojan is a modular malware programmed in Delphi that can install additional components to add various different functions.

The malware can capture screenshots, obtain form data, and record keystrokes in order to obtain banking credentials. That data is sent back to the attackers’ C2 server and is then used to steal money from corporate bank accounts.

A review of the malware and the geographical campaigns shows alternative IDs are used in the C2 communication headers. This strongly suggests that the attacks in each region are being carried out by different individuals and that the DanaBot Trojan is being provided as malware-as-a-service. Each threat actor is charged with running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates conducting campaigns. Overall, there appears to currently be nine hackers running distribution campaigns.

The country-specific campaigns are using a variety of tools to distribute the malicious payload, which include the new Fallout exploit kit, web injects, and spam email. The latter is being used to share the Trojan in the United States.

The U.S. campaign sends a fax notice lure with the emails seeming to come from the eFax service. The messages look authentic and are complete with appropriate formatting and logos. The emails include a button that must be clicked to download the 3-page fax message.

Clicking on the button will install a Word document with a malicious macro which, if permitted to run, will initiate a PowerShell script that downloads the Hancitor downloader. Hancitor will then install the Pony stealer and the DanaBot Trojan.

Proofpoint’s review of the malware revealed similarities with the ransomware groups Reveton and CryptXXX, which suggests that DanaBot has been developed by the same group to blame for both of those ransomware threats.

The U.S. DanaBot campaign is focused on customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase.  It is probable that the campaigns will spread to other countries as more threat actors begin to use the malware.

Stopping attacks requires detailed defense against each of the attack vectors. An advanced spam filter is necessary to block malspam. Subscribers to Office 365 should increase protection with a third-party spam filter such as SpamTitan to supply better protection against this threat. To stop web-based attacks, a web filtering solution should be implemented. WebTitan can block efforts by end users to visit websites known to include exploit kits and IPs that have previously been used for malicious aims.

End users should also advised to never open email attachments or visit hyperlinks in emails from unknown senders, or to enable macros on documents unless they are 100% certain that the files are authentic. Companies in the United States should also think about warning their employees about fake eFax emails to increase awareness of the threat.

The Margin for MSPs with Office 365 Lies in Security

It is becoming increasingly clearer that the margin for MSPs with regards to Office 365 lies in the security aspect of the application. Office 365 is currently in huge demand with over 135 million commercial monthly users. Through trusted advisers such as MSPs, resellers and Microsoft Cloud Solution Providers, its adoption amongst small and mid-size businesses continues to grow at a rapid pace.

Currently, partners can purchase from Microsoft Cloud Service Providers such as AppRiver, Intermedia, Pax8, etc. and can then resell 0365 licenses to their downstream customers. However, the margins made from this activity are very small. Office 365 is a reliable solution for the customer base of many VARs and MSPs. Although it allows them to capture new business, it lacks the ability to make significant margin. This leads to many VARs and MSPs questioning the point of 0365.

Despite it being evident that 0365 is a great email and productivity application, MSPs can’t build a sustainable business on such small margins. Cloud backup, migrations and other services can add to the value of an Office 365 offer, however:

  • 73% of 2018 MSP 501 listees rated their fastest growing service as security
  • 55% chose professional services
  • only 52% selected Office 365

For MSPs, consultants and resellers, O365 represents an opportunity to help build a profitable practice based around subscription sales to SMBs. It also helps clients to learn how to protect their investment within their IT budget and secure their network through a “defense in depth” approach.

Due to the continuing onslaught of phishing attacks and ransomware, IT budgets are being built with security in mind. Given the regular headlines reporting countless exploits where hackers have sabotaged an O365 environment with ease, this doesn’t come as a surprise. Security is a feature that Microsoft has added to 0365 but unfortunately this does not meet the security benchmarks set by most organizations. A recent study showed that a third of business owners do not have safeguards in place to combat cyber breaches. What’s more is that 60% of small businesses that suffer a breach go out of business within six months of the attack.

As email security experts who have gained over 20 years’ experience, we are aware new malware can penetrate the usual email filtering mechanisms. It has been the case for quite an amount of time that older email protection technologies, analysis reputation and fingerprinting as examples, are no longer effective against the evolution of these threats. Recent research conducted by Osterman shows that Microsoft’s EOP can detect 100% of all known viruses and updates every 15 minutes. However, the research also discovered it didn’t have the same security effects against unknown or new malware delivered by email.

As trusted providers, MSPS have a huge opportunity to provide a “full suite” of cloud productivity tools such as 0365, Dynamics, Azure and cloud security and compliance such as email security and web security, DLP, and archiving to their downstream SMB customers at combined margins of over 75 to 100%. This can be achieved without massive increases to their monthly spend.

Small to medium-sized businesses are focused only on the necessary to keep the lights on and to grow the business. Microsoft’s main messages to organizations choosing Office 365 is the cost savings that are achievable from moving to a cloud-based solution. A move such as this would save the company money and allow IT staff to work on business problems and, ultimately, add more value to the company. Web and email security and compliance do not need to be detrimental to those looking to save costs in their IT spend and productivity.

How MSPs can boost margins on 0365 business

It is evident the Margin for MSPs to be made with Office 365 lies in security. If MSPs fail to invest in security as a service and a defense in depth approach, it could prove almost impossible to make their 0365-business profitable. The dilemma for partners has moved past whether to offer security for 0365, it is now at point where partners need to discover how to best deliver a cost-effective advanced security platform that can handle todays advanced threats. This should be achieved while also keeping IT security budgets in check for their SMB customers.

In todays world consultants, managed service providers and resellers have the opportunity to offer customers a very cost-effective defense in depth approach to security. MSPs can now deliver advanced security with TitanHQ’s Private Cloud Security services – SpamTitan (email security), WebTitan (content filtering) and ArcTitan (email archiving) – alongside O365 subscriptions. Through doing this they can ensure they make healthy margins, while continuing to keep monthly costs down for their customers.

Currently, Office 365 continues to be the leader in the productivity and collaboration space. However, for partners selling and managing this service, margins remain tight. As partners sell and manage more 0365 mailboxes, offering add-on security is the answer to making the process more profitable.

Be Mindful of Gaps in Security with 0365

For MSPs looking to take their business further, offering security in depth service to plug the Office 365 security gaps is the answer. Email has become central to running an organization and, as a result, is constantly targeted by attackers. Because of this, it is vital for MSPs to use a reliable third-party security vendor like TitanHQ, who’ve been specializing in email and web security for 25 years. Unlike Microsoft, security is our area of expertise.

Today, we work with over 2000 MSP’s worldwide daily. We protect your customers from malware, phishing, viruses, ransomware, botnets and other cyber threats. A lot of these customers are Office 365 users. Our products were built from the ground up with MSP’s for MSP’s, which we feel is crucial. We save MSP’s time by stopping problems with support and engineering at source. We also provide ideal products to sell in your technology stack which allows you to increase margin. Contact us today to learn how MSPs like you can boost margins on Office 365 business.

New Xbash Malware Threat Includes Coin Mining and Ransomware Functionality

Xbash malware is one of many new malware threats to be discovered in recent times that uses the file-encrypting properties of ransomware with the coin mining functionality of cryptocurrency mining malware.

In 2018, several cybersecurity and threat intelligence companies have discovered that ransomware attacks have plateaued or are dropping. Ransomware attacks are still profitable, although there is potential to make more money through cryptocurrency mining.

The recent Internet Organized Crime Threat Report published by Europol notes that cryptojacking is a new cybercrime trend and is now a commonly-seen, low-risk revenue stream for cybercriminals, but that “ransomware remains the key malware threat”.  Europol states in its report that a decline has been witnessed in random attacks via spam email, instead cybercriminals are focusing on attacking businesses where greater profits lie. Those attacks are highly concentrated.

Another new trend offers cybercriminals the best of both worlds – the use of versatile malware that have the elements of both ransomware and cryptocurrency miners. These highly versatile malware variants provide cybercriminals with the chance to obtain ransom payments as well as the chance to mine for cryptocurrency. If the malware is downloaded on a system that is not ideally suited for mining cryptocurrency, the ransomware function is enabled and vice versa.

Xbash malware is one such danger, albeit with one major caveat. Xbash malware cannot restore files. In that respect it is more similar to NotPetya than Cerber. As was the case with NotPetya, Xbash malware just masquerades as ransomware and requests a payment to restore files – Currently 0.2 BTC ($127). Payment of the ransom will not lead to keys being supplied to unlock encrypted files, as currently files are not encrypted. The malware simply erases MySQL, PostgreSQL, and MongoDB databases. This function is enabled if the malware is installed on a Linux system. If it is downloaded on Windows devices, the cryptojacking function is turned on.

Xbash malware can also self-propagate. Once downloaded on a Windows system it will spread throughout the network by exploiting flaws in Hadoop, ActiveMQ and Redis services.

Xbash malware is programmed in Python and compiled into a portable executable (PE) format using PyInstaller. The malware will complete its file encrypting/deletion routine on Linux systems and use JavaScript or VBScript to download and run a coinminer on Windows systems. Palo Alto Networks’ Unit42 has said that the malware is being spread by a threat group known as Iron Group, which has previously been linked with ransomware attacks.

At present, infection takes place through the exploitation of unpatched flaws and brute force attacks on systems with weak passwords and unprotected services.  Protection from this threat requires the use of strong, unique non-default passwords, prompt patching, and endpoint security solutions. Restricting access to unknown hosts on the Internet will stop communication with its C2 if it is installed, and naturally it is important that multiple backups are regularly made to ensure file recovery can happen.

Kaspersky Lab have said that there has been a doubling of these multi-purpose remote access tools witnessed over the past 18 months and their popularity is likely to continue to rise. This sort of versatile malware could well become the malware of choice for advanced threat actors over the course of the next year.

Spam Email Campaigns in Europe Started using Python-Based PyLocky Ransomware

A new strain of Python-based ransomware has been discovered that appears to be Locky, one of the most widely deployed ransomware variants in 2016. The new ransomware variant has been labelled PyLocky ransomware by security researchers at Trend Micro who have noticed using it in hacking campaigns in Europe, particularly France, throughout July and August.

The spam email campaigns were, at first, sent in comparatively small batches, although over time the volume of emails sharing PyLocky ransomware has surged significantly.

Various social engineering tactics are being employed by the hackers to get the ransomware installed, including fake invoices. The emails identified by Trend Micro have included an embedded hyperlink which sends users to a malicious webpage where a zip file is installed. The zip file includes PyLocky ransomware which has been compiled using the PyInstaller tool, which allows Python applications to be changed to standalone executable files.

If downloaded, PyLocky ransomware will encrypt around 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files saved on all logical drives will be encrypted and the original copies will be replaced. A ransom note is then placed on the desktop which has been copied from the note used by the threat actors behind Locky, although the two cryptoransomware threats are not linked. Ransom notes are written in French, English, Korean, and Italian so it is likely that the attacks will become more widespread over the coming days.

While Python is not normally used to create ransomware, PyLocky is not the only Python-based ransomware variant to have been developed. Pyl33t was used in a number of attacks in 2017, and CryPy emerged in 2016. What makes the latest ransomware variant different is its anti-machine learning capabilities, which help to stop analysis using standard static analysis methods.

The ransomware attacks Windows Management Instrumentation (WMI) to figure out the properties of the system on which it is downloaded. If the total visible memory of a system is 4GB or greater, the ransomware will execute instantly. If it is lower than 4GB, the ransomware will remain dormant for 11.5 days – an attempt to figure out if it is in a sandbox environment.

 

Spam Email Campaigns in Europe Using Python-Based PyLocky Ransomware

A new Python-based form of ransomware has been discovered that closely resembles as Locky, one of the most commonly seen ransomware variants during 2016. The new ransomware variant has been titled PyLocky ransomware by security specialists at Trend Micro who have seen it being deployed in Europe, particularly France, during July and August.

The spam email campaigns were, at first, sent in relatively small batches, although over time the number of emails sending PyLocky ransomware has increased drastically.

Many social engineering tactics are being used by the hackers to get the ransomware downloaded to devices, including fake invoices. The emails captured by Trend Micro have included an embedded hyperlink which directs users to a malicious webpage where a zip file is installed. The zip file contains PyLocky ransomware which has been put together using the PyInstaller tool, which allows Python applications to be changed to standalone executable files.

If downloaded, PyLocky ransomware will encrypt around 150 different file variants including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files kept on all logical drives will be encrypted and the original files will be overwritten. A ransom note is then placed on the desktop which has been copied from the note used by the threat actors responsible for Locky, although the two cryptoransomware threats are not linked. Ransom notes are presented in French, English, Korean, and Italian so it is probable that the hacking campaigns will become more widespread going forward.

While Python is not normally used to develop ransomware, PyLocky is not the only Python-based ransomware variant to have been noticed. Pyl33t was used in many attacks in 2017, and CryPy was first seen in 2016. This, most recent ransomware variant is different in that is has anti-machine learning capabilities, which help to stop analysis using standard static analysis methods.

The ransomware uses Windows Management Instrumentation (WMI) to calculate the properties of the system on which it is downloaded. If the total visible memory of a system is 4GB or more, the ransomware will execute instantly. If it is less than 4GB, the ransomware will sleep for 11.5 days – an effort to determine if it is in a sandbox environment.

Stopping attacks can be done using a variety of cybersecurity measures. An advanced spam filtering solution like SpamTitan will help to stop the spam emails being send to end users’ inboxes. A web filter, such as WebTitan, can be implemented to control the websites that can be accessed by end users and block malicious file downloads. Security awareness training will allow end users recognize the threat for what it is. Advanced malware detection tools are necessary to spot the threat due to its anti-machine learning capabilities.

At present, there is no free decryptor for PyLocky available.

New Malware Variant CamuBot Trojan Being Used in Targeted Attacks on Companies

Spam or junk email may be the primary method of sharing delivering banking Trojans, however there are many other ways of convincing employees to download and install malware on their computers.

The CamuBot Trojan the method used is vishing. Vishing is the voice equivalent of phishing – the use of the telephone to trick people, either by convincing them to reveal sensitive information or to take some other steps such as downloading malware or making fraudulent bank transfers.

Vishing is regularly used in tech support scams where people are convinced to install fake security software to delete fictitious viruses on their computers. The campaign used to install the CamuBot Trojan is a different type of malware was identified by IBM X-Force researchers.

The attack begins with some reconnaissance. The hackers identify a business that uses a specific bank. Individuals within that group are then identified that are likely to have access the bank accounts used by the business – payroll staff for example. Those people are then contacted by telephone.

The hackers tell people that they are calling from the bank and are completing a check of security software on the user’s computer. The user is told to visit a webpage where a program will run a scan to find out if they have an up-to-date security module downloaded on their computer.

The fake scan is finished, and the user is informed that their security module is an out of date version. The caller then tells them that they must download the latest version of the security module and install it on their device.

Once the file is installed and executed, it runs just like any standard software installer. The user is told about the minimum system requirements required for the security module to work and the installer includes the bank’s logo and color scheme to make it appear authentic.

The user is taken through the installation process, which first requires them to disable certain processes that are running on their computer. The installer shows the progress of the fake installation, but in the background, the CamuBot Trojan is being downloaded. Once the process is finished, it connects to its C2 server.

The user is then brought to what appears to be the login portal for their bank where they must enter their login credentials. The portal is a phishing webpage, and the details to access the users bank account are recorded by the hacker.

Many banks ask a second factor for authentication. If such a security measure is in place, the hackers will instruct the user that a further installation is needed for the security module to work. They will be talked through the installation of a driver that enables a hardware-based authentication device to be remotely shared with the hacker. Once that has been installed and approved, the attackers are able to intercept any one-time passwords that are broadcasted from the bank to the user’s device, allowing the attackers to take full control of the bank account and permit transactions.

The CamuBot Trojan indicates that malware does not need to be stealthy to be successful. Social engineering methods can be just a effective at getting staff members to install malware.

The CambuBot Trojan campaign is mainly being carried out in Brazil, but the campaign could be rolled out and used in attacks in other countries. The methods used in this campaign are not new and have been used in several malware campaigns previously.

 

Coin Mining and Ransomware Functionality Included in New Xbash Malware

Xbash malware is one of many new malware threats to be discovered in recent weeks that uses the file-encrypting features  of ransomware with the coin mining functionality of cryptocurrency mining malware.

In 2018, several cybersecurity and threat intelligence companies have reported that ransomware attacks have fallen. Ransomware campaigns are still profitable, although it is possible to make more money through cryptocurrency mining.

The recent Internet Organized Crime Threat Report issued by Europol notes that cryptojacking is a new cybercrime trend and is now a regular, low-risk revenue generator for hackers, but that “ransomware remains the key malware threat”.  Europol has reported that a decline has been seen in random attacks using spam email, instead cybercriminals are focusing on attacking businesses where greater profits lie. Those attacks are highly concentrated.

Another emerging trend provides cybercriminals the best of both worlds – the use of versatile malware that have the features of both ransomware and cryptocurrency miners. These highly versatile malware variants provide cybercriminals with the chance to obtain ransom payments as well as the ability to mine for cryptocurrency. If the malware is downloaded on a system that is not ideally suited for mining cryptocurrency, the ransomware function is enabled and vice versa.

Xbash malware is one of these threats, albeit with one major caveat. Xbash malware cannot to restore files. In that regard it is closer to NotPetya than Cerber. As was the case with NotPetya, Xbash malware just masquerades as ransomware and requests a payment to restore files – Currently 0.2 BTC ($127). Payment of the ransom will not lead to keys being given to unlock encrypted files, as currently files are not encrypted. The malware simply erases MySQL, PostgreSQL, and MongoDB databases. This function is switched off if the malware is installed on a Linux system. If it is downloaded on Windows devices, the cryptojacking function is enabled.

Xbash malware can also self-propagate. Once downloaded on a Windows system it will spread throughout the network by exploiting weaknesses in Hadoop, ActiveMQ and Redis services.

Xbash malware has been developed in Python and compiled into a portable executable (PE) format using PyInstaller. The malware will run its file encrypting/deletion process on Linux systems and use JavaScript or VBScript to download and run a coinminer on Windows systems. Palo Alto Networks’ Unit42 has attributed the malware to a threat group referred to as Iron Group, which has previously been linked with ransomware attacks.

At present, infection takes place through the exploitation of unpatched flaws and brute force attacks on systems with weak passwords and unprotected services.  Protection against this threat requires the use of strong, unique non-default passwords, swift patching, and endpoint security solutions. Preventing access to unknown hosts on the Internet will stop communication with its C2 if it is downloaded, and naturally it is important that multiple backups are regularly made to ensure file recovery is possible.

Kaspersky Lab discovered there has been a doubling of these multi-purpose remote access tools over the past 18 months and their popularity is likely to continue to rise. This type of versatile malware could well prove to be the prevalent malware for hacker over the next year.

Email Archiving and its Importance for Businesses

It is evident that email archiving has become vital in today’s business environment, but what is email archiving and what is its importance to businesses?

What Email Archiving is

An email archive is a store for old emails which are not needed on a day to day basis but may need to be accessed from time to time. An email archive saves all email conversations securely in a searchable format that allows companies to satisfy various state, federal, and industry requirements.
Saving Storage Space with Email Archiving

Although emails could be left in personal mailboxes, the number of emails received on a daily basis means the storage space required for each mailbox would be considerable. This is especially the case considering the requirement in many industries to store emails for several years. If this approach was used, employees would have to exercise strict control over their inboxes and mailbox folders and diligently deleted spam and non-official emails. Even with these terms, storage space would still likely become an issue in a short space of time.

Emails are Easily Searchable in Archives

Another common solution to preserve emails is a mailbox backup. Email backups can be used to recover emails that have been accidentally deleted and can even allow an entire mailbox to be restored in the event of a disaster.

However, as is the case with any store, knowing that an item is in storage does not mean it is necessarily easy to find. While you may need to invest a little time to find a particular item in your work storeroom, it can take awfully long time to find a single email in an email backup containing thousands or even tens of thousands of messages. The reason behind this; backups are not searchable.

An email archive differs from a backup as messages can be searched due to them being indexed. Finding a message in a backup file can take hours, even days. However, locating a message in an archive takes a matter of seconds, a minute or two at most. An email archive allows emails to be quickly found if it is ever required to produce them.

Usually, IT staff have much more important things to be working on than recovering accidentally deleted emails. An archive means an email can be easily searched and accessed by employees without any involvement from the IT department. What’s more, emails can be accessed from any location and emails found even when the mail server is down, if a cloud-based archive is used.

Of course, there are also situations when more formal searches are required, such as when issues are identified with an employee and HR needs further information on the matter. Legal requests from eDiscovery require large quantities of emails to be resurfaced and provided to attorneys, also customer disputes require email conversations to be found quickly. Having an archive within the business significantly reduces the time taken for these tasks to be performed. A company-wide search of emails takes 80% less time, typically, when an archive is used.

Importance of Email Archives for GDPR Compliance

Since the General Data Protection Regulation has come into effect in May of 2018, email archives are even more critical. As soon as a request is received from an individual who wants to exercise their right to be forgotten, all data must be erased. This, of course, includes data contained in email accounts. An email archive can make this process much more efficient by allowing emails to easily be found and deleted.

The email archive ensures that regardless of what may happen, all emails can be located. Emails in the archive are also court admissible and tamper-evident which makes email archives important for compliance with state, federal, and industry regulations.

Email Archive: Time and Money Saver for Companies

Improvement in mail service efficiency, reduction in server management costs, minimised storage costs; these are results of using an email archiving system in your business. Companies can save up to 75% on storage space when an archive is used. Additionally, it is a much quicker process to migrate emails to a new server when the majority of emails have been placed in an archive.

Overall, an email archiving system’s importance to businesses cannot be underestimated. It ensures emails are never lost or deleted, provides a failsafe in the event of disaster, maintains an audit trail and and ensures emails can be found quickly and efficiently. An email archive can save companies time, money, along with helping compliance with state, federal, and industry regulations.

ArcTitan: An Efficient, Low Cost Solution to Email Archiving for Businesses

For businesses who have not yet started using an email archiving solution, TitanHQ has an optimal solution. ArcTitan is a fast, efficient, scalable, and low-cost archiving solution for SMBs and enterprises.

A cloud-based email archiving solution that integrates seamlessly with Outlook, ArcTitan allows emails to be quickly archived and retrieved on demand with ease via super-fast, user-friendly search screens.

Storage space is reduced through the de-duplication and compression of all emails and all messages and attachments are stored securely in IL5 certified datacenters.

If you are searching for an easy-to-use email archiving solution that can be implemented in minutes, get in touch with the TitanHQ team today for further information.

New AdvisorsBot Malware Threat Distributed Through Spam Email

Hotels, restaurants, and telecommunications businesses are the focus of a new spam email campaign that broadcasts a new form of malware titled AdvisorsBot. AdvisorsBot is a malware downloader which, like many malware variants, is being sent using spam emails containing Microsoft Word attachments with malicious macros.

Clicking on an infected email attachment and enabling macros on the document will allow the Advisorsbot to be downloaded. The software’s main role is to carry out fingerprinting on an infected device. Information will be gathered on the infected device is then sent to the threat actors’ command and control servers and further instructions are supplied to the malware based on the data gathered on the system. The malware records system information, details of programs downloaded to the device, Office account details, and other data. It can also capture screenshots on an infected device.

It has been given the title ‘AdvisorsBot’ due to the early samples of the malware that were first discovered in May 2018 which contacted command and control servers that included the word advisors.

The spam email campaign is mainly being aimed at targets in the United States, although infections have been seen globally. Several thousands of devices have been affected with the malware since May, according to the security researchers at Proofpoint who identified the new malware threat. The threat actors thought to be behind the attacks are a APT group called TA555.

Various email traps are being used in this malware campaign to encourage the recipients to open the infected attachment and turn on macros. The emails shared with hotels appear to be from individuals who have been doubly charged for their stay. The campaign targeting restaurants uses emails which claim that the sender has suffered food poisoning after eating in a particular establishment, while the campaign targeting attacks on telecommunications companies use email attachments that seem to be resumes from job applicants.

AdvisorsBot is programmed using C, but a second form of the malware has also been detected that is programmed in .NET and PowerShell. The second variant has been labelled PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that installs a PowerShell script which executes shellcode that enables the malware in the memory without writing it to the disk.

These malware threats are still under development and are common to many recent malware threats which have a wide range of capabilities and the versatility to be used for various types of attack such as data stealing, ransomware delivery and cryptocurrency mining. The malicious actions carried out are determined based on the system on which the malware has been downloaded. If that system is perfectly suited for mining cryptocurrency, the relevant code will be downloaded. If the business is of particular interest, it will be earmarked for a more thorough compromise.

The action to take in order to guard against this campaign is the deploy an advanced spam filtering solution to stop the emails from being delivered and security awareness training for employees to condition them how to respond when such a threat is received to their inbox.

WhatsApp Users Targeted as Hackers Focus on Lack of Anti-Phishing Protections

Most phishing attempts are carried out using email. However, recently there has been a significant surge in the use of other messaging services with WhatsApp phishing scams now rising in popularity amongst phishers.

WhatsApp phishing attacks are increasing for two main reasons. Firstly, the massive amount of platform subscribers. In January 2018, the number of monthly users of WhatsApp worldwide topped 1.5 billion, up from 1 billion users in mid-2017. Secondly, is the absence of anti-phishing measures to prevent malicious messages from being sent.

Many businesses have put in place spam filtering solutions, while personal users are happy due to the spam filtering on webmail services such as Gmail. Spam filtering solutions are highly effective at spotting phishing emails and other malicious messages and send them to the spam folder rather than sending them to inboxes.

Messaging services often do not have spam filtering controls. Therefore, malicious messages have a much greater potential for being delivered. many tactics are used to entice recipients to click the links in the messages, usually an offer of a free gift, a very good special offer on a product – the new iPhone for instance – or a money off voucher or gift card is available.

The messages include a link that sends the recipient to the phishing website. The link usually includes a preview of the website, so even if a shortlink is used for the URL, the recipient can see some details about the site. A logo may be displayed beside the page title. That makes it much more likely that the link will be visitied.

Additionally, the message often comes from a known person – a contact in the user’s WhatsApp friends. When a known individual vouches for the site, the chance of the link being clicked is much higher.

To add further authenticity to the WhatsApp phishing scams, the websites often use fake comments from social media sites stating that a gift card has been won or a reward has been received. Some of those comments are positive, and some are neutral, as you would expect from a real prize draw where not everyone is successful.

The websites used in WhatsApp phishing scams often use HTTPS, which show a green tick next to the URL to show that the site is ‘secure.’ Even though the green tick is no guarantee of the legitimacy of a site, many people believe the green tick means the site is genuine.

Gift cards are often handed out for participating in legitimate surveys, so the offer of either a gift card or entry into a free draw is not unusual. In return, the visitor to the site is necessary to answer some standard questions and provide information that would permit them to be contacted – their name, address, phone number, and email address for instance.

The data gathered through these sites is then used for additional phishing attempts via email, telephone, or snail mail which aim to obtain even more personal data. After answering the questions, the website may claim that the user has one, which needs entry of bank account information or credit card details so that the prize money can be paid.

These new WhatsApp phishing scams often have an additional component which assists in spreading the messages much more efficiently to other potential victims. Before any person can claim their free prize or even send their details for a prize draw, they must first agree to share the message with some of their WhatsApp contacts.

Should you receive an unsolicited link from a contact that offers a free gift or money-off voucher, there is a very good chance it may not be authentic and is a WhatsApp phishing scam.

Datto’s Network Security Solutions adds WebTitan

It has been announced, by TitanHQ, that as part of its working alliance with networking and security solution supplier Datto, WebTitan Cloud and WebTitan Cloud for Wi-Fi have been included in the Datto networking range and are available to MSPs as of now.

Datto is the leading supplier of enterprise-level technology to small to medium sized businesses through its MSP partners. Datto provides data backup and disaster recovery solutions, cloud-to-cloud data protection tools, managed networking services, professional services automation, and remote monitoring and management utilities.

This means means that MSP partners can now provide their clients another level of security to safeguard them from malware and ransomware downloads and phishing campaigns.

WebTitan is a completely cloud-based DNS web filtering tool developed with MSPs in mind. Along with In addition allowing businesses to carefully manage the types of websites their employees can access through corporate wired and wireless networks, the solution provides high level t protection against phishing attacks and web-based threats.

With phishing now the main threat faced by SMBs and a rise in ransomware attacks, businesses are asking their MSPs to provide security solutions to counter the threat. Companies that put in place the solution are given real-time protection against malicious URLs and IPs, and employees are stopped from accessing malicious websites through general web browsing and via malicious URLs included in phishing emails.

TitanHQ CEORonan Kavanagh said: “We are delighted that Datto has chosen TitanHQ as a partner in web security. By integrating TitanHQ’s secure content and web filtering service, we are well positioned to offer Datto MSPs a best of breed solution for their small to mid-size customers. We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed,” said John Tippett, VP, Datto Networking. “With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership.”

MSPs will be able to see WebTitan in action at the TitanHQ-sponsored DattoCon 2018 conference in Austin, TX – the largest MSP event in the United States. TitanHQ’s full team will be present.

Fatboy Ransomware Being Sold on Russian Darknet Forums

A new email-borne threat has recently been identified. Known as Fatboy ransomware , this new ransomware-as-a-service (RaaS) being sold on darknet forums in Russia. The RaaS provided would-be cybercriminals the chance to conduct ransomware campaigns without having to formulate their own malicious code.

RaaS has proven hugely popular. By providing RaaS, malicious code authors can inpact more end users by increasing the number of people sharing the ransomware.  In the instance of Fatboy ransomware, the code author is offering restricted partnerships and is dealing with affiliates directly via the instant messaging platform Jabber.

Fatboy ransomware encrypts files via AES-256, generating an individual key for the files and then encrypting those keys  via RSA-2048. A different bitcoin wallet is used for each client and a guarantee is made to transfer funds to the affiliates as soon as the money is transferred. By offering to deal directly with the affiliates, being transparent about the RaaS and offering support, it is envisaged that the code author is trying to earn trust.

Additionally, the ransomware interface has been translated into 12 different languages, allowing campaigns to be carried in many countries globally. Many RaaS offerings are restricted geographically by language.

Fatboy ransomware also has a new feature that aims to maximize the chance of the victim paying the ransom demand. This RaaS permit attackers to set the ransom payment automatically based on the victim’s location. In places with a high standard of living, the ransom payment will be higher.

To calculate the cost of living, Fatboy ransomware implements the Big Mac Index. The Big Mac Index was  devised by The Economist as a method of determining whether currencies were at their correct values. If all currencies are at their correct value, the price of a product in each country should be identical. The product picked was a Big Mac. So the higher the cost of a Big Mac in the victim’s country, the higher the ransom demand that is sent out.

New ransomware variants are always being developed and RaaS permits many more individuals to conduct ransomware campaigns. It is no surprise that the number of ransomware attacks has increased.

The price of resolving a ransomware infection can be significant. Businesses must see to it that they have defenses in place to block attacks and ensure they can recover quickly.

Backup must  be made regularly to ensure files can be easily rescued. Employees should be trained on security best practices to prevent them inadvertently downloading ransomware. Anti-spam solutions should also be put in place to stop malicious emails from reaching end users’ inboxes. Luckily, even with a predicted rise in ransomware attacks, companies can effectively mitigate risk if appropriate defenses are put in place.

Porn Viewers Victims of Safari Scareware

A weakness in the mobile Safari browser has been targeted by cybercriminals and used to extort money from people who have previously used their mobile device to access pornography or other illegal content. The Safari scareware stops the user from logging on to the Internet on their device by loading a series of pop-up messages.

A popup is shown the user that Safari cannot open the requested page. Clicking on OK to shut the message triggers another popup warning. Safari is then locked in an endless loop of popup ads that cannot be shut.

A message is shown in the background stating that the device has been locked because the user has been identified as having viewed illegal web content. Some users have reported messages including Interpol banners, which are intended to make the user believe the lock has been put on their phone by law enforcement. The only way of regaining access to the device, according to the messages, is to pay a fine.

One of the domains used by the hackers is police-pay.com; however, few users would likely be tricked into thinking the browser lock was put in place by a police department as the fine had to be paid in the form of an iTunes gift card.

Other messages tell the user that police action will be taken if the payment is not made. The hackers claim they will send the user’s browsing history and installed files to the Metropolitan Police if the ransom is not paid.

This sort of Safari scareware is nothing new, although the zero-day flaw that was included to display the messages was. The hackers loaded code onto a number of websites which targeted a flaw in the way the Safari browser handles JavaScript pop-up windows. The code targeted iOS versions 10.2 and earlier versions also.

The Safari scareware campaign was recently discovered by Lookout, which passed details of the exploit onto Apple last month. Apple has now issued an update to its browser which stops the attack from taking place. Users can safeguard their devices against attack by updating their device to iOS version 10.3.

Scareware is not the same as ransomware, although both are used to extort money. In the case of ransomware, access to a device is obtained by the hacker and malicious file-encrypting malware is installed. That malware then locks users’ files with powerful encryption. If a backup of the encrypted files is not maintained, the user faces loss of data if they do not pay the hackers for the key to decrypt their locked files.

Scareware may incorporate malware, although more commonly – as was the case with this Safari scareware campaign – it involves inserting malicious code on websites. The code is implemented when a user with a vulnerable browser visits an infected webpage. The thinking behind scareware is to scare the end user into paying the ransom demand to unlock their computer. In contrast to ransomware, which cannot be unlocked without the necessary decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowledge. In this instance, control of the phone could be obtained by clearing the Safari cache of all cookies and data.

Major Increase in Malicious Spam Email Volume in 2016

A recent report on spam email published by anti-virus software developer Kaspersky Lab revealed that the drop in spam email over the past few years appears to have reversed, with the first quarter of 2016 seeing a major rise in malicious spam email volume.

In recent years there has been a drop in the number of spam emails, as hackers have sought other ways to send malware and defraud computer users. In 2015, the volume of spam emails being broadcast fell to a 12-year low. Spam email volume dropped under 50% for the first time since 2003.

In June 2015, the volume of spam emails fell to 49.7% and in July 2015 the figures declined further still to 46.4%, according to anti-virus software developer Symantec. The decline was put down to the taking down of major botnets charged with sending spam emails in the billions.

Malicious spam email volume has stayed reasonably constant during 2015. Between 3 million and 6 million malicious spam emails were identified by Kaspersky Lab during 2015; however, toward the end of the year, malicious spam email volume went up. That trend has persisted in 2016.

Kaspersky Lab figures indicate that spam email messages including malicious attachments – malware, ransomware, malicious macros, and JavaScript – started to rise in December 2015. That rise has persisted, and in March 2016 malicious spam email volume had grown to four times the level seen in 2015. In March, 2016, Kaspersky Lab discovered 22,890,956 malicious spam emails. Spam email volume as a whole surged over the quarter, climbing to an average of 56.92% for the first three months of 2016.

malicious spam email volume in Q1, 2016

Image source: Kasperky Lab

Wide Variety of Malicious Files Being Included in Spam Email

While it was typical for virus-loaded executable files to be broadcast as email attachments, these are now usually detected by email filters and are labelled as spam. However, spammers have been developing new methods of getting past traditional webmail spam filters. The spam emails detected by Kaspersky Lab now included a wide variety of malicious files.

One of the most commonly seen methods now used by spammers is to send office documents that have malicious macros. Microsoft Word files with the extension DOC and DOCX are normally used, as are rich text format files RTF, Adobe PDF files, and Microsoft Excel spreadsheets with the extensions XLS and XLSX.

These file formats are typically opened as many end users are less suspicious of office documents than they are about ZIP, RAR, and EXE files. Most office workers would be aware enough not to open a EXE file that was sent to them by a stranger, yet an office document – a file format they use on a daily basis – is less likely to create suspicion.

Instead of the emails including the actual malware, virus, or ransomware payload, they include Trojan downloaders that download JS scripts. Those scripts then complete the final stage of infection and download the actual malware or ransomware. This sort of attack is used to bypass anti-virus protections.

Email Spam Filters and Web Filters Important for Preventing Malware Infection

There has been a rise in drive-by downloads in recent years as hackers have lured victims to websites containing exploit kits that probe for flaws in browsers and browser plugins. Visitors are sent to these malicious websites when visiting compromised websites, using malvertising, and malicious social media posts. While drive-by downloads are still a significant threat, the use of web filters and anti-virus software browser add-ons are restricting these malware downloads and malicious websites.

Email is still a very effective way of bypassing past security defenses and getting end users to download malware on their devices. Carefully crafted emails that include unique text increase the chance of the scammers getting users to open malicious attachments. Commonly, the messages include personal details about the recipient including their name or address. This has helped the hackers to get the victims to take the desired action and run malicious macros and download malware.

It may be too soon to tell whether spam email volume has only temporarily gone up or if there is a reversal in the decline of spam, but groups and individuals should remain vigilant. The rise in malicious spam email volume should not be disregarded.

 

Reasons Why Your Organization Needs to Archive Emails

There are various different reasons why organizations need to archive their emails nowadays. Emails can contain valuable intellectual property that needs to be protected against loss. Intellectual property, a set of ideas, inventions, and designs, is the thing which gives your business value. For example, Google’s intellectual property is the secrets of their search algorithm.

The term intellectual property can include intangible property such as patents, trademarks and copyrights. These are registered in government coffers, where the government is responsible for enlisting such properties. If we take, for example, the case of a new sorting algorithm or a new chip design, those detailed design documents become a matter of public record where details of that invention will be noted so that someone cannot steal or copy it. In the case that these are stolen or copied, the rights holder can claim infringement.

But trade secrets take on many different formats, such as emails and documents attached to emails. Regardless of what system you use for messages, Exchange or Zimbra, they contain the complete chronological history of the development of your product from conception, to its release, all the way to its revision.

The importance of a reliable archive

Technologies have changed a lot over the years. As a result of this, these documents have been stored in different repositories over the years. Originally, it was stored in shared drives. Following this it was stored in Lotus Notes, then SharePoint. Data should be migrated as a company switches from one platform to another. However, there is the risk that the document or email you wrote 7 years ago and saved on a shared mount point on the LAN could, accidently, go missing. There lies the importance for a reliable system. In addition to this, losing archived documents and their attachments could potentially subject the company to significant regulatory and legal risk.

Legislation related to document retention

The government has specific requirements for document retention. These requirements exist in the EU but are stricter in the US.

As a consequence of the Enron bankruptcy, the Sarbanes-Oxley (SOX) act was passed. This was so companies could document the accuracy of their financial statements. In terms of health care, reform came in the shape of the Health Insurance and Patiently Portability Act (HIPPA).

As a result of the recent Recession and the collapse of Lehman brothers came Franks-Dodds, which is an update to Gramm-leach-Bliley.

The reasoning behind all of this legislation is to make it obligatory for companies to keep electronic records so that they can produce them in the case of litigation, accusations of fraud or whatever dispute a company has with stockholders, stakeholders, or regulators. If you happen to be accused of tampering with any electronic records, it is possible you could face jail time of up to 20 years. Sox record retention requirements is 5 years, for HIPAA it is 6. However, to avoid breaking litigation legislation, it is best to keep a permanent archive.

Protection of intellectual property

You should not only protect the blueprint for a product that needs protection, you should also protect its evolution. In the case of your company bringing action against a competitor for patent infringement or copyright violations, you will require email to document the trail that led to the development of this product. The emails between executives, customers and vendors will help the attorneys make the case that the competitor is profiting through another’s intellectual property.

From discovery to e-discovery

E-discovery is the new phrase that has replaced what attorneys used to call discovery. Archive is becoming more and more crucial. Failure to maintain an archive could constitute a breach of regulations or even result in contempt of court.

There are a number of different archive email systems. One method is the copying of PST and NSF data files to long term storage, then the importing of this data back online when you are looking for something from a few months or a few years ago. The drawbacks to this method is that it can prove inflexible and quite awkward. This method is comparable to exporting an Oracle database to archive format and then importing it back when you are looking for something that is offline.

A superior method of archive email is to sort it in a manner that appears to be not offline at all to the user. This is precisely what an archive email cloud vendor does. The benefit of this kind of configuration is that it lets users search the archive and retrieve documents into the active email folders. Using a cloud email archiving system such as ArcTitan will automatically put you in compliance with the rules for off-site, secure, and tamperproof archives.

Benefits to keeping a protected archive

  • Your company may need the documents kept in the archive in the case of lawsuits. For example unlawful dismissal, product liability, criminal complaints.
  • The archive is also vital in the case of vendor or contract disputes and issues surrounding product warranties. These are almost always found in emails, e.g. invoices, scanned contracts, and agreements.
  • The archive is also important if your company were to lose the technical details of how to do something today that may have been done 5 years ago, when the employee who designed that was still a part of the company.

In summary, there is a wide array of reasons showing that organizations need to archive emails. Therefore you should aim to reduce risk to your business by putting your email archive in the secure cloud with a company that focuses on that such as ArcTitan.

New Saturn Ransomware Variant Offered as RaaS

A new threat, Saturn ransomware, has been recently identified by security researchers at MalwareHunterTeam. This malware derives its name from the extension added to encrypted files (.saturn).

Though it is simple enough to determine the ransomware variant used in an attack, this will be of little use to unsuspecting device owners as there is currently no decryptor available to rescue files.

Just one infection can rapidly spread laterally, encrypting files on an infected device as well as database shares. Rescuing files from backups may prove difficult as the Saturn ransomware searches for and erases shadow volume copies. Then is clears the Windows backup catalog and turns off Windows startup repair.

If no viable backup is maintained, the victim must pay a ransom payment in bitcoin of around $300 per infected device. If payment is not completed within 7 days of infection, the ransom payment doubles.

As is the case with many new ransomware variants, attacks can come from anywhere. This is due to the fact that the new ransomware variant is being provided to affiliates as ransomware-as-a-service.

Ransomware-as-a-service gives malware developers the power to maximize the number of infections – and profits – by hiring a large team of distributors to send spam emails, load the ransomware onto malicious websites and download the malicious software by taking advantage of weak security defenses. In exchange for their efforts, affiliates are allocated a percentage of the ransom payments that are made.

The developers of Saturn ransomware have made it very simple for affiliates. A portal has been produced that allows affiliates to obtain copies of the ransomware binary either embedded in exe files or Office, PDF files or other documents. To encourage individuals to using this ransomware variant as opposed to other RaaS offerings, the developers are offering a large percentage of the ransom payments to affiliates – 70%.

The simplicity of running campaigns along with the possible rewards for infection means many affiliates are likely to start utilizing the new ransomware variant in hacking campaigns. The new variant of malware is already being provided on various darknet forums.

Rockingham School District Loses $314,000 to Emotet Malware Infection

The Rockingham school district in North Carolina identified that Emotet malware had been downloaded to its network in late November. The cost of tackling the infection was a massive $314,000.

The malware was sent using spam emails, which arrived in multiple users’ inboxes. The attack incorporate a commonly used ploy by cybercriminals to get users to download malware.

The emails seemed to have been sent by the anti-virus vendor used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice included as an attached file. The emails seem genuine and were similar to many other legitimate emails received everyday.

The emails requested that the recipient open and review the attached invoice; however, doing so would see malware downloaded and installed on the email recipient’s computer.

Soon after those emails were received and opened, staff started to experience problems. Internet access appeared to have been blocked for some users. Reports from Google saying email accounts had been shut down due to spamming started to be received. The school district investigated and discovered several devices and servers had been infected with malware.

Emotet malware is a network worm that can spread across a network. Infection on one machine will see the virus sent to other vulnerable devices. The worm installs a type of banking malware on infected devices that is used to steal victims’ credentials such as online banking information.

Emotet is a very advanced malware variant that is hard to detect and erase. The Rockingham school district discovered just how troublesome Emotet malware infections can be when efforts were made to remove the worm. The school district was able to successfully clean some infected machines by re-imaging the devices; however, the malware simply re-infected those devices.

Resolving the attack required assistance from security specialists, but even with expert help the recovery process is expected to take up to four weeks. 10 ProLogic ITS engineers will spend around 1,200 on site re-imaging machines. 12 servers and possibly up to 3,000 end points must be reimaged to remove the malware and stop reinfection. The cost of cleanup will be as high as $314,000.

Attacks such as this are far from rare. Cybercriminals target a wide range of flaws to install malware on business computers and servers. In this case the attack used gaps in email defenses and a lack of security awareness of staff. Malware can similarly be downloaded by exploiting unpatched flaws in software, or by drive-by downloads using the Internet.

To safeguard against Emotet malware and other viruses and worms layered defenses is necessary. An advanced spam filtering solution can ensure malicious emails are not broadcasted, endpoint detection systems can identify atypical user behavior, antivirus solutions can possibly detect and prevent infections, while web filters can block web-based attacks and drive-by downloads. End users are the last line of security and should therefore be trained to identify malicious emails and websites.

Only a combination of these and other cybersecurity defenses can keep companied secure. Luckily, with layered defenses, it is possible to avoid expensive malware and phishing attacks such as the one suffered by the Rockingham school district.

Dating and Valentine’s Day Email Scams Pose Problems for Businesses

Dating scams are on the rise significantly in January and this trend has continued in February. Most people would have notice a significant increase in the amount of emails arriving into their inboxes on a daily basis.

The emails seem to have been broadcasted sent by Russian women who are looking for a romantic interest. Unsolicited emails from attractive women who include attached of suggestive pictures and messages stating that the recipient is particularly attractive are certain to be spam, yet the emails are quite  effective. The FBI’s figures  show that around $230 million is lost to these scams alone on an annual basis. In 2016, the FBI were contacted with almost 15,000 complaints in relation to financial losses as a result of dating and romance cyber scams.

There were two major increases in spam email volume between January 15 and 17 and January 29 and February 2 when around 35 million dating spam messages were broadcast using the Necurs botnet. Over 230 million messages were sent in a two-week long campaign in January. The chief focus of the campaign is to obtain credit card details, payments for airplane flights to bring the women over to the US, but in many cases the purpose is to trick the email recipient into downloading malware.

Criminals use all manner of tactics to entice users to open files. Another effective technique, emphasized by security awareness training firms KnowBe4 and PhishMe, is the use of eCards, particularly on Valentine’s Day. Links are sent that appear to be from authentic eCard sites that ask users to click the link to view a Valentine’s day card from a secret admirer. The aim is to deliver malware.

Valentine’s day email hacking campaigns in 2016 also include messages alerting the recipient about the failed delivery of flowers from Interflora and email attachments purporting to be delivery receipts.

It is probably that these emails are being opened that makes defending against them a significant security worry for businesses. One single click is all it takes for malware to be downloaded, and since many malware variants can quickly spread laterally, one click could be all it takes to compromise an entire database.

Rockingham School District Pay $314,000 to Resolve Emotet Malware Infection

In November 2017 the Rockingham school district in North Carolina discovered Emotet malware had been installed on its network, resulting in a payment of $314,000 to resolve the infection.

The malware was sent via spam emails, which landed in multiple users’ inboxes. The attack involved a regularly used ploy by cybercriminals to get users to downlad malware.

The emails seemed to have been shared by the anti-virus vendor used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice included as an attachment. The emails appeared genuine and were similar to many other legitimate emails received on a consistent basis.

The emails requested the recipient to open and check the attached invoice; however, doing so would see malware installed on the email recipient’s computer.

Not long after those emails were received and opened, staff started to experience issues. Internet access appeared to have been disabled for some users. Reports from Google saying email accounts had been shut down due to spamming began to be received. The school district investigated and saw that several devices and servers had been infected with malware.

Emotet malware is a network worm that can spread across a network. Infection on one machine alone will see the virus transmitted to other vulnerable devices. The worm leaves a type of banking malware on infected devices that is used to obtain victims’ credentials including online banking details.

Emotet is a very advanced malware variant that is difficult to identify and hard to delete. The Rockingham school district noticed just how problematic Emotet malware infections can be when efforts were made to remove the worm. The school district was able to properly clean some infected machines by reimaging the devices; however, the malware then easily re-infected those computers.

Tackling the attack required assistance from security specialists, but even with expert help the recovery steps are expected to take up to a month. 10 ProLogic ITS engineers will spend around time on site reimaging 1,200 machines. 12 servers and potentially up to 3,000 end points must be reimaged to delete the malware and stop reinfection. The estimated cost of cleanup will be $314,000.

Attacks such as this quite common. Cybercriminals attack a wide range of vulnerabilities to install malware on business computers and servers. In this instance the attack took advantage of gaps in email defenses and a lack of security awareness of staff. Malware can similarly be downloaded by exploiting unpatched flaws in software, or by drive-by downloads over the Internet.

To safeguard against Emotet malware and other viruses and worms layered defenses are needed. An advanced spam filtering solution can make sure malicious emails are not issued, endpoint detection systems can detect atypical user behavior, antivirus solutions can possibly detect and prevent infections, while web filters can prevent web-based attacks and drive-by downloads. End users are the last line of defense and should therefore be trained to spot malicious emails and websites.

Only a combination of these and other cybersecurity measure can keep organizations well safeguarded. Luckily with layered defenses, costly malware and phishing attacks such as the one experienced by the Rockingham school district can be avoided.

Redboot Malware Encrypts Files and Replaces MFT

RedBoot, a new malware threat, been identified by cyber security researchers. This threat is not unlike NotPetya as it appears to be a form of ransomware, when in it is really a wiper.

RedBoot malware can encrypt files, making them inaccessible, encrypted and allocated the .locked extension. Once the encryption process is finished, a ‘ransom’ note is displayed to the user, providing an email address to use to discover how to unlock the encrypted files. Like NotPetya, RedBoot malware also alters the master boot record.

RedBoot incorporates a module that overwrites the current master boot record and it also seems that changes are carried out on the partition table, but there is currently no mechanism for undoing those changes. There is also no command and control server and even though an email address is given, no ransom demand appears to be be made. RedBoot is therefore a wiper, not ransomware.

In it’s current guise the malware causes permanent damage, even if it is the intention of the developer is to use this malware to extort money from victims. It is strange that an incomplete version of the malware has been released and advance notice has been released about a new version that is about to be made public, but it does give businesses time to ready themselves.

The attack vector has yet to be identified, so it is not possible to give specific instructions on how to prevent RedBoot malware attacks. The security measures that should be put in place are therefore the same as for stopping any malware variant.

A spam filtering solution should be put in place to block malicious emails, users should be warned to the threat of phishing emails and should be shown how to identify malicious emails and told never to open attachments or click on hyperlinks sent from unknown people.

IT teams should make sure all computers and servers are fully patched and that SMBv1 has been turned off or SMBv1 vulnerabilities have been addressed and antivirus software should be downloaded on all computers.

It is also important to back up all systems to ensure that in the event of an attack, systems can be restored and data rescued.

Malware Attack at Forever 21 POS Continued for 7 Months

A recently identified Forever 21 POS malware attack has resulted in customers’ credit card data being accessed. While malware attacks on retail POS systems are now a regular occurance, in the case of the Forever 21 POS malware attack, the security breach is significant due to the length of time malware was enabled on its systems. Hackers first obtained access to its POS system seven months before the infection was noticed.

The Forever 21 POS malware infections were first discovered in October, when a third-party connected credit card fraud to customers who had previously visited Forever 21 stores. The possible malware infections were reviewed and a third-party cybersecurity firm was called in to help.

Forever 21 first made the public announcement about a data breach in November, although the investigation has been constant and now new details about the attack have been released.

The investigation has shown that the attack was extensive and impacted many POS devices used in its U.S. stores. The Forever 21 POS malware attack began on April 3, 2017, with further devices infiltrated over the following 7 months until action was taken to safeguard its systems on November 18, 2017. Forever 21 reports that some POS devices in its stores were only accessed for a few days, others for a few weeks, while some were compromised for the entire seven months.

Reacting to the increased threat of cyber attacks on retailers, Forever 21 started deploying encryption technology on its payment processing systems in 2015; however, the investigation showed the encryption technology was not always enabled.

While the encryption technology was enabled, the hackers would have been unable to obtain the credit card details of its customers, although the information could be stolen at times when the encryption technology was switched off.

Additionally, some devices that were compromised by the malware maintained logs of completed credit card transactions. When the encryption technology was not enabled, details of completed transactions were stored in the logs and could therefore be read by the hackers. Since those logs included details of transactions prior to the malware infections, it is possible that customers who visited affected Forever 21 stores before to April 3, 2017 may also have had their credit card details obtained.

Each store uses many POS devices to take payments from customers, and in most cases only one device per store was infiltrated. The attackers focused their efforts on stores where POS devices did not have encryption turned on. Additionally, the hackers main aim appeared to be to find and infect devices that kept logs of transactions.

On the majority of POS devices, the hackers searched for track data read from payment cards, and in most instances, while the number, expiry date and CVV code was obtained, the name of the card holder was not.

The review into the Forever 21 POS malware attack is still active, and currently it is unclear exactly how many of the company’s 700+ stores have been impacted, how many devices were infected, and how many customers have had their credit and debit card details obtained. However, it is reasonable to expect that an attack of this duration will have impacted many thousands of customers.

The exact type of malware used in the attack is not known, and no reports have been issued that indicate how the hackers obtained access to its systems. It is not yet known if stores outside the US have been impacted.

Million Email a Month Campaign Distributing Adwind RAT

Antivirus software vendor Symantec has discovered a huge spam email campaign that is distributing Adwind RAT variants. While the Adwind RAT may appear to be a relatively harmless adware, this is not the case.

The most recent Adwind RAT variants have a wide variety of malicious functions, and act as keyloggers that can record login credentials and monitor user activity, capture screenshots, hijack the microphone and webcam to record audio and video, and as if that was not sufficient, the Adwind RAT allows the hacker to install further malicious files.

As is now common, the emails spreading Adwind RAT variants are realistic and appear to be authentic communications from actual firms. At a time when parcels are likely to arrive in the mail, the hackers have chosen a particularly relevant tactic to maximize the chance of emails being opened. Alerts about parcels that could not be sent.

Companies are also being targeted with malicious attachments claiming to be account statements, invoices, purchase order details, and payment receipts. The emails are well articulated and appear to have been sent from legitimate firms.

The spam emails have two malicious email attachments, a JAR file and what seems to be a PDF file. In the case of the latter, it has a double file extension, which will look like a PDF file if file extensions are not displayed. It is actually another JAR file. The files include layers of obfuscation in an attempt to bypass antivirus controls.

If the JAR files are run, they place a further JAR file and run VBS scripts which initiate legitimate Windows tools to review  the environment, discover the firewall in use, and other security products downloaded to the device. They then set about turning off monitoring controls.

The scheduling of this Adwind RAT campaign is perfect to catch out as many people as possible. The festive period is a particularly busy time, and the rush to identify bargains and purchase gifts online sees many Internet users let their guard down. Further, as many companies close over the festive period it gives the hackers more time to explore networks.

Infection with the Adwind RAT can result in sensitive data being stolen, and login credentials accessed, email accounts to be pilfered and abused and permission to be gained for viewing corporate bank accounts. A single successful download of the Adwind RAT can be lethal.

Recent MS Office Patch Vulnerability Exploited by Cobalt Malware

A spam email campaign has been discovered that is distributing a variety of Cobalt malware. The hackers use the Cobalt Strike penetration testing tool to take full management of an infected device. The attack uses an exploit for a recently patched Microsoft Office flaw.

The spam emails seem to have been sent by Visa, advising the recipient about recent changes to its payWave service. The emails include a compressed file attachment that is password-secured. The password required to extract the contents of the zip file is included in the body of the email.

This is an apparent attempt to trick email recipients into thinking Visa had included security controls to stop unauthorized individuals from viewing the information in the email – a reasonable security measure for a financial communication. Also included in the email is a RTF file that is not password secured. Opening that file will initiate a PowerShell script that will install a Cobalt Strike client that will ultimately give the hackers full control of the infected device.

The hackers leverage a flaw in Microsoft Office – CVE-2017-11882 – which was patched by Microsoft earlier this month. The hackers use legitimate Windows tools to execute a wide range of commands and spread laterally through a network.

The campaign was discovered by researchers at Fortinet, who report that by exploiting the Office flaw, the hackers download a Cobalt Strike client and multiple stages of scripts which are then used to install the main malware payload.

The vulnerability has existed in Office products for 17 years, although it was only recently discovered Microsoft. Within a few days of the weakness being detected, Microsoft issued a patch to correct the flaw. Within a few days of the patch being released, threat actors started attacking the vulnerability. Any device that has a vulnerable version of Office installed is susceptible to attack.

This campaign shows just how important it is for patches to be applied quickly. As soon as a vulnerability is made public, malicious actors will use the vulnerability in attacks. When patches are made public, malicious actors get straight to work and reverse engineer the patch, allowing them to identify and exploit flaws.  As these attacks indicate, it may only take a few hours or days before vulnerabilities are attacked.

The recent WannaCry and NotPetya malware attacks indicated just how easy it is for vulnerable systems to be attacked. Both of those attacks targeted a vulnerability in Windows Server Message Block to obtain access to systems. A patch had been issued to address the flaw eight weeks before the WannaCry ransomware attacks happened. Had patches been applied swiftly, it would not have been possible to download the ransomware.

 

Smoke Loader Malware Malvertising Campaign Using Health Tips as Bait

Cybercriminals are broadcasting Smoke Loader malware using a new malvertising campaign that uses health tips and advice to bait end users to visiting a malicious website hosting the Terror Exploit Kit.

Malvertising is the label given to malicious adverts that seem genuine, but redirect users to phishing sites and websites that have toolkits – exploit kits – that search for unpatched flaws in browsers, plugins, and operating systems.

Spam email is the chief vector used to spread malware, although the threat from exploit kits should not be disregarded. Exploit kits were used widely in 2016 to deliver malware and ransomware, and while EK activity has fallen significantly toward the end of 2016 and has remained fairly low in 2017, attacks are still taking place. The Magnitude Exploit it is still extensively used to share malware in the Asia Pacific region, and recently there has been an spike in attacks elsewhere using the Rig and Terror exploit kits.

The Smoke Loader malware malvertising campaign has now been ongoing for almost two months. ZScaler first noticed the malvertising campaign on September 1, 2017, and it has remained live throughout October.

Fake advertisements are often used to lure users to the malicious sites, although the most recent campaign is using weight loss promises and help to quit smoking to attract clicks. Obfuscated JavaScript is included in adverts to redirect users to malicious websites hosting the Terror exploit kit.

Exploit kits can be loaded with several exploits for known flaws, although the Terror EK is currently trying to exploit two key weaknesses: A scripting engine memory corruption vulnerability (CVE-2016-0189) that impacts Internet Explorer 9 and 11, and a Windows OLE automation array RCE vulnerability (CVE-2014-6332) affecting unpatched versions of Windows 7 and 8. ZScaler also reports that three Flash exploits are also deployed.

Patches have been published to address these vulnerabilities, but if those patches have not been applied systems will be susceptible to attack. Since these attacks take place without any user interaction – other than visiting a site hosting the Terror EK – infection is all but guaranteed if users respond to the malicious advertising.

Smoke Loader malware is a backdoor that if downloaded, will give cybercriminals full access to an infected device, allowing them to take data, launch further cyberattacks on the network, and install other malware and ransomware. Smoke Loader malware is not a new development – it has been around since at least 2011 – but it has recently been upgraded with several anti-analysis mechanisms to stop detection. Smoke Loader malware has also been linked with the installation of the TrickBot banking Trojan and Globelmposter ransomware.

To safeguard against attacks, organizations should ensure their systems and browsers are updated to the most recent versions and patches are applied swiftly. Since there is normally a lag between the release of a new patch and installation, organizations should think about the use of a web filter to restrict malicious adverts and restrict web access to staff members from visiting malicious websites.

Social Media Accounts Hijacks by Banking Terdot Trojan

The Terdot Trojan is a form of Zeus, a highly successful banking Trojan that first was seen in 2009. While Zeus is no longer doing the rounds, its source code has been available since 2011, allowing cyber criminals to produce new banking Trojans using its sophisticated code.

The Terdot Trojan is not brand new, having first being seen in the middle of 2016, although a new variant of the credential-stealing malware has been produced and is being actively used in attacks, mostly in Canada, the United States, Australia, Germany, and the United Kingdom.

The new variant incorporates many new features. Not only will the Terdot Trojan steal banking details, it will also spy on social media activity and includes the functionality to change tweets, Facebook posts, and posts on other social media platforms to contact the victim’s contacts. The Terdot Trojan can also alter emails, targeting Yahoo Mail and Gmail domains, and the Trojan can also inject code into websites.

Additionally, once downloaded on a device, Terdot can download other files. As new strains are produced, the modular Trojan can be automatically updated.

The latest guise of this dangerous malware was discovered by security researchers at Bitdefender. Bitdefender researchers have revealed that, in addition to modifying social media posts, the Trojan can create posts on most social media platform  and expect that the stolen social media details are likely sold on to other malicious actors, spelling further misery for vtjose impacted.

Apart from social media infections, the Trojan is shared using phishing emails. One such spam email campaign incorporate buttons that appear to be PDF files, although a click will initiate JavaScript which starts the infection process. However, Bitdefender researchers have stated that the primary infection vector appears to be the Sundown exploit kit – exploiting flaws in web browsers.

Sadly, spotting the Terdot Trojan is difficult. The malware is installed using a complex chain of droppers, code injections and downloaders, to minimize the risk of detection. The malware is also installed in chunks and assembled on the infected device. Once downloaded, it can remain undetected and is not currently picked up by many AV solutions.

Bitdefender. said: “Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean.”

Safeguarding against threats like banking Trojans requires powerful anti-malware tools to detect and obstruct downloads, although businesses should consider  extra measure to block the main attack vectors: Exploit kits and spam email.

Spam filtering software should be implemented in order to block phishing emails containing JavaScript and Visual Basic downloaders. A web filter is also strongly recommended to block access to web pages known to host malware and exploit kits. Even with powerful anti-virus, web filters, and spam filters, staff members should be trained to be more security aware. Constant training and cybersecurity updates can help cut out risky behavior that can lead to malware infections on servers.

New Ordinypt Malware Wiper Disguised as Ransomware Discovered

Ordinypt malware is, at present, seen to being deployed in targeted attacks on businesses in Germany. Despite that, at first, this Ordinypt malware looking like ransomware, the malware is really a wiper.

Once the wiper has been installed, files on the infected device are made inaccessible and a ransom demand is issued. The hackers ask for 0.12 Bitcoin – around $836 – to restore files.

Ordinypt malware does not encrypt files – it simply erases the original file name and puts a random string of letters and numbers in its place. The contents of attacked files are also replaced with random letters and numbers.

Even if the ransom demand is met, the hackers do not have a mechanism to allow victims to recover their original files. The only sure-fire way to recover files is to restore them from an external backup. This is different to many ransomware variants that make it difficult to rescue files by deleting Windows Shadow Volume copies, those are left intact, so it may be possible for users to rescue some of their files.

Ordinypt malware – or HSDFSDCrypt as it was first known – was detected by Michael Gillespie. A sample of the malware was gathered and analyzed by German security researcher Karsten Hahn from G Data Security. G Data Security retitled the malware Ordinypt.

Hahn says that Ordinypt malware is badly written with a bad coding style, suggesting this is not the work of a skilled hacker. Hahn commented: “A stupid malware that destroy information of enterprises and innocent people and try steal money.”

The hackers are using a common technique to increase the number of infections. The malware is hidden as PDF files which are distributed via spam email. The messages claim to be applications in reply to job vacancy adverts. Two separate files are included in a zip file attachment, which look like a resume and a CV.

While the files look like PDFs, and are displayed as such, they actually have a double extension. If the user’s computer has file extensions turned off, all that will be displayed is filename.pdf, when in actual fact the file is filename.pdf.exe. Clicking on either of the files will run the executable and initiate Ordinypt malware.

In recent times there have been many wiper malware variants detected that pretend to be ransomware. The hackers are taking advantage of the media coverage surrounding ransomware attacks, and are fooling end users into meeting the ransom demands, when there is no way of recovering files. It is not clear whether the reason for the hacking campaign is to make money. It is possible that these attacks are simply aimed at causing disruption to businesses, as was the case with the NotPetya wiper campaign.

Regardless of how badly written this malware is, it is still effective and can cause major disruption to businesses. Safeguarding against this, and other email-based malware threats, requires a combination of end user training and information technology.

End users should be aware of the dangers of opening attachments from unknown senders and should assume that all such emails could be harmful. In this instance, the malware is poorly written but the emails are not. They use perfect German and appear authentic. HR staff could be easily fooled by a ruse such as this.

The best security against threats such as these is using an advanced spam filter such as SpamTitan. Stopping these emails from reaching inboxes is the best security.

By setting up the spam filter to stop executable files, the messages will be sent to a quarantine folder rather than being delivered, stopping the threat.

 

Focused Attacks on Manufacturing and Aerospace Sectors Using FormBook Malware

FormBook malware software is being used in focused attacks on the manufacturing and aerospace sectors according to Internet security experts at FireEye, although malware attacks are not restricted to these sectors.

So far, the malware attacks seem to have been targeting organizations in the United States and South Korea, although it is highly probably that attacks will spread to other regions due to the low cost of this malware-as-a-service, the simplicity using the malware, and its extensive functionality.

FormBook malware is being made available on underground forums and can be rented for as little as $29 per month. Executables can be set up using an online control panel, a process that requires next to no expertise. Due to this, this malware-as-a-service is likely to be used by many cybercriminals.

FormBook malware is a data stealer that can log keystrokes, take data from HTTP sessions and steal clipboard content. Using the connection to its C2 server, the malware can receive and run commands and can download files, including other malware variants. Malware variants found to have already been downloaded by FormBook include the NanoCore RAT.

FireEye researchers have also revealed that the malware can obtain passwords and cookies, start and stop Windows processes, and force a reboot of an infected computer.

FormBook malware is being spread using spam email campaigns and compressed file attachments (.zip, .rar), .iso and .ace files in South Korea, while the cyber attacks in the United States have mostly involved .doc, .xls and .pdf files. Large scale spam campaigns have been carried out to spread the malware in both countries.

The U.S campaigns identified by FireEye used spam emails linked to shipments sent via DHL and FedEx – a common choice for cybercriminals. The shipment labels, which the emails say must be printed so they can be used to collect the packages, are in PDF form. Concealed in the document is a tny.im URL that sends victims to a staging server that installs the malware. The campaigns using Office documents send the malware via malicious macros. The campaigns carried out in South Korea normally include the executables in the attachments.

While the manufacturing industry and aerospace/defense contractors are the main focus, attacks have also been aimed at a wide range of sectors, including education, services/consulting, energy and utility companies, and the financial services. All groups, regardless of their sector, should be ready for this threat.

Organizations can safeguard against this new threat by implementing good cybersecurity best practices such as setting up a spam filtering solution to prevent malicious messages and stop files such as ISOs and ACE files from being sent to end users. Organizations should also warn their staff about the threat of attack and supply training to help employees recognize this spam email campaign. Macros should also be turned off on all devices if they are not required for general work duties, and at a minimum, should be set to be run manually.

Shadow Brokers Release UNITEDRAKE Malware

Shadow Brokers are after developing a new National Security Agency (NSA) hacking tool – UNITEDRAKE malware – following through on their promise to publish monthly releases of NSA exploits. The most recent  malware variant is one of many that were allegedly stolen from the NSA during 2016.

Shadow Brokers previously made the ETERNALBLUE exploit available which was deployed in the WannaCry ransomware attacks in May that impacted thousands of businesses around the world. There is no reason to think that this new hacking tool is not exactly what they say it is.

UNITEDRAKE malware is a modular remote access and management tool that can record microphone and webcam output, log keystrokes, and obtain access to external drives. Shadow Brokers say that UNITEDRAKE malware is a ‘fully extensive remote collection system’ that incorporates a variety of plugins offering a range of functions that permit malicious actors to carry out surveillance and gather date for use in further cyberattacks. UNITEDRAKE malware gives hackers the ability to take full management of an infected device.

Plugins include CAPTIVATEDAUDIENCE, which captures conversations using an infected computer’s microphone, GUMFISH gives the hackers control of the webcam and allows them to record video and take images. FOGGYBOTTOM saves data such as login credentials, browsing histories and passwords, SALVAGERABBIT can access data on external drives including flash drives and portable hard drives when they are linked, and GROK is a keylogger plugin. The malware can also able to self-destruct when its tasks have been carried out.

The malware can be enabled on older Windows versions including Windows XP, Vista, Windows 7 and 8 and Windows Server 2012.

Documents released by Edward Snowden in 2014 state that the malware has been used by the NSA to infect millions of computers globally. The malware will soon available to any cybercriminal willing to pay the asking price of 500 Zcash – around $124,000. Shadow Brokers have published a manual for the malware outlining how it works and its various functions.

TrendMicro said in a recent blog post there is, at present, no way of blocking or preventing the malware from being installed. When attacks take place, they will be reviewed by security researchers looking for clues as to how the malware operates. That should finally lead to the development of tools to block attacks.

Until that time, groups need to enhance their security posture by ensuring all systems are patched and operating systems are upgraded to the most recent versions. An incident response programme should also be developed to ensure it can be put in place promptly following an attack.

A further NSA exploit is due to be released later in September, with the monthly dumps predicted to be published for at least the next eight weeks.

Healthcare and Education Sectors hit by Defray Ransomware

Defray ransomware is being used in targeted hacking campaigns on groups in the healthcare and education sectors. The new ransomware variant is being shared via email; however, in contrast to many ransomware campaigns, the emails are not being distributed in the millions. Rather than use the spray and pay method of broadcast, smaller scale campaigns are being carried out consisting of just a few emails.

To boost the chances of a successful infection, the hackers behind Defray ransomware are carefully crafting messages to target to specific victims in a group. Researchers at Proofpoint have captured emails from two small campaigns, one of which includes hospital logos in the emails and claims to have been shared to the Director of Information Management & Technology at the hospital.

The emails include an Microsoft Word attachment that seems to be a report for patients, relatives and carers. The patient report incorporates an embedded OLE packager shell object. If the link is clicked on, this executable downloads and downloads Defray ransomware, naming it after an authentic Windows file.

The ransom demand is large. Victims are directed to pay $5,000 per infected device for the keys to unlock the encryption, although the ransom note does imply the hackers are prepared to negotiate on price. The hackers suggest victims should create a backup of their files to avoid having to pay ransoms going forward.

At present there is no known decryptor to tackle defray ransomware. Files are encrypted using AES-256 with RAS-2048 used to encrypt the AES-256 encrypted password while SHA-2 is used to control file integrity. ALong with to encrypting files, the ransomware variant can create other disruption and will erase volume shadow copies to prevent the restoration of files without paying the ransom.

The developers of the ransomware have not given their malicious code a title and in contrast to most ransomware variants, the extensions of encrypted files are not amended. Proofpoint named the variant Defray ransomware from the C2 server used by the hackers.

A second campaign has been discovered targeting the production and technology sector. In this case, the email seems to have been sent by a UK aquarium (Sea Life) with facilities around the world. The emails and attachments are not the same, although the same OLE packager shell object is used to infect end users.

The hackers have been sending these malicious emails to people, user groups and distribution lists. Attacks have happened in both the United States and United Kingdom and are likely to go on.

Safeguarding against these targeted attacks requires a combination of spam filtering software and end user training. Healthcare, education, technology and manufacturing companies should think about sending an email alert to end users warning of the dangers of ransomware attacks, advising end users to use caution and not to open email attachments from unknown senders and never to click on a link to allow content on email attachments.

Disdain Exploit Kit Available for Hire on Darknet Forums

Exploit kit activity has dropped considerably since 2017, but new variants are being formulated, one of the latest vesions being the Disdain exploit kit.

An exploit kit is a web-based toolkit capable of probing web users’ browsers for weakness. If flaws are found, they can be targeted to silently download ransomware and malware.

All that is necessary for an attack to take place is for web users to be sent to the domain hosting the exploit kit and for them to have a vulnerable browser outdated plugin. At present, the author of the Disdain exploit kit believes his/her toolkit can exploit more than a dozen separate weaknesses in Firefox, IE, Edge, Flash and Cisco WebEx – Namely, CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710, CVE-2017-0037, CVE-2016-7200, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551, CVE-2016-4117, CVE-2016-1019, CVE-2015-5119, and CVE-2017-3823. Many of those exploits are recent and would have a high probability of success.

No malware distribution campaigns have so far been discovered using the Disdain exploit kit, although it is likely to just be a matter of time before attacks are carried out. The Disdain exploit kit has only just begun being offered on underground forums.

Luckily, the developer does not have a particularly good reputation on the dark forums, which is likely to slow the use of the exploit kit. However, it is being sold at a low price which may be attractive to some malware distributors to start conducting campaigns. The EK can be hired for as little as $80 a day, with discounts being given for weekly and monthly use. The Disdain exploit kit is being sold for considerably less than some of the other exploit kits currently being sold on the forums, including the Nebula EK.

All that is needed is for someone to hire the kit, activate the malicious payload, and send  traffic to the domain hosting the Disdain exploit kit – such as through a malvertising campaign or botnet. The price and capabilities of the EK mean it could become a major threat.

Mamba Ransomware Attacks Seen Again

In November 2016, Mamba ransomware targeted the San Francisco Municipal Transportation Agency (Muni). The hackers issued a ransom demand of 100 Bitcoin – $73,000 – for the keys to disable the encryption. Muni refused to pay up, instead choosing to recover files from backups. However, the Mamba ransomware attack still proved expensive to the company. The attack took its fare system out of action and passengers were permitted to travel for free for more than a day, a normal weekend day’s takings would be around $120,000.

Since then the Mamba ransomware has not been seen so much. However, this month has seen several Mamba ransomware attacks, suggesting that the gang behind the malware is operating again. Those attacks are geographically focused with companies in Saudi Arabia and Brazil currently in the firing line, according to Kaspersky Lab researchers who first noticed the attacks.

Mamba ransomware uses DiskCryptor for full disk encryption instead of searching for and encrypting certain file types. That means a Mamba ransomware attack will stop the operating system from running.

Once downloaded, the malware forces a reboot of the system and changes the Master Boot Record and encrypts disk partitions and reboots again, this time victims are shown a warning screen advising data have been encrypted. The attacks share some commonalies with the NotPetya (ExPetr) attacks of June.

The algorithms which used to encrypt the data are strong and there is no known decryptor for Mamba Ransomware. If the disk becomes encrypted, victims face complete file loss if they do not have a viable backup and refuse to pay the ransom demand. However, the most recent attacks make no mention of payment of a ransom. Victims are just told to email one of two email addresses for the decryption key.

The reason for this approach is it enables ransoms to be set by the hackers on an infection by infection basis. Once the extent of encryption is seen and the victim is identified, the hackers can set the ransom payment accordingly.

It is not yet known whether the hackers hold the keys to unlock the encryption and whether payment of the ransom will lead to file recovery. Kaspersky reports that the group responsible for this ransomware variant has not been identified. This may be a criminal attack by an organized crime gang or a nation-state sponsored cyberattack where the aim is not to obtain ransoms but to sabotage companies.

 

Worrying New RaaS Satan Ransomware Discovered

A new type of hacking campaign using Satan Ransomware is being sold to any would-be hacker or cybercriminal free of charge using an affiliate model known as ransomware-as-a-service or RaaS. The idea behind RaaS is basic. Developers of ransomware can infect more computers and networks if they get a team to help to distribute their malicious software. Anyone willing to spend a little time to distributing the ransomware will receive a portion of any profits.

Ransomware authors usually charge a nominal fee for individuals to take part in these RaaS schemes, Along with taking a percentage of any ransomware payments that are generated. In the case of Satan ransomware, the developers offer RaaS completely free of charge. Anyone who wants to share the malicious software is free to do so. In exchange for their efforts they get to keep 70% of the ransom payments they generate. The other 30% goes to the ransomware authors. The group behind the RaaS also offers higher percentages as infections rise as a reward for effort. All that is required to begin is to create a username and password. Access to the ransomware kit can then be obtained.

What is worrying is how easy it is to take part in this RaaS scheme and custom-craft the malware. The gang responsible for the campaign has developed an affiliate console that allows the malware to be amended. The ransom amount can be easily fixed, as can the time frame for making payments and how much the ransom will rise if the payment deadline is exceeded.

Help is also give to for the distribution of the malware. Assistance is supplied to make droppers that install the malware on victims’ systems. Help is provided to create malicious Word macros and CHM installers that can be used in spam email campaigns. Help is also given to encrypt the ransomware to avoid detection. Even multi-language support is available. Any would-be hacker can craft ransom demands in multiple languages via the RaaS affiliate console.

Satan ransomware carries out a check to determine if it is running on a virtual machine. If it is, the ransomware will disable itself. If not, it will run and will look for over 350 different file types. Those files will be locked with powerful encryption. File extensions are altered to. stn and the file names are scrambled to make it harder for victims to pinpoint individual files. The ransomware will also delete all free space on the hard drive before the ransom demand is placed onto the desktop.

There is no decryptor available for Satan ransomware. Recovery without paying the ransom will depend on groups being able to restore files from backups. As the ransomware also encrypts backup files, those backups will have to be located in the cloud or on isolated devices.

 

IRS Instructed to Implement an Enterprise Email Archiving Solution by TIGTA

The Treasury Inspector General for Tax Administration (TIGTA) have recently been calling for the IRS to implement an enterprise email archiving solution, according to reports. An email archiving solution for enterprise allows emails to be retrieved on demand as well as ensuring messages remain usable. Emails must be able to be produced by companies in the event of an audit and during the legal discovery process. An email archive is searchable and allows emails to be quickly and easily located and accessed if they are required.

Recovering emails from backups can be a long and complicated process for businesses. Because of this, many companies simplify the process through using an enterprise email archiving solution such as ArcTitan. ArcTitan ensures archiving emails is a quick and easy process by freeing up valuable storage space on mail servers. Recovering emails is also made a quick and straightforward task as the archive is searchable. Although recovering multiple emails from backups can take several days, with ArcTitan even large numbers of emails from multiple email accounts can be recovered in minutes.

Currently, federal laws require emails to be produced on demand. The IRS has recently been discovered to have failed to comply with federal regulations on email storage. It is becoming evident that many companies are yet to switch to an email archive and the IRS is not setting a good example in this regard.

In an audit recently conducted by the Treasury Inspector General for Tax Administration (TIGTA) on the Inland Revenue Service, it was discovered that IRS policies on email storage does not allow it to consistently ensure records are retained. Additionally, in several cases, the IRS has been unable to produce emails on request.

The Chairman of the Senate Committee on Finance and the Chairman of the House Committee on Ways and Means requested the audit after the IRS reported that it was unable to produce some documents after receiving Freedom of Information requests. The IRS discovered documents had been accidentally deleted upon searching for them on their system.

It was also discovered by the auditors that emails are not automatically archived for all employees and some employees had been instructed to manually store emails on their hard drives or network drives. Some emails and documents were consequently permanently lost when hard drives were damaged or destroyed.

Additionally, the audit portrayed that even though a new executive e-mail retention policy had been introduced that should have resulted in emails being automatically archived, that didn’t ever occur due to some executives failing to turn on the automatic archiving feature.

The IRS also failed to apply polices on email archiving consistently. In fact, it was discovered that it had failed to follow its own policies on email archiving in more than half of the 30 Freedom of Information requests assessed by auditors. All documents and emails would have been recoverable and could have been quickly been located, had an enterprise email archiving solution been used.

Following the findings of the audit, the IRS have been instructed to implement an enterprise email archiving solution by TIGTA. This is something which all organizations in the United States should consider. In the event of a Freedom of Information request, an audit or a lawsuit, all relevant emails can be quickly produced and regulatory fines can be avoided.

How an Enterprise Archiving Solution can Help IRS´ Compliance with GDPR

The EU´s General Data Protection Regulation (GDPR) is due to be introduced in May 2018. Under this new Regulation, the IRS, and any other US organization maintaining the personal data of EU citizens, have a duty to protect EU citizens’ personal data from theft, loss or unauthorized disclosure. The implementation of an enterprise email archiving solution will help the IRS to comply with these new regulations.

EU citizens now also have the right to request access to personal data held by the IRS. In addition, they also hold a “right to be forgotten” if the IRS no longer has a lawful basis for retaining the data. TIGTA´s audit of email practices within the IRS came in perfect time for them as, should the IRS be unable to produce an email on request or fail to respond to a data access request within thirty days, the Service could be liable for a fine of up to 4% of global turnover. The IRS collected $3.3 trillion in taxes in 2015, making the amount they could be fined a substantial figure.