Blog

European & US Banks Under Attack from SharkBot Android Banking Trojan

SharkBot, a new Android banking Trojan, has been discovered in campaigns designed to steal money from bank accounts and cryptocurrency services in locations including the United States, United Kingdom, and Italy. It targets 27 financial institutions: 22 banks and 5 cryptocurrency apps.

This new Android malware differs from other mobile banking Trojans in its use of an Automatic Transfer System (ATS) technique, which bypasses multi-factor authentication measures and automates the theft of money from victims’ accounts. No human input is required, as SharkBot auto-completes the fields needed to complete financial transactions.

SharkBot can intercept text messages, such as those carrying a financial institution’s multi-factor authentication codes, and can hide those SMS messages so that it appears they were never received. SharkBot can also conduct overlay attacks, in which a benign-looking pop-up is displayed over an application to fool the user into performing tasks such as granting access permissions. SharkBot also includes a keylogger and can capture sensitive information such as login details and exfiltrate it to the attacker’s command and control server, and it bypasses the Android Doze power-saving component to ensure it stays connected to its C2 servers.

During the configuration process, the user is bombarded with pop-ups asking them to grant the malicious app the permissions it requires; the pop-ups only stop when the user grants those permissions, such as enabling Accessibility Services. Once the malicious app is installed, its icon is not shown on the home screen, and users are prevented from removing the malware via Settings through abuse of Accessibility Services.

The ATS technique deployed by the malware allows it to redirect payments. When a user tries to complete a financial transaction, the transfer details are auto-filled to direct the payment to an attacker-controlled account, without the user being aware of it.

The malware was examined by researchers at Cleafy, who identified no similarities with any other malware strains. Since the malware has been written from scratch, it currently has a low detection rate. The researchers believe the malware is still in the early stages of development, and new capabilities could well be added to make it even more dangerous.

One of the main issues for developers of malware attacking Android devices is how to get the malware downloaded on a device. Google carries out checks of all apps available before including them in the Google Play Store, so getting a malicious app on the Play Store is tricky. On occasions when they do make it to the store, Google is quick to identify and delete malicious apps.

SharkBot has been observed masquerading as a range of apps, including an HD media player, a data recovery app, and a live TV streaming app. It is delivered via sideloading on rooted devices and through social engineering on compromised or attacker-owned websites that trick victims into installing the fake app.

SharkBot uses several techniques to evade detection and analysis: obfuscation to hide malicious commands, downloading its malicious modules only after it has been installed, and encrypting all communications between the malware and its C2 servers.

Scampage Tools & Brand Phishing Attacks Alert Warning Released

An official warning has been issued by the Federal Bureau of Investigation (FBI) in relation to a spike in well-known brands being impersonated in spear phishing attacks designed to trick people into handing over sensitive data or downloading malware.

The campaigns work by leveraging the trust placed in well-known brands to get recipients to complete an action. Typically they include the actual logo of the targeted brand, in the same format as genuine messages from the company, but with links that take those who click on them to a malicious web portal that attempts to steal sensitive data.

Hackers sell scampage tools on the dark web that allow other hackers to run successful phishing campaigns. The FBI has confirmed that the scampage tools in question can detect whether a person is using their email address as their login ID for a web platform. If so, the user is sent to a scam page matching that email domain and is asked to share their login credentials, which the hacker can then use to access the victim’s email. This in turn allows hackers to receive 2-factor authentication codes, rendering this security method useless. With 2FA codes, the cybercriminal can obtain access to accounts and make changes, including updating passwords to lock users out of their accounts or altering security settings before the owner of the account can be alerted.

The FBI release said: “Much like the threat with ransomware-as-a-service, this type of product-as-a-service distribution of scampage and credential harvesting tools presents an increased nationwide risk to private sector businesses and their consumers. Brand-phishing email campaigns and scampage tools that help bypass 2FA security measures represent another aspect to this emerging cyber threat.”

In order to prepare for an attack like this, companies must configure an advanced spam filtering solution to block phishing emails and stop them from landing in employee inboxes. Password policies should be set up that make strong passwords mandatory, with checks carried out to enforce this and ensure that commonly used or weak passwords cannot be set on accounts. Employees should be warned never to reuse passwords across multiple accounts and to ensure that all company accounts have unique passwords. Security awareness training should be conducted for all staff members to make them aware of email security best practices and how to spot phishing emails and other scams.

Due to the spike in scampage campaigns, all staff members should create a unique username for accounts that is not connected to their main email address. 2-factor authentication should be enabled wherever it is available and, where possible, a software-based authenticator app or a USB security key should be used as the second factor.

900% Increase in Ransomware Attacks During First Six Months of 2021

2021 has borne witness to a massive spike in the number of ransomware campaigns being initiated.

According to research data produced by CybSafe, there was 900% growth in this type of attack during the first half of 2021 compared with the same period of 2020. In tandem with this there have been significant increases in the cost of the cybersecurity required to keep organizations safe from this type of attack, and cybercriminals have been demanding larger ransoms to release the locked data.

So far in 2021 there have been major ransomware attacks on many healthcare service providers, including Ireland’s Health Service Executive, raising concerns about the impact on the provision of patient care. The attack in Ireland took place after one person replied to an email from the Conti ransomware group, allowing them to encrypt files. Recovery of the files took up to nine months; however, it is not believed that the $20m ransom demand was met.

There has been a measure of success in holding ransomware groups to account for their crimes. The U.S. government has elevated this type of crime to the same status as terrorist attacks and dedicated more manpower to dealing with it. Some of the successes so far include:

  • Taking down the REvil ransomware infrastructure
  • Dismantling the Darkside operation and BlackMatter
  • Arresting suspected members of the Clop ransomware group

Additionally, in Europe, authorities apprehended twelve people believed to be working on the LockerGoga, MegaCortex, and Dharma ransomware campaigns. These successes will have an impact in the short term, but it will not be long before another group, or a new strain of ransomware, fills the vacuum that has been created. This is why organizations need to take steps to address the risk of being infiltrated by the cybercriminals responsible.

Companies face a daunting challenge in protecting themselves from attacks like this due to the wide variety of tactics that hackers can use. The starting point should be tackling phishing emails head on, as they are the point of origin for the vast majority of ransomware attacks. These emails are used to deploy malware or to steal the credentials needed to access corporate networks and databases.

A cybersecurity solution like SpamTitan will root out malicious messages and stop them from landing in the inboxes of unsuspecting staff members. While staff training helps, it always needs to be backed up with a technical solution like this. SpamTitan, for instance, performs an in-depth analysis of all email content and can spot malicious links and email attachments, which are placed in a quarantine folder where they can be reviewed. This means security teams can see how these threats are attempting to take advantage of the organization, and it allows false positives to be identified so that filtering rules can be amended appropriately. The solution uses dual antivirus engines, sandboxing that allows suspicious attachments to be analyzed to identify new malware strains, and machine learning so that spam filtering improves the longer it is used.

In the background, a wide variety of checks and controls ensure that malicious messages are removed. Managers can control this via a clean, easy-to-use interface that requires no technical skills to navigate. All information and controls are simple to learn and use.

Contact the TitanHQ team now to find out more about using this solution. TitanHQ solutions can be trialled for free.

Chromium-Based Web Browsers Vulnerable to Updated Magnitude Exploit Kit

Since they first appeared in 2006, exploit kits have evolved into the main weapon of choice for automated malware delivery.

These kits are composed of programs installed on web portals to identify and take advantage of known vulnerabilities. When a browser visits the portal, the exploit kit scans it for specific software vulnerabilities that have yet to be addressed with an update or patch. Once one is found, the exploit kit can install a malware payload without any further user interaction.

This method of attack was widely witnessed from 2010 to 2017, after which its use dropped somewhat; however, exploit kits remain a very active cybersecurity threat. Some of the best-known exploit kits are constantly refreshed with new exploits for known vulnerabilities. In recent times these kits have mainly been deployed to install malware that in turn delivers ransomware. Examples include the Fallout exploit kit, which was used to distribute Maze Locker ransomware, and the Magnitude EK, which has been used to spread ransomware in the Asia Pacific region since 2013.

Typically, exploit kits are placed on legitimate web portals that have been hacked, as well as on malicious hacker-owned websites laced with malware. As a result, someone can visit an infected web portal without realizing it.

One of the most popular kits currently is the Magnitude EK. Previously it only targeted Internet Explorer. Recently it has been discovered that the exploit kit has been updated to target Chromium-based web browsers on Windows PCs.

Anti-virus vendor Avast has revealed that the Magnitude EK has recently added two new exploits: one for a vulnerability in Google Chrome, CVE-2021-21224, and the other for the Windows kernel memory corruption vulnerability labelled CVE-2021-31956. By exploiting the Google Chrome remote code execution bug and then the Windows bug, which allows the Chrome sandbox to be bypassed, a cybercriminal could obtain system privileges.

Google and Microsoft have made patches available to mitigate these vulnerabilities. The onus is on users to apply these updates; if they do not, it will only be a matter of time before Magnitude EK takes advantage of the weaknesses to install malware. For businesses, an additional layer of protection against this type of attack is a web filter. Web filters are similar to spam filters in that they stop malware delivery from malicious websites, and they are one of the strongest anti-phishing measures you can use.

WebTitan, one of the best web filters available, was created by TitanHQ to keep companies safe from these cyberattacks and to manage web access for office-based and remote workers, a key feature for tools designed to prevent browsers from visiting malicious websites. This web filter solution is DNS-based and very straightforward to configure, so much so that it is in use at more than 12,000 companies and MSPs for content filtering, malware prevention, and as an extra obstacle for phishers.
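To make the DNS-based filtering idea concrete, the following is an added illustration of the decision such a filter makes for each lookup. It is not WebTitan’s code or TitanHQ’s policy engine; the domain names, categories and addresses are constructed sample data. It shows the two rules that matter in practice: a block on a domain also covers every subdomain beneath it, and an explicit allow entry wins over a block, with blocked names answered with a sinkhole address instead of the real one.

```python
"""Model of the per-lookup decision made by a DNS-based web filter.

Added example (not WebTitan's implementation). Policy entries below are
constructed; a real product uses large categorised feeds.
"""
from urllib.parse import urlsplit

BLOCKLIST = {                                  # domain -> category (constructed)
    "exploitkit-landing.example": "malware",
    "secure-login-verify.example": "phishing",
    "example.net": "adult",
}
ALLOWLIST = {"intranet.example.net"}           # allow wins over any block above it
SINKHOLE_IP = "0.0.0.0"                        # returned instead of the real address


def normalize_host(name_or_url):
    """Accept a bare name or a URL; return lower-cased, IDNA-encoded host without trailing dot."""
    text = name_or_url.strip()
    if "://" in text:
        text = urlsplit(text).hostname or ""
    text = text.rstrip(".")
    if not text:
        return ""
    try:
        return text.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return ""


def parent_domains(host):
    """'a.b.example.net' -> ['a.b.example.net', 'b.example.net', 'example.net', 'net']."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(name_or_url):
    """Return (action, reason) for one lookup."""
    host = normalize_host(name_or_url)
    if not host:
        return ("block", "unparseable name")
    chain = parent_domains(host)
    # Allowlist is checked first so an explicit exception beats a broad block.
    if any(c in ALLOWLIST for c in chain):
        return ("allow", "allowlist")
    # Walk from the most specific name up to the TLD: a block on a parent covers children.
    for c in chain:
        if c in BLOCKLIST:
            return ("block", "%s (matched %s)" % (BLOCKLIST[c], c))
    return ("allow", "uncategorised")


def answer(qname, upstream_resolver):
    """What the filter hands back for a query: the sinkhole for blocked names, upstream otherwise."""
    action, reason = decide(qname)
    if action == "block":
        return (SINKHOLE_IP, reason)
    return (upstream_resolver(normalize_host(qname)), reason)


def fake_upstream(host):
    """Constructed stand-in for a real recursive resolver."""
    table = {"www.example.org": "203.0.113.10", "intranet.example.net": "198.51.100.5"}
    return table.get(host, "198.51.100.1")


if __name__ == "__main__":
    for q in ("https://cdn.exploitkit-landing.example/load.js", "www.example.org",
              "Intranet.Example.NET.", "www.example.net"):
        print(q, "->", answer(q, fake_upstream))
```

Logging the reason string alongside the sinkhole answer is what makes the filter auditable: a user who reports a "site does not load" ticket can be matched to the exact policy entry that produced the block.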

To enhance your cybersecurity protection with WebTitan and block malware, contact the TitanHQ experts as soon as you can. There is also a 100% free 30-day trial so you can test the solution in your own environment.

Spam Emails Spreading Squirrelwaffle Malware Loader

Squirrelwaffle, a new strain of malware that is being distributed using spam email messages, has been discovered in the last six weeks.

The disabling of the Emotet botnet in January 2021 created a vacuum in the malware-as-a-service market, a gap that a number of malware strains have attempted to fill. Squirrelwaffle boasts capabilities similar to the Emotet banking malware. Squirrelwaffle allows threat actors to gain a foothold in networks, which the operators of the malware could abuse; however, the access is being sold to other cybercriminals.

A review of this campaign has indicated that it is being leveraged to download Qakbot and Cobalt Strike. However, there is nothing to suggest that these are the only two malware strains that are being delivered by this malware. The Squirrelwaffle emails feature a hyperlink to a malicious website which is used to download a .zip file that includes either a .doc or .xls file. The Office files contain a malicious script that will install the Squirrelwaffle payload.

The Word documents mimic the DocuSign signing service to trick recipients into enabling macros, stating that the document was created with an older version of Microsoft Word so the user must “enable editing” and then click “enable content” to view the file. Doing so runs code that installs and executes a Visual Basic script, which downloads the Squirrelwaffle payload from one of 5 hardcoded URLs. Squirrelwaffle is delivered as a DLL, which is executed once downloaded and then silently installs Qakbot or Cobalt Strike on the device, giving the attackers persistent access to compromised devices.
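The delivery chain described above (zip attachment, then a .doc or .xls inside it, then a macro) lends itself to a cheap gateway check. The following is an added illustration, not Squirrelwaffle code and not a SpamTitan component: it opens a zip attachment, finds Office documents regardless of the extension they carry, flags any OOXML document that contains a vbaProject.bin part (the part in which VBA macros are stored), and flags any legacy binary OLE document, which cannot be confirmed macro-free without deeper parsing. The archive and its contents are constructed sample data.

```python
"""Scan a .zip email attachment for Office documents carrying VBA macros.

Added example for the zip -> Office document -> macro chain. Not the malware's
code and not a TitanHQ product component; the sample archive is constructed.
"""
import io
import zipfile

OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container (CFB/OLE2)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/...) is a zip container


def classify_office_blob(data):
    """Classify by content, not extension: 'ooxml-macro', 'ooxml-clean', 'ole-binary' or 'unknown'."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                parts = {n.lower() for n in inner.namelist()}
        except zipfile.BadZipFile:
            return "unknown"
        # Every macro-enabled OOXML file stores its VBA project in a vbaProject.bin part.
        if any(p.endswith("vbaproject.bin") for p in parts):
            return "ooxml-macro"
        return "ooxml-clean"
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: macros live in OLE streams, so treat as suspect without deeper parsing.
        return "ole-binary"
    return "unknown"


def scan_zip_attachment(zip_bytes):
    """Return [(member name, verdict)] for every Office document inside the zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.lower().endswith(OFFICE_EXTENSIONS):
                continue
            findings.append((info.filename, classify_office_blob(outer.read(info))))
    return findings


def should_quarantine(findings):
    """Quarantine if any document has macros or is a legacy binary we cannot vet cheaply."""
    return any(verdict in ("ooxml-macro", "ole-binary") for _, verdict in findings)


def build_sample_zip():
    """Constructed attachment: a macro .docm, a macro OOXML file disguised as .doc,
    a clean .docx, a legacy OLE stub, and an unrelated text file."""
    def ooxml(with_vba):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("[Content_Types].xml", "<Types/>")
            z.writestr("word/document.xml", "<w:document/>")
            if with_vba:
                z.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder VBA storage
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("DocuSign_Invoice.docm", ooxml(True))
        z.writestr("Invoice.doc", ooxml(True))                  # OOXML content behind a .doc name
        z.writestr("notes.docx", ooxml(False))
        z.writestr("legacy.doc", OLE_MAGIC + b"\x00" * 24)       # stub OLE header only
        z.writestr("readme.txt", "not an Office file")
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_zip_attachment(build_sample_zip())
    for name, verdict in results:
        print(name, verdict)
    print("quarantine:", should_quarantine(results))
```

The check deliberately keys on content rather than file name, since a document named .doc may actually be OOXML; a gateway that only looked at extensions would miss that case.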

As happened with the Emotet Trojan, Squirrelwaffle can hijack existing message threads and insert malicious replies. Because those replies to genuine messages are sent from a legitimate email account, recipients are more likely to respond. This attack method was very successful for the Emotet Trojan. In most cases the emails are in English; however, security researchers have discovered emails in other languages including French, German, Dutch, and Polish.

Due to the similarities with Emotet, it is likely that those responsible for the deactivated botnet are attempting a comeback; however, it is also possible that unrelated threat actors are trying to fill the market vacuum created when Emotet was taken down. At present the malware is not being distributed to the same extent that Emotet was, but that may change in the near future.

The best way to protect devices and servers from an attack like this is to configure email security measures to block the malspam at source and see to it that the malicious messages do not land in inboxes. It is important to implement a spam filtering solution that also scans outbound emails to identify compromised devices and stop attacks on other employees and business contacts from corporate email accounts.

Making Hotel Wi-Fi Safe & Easy to Use

Hotel guests tend to take Wi-Fi security as a given when they are staying overnight. However, if there is no secure connection in place, anyone using the network could be leaving themselves exposed to malware infection or another type of cyberattack. A cloud-based web content filtering solution mitigates the risk of a guest inadvertently downloading malware onto their own device and also protects guests from being exposed to inappropriate website content on other guests’ mobile devices.

Guests should not take it for granted that hotel Wi-Fi is secure. Research will reveal the speed and reliability of the network each hotel is offering, and any checks should also determine whether they offer a filtered Internet service. Every hotel offers some level of Wi-Fi, but many of these networks are not fully secured. Hotel Wi-Fi can be very susceptible to cyberattacks and malware installations. It is crucial that hotels put enterprise cloud-based web filtering in place and limit the websites that guests are allowed to access.

There are five steps that hotels should take to see to it that the Wi-Fi they are providing for their guests is fully secure.

  • Step 1: Configure cloud-based content filtering: This should be the foundation that hotel Wi-Fi is built upon, and it can be implemented for a reasonable level of investment. There are many cloud-based web filtering solutions that will route all of your traffic through their filtering system. A solution such as WebTitan can prevent access to malware and credential phishing web portals. The majority of cloud-based filtering solutions incorporate a malware gateway that checks all web traffic for malicious code. Another advantage is that these solutions can be used to prevent access to certain website categories, configured through a simple web GUI in your browser.
  • Step 2: Make Wi-Fi security stronger: The reputational damage that unsecured internet access can inflict is massive and can be hard for businesses to recover from. A hotel or campsite cannot claim to be a family-friendly establishment if it permits pornography or illegal websites to be viewed over its Wi-Fi network. Corporate guests must be confident that they can safely access sensitive data.
  • Step 3: Configure a cloud-based content filter: This provides a secure Wi-Fi service that allows guests to browse safely online by preventing inappropriate content from being loaded. It requires NO software installation and NO technical expertise to set up or manage customer accounts. You can set up new accounts easily and manage any number of hotels.
  • Step 4: More secure Wi-Fi is faster Wi-Fi: Cloud-based web filtering for malware and ads not only makes the hotel network safer, it also boosts network speed by cutting the amount of data being transferred. With WebTitan Cloud for Wi-Fi, a web access policy can be configured for each Wi-Fi access point. This can be a competitive advantage for hotels that are marketed to families, as parents can be confident that their children are using the web in a safe environment. Cloud-based web filtering also gives hotels the chance to create tiered Wi-Fi services.
  • Step 5: Guide your guests to use Wi-Fi: Ensure that your guests are aware of the correct name of your Wi-Fi network. Provide a secure login page for entering credentials: The “https://” prefix ensures the login page is encrypted to protect guests’ personal information. Hotels can exercise total control over Internet content by using WebTitan, a cloud-based web content filtering solution.

WebTitan is a cloud-based web filtering solution with flexible controls that can be used by every kind of hotel. To discover more about the advantages of WebTitan Cloud based filtering for Wi-Fi, call the TitanHQ team now.

Lots of Awards for TitanHQ at Expert Insights Annual Awards

TitanHQ’s products have been ranked No. 1 in their respective categories by Expert Insights for the Fall 2021 Best-of Cybersecurity Awards.

This means that TitanHQ has now completed a clean sweep and headed the list for Best Email Security Gateway, Best Web Security Solution, and Best Email Archiving Solution for Business for two years running. Additionally the Best Email Security Solution for Office 365 category was won by SpamTitan.

Ronan Kavanagh, TitanHQ CEO, commented on the achievement, saying: “TitanHQ are proud to have received continued recognition for all three of our advanced cybersecurity solutions. As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers”. The annual awards aim to recognize the best cybersecurity vendors and their solutions, with the winners chosen after taking into account industry recognition, customer feedback, and research conducted by the Expert Insights editorial team and independent technical specialists.

Expert Insights is a recognized online cybersecurity publication and industry analyst that has technical and editorial teams in both the United States and United Kingdom. The publication covers cybersecurity and cloud-based technologies, and its website is used by more than 80,000 business owners, IT admins, and others each month to research B2B solutions. Expert Insights produces editorial buyers’ guides, blog posts, conducts interviews, and publishes industry analyses and technical product reviews from industry experts.

SpamTitan Email Security and WebTitan Web Security were both recognized for their powerful threat protection, and along with ArcTitan Email Archiving, were praised for ease-of-use, cost-effectiveness, and industry-leading technical and customer support.

The high standard of threat protection, simplicity of use, and competitive pricing of the solutions are just some of the factors that make TitanHQ the leading provider of cloud-based security solutions for managed service providers in the SMB market. These factors have resulted in the TitanHQ product range being regarded as the gold standard for SMBs looking to enhance security and make compliance easier.

Cyberattacks: MSP Guidance

One of the main focuses of cybercriminals in recent times has been infiltrating the databases of MSPs. This is due to the large customer base the cybercriminals hope to access and the high probability that these customers hold valuable data on their servers.

It has therefore become very important for MSPs to understand how to address the risk of cyberattacks targeting their databases. Here are three of the best ways:

1. Cybersecurity Training

MSPs are vulnerable to phishing attacks that aim to trick staff members into installing ransomware and other types of malware. If compromised, staff accounts can be used to turn off security monitoring tools and allow cybercriminals to access the databases that hold client information without being noticed. They can also be used to change security settings, local firewalls, and other services.

MSPs should conduct cybersecurity awareness training for all members of staff to address this avenue of attack. Phishing simulations are a smart move, as they let staff see what an attack looks like in real time.

2. Cybersecurity Solutions

The massive number of enterprise cybersecurity solutions for MSPs to consider can be daunting, so it is crucial to recognize what your organization needs. Adopting TitanHQ’s cybersecurity suite allows an MSP to draw on TitanHQ’s know-how to sell, implement and deliver advanced network security solutions such as SpamTitan and WebTitan to its client base, providing a product that keeps clients safe and secure. These solutions are delivered from the cloud, which means they can be managed remotely for workers who travel or are based away from the main office(s).

3. Cybersecurity Audits

A risk assessment is necessary to identify, review and evaluate any cybersecurity risks that may be present, particularly vulnerabilities in the existing cybersecurity defenses that an organization has in place. A risk assessment should include:

  • Listing the network areas most likely to be targeted in a cyberattack
  • Evaluating the specific risks to those areas
  • Prioritizing the importance of addressing each vulnerability

Doing this will show where the MSP must strengthen its cybersecurity to prevent an incident from taking place. SMEs need to find the right balance between how much they can reasonably invest in cybersecurity and the minimum level of protection they need to keep their customers safe.

An audit should be completed at least once a year by an MSP to ensure that a secure cybersecurity system is in place for its customers. After identifying potential vulnerabilities, these should be mitigated to prevent hackers from taking advantage of them. Doing so also gives MSP personnel valuable experience that they can then use to assess their clients.

If you would like to find out more about adding TitanHQ MSP Security to your offering, get in touch with us now so that we can discuss safeguarding your organization and your clients from cybercriminals.

Advantages of an Email Archiving Solution for Exchange

The importance of email archiving in today’s business world is undeniable, but many businesses may be questioning why a third-party email archiving solution for Exchange is far superior to using the Exchange archiving feature.

The term archive refers to ‘a collection of information that is permanently stored and unalterable.’ Archives are necessary for all businesses to comply with regulations and in the case of litigation, although the degree to which they are necessary depends on the sector the business operates in, with archives essential in highly regulated industries.

The terms “backup” and “archive” shouldn’t be confused with one another. The purpose of a backup is to restore entire mailboxes in the event of data corruption or loss. It is also worth noting that backups are overwritten with more recent information as time progresses. In contrast, archives preserve data in its original form for longer periods of time. In contrast to backups, archives can easily be searched to identify and recover individual emails.

Why Archiving is Necessary for Businesses

By moving emails to archives, you are helping to limit the amount of data storage needed for mailboxes and that will help to improve the performance of your mail server. A good archiving solution can also help pinpoint the source of data leaks or even security breaches; however these are side benefits.

Archiving is necessary for regulatory compliance and as a repository of information to meet eDiscovery requirements, which is a legal requirement in many countries. eDiscovery is defined as the process of obtaining electronically stored information for use in litigation. This is not only restricted to email. For example, Word and Excel files on your server may also need to be produced in the event of litigation.

Without archives in place, the cost of eDiscovery can be huge. It would, in fact, require the analyzing of each computer in the company to find emails and searching for emails by restoring data from backups, provided of course that backups exist. The search and organizational aspects of archiving are invaluable. In the Nortel Networks executive criminal case, the prosecution delivered 23 million pages of electronic records. Ontario Superior Court Justice Cary Boswell understandably described this as an “unsearchable morass” and requested the prosecution to organize the information and re-present it to the defense.

Issues with Microsoft Exchange 2010 and 2013 Archiving

Microsoft has applied the term “archiving” to describe the journaling and Personal Archive functions of Microsoft Exchange since its 2007 version.

Email copies can be created in Exchange Standard with journaling. Furthermore, with Exchange Premium, these copies can be directed to specific mailboxes or distribution lists. However, journaling does not provide the same functions as archiving because:

  • It lacks the indexing and searching capabilities necessary for fast email recovery
  • Journaling has no data retention configuration settings
  • Users can still create their own PSTs (copies of email that they keep on their own computer). These copies may not necessarily satisfy eDiscovery requirements.

The Personal Archive function addresses some of the shortcomings of journaling. Exchange 2010 has more capabilities than Exchange 2007 in this regard. In terms of Exchange 2010, each user can establish an “archive” for the mailbox. Microsoft TechNet’s description of these is “secondary mailboxes in which users can store messages they need to keep for a longer duration.”  Additionally, Microsoft explains, “the whole idea behind creating personal archive mailboxes is to avoid the constraints of mailbox quotas.” This does not provide an archiving function.

The Personal Archive doesn’t necessarily need to reside in the same production database; it can even live in the cloud. Users have two options: they can move the emails manually or let them be moved automatically based on retention tags. The major downside of Personal Archive lies in the cost, because using Personal Archive requires enterprise client access licenses (CALs) and Office 2010 Professional Plus for Outlook.

Microsoft also states that Personal Archive “may not meet your archiving needs”. Since users have control over their own Personal Archives, they are questionable repositories for compliance and eDiscovery as users are able to delete items and modify retention tags.

Microsoft maintains that users with a Discovery Management role can take advantage of indexing and multiple mailbox searching to meet eDiscovery needs. However, Exchange 2010's Exchange Control Panel is clunky and difficult to use, making it far from ideal for eDiscovery.

Exchange 2013 and Exchange Online Improvements

With the newer Exchange versions, users still have a large amount of control over their mailboxes. Not only can they define their own policies, users can also use creative ways to try to bypass imposed corporate policies, e.g. “archiving” items in the Deleted Items folder. Although the Exchange administrator can use Policy Tips to notify users of possible compliance issues with data in their e-mails, the administrator still can’t override user settings unless Litigation Hold or In-Place Hold is applied to a mailbox.

Microsoft Exchange has added improved features for eDiscovery, requiring a SharePoint 2013-based portal to search across all mailboxes. There are two main drawbacks with this approach:

  1. Companies must purchase/upgrade to SharePoint 2013
  2. It makes it necessary to have a monolithic mail store with rapidly growing online storage. Data must be held on an online Exchange server to use Exchange’s In-Place Discovery tools.

Advantages of True Email Archiving

Microsoft Exchange “archiving” is not a complete compliance and eDiscovery tool by any means. A true email archiving solution is far superior to Exchange for archiving.

Microsoft's approach to eDiscovery presupposes that all email that ever passed through your organization resides on an Exchange server. The issue with this idea is that data storage requirements will skyrocket over time. It is worth noting that an estimated 90 percent of the information stored in Exchange is never accessed again. True archiving removes a large chunk of that 90 percent through deduplication, and archives are compressed. This not only reduces storage but also greatly shortens search and recovery times.

TitanHQ has developed a solution that provides true email archiving for Exchange. ArcTitan will ensure you can achieve all your eDiscovery and data storage needs, improve the performance of your mail server, and significantly reduce email storage costs. 

Here are some of the features of the product:

  • Unlimited cloud based email archiving including inbound/outbound/internal email, folders, calendar and contacts
  • Complete Audit trail
  • Data retention and eDiscovery policy
  • Encrypted storage on AWS cloud
  • HIPAA, SOX (and more) standards compliance and Audited access trail
  • Instantly searchable via your browser - find archived emails in seconds
  • No hardware / software required
  • Secure transfer from your email server
  • SuperFast Search™ – email compressed, Zipped, message de-duplication, attachment de-duplication allowing for the fastest search and retrieval
  • Web console access with multi-tiered and granular access options; you decide user access permissions.
  • Works with All Email Servers including MS Exchange, Zimbra, Notes, SMTP/IMAP/Google/PO
  • Optional Active Directory integration for seamless Microsoft Windows authentication
  • Optional Outlook email client plugin

If you have not yet implemented an email archiving solution, if you are unhappy with the native Microsoft Exchange email archiving features, or if you are finding your current archiving solution too expensive or difficult to use, contact TitanHQ today to find out more about the benefits of ArcTitan and the improvements it can offer to your business.

Frequently Asked Questions (FAQs)

Will archiving emails delete the messages from the Exchange server?

This will depend on how your Exchange server has been configured. Typically, the message will be deleted from the Exchange server once the message has been transferred to the archive and deleted from an inbox, but a copy may be retained for a period of time to allow for a backup to be created. If there are multiple copies of the same message, such as an email sent to a distribution list, a copy will remain on the server until everyone has archived and deleted the message.

Is email archiving compliant with the GDPR?

Email archiving can be GDPR-compliant with the right policies and procedures in place. Bear in mind that personal data can only be kept for as long as necessary to achieve the purpose for collecting the information and personal data, including information in email accounts, must be deleted if requested by an individual. Email retention periods must also be defined.

What happens if someone responds to an archived email?

When you have an email archiving solution in place, emails that need to be retained will be sent to the archive for long term storage and can be deleted from inboxes. If someone replies to an archived message or reactivates an old message thread, the email will simply reappear in your inbox.

Does email archiving save on storage space?

Email archiving can save a considerable amount of storage space, which can greatly improve the performance of your mail server. For example, ArcTitan typically reduces mail server email storage space by up to 80%. That means 1,000 GB of email storage space is reduced to around 200 GB.

Are there any limits on storage space with ArcTitan?

ArcTitan is 100% cloud based and provides incredible scalability. Storage space will automatically increase as required and there are essentially no limits on storage space in the cloud, nor on the number of users. You just pay for the number of active mailboxes.

Cybersecurity & Email Archiving

Performing backups is a vital part of disaster recovery and this is well known by all IT departments. However, another important aspect of archiving emails is the possibility that they will be needed for incident response and data breach audits.

The majority of companies recognise the importance of creating backups but are unaware of their importance in relation to regulatory compliance. Backups can be implemented to restore a network to its pre-breach status and avoid the chance of users not being able to access older files.

Email archives work a bit differently in that they are a copy of email messages that is held in a different location. This means that the emails are not on the existing network so they are not taking up storage space or hindering network speeds. They are also accessible over the web in most cases.  

Email archives save metadata that can be used to organize records efficiently and to search for particular messages if an audit is required during an investigation. As many larger companies receive millions of emails a day, this allows for a much cleaner search system to be in place.

In order to be compliant with legislation such as HIPAA and GDPR, among others, companies must maintain archives of messages for a long period of time. As these archives take up a lot of network space it is important to be able to store them elsewhere in case they are needed at some point in the future. Archives fulfil this need and ensure that all regulatory requirements are in place. 

It is important to maintain audit trails that can be used to identify the vulnerability exploited in the aftermath of a data breach. This will allow third-party software to complete searches and control archive backups. The metadata is used to tag messages with specific words and phrases so that messages will be produced by relevant search queries.

Email Archives Advantages

  • Quicker data recovery following a breach, minimizing downtime.
  • They can be used for data loss prevention if backups fail or the backup files are corrupted. Archives are a copy of email data, so they can be used as failover during disaster recovery.
  • Save network space by holding data on a cloud solution
  • Lower costs as cloud storage is much cheaper than housing storage infrastructure on-site.

Email Retention Legislation in the U.S.

Email retention legislation in the U.S. requires companies to maintain copies of emails for many years. There are federal laws that apply to all companies, data retention laws for specific industries, and a swathe of email retention laws in the United States at the individual state level. Ensuring compliance with all the proper email retention laws in the United States is vital. Noncompliance can prove incredibly expensive and multi-million-dollar fines await any company found to have breached federal, industry, or state regulations.

Certain types of data must be retained by U.S. companies in case the information is required by the courts, and that includes email. eDiscovery requests often require massive volumes of data to be provided for use in lawsuits and the failure to provide the data can land a company in serious trouble. Not only are heavy fines issued if data cannot be produced in eDiscovery, companies can face criminal proceedings if certain data has been erased.

For decades, U.S companies have been required to store documents by law. Document retention laws are included in numerous legislative acts such as the Civil Rights Act of 1964, the Executive Order 11246 of 1965, the Freedom of Information Act of 1967, the Occupational Safety and Health Act of 1970, and the Reform and Control Act of 1986, and data retention laws in the United States were updated a dozen years ago to expand the definition of documents to include electronic communications such as emails and email attachments.

To enhance awareness of the many different email retention laws in the United States, a summary has been included below. Please remember that this is for information purposes only and does not constitute legal advice. For legal counsel on data retention laws in the United States, we recommend you get in touch with your legal representatives, as industry and federal electronic data and email retention legislation in the United States is periodically updated.

As you can see from the list below, there are several federal and industry-specific email retention legislative acts in the United States. These laws apply to emails that are sent and received, and include internal as well as external emails.

Federal Email Retention Legislation in the U.S.

Email retention legislation | Who it is applicable to | How long emails must be kept
--- | --- | ---
IRS Regulations | All companies | 7 Years
Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 Years
Sarbanes Oxley Act (SOX) | All public companies | 7 Years
Department of Defense (DOD) Regulations | DOD contractors | 3 Years
Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 Years
Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 Years
Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | Minimum of 5 years rising to 35 years
Gramm-Leach-Bliley Act | Banks and Financial Institutions | 7 Years
Health Insurance Portability and Accountability Act (HIPAA) | Healthcare groups (healthcare providers, health insurers, healthcare clearinghouses and business associates of covered bodies) | 7 Years
Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 Year
Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents & securities companies | Minimum of 7 years up to a lifetime

Email retention legislation in the United States at the state level has not been included in this article. You should seek legal advice about any state-level laws. You must also consider legislation in other countries where you do business. If you deal with individuals in Europe, or they can access your website, you will need to comply with the General Data Protection Regulation (GDPR) email requirements.

Storing emails for a few years is not likely to take up masses of storage for a small company with a few members of staff; however, the more employees a company has, the greater the resources needed just to store emails. The average size of a business email may only be 10KB, but multiply that by 123 – the average number of emails sent and received each day by an average company employee (Radicati email statistics report 2015-2019) – by 365 days each year, and by the number of years that those emails need to be maintained, and the storage requirements become massive.

If any emails ever need to be obtained, it is vital that an email archive or backup can be searched. In the case of standard backups, that is likely to be an incredibly long process. Backups were not created to be searched and finding the right backup alone can be almost impossible, let alone finding all emails sent to, or received from, a specific company or person. Backups have their uses, but they are not suitable for companies for email retention purposes.

For that, an email archive is necessary. Email archives contain structured email data that can easily be reviewed and searched. If ever an eDiscovery request is received, finding all email correspondence is a quick and simple task. Since many email archives are cloud based, they also do not require large and expensive on-premises storage resources. Emails are stored in the cloud, with the space provided by the service supplier.

ArcTitan is a cost-effective, quick and easy-to-manage email archiving solution supplied by TitanHQ that meets the needs of all businesses and enables them to comply with all email retention laws in the United States.

ArcTitan includes a variety of security protections to ensure stored data is kept 100% secure and confidential, with email data encrypted in transit and storage, replicated and backed up to ensure constant availability. Unlike many email archiving solutions, ArcTitan is fast. The solution can process 200 emails per second from your email server and archived emails can be retrieved instantly through a browser or Outlook plugin. Emails can be archived from any location, whether in the office or on the go via a laptop or tablet. There are no restrictions on storage space or the number of users and the solution can be scaled up to meet the needs of companies of all sizes.

To find out more about ArcTitan, get in touch with the TitanHQ team today.

Frequently Asked Questions (FAQs)

How does email archiving work?

Email archiving involves sending an exact copy of a message outside the email system for long term storage. The messages are usually deduplicated and compressed to save on storage space and are indexed prior to archiving to ensure the archive can be rapidly searched. Email archiving solutions typically have end-to-end encryption to ensure messages cannot be intercepted and the emails are maintained in a tamper-proof repository and can be quickly retrieved on demand.
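The pipeline the answer above describes (copy out of the mail system, deduplicate, compress, index, keep a tamper-evident record) is shown below in a small Python model, and it also illustrates the deduplication claim made earlier for true archiving. This is an added example written for this page; it is not ArcTitan's code and does not show how ArcTitan works internally. The messages are constructed samples, the set of per-recipient headers stripped before hashing is an assumption, and a hash chain stands in for whatever tamper-proofing a real product uses.

```python
import hashlib
import re
import zlib
from email import message_from_bytes, policy

# Constructed sample traffic (assumption: not real messages). The third message is the
# first one again as delivered to a second distribution-list member: only the
# per-recipient delivery headers differ, so a true archive should store it only once.
SAMPLE_MESSAGES = [
    b"Received: from mx1 by mail.example.com\r\nDelivered-To: bob@example.com\r\n"
    b"From: alice@example.com\r\nTo: staff@example.com\r\n"
    b"Message-ID: <1001@example.com>\r\nSubject: Q3 invoice\r\n\r\n"
    b"Please review the attached Q3 invoice before Friday.\r\n",
    b"Received: from mx1 by mail.example.com\r\nDelivered-To: bob@example.com\r\n"
    b"From: carol@example.com\r\nTo: bob@example.com\r\n"
    b"Message-ID: <1002@example.com>\r\nSubject: Lunch\r\n\r\nLunch at noon?\r\n",
    b"Received: from mx1 by mail.example.com\r\nDelivered-To: dave@example.com\r\n"
    b"From: alice@example.com\r\nTo: staff@example.com\r\n"
    b"Message-ID: <1001@example.com>\r\nSubject: Q3 invoice\r\n\r\n"
    b"Please review the attached Q3 invoice before Friday.\r\n",
]

# Headers added per recipient at delivery time (assumption: this list is illustrative).
# Stripping them lets identical copies of one message hash to the same archive id.
PER_COPY_HEADERS = ("Received", "Delivered-To", "X-Original-To", "Return-Path")


def canonical_bytes(raw):
    """Serialise a message without its per-recipient delivery headers."""
    msg = message_from_bytes(raw, policy=policy.default)
    for name in PER_COPY_HEADERS:
        del msg[name]  # deletes every occurrence of that header
    return msg.as_bytes()


def index_tokens(canon):
    """Lower-cased words from the addressing headers, subject and text body."""
    msg = message_from_bytes(canon, policy=policy.default)
    fields = [str(msg.get(h, "")) for h in ("From", "To", "Subject")]
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        fields.append(body.get_content())
    return set(re.findall(r"[a-z0-9@.-]+", " ".join(fields).lower()))


class EmailArchive:
    def __init__(self):
        self.blobs = {}     # archive id (sha256 of canonical bytes) -> zlib-compressed message
        self.index = {}     # search token -> set of archive ids
        self.chain = []     # append-only journal; each entry commits to the previous one
        self.raw_bytes = 0  # what the mail server would have stored for all copies

    def ingest(self, raw):
        """Archive one delivered message; returns its id and whether it was a duplicate."""
        self.raw_bytes += len(raw)
        canon = canonical_bytes(raw)
        msg_id = hashlib.sha256(canon).hexdigest()
        duplicate = msg_id in self.blobs
        if not duplicate:
            self.blobs[msg_id] = zlib.compress(canon, 9)
            for tok in index_tokens(canon):
                self.index.setdefault(tok, set()).add(msg_id)
        # Journal every ingest (including duplicates) so the audit trail shows each delivery.
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        entry_hash = hashlib.sha256((prev + msg_id).encode()).hexdigest()
        self.chain.append({"prev": prev, "msg": msg_id, "hash": entry_hash})
        return {"id": msg_id, "deduplicated": duplicate}

    def search(self, term):
        return sorted(self.index.get(term.lower(), set()))

    def retrieve(self, msg_id):
        return zlib.decompress(self.blobs[msg_id])

    def stored_bytes(self):
        return sum(len(b) for b in self.blobs.values())

    def verify(self):
        """True only if every stored blob still matches its id and the journal is unbroken."""
        for msg_id, blob in self.blobs.items():
            if hashlib.sha256(zlib.decompress(blob)).hexdigest() != msg_id:
                return False
        prev = "0" * 64
        for entry in self.chain:
            expected = hashlib.sha256((prev + entry["msg"]).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    archive = EmailArchive()
    for raw in SAMPLE_MESSAGES:
        print(archive.ingest(raw))
    print("unique messages:", len(archive.blobs))
    print("raw bytes:", archive.raw_bytes, "stored bytes:", archive.stored_bytes())
    print("search 'invoice':", archive.search("invoice"))
    print("archive intact:", archive.verify())
```

The dedup key is the hash of the message with delivery headers removed, which is why the second distribution-list copy collapses onto the first; a real product will use a more careful canonical form (and usually separate attachment deduplication, as the ArcTitan feature list mentions). The `verify` step shows the defender-side value of a tamper-evident store: an altered blob or a removed journal entry is detected on the next integrity check rather than during an eDiscovery request.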

Is email archiving necessary?

Emails must be retained for compliance and need to be produced quickly for audits and e-discovery. Email recovery is far faster with an email archive. Most businesses have important data stored in email accounts that is stored nowhere else. That data is at risk if it is not sent to an archive. In the event of a ransomware attack that also encrypts backups, email data could be lost forever or cost millions to recover. The regulatory fines for loss of email data can be astronomical. Data loss is not possible with an email archive.

Is email archiving expensive?

Email archiving in the cloud is a low-cost solution that allows businesses to retain a tamper-proof copy of all messages to meet compliance requirements and for disaster recovery. An email archive saves on mail server storage space, which will increase performance. When you factor in productivity improvements and the reduced time producing emails to resolve customer complaints, for audits, and E-discovery requests, an email archive is money well spent.

Is email archiving the same as backing up email?

Email archiving and backing up email are not the same. Backups are intended for short term email storage for disaster recovery purposes. Entire mailboxes can quickly be restored from a backup if a mailbox is corrupted, deleted, or encrypted with ransomware. An email archive is a long-term email storage solution. In contrast to a backup, an archive can be rapidly searched allowing individual emails to be quickly found and recovered.

How much space can be saved with an email archive?

The amount of space saved by implementing an email archiving solution will vary from business to business, but typically businesses can reduce storage space by up to 80% by implementing an email archive. Furthermore, if emails ever need to be recovered, the archive can be rapidly searched and emails retrieved in seconds.

Tackling Phishing Scams in 2021

There was a huge surge in phishing campaigns conducted during 2021, and most companies are now very familiar with them and the danger(s) that they pose. Because of this, it is now more important than ever to be aware of how to tackle this type of attack head on.

This type of attack typically begins with an email being sent to your inbox which appears 100% authentic and includes a request for you to complete an action urgently. While you probably think that you would be adept at spotting a ploy such as this, every day three billion spoofing emails are transmitted, so there is every chance that even if you are not tricked, someone in your organization may take the bait and click a link that will lead to a lot of pain for your group.

To assist you in your fight against phishing, we have put together a number of measures you can introduce at your organization.

Investigate How the Sender is Aware of You

Sometimes all a phisher will do is launch a campaign in which millions of spoof emails are broadcast pretending to be from genuine, well-known and reputable companies. They know that companies that operate on a global basis will have millions of customers, so there is an excellent chance that the message will reach the inboxes of some actual clients. Always treat a message with suspicion, even if it appears to be from a company that you have an existing business relationship with.

Check for Spyware

It is important to check for spyware if you are finding yourself in receipt of a large number of spoof emails that appear to be sent from companies whose web portals you use a lot. If this is the case it is likely that one of your devices has been infiltrated with spyware which is recording your web traffic. This can be managed with a strong endpoint security application or spyware cleaner to make your device safe again.

Review the Email Address that is Contacting You

Even if a phishing email includes everything to make the message appear authentic, such as a company logo/image and corporate header, you should pay very close attention to the sending email address. Phishing emails are normally uncovered by the sending name and the sending email address being completely different from each other.

Check for Standard Phishing Email Claims

These include: 

  • Someone contacts you to confirm some personal information in relation to an account you hold.
  • You are made aware of suspicious activity on an account that you hold and asked to complete an action like visiting a link to change your password.
  • You are informed that you are entitled to claim a tax refund or government subsidy
  • An email from “IT Department” or “Help Desk”  asking you to complete an action.

Tackling Phishing Emails

Using a strong security solution like SpamTitan will prevent phishing, ransomware, and malware attacks, while also safeguarding all financial accounts using multi-factor authentication.

Having this in place will prevent your details from ever being exposed. It is important for companies to recognise the danger posed by cyberattacks and take steps, like configuring SpamTitan, in order to address it. 

Contact TitanHQ as soon as you can in order to find out more about how SpamTitan Email Security helps you tackle phishing attacks.

Supply Chain Targeted by Hackers

As cybercriminals look for more new targets that might bear them some profit it appears that they have now shifted some focus towards infiltrating supply chains.

These attacks occur when hacking groups manage to infiltrate servers and components that companies will likely buy from third party suppliers. IT departments would presume that new equipment has not been infiltrated and happily install it onto their networks. This type of attack is now increasing, particularly evident within state-sponsored campaigns that may make it easier for cybercriminals to gain access during the production process. 

It will come as no surprise that, due to lower costs, the majority of technology components are manufactured in China. These components are then ordered by the manufacturer, who is instructed how to add them to their own equipment. The manufacturer/purchaser configures these components to build their systems locally before sending them on to the final destination. This means that malicious components inserted into the hardware design will, more than likely, not be detected.

There is a small chance that some groups will carry out penetration tests on new equipment installed into their infrastructure. However, the vast majority of IT professionals will take it for granted that a brand new system will not feature weak points once it is set up and all software remains updated. Sadly there is a possibility that an opening could have been created for cybercriminals to target, allowing private data to be accessed. 

Occasionally, new equipment will transmit a signal to alert cybercriminals that malicious components are now operational. Once this is sent it is possible that a hacker could access data, review the network, remove data to a third-party server, download passwords, or configure more malware on other equipment. In more complex attacks, the malicious equipment could allow a state-sponsored threat actor remote management of the local system.

Anything configured on your network should be dealt with carefully until it’s validated and tested. Most system managers conduct tests on new hardware to see to it that there are no bugs or defects so that performance is at an optimal level. It is now just as important to review this hardware for any possible security issues.

Penetration testing should be completed in order to guarantee that there is no chance of malicious activity taking place after the system becomes operational. Any company installing hardware from third parties can mitigate risk by mapping the supply chain carefully. System penetration testing should also be completed to uncover unusual traffic patterns and activity on the local network. Backdoors might be present in order to transmit data back to the cybercriminals. 

As the targeting of supply chains becomes more prevalent, companies will have to increase their testing efforts to ensure new hardware is safe before it is made operational within a system. TitanHQ can safeguard supply chains from cybercriminal-led.

Contact the TitanHQ team now to discover more about the cybersecurity solutions like email filtering that can be added to your company’s security suite. 

Rockingham School District Emotet Malware Infection Cost $314,000 to Address

In November 2018 the Rockingham school district in North Carolina suffered an Emotet malware infection that cost a massive $314,000 to resolve. The malware was delivered using spam emails, which were sent to multiple users’ inboxes. The attack included an often-used ploy by hackers to get users to install malware.

The emails appeared to have been sent by the anti-virus supplier used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice attached to the email. The emails were believable and looked like many other legitimate emails received on a daily basis. The emails requested the recipient open and check the attached invoice; however, doing so resulted in Emotet being downloaded and installed.

Not long after those emails were received and opened, staff started to experience problems. Internet access seemed to have been disabled for some users and reports were received from Google saying email accounts had been disabled due to spamming. The school district looked into the issue and discovered several devices and servers had been infected with malware.

Emotet malware is a Trojan that can worm its way across a network. Infection on one machine will result in the malware being sent to other vulnerable devices. The malware can also send copies of itself via email, and injects itself into previous message threads. The malware is capable of stealing victims’ credentials, including online banking details, and also acts as a downloader of other malware variants and ransomware.

Emotet is a very advanced malware variant that is difficult to spot and hard to remove. The Rockingham school district discovered just how troublesome Emotet malware infections can be when attempts were made to remove the Trojan. The school district was able to successfully clean some infected machines by reimaging the devices; however, malware remained on the network and simply re-infected those devices.

Addressing the attack required assistance from security experts. 10 ProLogic ITS engineers spent approximately 1,200 hours on site reimaging machines. 12 servers and around 3,000 end points had to be reimaged to remove the malware and stop reinfection. The cost of cleanup ran to $314,000.

Attacks such as this are far from unusual. Cybercriminals target a wide range of vulnerabilities to install malware on business computers and servers. In this case, the attack took advantage of gaps in email defenses and a lack of security awareness of staff members.

To safeguard against malware, layered defenses are necessary. An advanced spam filtering solution can ensure malicious emails are not delivered to inboxes, endpoint protection software can detect unusual user behavior indicating an attack in progress, antivirus solutions can potentially discover infections, while web filters can block web-based attacks and drive-by malware downloads. End users are the last line of defense and should be shown how to recognize malicious emails and websites. Using a combination of these measures will help to prevent attacks such as this.

Blocking Drive-By Malware Installations

A drive-by malware download is a web-based attack in which malware is installed on a target device simply because the user visited a web page, without the user knowingly agreeing to a download. It is crucial for groups to put in place drive-by malware download security, along with configuring a spam filter to block malware delivery via email.

The malware could be:

  • Malware to make money for the developer thanks to advertising income
  • Spyware to collect data on the user
  • Keyloggers or banking Trojans that gather credentials
  • Ransomware to encrypt data and demand money from the victim.

These installations typically happen without the device user noticing. It can be as simple as a phishing email being received with a hyperlink that avoids the spam filter and takes the recipient to a compromised website which is laden with malware lures.

Authentic web portals can also be infiltrated and loaded with malware and ransomware. This is even more likely for a large web site that allows the placement of third-party ad blocks that generate extra revenue. Malicious adverts – termed malvertising – may get around the various testing required by third-party ad networks and be shown to site visitors. If a link is visited, the user is taken to the malicious web portal. Threat actors also participate in search engine poisoning. This is when search engine optimization tactics are deployed in order to move malicious websites to the top of the search engine results pages.

It is vital for companies to safeguard themselves from drive-by malware downloads by using a web-filtering solution to block undesirable website content from being displayed. The consumer versions come with parental control features for home WiFi networks.

WebTitan from TitanHQ is popular with corporate entities, managed services providers, and Internet service providers for preventing access to malicious, illegal, and other undesirable web content, including pornography, and it safeguards against drive-by malware downloads in a number of different ways.

First, it does not allow downloads of specific file types from the Internet, those most linked to malware (.exe, .js, and .msi for example). Second, it uses blacklists of IP addresses and domains that have previously been marked as involved in malware distribution. Finally, it can be used to prevent access to dangerous website categories that are typically involved in spreading malware.
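To make the three layers concrete, here is an added Python model of a URL policy check that applies them in the order the paragraph lists: file-type block, IP/domain blacklist, then category block. It is illustrative code written for this page, not WebTitan's implementation. The blacklist entries, the category map and the test URLs are constructed placeholders (the addresses come from documentation ranges), and a real filter would source all three from a live threat-intelligence and categorisation feed.

```python
import ipaddress
import posixpath
from urllib.parse import urlparse

# File types most associated with malware downloads (the examples named on this page).
BLOCKED_EXTENSIONS = {".exe", ".js", ".msi"}

# Constructed blacklist (assumption: placeholder names and a documentation IP range,
# not real indicators). Parent-domain entries cover all of their subdomains.
BLOCKED_DOMAINS = {"malware-drop.example.net"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed category lookup; a real filter queries a categorisation database.
DOMAIN_CATEGORIES = {
    "news.example.org": "news",
    "casino-lure.example.com": "phishing",
    "intranet.example.com": "business",
}
BLOCKED_CATEGORIES = {"malware", "phishing", "adult"}


def _domain_blacklisted(host):
    """True if host or any parent domain is on the blacklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def _address_blacklisted(host):
    """True if host is a literal IP inside a blacklisted network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return any(addr in net for net in BLOCKED_NETWORKS)


def evaluate_url(url):
    """Return (allowed, reason) for a requested URL, checking the layers in order."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()

    # 1. File-type block: decide on the path's extension, ignoring the query string.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked file type: {ext}"

    # 2. IP address and domain blacklists.
    if _domain_blacklisted(host):
        return False, "blacklisted domain"
    if _address_blacklisted(host):
        return False, "blacklisted address"

    # 3. Category block; unknown sites are allowed here but could be blocked by policy.
    category = DOMAIN_CATEGORIES.get(host, "uncategorised")
    if category in BLOCKED_CATEGORIES:
        return False, f"blocked category: {category}"

    return True, "allowed"


if __name__ == "__main__":
    for u in (
        "https://news.example.org/story.html",
        "https://news.example.org/tools/setup.exe?ref=1",
        "http://cdn.malware-drop.example.net/page.html",
        "http://203.0.113.7/login",
        "https://casino-lure.example.com/",
    ):
        print(evaluate_url(u))
```

Two design points worth noting: the extension check looks at the URL path rather than the whole string, so `setup.exe?ref=1` is still caught while a query parameter ending in `.exe` does not cause a false block; and domain matching walks up to parent domains, since blacklisting only an exact hostname is trivially bypassed by a new subdomain. Neither check inspects the downloaded bytes, which is why a web filter is one layer beside antivirus and endpoint protection rather than a replacement for them.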

WebTitan is simple to configure in a short space of time. It does not slow down page loads, safeguards users regardless of location, and updates automatically as soon as new malicious content is identified in threat intelligence reports.

In order to protect your company from drive-by malware installations, enhance security in relation to phishing attacks, and safely manage web content that is accessible on your network, get in touch with TitanHQ now to find out more.

Cyberloafing Costs Revealed in New Study

A study published in the Journal of Psychosocial Research on Cyberspace has highlighted the cost of cyberloafing to businesses. Cyberloafing has a massive impact on productivity, yet it is all too common. The cyberloafing costs for businesses are considerable and employees who partake in cyberloafing can seriously damage their career trajectory.

Employers are paying their employees to carry out work duties, yet a huge amount of time is lost to cyberloafing. Cyberloafing dramatically cuts productivity and gobbles up company profits. The study was carried out on 273 employees and cyberloafing was measured along with the characteristics that led to the behavior.

The study indicated a correlation exists between dark personality traits such as psychopathy, Machiavellianism and narcissism, but also suggested that employees are wasting huge amounts of time simply because they can do so. The sites most commonly viewed were not social media sites, but news websites and retail sites for online shopping.

In a perfect world, employees would be able to complete their duties and allocate some time each day to personal Internet use without any reduction in productivity. Some employees do just that and curb personal Internet use and do not let it impact their work duties. However, for many employees, cyberloafing is an issue and huge losses are suffered by employers.

A report on cyberloafing published by Salary.com indicated 69% of employees waste time at work every day, with 64% visiting non-work related web pages. Out of those workers, 39% said they wasted up to an hour on the Internet at work, 29% wasted 1-2 hours, and 32% wasted over two hours a day.

Cyberloafing can have a huge impact on company profits. A company with 100 workers, each of whom spends an hour daily on personal Internet use, would see productivity losses in excess of 25,000 man-hours annually.

Productivity losses caused by cyberloafing are not the only problem – or cost. When employees use the Internet for personal reasons, their actions slow down the network resulting in slower Internet speeds for all. Personal Internet use increases the chance of malware and viruses being introduced, which can cause further productivity losses. The cost of addressing those infections can be huge.

What Can Employers do to Reduce Cyberloafing Costs?

First of all, it is vital that the workforce is educated on company policies relating to personal Internet use. Advising the staff about what is an acceptable level of personal Internet use and what is considered unacceptable behavior ensures everyone is aware of the rules. They must also be told about the personal consequences of cyberloafing.

The Journal of Psychosocial Research on Cyberspace study says, “a worker’s perceived ability to take advantage of an employer is a key part of cyberloafing.” Improving monitoring and making it clear that personal Internet use is being recorded therefore acts as a good deterrent. When personal Internet use reaches problem levels there should be repercussions for the employees involved.

If there are no sanctions for employees that break the rules and company policies are not enforced, little is likely to change. Action could be taken against the workers concerned through standard disciplinary procedures such as verbal and written warnings. Controls could be implemented to curb Internet activity – such as blocks applied for certain websites – social media sites/news sites for example – when employees are wasting too much time online. Those blocks could be temporary or even time-based, only permitting personal Internet use during breaks or at times when workloads are usually low.

WebTitan – An Easy Solution to Cut Productivity Losses and Curb Cyberloafing

Such controls are simple to apply using WebTitan. WebTitan is an Internet filter for SMBs and enterprises that can be deployed in order to reclaim lost productivity and block access to web content that is unacceptable in the workplace.

WebTitan allows administrators to apply Internet controls for individual employees, user groups, or the entire company, with the ability to apply time-based web filtering controls as appropriate.

Stopping all employees from using the Internet for personal reasons may not be the best way forward, as that could have a negative impact on morale, which in turn affects productivity. However, some controls can certainly help employers reduce productivity losses. Internet filtering can also reduce the risk of lawsuits arising from illegal activity on the network, and blocking adult content in the workplace helps to prevent the development of a hostile work environment.

If you would like to increase productivity and start enforcing Internet usage policies in your company, contact TitanHQ today. WebTitan is available on a free trial to test the solution in your own environment before making a decision about a purchase.

Network Segmentation Best Practices to Improve Security

Whatever the size of your company, one of the most important security measures you can deploy to block threat actors from gaining access to your servers, workstations, and data is a firewall. A firewall on its own does not guarantee that your digital assets are secure, however: what matters is how it is configured. If you follow network segmentation best practices and implement firewall security zones, you can keep your internal network isolated from the Internet and limit the damage an attacker can do after compromising one exposed host.

Most companies have a well-defined network structure that incorporates a trusted internal network zone and an untrusted external zone, often with intermediate security zones between them. A security zone is a set of servers and systems with similar security requirements; in practice each zone maps to a Layer 3 subnet (or VLAN) to which its hosts connect.

The firewall provides protection by managing traffic to and from those hosts and security zones, whether at the IP, port, or application level.

Network Segmentation Best Practices

There is no single configuration that will be ideal for all companies and all networks, since each business will have its own requirements and required functionalities. However, there are some network segmentation best practices that should be implemented.

Possible Firewall Security Zone Segmentation (diagram)

In the diagram above, firewall security zones are used to keep groups of servers separated. The example uses a single firewall, two DMZ (demilitarized zone) subnets, and an internal zone. Each DMZ is an isolated Layer 3 subnet.

Some servers in the DMZ zones must be Internet-facing in order to function; web servers and inbound email servers, for example. Because they accept connections from the Internet, these servers are the most exposed to attack, so they should be separated from servers that do not require direct Internet access. Keeping them in their own zone limits the damage if one of them is compromised.

In the diagram, the permitted direction of traffic is shown with the red arrows. Bidirectional traffic is allowed between the internal zone and DMZ2, which holds the application and database servers, but only one-way traffic (initiated from the internal zone) is permitted between the internal zone and DMZ1, which holds the proxy, email, and web servers. The proxy, email, and web servers are placed in a separate DMZ from the application and database servers so that the compromise of an Internet-facing host does not give direct access to the data tier.

The firewall permits traffic from the Internet to DMZ1, but only to the specific servers and ports that each service needs (for example 80 and 443 to the web server, 25 to the email server). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not allowed, at least not directly.

A web server may need to connect to a database server, and while it may seem convenient to run both as virtual machines on the same host, from a security perspective this should be avoided. Ideally, they should be placed in different DMZs. The same applies to front-end web servers and web application servers, which should similarly be located in different DMZs. Traffic between DMZ1 and DMZ2 will be required, but it should only be permitted on the specific ports the application uses (for example the database listener port from the web server to the database server) and only from the hosts that need it. DMZ2 can connect to the internal zone for specific cases such as backups or authentication against Active Directory, again restricted to the necessary ports.

The internal zone is made up of workstations and internal servers: databases that do not have to be Internet-facing, Active Directory domain controllers, and internal applications. Internet access for users on the internal network should be directed through an HTTP proxy server located in DMZ1, so that workstations never connect to the Internet directly. Remember that the internal zone is isolated from the Internet: direct traffic from the Internet to the internal zone should never be allowed.

The above setup provides important protection for your internal network. If a server in DMZ1 is compromised, the internal network is still protected because connections between the internal zone and DMZ1 can only be initiated from the internal side; a stateful firewall will pass the return packets of those sessions, but nothing in DMZ1 can open a new connection inward. Note that a compromised DMZ1 host must not be able to reach the internal zone indirectly either, for example through a DMZ2 server that has more permissive access, so the DMZ1-to-DMZ2 rules deserve the same scrutiny as the perimeter rules.
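The Python below is an added example, not code from the original article or from any firewall vendor. It models the three-zone design above as an explicit allow-list of which zone (and which host within a zone) may initiate a TCP connection to which destination and port, with everything else denied, and then evaluates a set of constructed connection attempts to show what the design permits and blocks. The subnets, host addresses and port numbers are assumptions chosen for the example (a database listener on 5432, a proxy on 3128, and so on); a real ruleset would be written in the firewall's own language, but this matrix is what you would translate it from.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed example subnets (RFC 5737 and RFC 1918 space); real addressing differs.
ZONES = {
    "DMZ1": ip_network("192.0.2.0/24"),      # proxy, email and web servers
    "DMZ2": ip_network("198.51.100.0/24"),   # application and database servers
    "INTERNAL": ip_network("10.10.0.0/16"),  # workstations, AD, internal apps
}
# Any address outside the named zones is treated as the untrusted Internet.

# Hosts named in the rules (constructed addresses).
WEB = ip_address("192.0.2.10")
MAIL = ip_address("192.0.2.20")
PROXY = ip_address("192.0.2.30")
DB = ip_address("198.51.100.10")
DC = ip_address("10.10.1.5")       # Active Directory domain controller
BACKUP = ip_address("10.10.1.9")   # backup server


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_hosts: Optional[frozenset]  # None = any host in src_zone
    dst_zone: str
    dst_hosts: Optional[frozenset]  # None = any host in dst_zone
    ports: frozenset                # TCP destination ports (UDP left out for brevity)


def hosts(*addrs: IPv4Address) -> frozenset:
    return frozenset(addrs)


# The red arrows of the diagram as an explicit allow-list. Each rule names the
# side that may INITIATE the connection; return packets belong to the tracked
# session, so no reverse rule is ever written. Anything unmatched is dropped.
RULES = (
    # Internet -> DMZ1: only the published services, only on their own hosts.
    Rule("INTERNET", None, "DMZ1", hosts(WEB), frozenset({80, 443})),
    Rule("INTERNET", None, "DMZ1", hosts(MAIL), frozenset({25})),
    # DMZ1 -> Internet: the proxy browses, the mail server delivers outbound.
    Rule("DMZ1", hosts(PROXY), "INTERNET", None, frozenset({80, 443})),
    Rule("DMZ1", hosts(MAIL), "INTERNET", None, frozenset({25})),
    # Internal -> DMZ1, one way: users reach the proxy and their mailboxes.
    Rule("INTERNAL", None, "DMZ1", hosts(PROXY), frozenset({3128})),
    Rule("INTERNAL", None, "DMZ1", hosts(MAIL), frozenset({143, 587})),
    # DMZ1 -> DMZ2: only the web server may reach the database listener.
    Rule("DMZ1", hosts(WEB), "DMZ2", hosts(DB), frozenset({5432})),
    # Internal <-> DMZ2: admins and apps reach DMZ2; DMZ2 reaches AD and backups.
    Rule("INTERNAL", None, "DMZ2", None, frozenset({443, 5432})),
    Rule("DMZ2", None, "INTERNAL", hosts(DC), frozenset({389, 636})),
    Rule("DMZ2", None, "INTERNAL", hosts(BACKUP), frozenset({22})),
)


def zone_of(addr: IPv4Address) -> str:
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def permitted(src: str, dst: str, port: int) -> bool:
    """True if a new TCP connection src -> dst:port may be initiated."""
    s, d = ip_address(src), ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    for r in RULES:
        if (r.src_zone == sz and r.dst_zone == dz and port in r.ports
                and (r.src_hosts is None or s in r.src_hosts)
                and (r.dst_hosts is None or d in r.dst_hosts)):
            return True
    return False   # default deny


def audit() -> dict:
    """Evaluate constructed connection attempts against the policy."""
    attempts = {
        "internet->web:443": ("203.0.113.7", str(WEB), 443),
        "internet->web:22": ("203.0.113.7", str(WEB), 22),
        "internet->db:5432": ("203.0.113.7", str(DB), 5432),
        "internet->dc:389": ("203.0.113.7", str(DC), 389),
        "workstation->proxy:3128": ("10.10.5.20", str(PROXY), 3128),
        "web->workstation:445": (str(WEB), "10.10.5.20", 445),  # DMZ1 may not initiate inward
        "web->db:5432": (str(WEB), str(DB), 5432),
        "mail->db:5432": (str(MAIL), str(DB), 5432),            # same zone, wrong host
        "db->dc:636": (str(DB), str(DC), 636),
        "db->workstation:445": (str(DB), "10.10.5.20", 445),
    }
    return {name: permitted(*flow) for name, flow in attempts.items()}


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

The two attempts worth studying are `mail->db:5432` and `web->workstation:445`: the first is denied even though the port is open between the two zones, because the rule names the web server as the only permitted source, and the second shows the one-way rule at work, since nothing in DMZ1 matches a rule with the internal zone as destination.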

By complying with network segmentation best practices and using the above firewall security zone segmentation you should be able to improve the security of your network. For greater security, we also recommend using a cloud-based web filtering solution such as WebTitan, which filters the Internet and stops end users from accessing websites known to host malware or those that break acceptable usage policies.

Exclaimer Mail Archiver Reaches End of Life

This September, the Exclaimer Mail Archiver reaches end-of-life. The Exclaimer Mail Archiver email archiving solution has been discontinued and support for the solution will no longer be provided by Exclaimer from the end of the month. That means vulnerabilities will no longer be addressed and customers will need to migrate to a new email archiving solution.

The Best Exclaimer Mail Archiver Alternative

If you are looking for an Exclaimer Mail Archiver alternative there are many solutions to choose from, but when it comes to functionality, ease of use, speed, compliance, and usability, you need look no further than ArcTitan from TitanHQ.

ArcTitan is an award-winning email archiving and email retention solution, which was recently rated as the best email archiving software company of 2021 by the independent small business review site digital.com, based on archiving features, online support, and encryption availability.

As with all TitanHQ solutions, setup is a quick and simple process. When you sign up to use ArcTitan you will be provided with detailed step-by-step instructions for configuring your email server to send a copy of each message to the archive. Your TitanHQ support team will work with your IT team to migrate your existing archive and can even work directly with your service provider for a totally pain-free migration. For the majority of clients, same-day account setup is possible.

ArcTitan is a cloud-based email archiving solution, so there is no need for any on-site hardware. Compatibility is not an issue, as ArcTitan will seamlessly integrate with most email systems, including Microsoft Exchange, Microsoft 365, Zimbra, Lotus Notes, and many others and you can import an existing archive from MS Exchange, Google Apps, EML, MBOX, MSG, or PST with ease.

Advantages of ArcTitan Email Archiving

TitanHQ likes to make everything simple. All the complexity is in the background, with users able to access their archives via an Outlook add-on or a web interface. When you need to access your archive to recover emails, lightning-fast searches of the archive can be performed. In fact, TitanHQ is a front runner in the market for searchability of email archives and allows large data searches to be performed at incredible speeds. With a load performance of more than 200 emails per second from your email server, ArcTitan is one of the fastest email archiving solutions on the market.

Users also benefit from:

  • Unlimited storage
  • Folder replication
  • Delegated permissions
  • Re-ingestion function
  • Disaster recovery included with impressive SLAs
  • GDPR, HIPAA and SOX Compliance
  • Seamless integration with Microsoft 365 / Office 365
  • No maintenance headaches: we monitor and manage the infrastructure 24/7, it is our job to make sure it’s performing well.
  • Massive cost and time savings

In contrast to many email archiving solutions, customers are not locked into proprietary data formats. That means you can move some or all of your data to another system as required. Email data are transferred and retrieved using open standards and you can export to EML, MSG, PDF, TIFF and PST.

No matter what, you will not have any costly, time-consuming data conversions. That includes when you join and if you leave. On top of that, ArcTitan is extremely competitively priced, which makes it an ideal Exclaimer Mail Archiver alternative.

Contact TitanHQ Today and find out for yourself why ArcTitan is the best Exclaimer Mail Archiver alternative. ArcTitan is available on a free trial, and product demonstrations can be booked on request.

Digital.com Rates ArcTitan by TitanHQ Top Email Archiving Solution for 2021

The leading independent business software review site Digital.com has recognized ArcTitan by TitanHQ as one of the best email archiving solutions for small businesses, with the product named in Best Email Archiving Software Company ratings for 2021.

Digital.com rates small business online tools, products, and services. The research team conducted a 40-hour assessment of over 45 companies to determine the leading email archiving solution providers. Each company’s product was assessed based on archiving features, online support, and encryption availability.

The researchers were looking for features that make email archiving solutions ideal for small businesses, such as supported deployment, robust access controls, secure backup management, and Microsoft 365 integration.

To be considered a leader in the field for 2021, Digital.com required companies to provide first-class online support, including self-help resources and easy access to live customer support representatives. Security was also an important factor: archives needed strong encryption to ensure files and emails containing sensitive business data were well protected.

Some of the features that make the award-winning TitanHQ email archiving solution stand out from the competition are:

  • Unlimited storage
  • Folder replication
  • Delegated permissions
  • Re-ingestion function
  • GDPR, HIPAA and SOX Compliance
  • Powerful search and retrieve tool
  • Easy Microsoft 365 integration

Having an email archiving solution that is competitively priced and easy to set up and use is important for small businesses. Small businesses typically have limited budgets and need to buy cost effective solutions. Emails need to be sent to a secure repository to meet compliance requirements, and when emails need to be recovered, when dealing with customer disputes, legal matters, or when emails are deleted from inboxes by mistake for example, it is vital that they can be found and retrieved quickly.

ArcTitan has an intuitive email search and retrieval tool that performs lightning-fast searches of emails and attachments. Plus, emails are stored securely, are replicated, and automatically backed up to ensure they are always available. Seamless integration with Microsoft 365 ensures small businesses have no IT headaches. ArcTitan truly is a set and forget solution.

If you have yet to implement an email archiving solution, are unhappy with your current service provider or want to reduce your email archiving costs, ArcTitan is the solution you need.

For further information on the ArcTitan cloud-based email archiving solution, to book a product demonstration, or to register for a free trial, contact the TitanHQ team today.

Preventing Phishing Attacks: Five Strong Tactics

As cybercriminals look for new targets that might bring them a profit, it appears that some have shifted their focus towards infiltrating supply chains.

These attacks occur when threat actors manage to tamper with servers and components before companies buy them from third-party suppliers. IT departments presume that new equipment is clean and install it on their networks. This type of attack is increasing, and is particularly evident in state-sponsored campaigns, where the attacker may have the means to gain access during the production process.

It will come as no surprise that, due to lower costs, the majority of technology components are manufactured in China. These components are ordered by equipment manufacturers, who integrate them into their own products; the manufacturer or purchaser then configures the assembled system locally before shipping it to its final destination. At no point in that chain are the components typically inspected for malicious additions, so anything inserted into the hardware design is unlikely to be detected.

A small number of organizations carry out penetration tests on new equipment before installing it into their infrastructure. However, the vast majority of IT professionals take it for granted that a brand-new system has no weak points once it is set up and its software is kept up to date. Sadly, there is a possibility that an opening has already been created for cybercriminals to exploit, allowing private data to be accessed.

Occasionally, compromised equipment will transmit a beacon to alert the attackers that the malicious component is now operational. Once that signal is received, the attacker could access data, map the network, exfiltrate data to a third-party server, harvest passwords, or install further malware on other equipment. In more complex attacks, the malicious component could give a state-sponsored threat actor persistent remote control of the local system.

Anything added to your network should be treated as untrusted until it has been validated and tested. Most system administrators test new hardware to make sure there are no bugs or defects and that performance is optimal. It is now just as important to review that hardware for possible security issues.

Security testing should be completed before the system becomes operational, to reduce the chance of malicious activity later; no test can guarantee the absence of an implant. Any company installing hardware from third parties can further mitigate the risk by mapping its supply chain carefully and knowing who handled the equipment at each stage. Once the system is in place, monitor the local network for unusual traffic patterns and activity: a backdoor that transmits data back to the attackers will show up as unexpected outbound connections.

As the targeting of supply chains becomes more prevalent, companies will have to increase their testing efforts to ensure new hardware is safe before it is made operational. TitanHQ can safeguard supply chains from cybercriminal-led.

Contact the TitanHQ team now to discover more about the cybersecurity solutions that can be added to your company’s security suite. 

 

Cisco Umbrella Alternative for SMBs and MSPs

In this post we propose an ideal Cisco Umbrella alternative that you can implement at a fraction of the cost of Cisco Umbrella, yet still have excellent protection from web-based threats and precision Internet content control for your workforce.

WebTitan Cloud is the leading Cisco Umbrella alternative for SMBs and Managed Service Providers (MSP) that serve the SMB market. WebTitan Cloud is, in many respects, a direct swap out for Cisco Umbrella, and one that will save you a small fortune on DNS filtering costs.

What is Cisco Umbrella?

In 2015, Cisco acquired OpenDNS and rebranded the OpenDNS Umbrella solution as Cisco Umbrella. Cisco Umbrella is first and foremost a DNS filtering service: a cloud-based security service that protects office and home workers from online threats by filtering DNS requests. It works at the DNS lookup stage of a web request, where the domain name in a URL is translated into an IP address so that the computer can locate the resource.

Cisco Umbrella DNS filtering allows administrators to set controls governing the web content that can be accessed, the files that can be downloaded from the Internet, along with a range of other security features such as a cloud-delivered firewall, shadow IT protection, and tools to investigate cyber threats.

Before we cover the cost of WebTitan versus Cisco Umbrella in our Cisco Umbrella review, it is worthwhile taking a moment to explain why DNS filtering is now an essential part of the security stack and why you need to add this additional layer of security if you are not already using a DNS filter.

Why is a DNS Filter Necessary?

You will no doubt be aware that the internet can be a dangerous place. As an IT professional or SMB owner, you need to make sure that your employees do not venture into areas of the internet that could cause your business harm.

Even general web browsing can pose a risk of a malware infection or ransomware download, and employees can easily be tricked into visiting phishing web pages where credentials are harvested. These are very real threats that need to be mitigated.

Rather than leave things to chance and hope that your employees obey the rules and recognize every threat in time, you can implement a content filtering solution such as a DNS filter. A DNS filter requires no hardware purchases or software downloads: you reconfigure your DNS settings to point at the provider's resolvers and apply your content controls. A DNS filter blocks access to malicious domains before a connection is ever made. Bear in mind that a DNS lookup carries only the hostname, so blocking downloads of particular file types requires the web traffic itself to be inspected by a proxy component (or an endpoint agent) rather than by the DNS lookup alone.

DNS content filtering takes place in the cloud, so the latency it adds is negligible (the lookup happens before any content is fetched), and a blocked site is stopped before anything is downloaded. You can control the categories of content that can be accessed and, if an employee requests a blocked site, they will be directed to a block page and no harm will be done. You can run reports on web usage, apply controls to conserve bandwidth, and, perhaps most importantly, prevent employees from visiting malicious websites and block malware and ransomware downloads from known-bad domains. Without this additional security layer, your business will be at greater risk.
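As an added example (not WebTitan or Cisco Umbrella code), the Python below shows the decision a DNS filter makes for each query: normalize the name, walk up through its parent domains to find the most specific categorized entry, block threat categories unconditionally, and otherwise apply a per-group acceptable-use policy with a domain allowlist and a break-time exception, answering with the block-page address when the query is denied. The category feed, groups, block-page address and hours are constructed for the example. Note what the function never receives: a URL path or a file name, because the DNS query does not carry them.

```python
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

BLOCK_PAGE = "192.0.2.53"   # constructed address of the block-page server

# Constructed categorization feed (domain -> category). Real filters use
# large vendor-maintained databases; the matching logic is the same.
CATEGORY_OF = {
    "malware-c2.example": "malware",
    "login-verify.example": "phishing",
    "social.example": "social",
    "social2.example": "social",
    "news.example": "news",
    "cdn.social.example": "cdn",   # more specific than social.example, so it wins
}
THREAT_CATEGORIES = {"malware", "phishing"}   # blocked for everyone, always

# Per-group acceptable-use policy: categories blocked outside break times,
# plus an allowlist of domains that overrides a category block.
POLICIES = {
    "staff": {"blocked": {"social", "news"}, "allow": set()},
    "marketing": {"blocked": {"social", "news"}, "allow": {"social.example"}},
}
BREAK_HOURS = {12}   # constructed: personal browsing permitted over lunch


@dataclass(frozen=True)
class Decision:
    action: str               # "ALLOW" or "BLOCK"
    category: Optional[str]   # matched category, if any
    answer: Optional[str]     # address handed to the client when blocked


def normalize(qname: str) -> str:
    """Lower-case, drop the trailing dot and IDNA-encode, so that
    'NEWS.Example.' and 'news.example' hit the same entry."""
    return qname.rstrip(".").lower().encode("idna").decode("ascii")


def candidates(name: str) -> Iterator[str]:
    """Yield the name and each parent domain, most specific first:
    a.b.example -> a.b.example, b.example, example."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup(name: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (matched_domain, category) for the most specific entry."""
    for cand in candidates(name):
        if cand in CATEGORY_OF:
            return cand, CATEGORY_OF[cand]
    return None, None


def decide(qname: str, group: str, hour: int) -> Decision:
    """Policy decision for one DNS query from a user in `group` at `hour`.
    Only the hostname is available here: the URL path and any file name
    are never part of the DNS query."""
    name = normalize(qname)
    _, category = lookup(name)
    if category in THREAT_CATEGORIES:
        return Decision("BLOCK", category, BLOCK_PAGE)   # not overridable
    policy = POLICIES[group]
    if category in policy["blocked"] and hour not in BREAK_HOURS:
        if not any(c in policy["allow"] for c in candidates(name)):
            return Decision("BLOCK", category, BLOCK_PAGE)
    return Decision("ALLOW", category, None)   # resolve normally


if __name__ == "__main__":
    for q, g, h in [("www.malware-c2.example", "marketing", 12),
                    ("NEWS.Example.", "staff", 10),
                    ("news.example", "staff", 12),
                    ("app.social.example", "marketing", 10),
                    ("chat.social2.example", "marketing", 10),
                    ("example.org", "staff", 10)]:
        print(f"{q:28} {g:10} {h:02d}:00 -> {decide(q, g, h)}")
```

The parent-domain walk is what makes a single feed entry for `social.example` cover every host under it, while a more specific entry such as `cdn.social.example` can still be categorized differently; the threat check runs before the group policy so that no allowlist or break-time rule can ever open a path to a malware or phishing domain.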

Cisco Umbrella Review

In this Cisco Umbrella review we will cover some of the advantages and disadvantages of Cisco Umbrella and will present a Cisco Umbrella alternative that is ideal for SMBs and MSPs. The Cisco Umbrella alternative we suggest includes the most important features of the Umbrella DNS filtering solution, with some key advantages for SMBs and MSPs. First, let us consider some aspects of the Cisco Umbrella solution to save you time in your research.

Cisco Umbrella Pricing

Cisco Umbrella pricing is not particularly transparent. First, there is no Cisco Umbrella price list on the Cisco website, and while it is possible to get an idea of the Cisco Umbrella price from resellers via Google searches, their prices tend to be out of date. Cisco recently updated and renamed its three Cisco Umbrella offerings, and as part of the re-jigging of the packages and addition of extra features, the Cisco Umbrella price was increased.

Cisco Umbrella pricing is a little complicated and varies based on several different factors. Naturally the prices increase from the basic offering - DNS Security Essentials - to the most advanced version of the solution - Secure Internet Gateway (SIG) Essentials, but also by the number of users, length of the contract term, and the optional extras that are added to the standard packages. It should be noted that standard Cisco Umbrella pricing only includes basic email support. More comprehensive support is offered as an add-on at an additional cost, and you will need to pay extra for software updates and access to online learning resources.

There is a Cisco Umbrella ordering guide that provides more information about what is included, the features of the solution, and a breakdown of each package to help businesses choose the most suitable version of the solution and select the extras they need. But if a Cisco Umbrella ordering guide is required, it gives you some idea of the complexity of Cisco Umbrella pricing.

Cisco Umbrella Licensing

As previously mentioned, Cisco Umbrella licensing is for three different solutions. These were initially called “Professional”, “Insights” and “Platform” but have recently been renamed “DNS Security Essentials,” “DNS Security Advantage,” and “DNS Secure Internet Gateway (SIG) Essentials.”

Cisco Umbrella licensing is based on the number of users and the minimum contract term is 1 year. In contrast to other DNS filtering service providers, with Cisco Umbrella you have to pay the costs upfront. You cannot spread the cost over the contract term with monthly billing, which makes the solution prohibitively expensive for many businesses, especially considering the cost of the SIG Essentials solution could be, with typical add-ons, in the region of $5+ per user, per month.

Is It Worth Paying the Cisco Umbrella Price?

We are not going to try to convince you not to look at Cisco Umbrella, as it is an accomplished DNS filtering solution that is suitable for many enterprises and SMBs. The product will certainly protect your business from web-based threats and will allow you to enforce your internet policies. However, there is a but. If you are already using Cisco Umbrella or have made enquiries about the solution, you will be aware that the product comes at a considerable cost.

Cisco Umbrella is not a one-size-fits-all solution. Cisco caters to a range of customers, from small businesses to large enterprises, and its packages have been devised accordingly. The most basic offering is DNS Security Essentials, a bare-bones DNS filtering package that blocks malware and ransomware downloads and allows you to enforce your Internet policies. However, it lacks features that many SMBs consider important. For instance, now that most websites have moved to HTTPS, connections to those sites are encrypted. A DNS-layer block on a whole domain still works, because the name is resolved before the TLS handshake begins; what HTTPS hides is the URL path and the page content. To categorize individual pages or scan downloads on an HTTPS site, the traffic must be decrypted, inspected, and re-encrypted, a feature termed SSL inspection. The basic package does not include it, so the content of those sites is opaque to the solution, and many malicious websites now have valid SSL certificates. Full decryption and inspection of all SSL traffic is only available in the top-level package; the mid-range package offers partial decryption and inspection (for risky websites only).

DNS Security Advantage is the second package, which provides more features such as greater insight for investigations, file threat intelligence, and other tools. At the top end is the comprehensive Secure Internet Gateway Essentials package, which offers enterprise-grade DNS filtering with a host of features required by enterprises with a large workforce. For most SMBs, the top package offers many features that will never be used, while the lowest package is missing some features that many SMBs really do need.

What is the Cisco Umbrella Cost Per User?

So, how much does Cisco Umbrella cost? This is a key consideration for SMBs as they are likely to have limited budgets. They need to pay for several layers of cybersecurity to block the threats they are most likely to encounter. Spend top dollar on one solution and it is likely to mean less can be spent on other important security controls.

At the standard level, the Cisco Umbrella cost per user is $2.20 per month as of the start of 2021, which is considerably more than Cisco Umbrella alternative options such as WebTitan. For 100 users, Cisco Umbrella will cost $2,640 per year, and that price only includes basic email support. If you opt for one of the more advanced packages, and we believe the middle package is the lowest level you should really consider due to the lack of SSL inspection in the basic package, that price will increase considerably.

The standard price for a Cisco Umbrella alternative is around $1.00 to $1.50 per user per month, but here at TitanHQ we have a highly competitive pricing policy and can provide you with a Cisco Umbrella alternative for as little as $0.90 per user per month. That will save you $1,560 per year, based on 100 users compared to the basic Cisco Umbrella price.

There is More to Consider than the Cost of Cisco Umbrella Alone

Cost is not the only consideration, although it is certainly important. You will want to ensure that your DNS filter allows you to control content easily and it must provide protection against web-based threats. So, does opting for a Cisco Umbrella alternative reduce the protection you will get? Actually, you can pay less and improve protection, have an easier to use product, with better reporting, and less complexity.

At TitanHQ we have a totally transparent and flexible pricing policy and provide the same, high level of protection for everyone. All customers benefit from full SSL inspection to ensure that HTTPS traffic is inspected and analyzed, and all customers get industry-leading customer support at no extra cost.

WebTitan is also loved by users who rate it highly for ease of setup, ease of use, ease of admin, and for the quality of support provided. This can be seen on review sites such as G2 Crowd, as detailed below.


The Leading DNS Filtering Solution for MSPs Serving the SMB Market

TitanHQ is the global leader in cloud-based email and web security solutions for MSPs that serve the SMB market. WebTitan has been designed to be ideal for MSPs and includes a host of features not offered by Cisco. In contrast to all packages of Cisco Umbrella, we offer a range of hosting options - with TitanHQ, in a private cloud, and you can even host the solution in your own environment, something that is important for many MSPs. You can also have WebTitan in white label form ready to take your own branding, another big plus for MSPs that is not offered by Cisco. The solution is also easy to integrate seamlessly into your own security and customer management solutions thanks to a suite of APIs. Onboarding new customers is simple and painless, and managing their web filtering settings is straightforward. All customers are kept separate in the solution and you can apply individual settings with ease, but you can still apply bulk settings to all customer accounts. Plus you can manage the solution securely from anywhere with an Internet connection.


Many MSPs are now making the switch from Cisco Umbrella to WebTitan, with the most common reasons being the high cost of Umbrella, which has to be passed on to customers or absorbed. It can be a difficult sell with the high cost, even though the benefits of web filtering are usually understood by clients. The usability of the solution is also a common complaint, as is the quality of post-sales customer support and the lack of flexibility.

UK-based managed service provider Network Needs is one of the MSPs that has made the switch from Cisco Umbrella to WebTitan, and accurately sums up the experience of the many MSPs that have done the same. "When we decided to trial WebTitan we were happily surprised. Straightaway we dropped Cisco Umbrella and moved to WebTitan and it is impressing us every day," said Network Needs Technical Director, Ryan Lochhead. "WebTitan easily integrated into Network Needs' existing service stack, avoiding any delays in offering the service. There is comprehensive remote management and monitoring via an API. Any MSP will benefit from WebTitan’s many advantages."

How Does WebTitan Compare to Cisco Umbrella?

WebTitan vs. Cisco Umbrella comparison chart (image)

Find out More About Our Alternative to Cisco Umbrella Today!

Our sales staff will be happy to explain the benefits of WebTitan over Cisco Umbrella and schedule a product demonstration to show you how easy the solution is to use and integrate into your own environment. If you would like to try WebTitan before committing, you can also take advantage of our free 14-day trial. For the duration of the trial you will have access to full product support to ensure you get the most out of the solution. For more information, give the TitanHQ team a call today.

Frequently Asked Questions (FAQs)

Is Cisco Umbrella the same as OpenDNS?

Cisco acquired OpenDNS and rebranded the OpenDNS enterprise security products as Cisco Umbrella. Cisco Umbrella is not exactly the same as OpenDNS, but they do perform the same function, with Cisco Umbrella providing enterprises with greater control, more features, and better integration with other Cisco solutions.

Is Cisco Umbrella worth the cost?

Cisco Umbrella is a powerful web security solution that provides important security benefits and visibility into the Internet activity of all devices and users. While the threat protection is excellent, the cost of the solution can be prohibitively expensive for many small businesses, who can get the features they need from a solution at a fraction of the cost.

Who uses Cisco Umbrella?

While any company can benefit from Cisco Umbrella and improve security, the solution is aimed at mid-to large-sized organizations and includes many features that smaller businesses will not need or use. If you are just looking for a web security solution to control access to web content and block malware downloads, you will be able to make considerable savings with WebTitan.

Is Cisco Umbrella DNS Security Essentials worth the cost?

The features included with the cheapest package of Cisco Umbrella – DNS Security Essentials - are very limited. Businesses looking for the features provided by DNS Security Essentials will be able to get them and more – full SSL inspection for instance - with a Cisco Umbrella alternative such as WebTitan Cloud.

Is Cisco Umbrella a good choice for MSPs?

Cisco does provide Umbrella for Managed Service Providers and it is a good solution for protecting clients and preventing costly malware infections. While an accomplished product, the cost can be high for MSPs, especially those serving the SMB market and there is no option for hosting within an MSP data center and the solution will not be provided as a white label.

New Geo-blocking Email Security Feature Included in SpamTitan 7.11 Release

A new version of SpamTitan has been launched that introduces geo-blocking email filtering, in addition to many other updates and fixes aimed at enhancing usability.

This new version of the award-winning email security solution adds geo-blocking in response to the high level of demand from existing users; it is included at no additional cost to the subscription. The geo-blocking feature allows users of the solution to block, or permit, emails sent from specific geographical areas. The decision is based on the country associated with the IP address of the mail server that connects to deliver the email. This adds a further layer of security for companies, allowing them to shut off geographic sources of threats and stop malware, ransomware, and phishing emails from those regions landing in inboxes.

A country can be selected and all emails from mail servers in that location will be blocked. Doing this can greatly improve your company’s cybersecurity, as the majority of malicious emails originate from a small number of countries, in most cases countries that most small- to medium-sized businesses have no dealings with. Blocking those countries therefore has no impact on business, and it could save a lot of money that would otherwise be lost dealing with a successful cyberattack. Bear in mind that the check applies to the connecting server: mail from a blocked region that is relayed through a legitimate provider in an allowed country will not be caught by geo-blocking alone, which is why it complements rather than replaces the other anti-spam and anti-phishing checks.

This is simple to configure within the SpamTitan solution. It can be enabled within the SpamTitan Country IP Database. For companies that do not wish to block every group from a specific country or domain, there is a whitelist option which allows you to approve specific senders so that their email will still reach the correct inboxes.
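The decision logic described above, as an added example in Python that is not SpamTitan’s own code: the country is taken from the IP of the server that connected to the receiving MX (the topmost Received header, which the receiver itself wrote), compared against a block list, and a whitelist of senders or domains overrides the block. The IP-to-country table, country codes (XA, XB, XC) and the sample message are constructed placeholders, not real geolocation data.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed stand-in for the SpamTitan Country IP Database: documentation
# prefixes mapped to placeholder country codes (XA, XB, XC), not real geodata.
COUNTRY_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "XA"),
    (ipaddress.ip_network("198.51.100.0/24"), "XB"),
    (ipaddress.ip_network("192.0.2.0/24"), "XC"),
]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def country_of(ip_str):
    """Map an IPv4 address to a country code, or None if it is not in the table."""
    ip = ipaddress.ip_address(ip_str)
    for net, code in COUNTRY_RANGES:
        if ip in net:
            return code
    return None


def sender_country(raw_message):
    """Return (connecting_ip, country) for a message.

    The topmost Received header is the one written by our own MX, so the
    bracketed address in it is the server that actually connected to us.
    Lower Received headers were written by other hosts and can be forged,
    so they are never used for the geo decision.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    match = IP_IN_BRACKETS.search(received[0])
    if not match:
        return None, None
    ip = match.group(1)
    return ip, country_of(ip)


def geo_filter(raw_message, blocked_countries, allowed_senders=(), allowed_domains=()):
    """Apply a country block list with a per-sender / per-domain whitelist.

    Returns ("allow" | "block", reason): block by country of the connecting
    server, with whitelisted senders exempted.
    """
    ip, code = sender_country(raw_message)
    if ip is None:
        return "allow", "no connecting IP found; geo rule not applied"
    if code not in blocked_countries:
        return "allow", f"{ip} is in {code or 'an unknown country'}, not blocked"
    sender = parseaddr(email.message_from_string(raw_message).get("From", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if sender in allowed_senders or domain in allowed_domains:
        return "allow", f"{ip} is in blocked country {code}, but {sender} is whitelisted"
    return "block", f"{ip} is in blocked country {code}"


# Constructed sample: a message handed to our MX by a server in country XB.
# The second Received header (written by the remote host) is deliberately
# in a different range to show that it is ignored.
SAMPLE_MESSAGE = """Received: from mail.bulk.example (mail.bulk.example [198.51.100.25])
 by mx.company.example with ESMTP; Tue, 14 Sep 2021 10:00:00 +0000
Received: from [192.0.2.77] by mail.bulk.example; Tue, 14 Sep 2021 09:59:00 +0000
From: Offers <offers@bulk.example>
To: staff@company.example
Subject: Invoice attached

Please see the attached invoice.
"""

if __name__ == "__main__":
    print(geo_filter(SAMPLE_MESSAGE, {"XB"}))
    print(geo_filter(SAMPLE_MESSAGE, {"XB"}, allowed_domains={"bulk.example"}))
```

A whitelist keyed on the From header alone can be spoofed, so in practice the exemption should only apply when the sender also passes SPF or DKIM.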

Along with geoblocking, there are a range of other security improvements that further strengthen the already excellent threat detection and blocking mechanisms within SpamTitan. These include an upgraded sandboxing tool that provides more protection from attacks featuring malware, ransomware, phishing, spear-phishing, Advanced Persistent Threats, and malicious URLs hidden within emails.

Recently reported bugs have been addressed, resulting in better email rendering in Mail Viewer, the option of removing quarantine report token expiry, and improved domain verification.

TitanHQ CEO Ronan Kavanagh said: “Geoblocking has been a much-requested feature and as always we listen to our customers and provide what they need to implement the very best email security they can. After experiencing 30% growth in 2021, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

SpamTitan can be provided as a 100% cloud-based solution or as an anti-spam gateway, which is run as a virtual appliance on existing company hardware. Existing users of SpamTitan Cloud will have their solution automatically updated on September 14, 2021. A full description of the latest updates in SpamTitan 7.11 is available here.

Users of SpamTitan Gateway will need to manually upgrade to the latest version via System Setup > System Updates.

Most Popular Phishing Tactics Cybercriminals Use

Cybercriminals normally use phishing attacks in order to steal access credentials to corporate networks, which allow them to download private data, install malware, and commit further fraudulent attacks.

This type of attack is typically carried out by emailing individuals and getting them to hand over credentials and protected information. Hackers normally use ‘social engineering’ tactics to make the recipients of the email believe that the communication is genuine. This is accomplished by pretending to be real people within the same organization, often by creating an email address that is very close to the authentic one, with a similar layout as well. These emails feature a URL that takes anyone who clicks on it to a data harvesting website that is laden with malware and adware. To ensure that their conversion rate is as high as possible, the cybercriminals make the spoofed website look as close to identical to the real website as they can.

These spam attacks offer the hackers the chance of a high return for minimal effort. Additionally, if they are detected, it is very difficult to apprehend those responsible for conducting them. Here we have listed the most common ways that hackers use email to try to steal private data. The emails will include:

  1. Information advising that an account is about to be closed unless the website is visited immediately to stop this from happening
  2. Advice related to account changes that could be suspicious
  3. IRS/tax related notices stating that you qualify for a refund due to an overpayment
  4. Payment requests for something that you never placed an order for
  5. Proof of identification requests
  6. Contact from the police in relation to a crime you are believed to be linked to
  7. Malware detection notices

It is also important to recognise that cybercriminals are always introducing new types of phishing email. Along with the usual phishing campaigns featuring fake invoices and resumes, missed deliveries, and fake account charge notifications, which are regularly used, there are also topical lures tied to current events. Recently there have been phishing campaigns linked to COVID-19, the Tokyo Olympics and Euro 2022.

The best way to tackle the most popular types of phishing attacks, along with topical attacks, is to configure an advanced spam filtering solution like SpamTitan. Using SpamTitan puts in place strong security that can prevent phishing and other malicious emails from giving criminals access to your databases and valuable information. This is done through a wide variety of tools that include machine learning to identify suspicious messages, sandboxing, dual antivirus engines, greylisting, and malicious link detection mechanisms. This solution blocks the receipt of malicious messages and, when used in tandem with cybersecurity training, can reduce the chance of your system being successfully attacked to practically zero.

Contact the TitanHQ team now to discover more about safeguarding your databases from phishing and spam attacks. There is a free trial available and you can request a product demonstration, which will allow you to see how little investment is needed to secure your systems from all possible phishing attacks.

Cybercriminals Stole $1.9m in Southern Oregon University Phishing Attack

A Southern Oregon University phishing attack has demonstrated exactly why so many hackers have opted for phishing to make money. The Southern Oregon University phishing attack involved just one phishing email. The attackers pretended to be a construction company – Andersen Construction – that was erecting a pavilion and student recreation center at the University.

The attackers spoofed the email address of the construction firm and asked for all future payments to be directed to a different bank account. The university then transferred the next payment of $1.9m to the new account in April 2019. Three days later the university realized the construction firm had not received the funds. The FBI was made aware of the situation as soon as the fraud was discovered and attempts were made to recover the funds. The university reports that the hackers had not emptied all of the funds from their account, but a sizeable amount of the payment had been withdrawn and could not be recovered. Joe Mosley, a representative for SOU, said, “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”

In order for a scam like this to be successful, the hackers would need to be aware that the construction project was taking place and the name of the firm that had been awarded the contract. That information is not hard to find, and universities are easy to target as they often have ongoing construction projects.

These attacks are referred to as Business Email Compromise (BEC) scams. They typically involve a contractor’s email account being hacked and used to send an email requesting changes to payment information, although these scams need not involve compromising an email account. Spoofing an email account can be just as effective.

Increase in BEC Attacks Prompts FBI Alert for Universities

In this instance, the payment was massive but it is far from an isolated incident. The FBI has issued warnings to universities to be wary of attacks such as this. BEC attacks may not be nearly as common as other forms of cybercrime, but they are the leading cause of losses to cybercrime as the payments made to the attackers are often considerable. Payments are often of the order of several hundred thousand dollars or in some cases millions.

The FBI said that access to a construction firm’s email account is not required. All that is required is for the scammer to buy a domain similar to the one used by the firm. Accounts department employees should carefully check the email address in any request to change banking information or payment methods, as it is common for domains to be used that differ from the genuine domain by only one letter. For instance, an L may be used instead of an i, or a zero instead of the letter O.

The Southern Oregon University phishing attack shows just how simple it can be for cybercriminals to pull off a BEC attack. Protecting against BEC attacks requires employees to be vigilant and to use extreme caution when requests are made to alter bank accounts. Such a request should always be verified by some means other than email. A telephone call to the construction firm could easily have identified this scam before any transfer was completed.

BEC Scammers Steal $2.3m from New Hampshire Town

Peterborough, a town in New Hampshire, was recently the focus of an attack by BEC scammers who were able to divert a number of bank transfers before being discovered.

This occurred when the cybercriminals sent forged documents to workers in the town’s Finance Department, requesting them to make changes to account information for a range of different payments. This complex scam involved more than one email exchange between workers. It is clear that the cybercriminals had completed in-depth research to ascertain the most valuable transactions to focus on.

The scam was first identified when the ConVal School District alerted the town that it had never received a $1.2 million transfer of funds that had been sent. Peterborough officials looked into this and confirmed that the transfer had been made. However, the investigation also confirmed that the bank account details had been changed and that two large bank transfers to the contractor in question had been sent to hacker-controlled accounts. Overall, $2.3m was stolen in the attack.

BEC attacks are complex in nature. Cybercriminals have finely honed talents for conducting these campaigns and can very easily fool finance department workers into believing that they are being directed by the CEO, CFO, or a vendor via email, since the authentic email account is being used. The hackers also research the type of emails normally sent by the owner of the account and copy that style so as not to be detected.

There is a process that groups must employ in order to prevent the initial attack vector and to discover scams in time to prevent any fraudulent transfers of funds. The main security measure against this type of attack is a spam filtering solution, which will block the first phishing email used to obtain the credentials for internal email accounts. SpamTitan uses a variety of features to spot and quarantine these phishing emails, including machine learning technology that can identify email messages that differ from the messages usually received by staff members. Outbound scanning is used to discover phishing attacks as the cybercriminals attempt to use employee email accounts to infiltrate the accounts of their final target – the CFO or CEO. Rules can also be set to flag attempts to send sensitive data – such as W-2 forms – by email.

Along with spam filtering, it is crucial for groups to raise awareness of the threat of BEC attacks in their group, particularly among workers in the finance department. Policies and processes should also be implemented that require any change to payment details to be verified by telephone using previously confirmed contact details. Using these simple steps can be the difference between tackling an attack and sending millions of dollars directly to the hackers’ accounts.

Contact the TitanHQ team now if you wish to enhance your cybersecurity measures in the face of BEC and phishing attacks.

Office 365 Credentials Stolen Using Sneaky Tactics

Over the last few months, organizations using Office 365 have been attacked with a sneaky phishing campaign that uses a variety of different tactics to trick recipients and email security measures.

The focus of this campaign is to get recipients to unwittingly share Office 365 credentials that can be used to commit further email fraud. 

The campaign begins with phishing emails sent from email addresses that appear to be authentic. This is accomplished through spoofed display names that make the sender appear genuine. The campaign concentrates on specific organizations and uses believable usernames and domains for sender display names linked to the target; the messages also incorporate authentic logos for the targeted company and Microsoft branding.

Additionally the messages feature believable Microsoft SharePoint lures to fool recipients into clicking on an embedded hyperlink that will take them to the phishing URL. Those who receive the email messages are advised that a co-worker has shared a file-share request that they may have missed, along with a link that will take the recipient to a web portal hosting a fake Microsoft Office 365 login form.

To get recipients to click on the URL, the emails say that the shared file includes information on bonuses, staff reports, or price books. The phishing emails incorporate two different URLs with malformed HTTP headers. The main phishing URL points to a Google storage resource which in turn points to an AppSpot domain. If the user completes the sign-in process, they are brought to a Google User Content domain hosting an Office 365 phishing page. The second URL is embedded in the notification settings and brings users to a compromised SharePoint site, which again requires the user to sign in to get to the final page.

To trick email security solutions, the messages employ extensive obfuscation and encryption for file types often connected with malicious messages, such as JavaScript, along with multi-layer obfuscation in HTML. The threat actors have employed old and unusual encoding tactics, including the use of Morse code to mask segments of the HTML deployed in the attack. Several of the code segments used in the attacks are found in open directories and are called by encoded scripts. Microsoft cybersecurity specialists found and tracked the campaign and compared it to a jigsaw puzzle, where all the pieces look normal on their own and only become dangerous when they are correctly pieced together.

This campaign is very dangerous, with the threat actor having gone to great trouble to mask their true intentions in order to get end users to hand over their credentials. 

Should you be worried about your cybersecurity measures and wish to tackle attacks like this, contact the TitanHQ team now to find out more about security solutions that can easily be put in place to prevent phishing and other email threats and enhance your security suite.

MSP Cybersecurity Selling Tactics

While a lot of companies are unable to invest a large amount of money in cybersecurity solutions, many do opt to avail of the services provided by Managed Service Providers (MSPs).

Due to this it is important for MSPs to make smaller companies aware of the crucial service that they can provide for them. The lack of a good cybersecurity service can lead to data breaches and, in some cases, regulatory fines and legal issues. 

It is no surprise that cash-strapped small businesses have not invested thousands of dollars in cybersecurity measures, so it is the role of their MSP to make them aware of the importance of having an adequate cybersecurity structure in place to prevent hacking attacks. The onus is on the MSP to ensure that their clients are completely aware of the level of risk they face. As the needs of all businesses are different, each faces a different level of threat. An audit of the risk the client faces will give them the knowledge to make a smart decision when it comes to investment in cybersecurity. This is much more useful for a small company, as they will not find themselves investing in a package with many features that are of no use to them.

Small companies will appreciate the level of risk that they are facing, rather than being bewildered with the technical aspects of each solution that they are being provided with. While this technical information should certainly be provided, it is not going to be the thing that pushes most small companies into making an investment decision. 

Monitoring is equally important for the prevention of cybersecurity attacks. Once installed, cybersecurity solutions must be maintained. This means it is important for MSPs to see to it that there is an adequate number of staff working to spot all potential cyberattacks and to mitigate them swiftly. In order for the client to know what they are investing in, they need to be made aware of the difference between IT support and cybersecurity support. A lot of clients will think that these two services are the same thing, when this is really not the case.

It is important for MSPs to be able to educate and add value for the stakeholders at their client companies, so that the value of the investment is appreciated and trust builds up. This is one area where MSP clients can be assisted by TitanHQ.

Through the provision of smartly priced, robust and proven cybersecurity solutions that address the typical hacking attack vectors, in addition to a solution for backing up and archiving business-critical data, TitanHQ enhances security measures everywhere.

If you would like additional details on the cybersecurity solutions for MSPs provided by TitanHQ, contact them now to find out more about TitanHQ email security, DNS filtering, and email archiving, and the TitanShield Partner Program.

Once up and running with the TitanShield Program, MSPs will gain strong tools, marketing assistance, and training support to help them sell cybersecurity solutions to their clients.

Some Credit Unions Still Lacking Strong Email Security

It is well known that financial institutions are an ideal target for cybercriminals. Despite this, credit unions still lag behind when it comes to configuring adequate cybersecurity for their email systems. This shortcoming leaves these bodies wide open to hackers who aim to get access to banking systems and financial data.

With a strong email security system in place, internal employees and the financial institution’s customers are safeguarded from possible infiltration. It can prevent a phishing email from tricking an account holder into believing that they have received a genuine email from the credit union. A spoofed message will be designed so that only a closer look reveals that it is not genuine. Skilled cybercriminals use email servers that have not been flagged as spam sources, so they are able to bypass basic security measures and land in a prospective victim’s inbox. Additionally, there is a chance that the account holders use an email provider with poor spam detection, which means that the malicious message will not be quarantined.

However, if the account holder has good email filters, the malicious message will be marked as spam. As this is not typically the case, cybercriminals are aware that their phishing messages will reach a good number of the intended recipients, potentially earning them thousands of dollars.

Credit unions require, at a minimum, Domain-based Message Authentication, Reporting & Conformance (DMARC) in order to tackle phishing messages. For this to be as successful as possible, both the recipient email system and the domain owner (the credit union) must configure DMARC.

There are two parts to a DMARC system: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). SPF is a list of the IP addresses that are permitted to send email for the domain. The SPF entry is published on the domain owner’s name server as a DNS record, and from there it is used to prevent email spoofing. When an email message is sent from an unauthorized IP address, it is marked with a “failed” DMARC status and is not delivered to the intended recipient. There is, however, an onus on the recipient’s email service to review the status and quarantine/delete the incoming message.

DKIM is a signature system that makes sure that cybercriminals have not altered a message. An encrypted signature covering the headers of the message is sent along with it, using the recipient’s public key placed as a DNS entry at the host. The recipient’s mail server can then authenticate the received message, checking whether the signature matches by encrypting the same message and comparing it with the resulting value. The resulting value will be the same if no content within the message has been changed.
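As an added example, not part of the original post, here is a simplified receiver-side DMARC evaluation in Python: an SPF check of the connecting IP against the domain’s SPF record, DKIM results taken as already verified (DKIM’s public key is published in the DNS of the signing domain), and the alignment test that ties both to the visible From domain before applying the published p= policy. The domains (examplecu.example, attacker.example), IP ranges and DNS records are constructed placeholders, and the SPF parser handles only ip4: mechanisms.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical credit union (examplecu.example)
# and for a domain the phisher controls (attacker.example). None of these are real.
DNS_TXT = {
    "examplecu.example": ["v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"],
    "_dmarc.examplecu.example": ["v=DMARC1; p=reject; aspf=r; adkim=s"],
    "attacker.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
}


def spf_check(domain, sender_ip):
    """Simplified SPF: supports ip4: mechanisms and the -all / ~all terminator.
    Real SPF also has include:, a, mx, redirect= and a DNS-lookup limit."""
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"


def org_domain(domain):
    """Organizational domain, simplified to the last two labels;
    real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_policy(from_domain):
    """Fetch and parse the _dmarc TXT record into a tag dictionary."""
    for rec in DNS_TXT.get("_dmarc." + from_domain, []):
        if rec.startswith("v=DMARC1"):
            return dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    return None


def dmarc_evaluate(from_domain, sender_ip, mail_from_domain, dkim_results):
    """Receiver-side DMARC evaluation.

    from_domain      -- domain in the visible From: header (what the user sees)
    sender_ip        -- IP that connected to our MX
    mail_from_domain -- domain of the SMTP MAIL FROM (what SPF authenticates)
    dkim_results     -- list of (d= domain, 'pass'|'fail') from signature checks
    Returns 'pass' or the disposition the domain owner asked for:
    'none', 'quarantine' or 'reject'.
    """
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "none"  # nothing published, so nothing for the receiver to enforce
    spf_ok = (spf_check(mail_from_domain, sender_ip) == "pass"
              and aligned(mail_from_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for d, result in dkim_results)
    return "pass" if spf_ok or dkim_ok else policy.get("p", "none")


if __name__ == "__main__":
    # Genuine mail from the credit union's own server.
    print(dmarc_evaluate("examplecu.example", "203.0.113.10", "examplecu.example", []))
    # Spoofed From: header; SPF passes for the phisher's own domain but is not aligned.
    print(dmarc_evaluate("examplecu.example", "192.0.2.5", "attacker.example", []))
```

The second case is the one SPF alone misses: the phisher’s MAIL FROM domain passes its own SPF record, and only DMARC’s alignment check rejects it because that domain does not match the From: header the account holder sees.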

It is often, incorrectly, believed that small businesses are not a valued target of phishers. However, credit unions are small financial institutions that make perfect targets, as they are known for not having a strong cybersecurity suite in place. DMARC rules will address the threat posed to these bodies.

Phishing can be conducted at low cost by hackers, so it is crucial for organizations to focus their efforts on fighting it. Using DMARC will safeguard internal staff members and account holders who are being sent emails.

Case Study: Home Depot Data Breach Cost $179 Million

When pondering how much to spend on cybersecurity defenses, be sure to consider the cost of a retail data breach. Ill-advised security practices and a lack of proper cybersecurity defenses can cost a company dearly. That was certainly the case for Home Depot.

A data breach of the scale of that which impacted Home Depot in 2014 can cost hundreds of millions of dollars to address. The Home Depot data breach was huge. It was the largest retail data breach involving a point of sale system ever to be reported. Malware had been downloaded that allowed cyber criminals to obtain over 50 million credit card numbers from Home Depot customers and around 53 million email addresses.

The Home Depot cyberattack was conducted using credentials that had been stolen from one of the retailer’s vendors. Those credentials were used to obtain access to the network, the attackers then elevated privileges, and moved laterally undetected until they found what they were looking for: The POS system. Malware was downloaded that recorded credit card details as payments were made, and the information was silently exfiltrated to the attacker’s servers. The malware infection went unnoticed for five months between April 2014 and September 2014.

Last year, Home Depot agreed to pay out $19.5 million in damages to customers that had been impacted by the breach. The payout included the costs of providing credit monitoring services to those affected by the breach. Home Depot has also paid out a minimum of $134.5 million to credit card companies and banks. The latest settlement amount will permit banks and credit card companies to submit claims for $2 per compromised credit card without having to show proof of losses suffered. If banks can show losses, they will have up to 60% of their losses compensated.

The total cost of the retail data breach is approximately $179 million, although that figure does not incorporate all legal fees that Home Depot must pay, and neither does it include undisclosed settlements. The final cost of the retail data breach will be much bigger and is likely to pass the $200 million mark.

Then there is the reputation damage suffered as a result of the data breach. Following any data breach, customers often take their business elsewhere and many consumers that were affected by the Home Depot breach said they would not shop there again. A number of studies have been carried out on the fallout from a data breach, with one HiTrust study suggesting companies may lose up to 51% of their customers following a breach of sensitive data.

MSP Cybersecurity Selling Tips

Managed Service Providers (MSPs) are often used by smaller organizations that do not have their own IT department, in order to meet their technology and cybersecurity requirements.

The challenge in this scenario is that MSPs need to be able to relay to small companies, which are trying to make their budgets stretch as far as possible, the importance of investing in the strongest possible cybersecurity measures.

It is crucial that small businesses are fully aware of the dangers that they are facing unless they introduce a strong cybersecurity suite. Any data breach could lead to regulatory fines and costly litigation. There are a number of different ways that MSPs can get this message across to their clients and we have detailed them below. 

Focus on Enhancing Cybersecurity

There is a good business opportunity for MSPs to increase their revenue by selling cybersecurity services to small companies that currently have no structure in place. The easiest way to do this is to show clients the risks they are taking by not having strong cybersecurity measures implemented. As all companies have different needs, it is up to the MSP to spot where the company’s cybersecurity needs lie and concentrate on those.

This is easier following an audit of the company’s current cybersecurity strategy, or lack thereof. Companies will appreciate a bespoke level of cybersecurity measure, matched to their specific needs, rather than being sold a package that includes a range of measures that they have no need for. Providing the company with the audit will assist in the sales process also as these companies may not have the resources to complete this themselves.

With the audit a step-by-step process for addressing each vulnerability can be included to allow the company to see how their worries will be alleviated. As configuring and investing in cybersecurity solutions is a massive step for small companies with a limited budget it is crucial that the decision makers for potential clients are able to quantify the benefits that they are gaining from any possible investment. 

Importance of Cybersecurity Support Being Provided by an MSP

In order to be effective, cybersecurity solutions have to be properly set up and managed. MSPs must do their utmost to ensure that clients also invest in cybersecurity support, so that the product they are selling is set up correctly.

By relaying to the client the importance of this aspect, and the difference between IT support and cybersecurity support, clients will be more likely to invest in this service. After communicating with the client there should be no confusion between the two, and the need for the latter should be obvious to the purchaser. Doing this successfully will make the business relationship easier going forward, as there will be fewer issues and a stronger level of service provided.

TitanHQ

TitanHQ can be an excellent solution for MSP clients to avail of, as it is competitively priced, strong and configured to tackle the most common attack vectors, along with a solution for backing up and archiving business-critical data.

Contact TitanHQ now to find out more about TitanHQ email security, DNS filtering, and email archiving for MSPs, and the TitanShield Partner Program. MSPs that are members of the TitanShield Program will be given in-depth and strong tools, marketing advice, and training support.

Should You Block File Sharing Websites in the Workplace to Stop Malware Infecting Your Network?

There are valid reasons why you should block file sharing websites in the workplace. These websites are mainly used to share pirated software, music, films, and TV shows. It would be improbable that the owner of the copyright would take action against an employer for failing to stop the illegal sharing of copyrighted material, but this is an unnecessary legal danger and there is currently a crackdown on illegal file sharing.

The main risk from using these websites comes in the form of malware. There is limited data on malware downloads from pirated software, although data from a study in 2013 highlights how common it is. In the study, conducted by IDC on 533 websites and peer-to-peer file sharing networks, the downloading of pirated software led to spyware and tracking cookies being downloaded to users’ computers 78% of the time. More concerning is the fact that Trojans were downloaded with pirated software 36% of the time.

A survey carried out on IT managers and CIOs at the time showed that malware was downloaded 15% of the time with the software. IDC found that overall there was a 33.3% chance of infecting a machine with malware by using pirated software.

Even browsing on torrent sites can be harmful. Malwarebytes has reported that users of the popular torrent site The Pirate Bay were shown malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site hosting the Magnitude exploit kit, which was used to install Cerber ransomware onto users’ devices.

A study completed by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal reviews files against the databases of 68 different anti-virus services. The research team found that 50% of pirated files were infected with malware.

Dealing with malware from pirated software was found to take around 1.5 billion hours per year. For companies the cost can be considerable. IDC estimated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was calculated at around $350 billion.

New malware variants are often discovered in pirated software and fake software available through P2P file sharing websites. In 2021, NordLocker identified a previously unknown malware variant that was being distributed in pirated video games and software such as Adobe Photoshop. The malware was not detected for 2 years, during which time it had infected more than 3.2 million computers.

Businesses can monitor devices and check for unauthorized software downloads on individual devices; however, by the time a software installation has been identified, malware is likely to already have been downloaded. A recent report by Verizon indicates that on average, hackers are able to extract data within 28 minutes of obtaining access to a system.

One of the simplest ways to manage risk is to block file sharing websites including P2P and torrent sites. A web filter can be easily set up to block file sharing websites and stop them from being accessed. Many web filters can also be set up to block specific file types from being installed, including keygens and other executables.

If organizations block file sharing websites in the workplace, they will ensure that copyright-violating activities are stopped, the risk of malware downloads is effectively mitigated, and users are prevented from visiting websites hosting phishing kits.

Choosing not to block file sharing websites in the workplace could turn out to be expensive for a company. It is far better to block possibly dangerous websites and online activities than to have to cover the cost of removing malware infections and remediating data breaches.

Remote Working on Public Wi-Fi Concerns

The problems associated with working via public Wi-Fi are well known, especially now as workers globally shift to a remote working or hybrid model of office use. 

Even though a large number of companies have recognized the advantages linked to remote working and having staff members work from home, many other organizations are putting in place the hybrid working routine that permits employees to be based away from the office for part of their working week at least. 

However, there are many things to be wary of when it comes to accessing the Internet via public Wi-Fi networks, one of the most significant being that the Wi-Fi access point people log on to is not their employer’s Wi-Fi network and may not be what it appears. On previous occasions cybercriminals have created Wi-Fi networks designed to look like authentic Wi-Fi access points. This type of connection has been labelled an ‘evil twin’.

Hackers are known to set up malicious proxies, view network activity, and create user redirects to take Wi-Fi users to websites that are loaded with malware. If Bluetooth and NFC are enabled, a hacker could locate nearby devices and download information that could allow them to locate and focus on a specific individual.

A range of measures should be implemented to prevent remote workers from handing over their credentials in a phishing attack, or otherwise compromising their device and, through it, their organization's systems. The most straightforward is to restrict or forbid the use of public Wi-Fi networks, but doing so may greatly impact the productivity of remote workers.

If there is no alternative, a public Wi-Fi network should only be used if it has encryption and strong authentication in place (WPA2 or WPA3 rather than an open network). It is also wise to make sure a password is required to join the hotspot, although a shared hotspot password is a weak protection: on a WPA2 network anyone who knows that password and captures a client's connection handshake can decrypt that client's wireless traffic, so it is no substitute for a VPN.

Organizations should implement a variety of measures, such as a company policy that bans the use of public Wi-Fi networks and prohibits entering sensitive data on any site whose address does not begin with https://. Providing a Virtual Private Network (VPN) for employees, with enough capacity for everyone to connect at the same time, is a smart move: routing traffic through the VPN shields it from whoever runs or is eavesdropping on the hotspot, and it extends the reach of the corporate web filter to remote workers' devices, blocking access to known malicious web pages and stopping malware downloads.

Options like WebTitan are simple to configure so as to secure remote workers’ devices, and filtering controls will then be managed in the same manner as if the employee was sitting at a workstation in the corporate headquarters.

It is also important that cybersecurity best practices are followed, such as applying patches and software updates as soon as they are available. Multi-factor authentication should be enabled and anti-malware software installed. Anti-spam services, such as SpamTitan, should be configured to stop email attacks, and host firewalls should be switched on to stop unauthorized inbound and outbound connections.

 

 

2020 Witnessed Massive Surge in Healthcare Data Breaches

According to figures from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), 2020 saw record numbers of healthcare data breaches reported – more than in any other year since healthcare data breaches started to be tracked. An article published on HIPAA Journal in January, 2021 included an analysis of healthcare data breaches in 2020 with the following findings:

  • Over 29 million healthcare records were breached from January 1 to December 31, 2020
  • There was a rate of 1.76 healthcare data breaches reported per day
  • Healthcare data breaches grew by 25% year-over-year
  • During 2020, 642 healthcare data breaches of 500 or more records were discovered

In addition to this:

  • The total number of healthcare data breaches has doubled since 2014 and tripled since 2010.
  • Over 3,700 breaches of 500 or more records have been reported since October 2009
  • Since 2009, more than 268 million healthcare records have been breached

How Data Breaches Occur

There are many different causes of healthcare data breaches, the most common of which are:

  • Hacking of servers and email accounts
  • Portable devices being stolen or lost
  • Unauthorized disclosures of personal healthcare information

The size of some of the data breaches is staggering. One of the largest breaches of the year was reported by Dental Care Alliance (DCA) and was discovered on October 11, 2020. The payment card numbers of more than 1 million patients were compromised in the attack. The hackers initially obtained access to DCA systems on September 18, and access remained possible until October 13. Along with payment card data, those responsible may have taken patient names and contact information as well as medical and insurance information. Patients were notified of the attack in early December, and approximately 10% of them later reported misuse of their data.

Many factors have contributed to the huge spike in attacks over the last 12 months, but ultimately cybercriminals target the healthcare sector because of the value of the data it holds. Patient records are extremely valuable as they can be used for multiple types of fraud. While credit card numbers on their own garner only a few dollars each, patient records can sell for up to $150 per record. For healthcare providers, the cost of mitigating data breaches is considerable: the IBM Security Cost of a Data Breach Report shows the cost of a healthcare data breach has risen by 16% and now averages $499 per record.

Healthcare organizations have a responsibility to secure patient data and prevent attackers from accessing systems containing patient data. TitanHQ can assist healthcare organizations by providing solutions to block the most common attack vectors. Get in touch with TitanHQ now to discover how our award winning solutions can stop hackers from gaining access to patient data.

Businesses Face Massive Challenges as Phishing Attacks Surge

Since the beginning of 2020 there has been a noticeable spike in the number of ransomware attacks recorded. Less noticed, however, is that phishing attacks are also extremely widespread.

Phishing attacks aim to steal passwords and other login credentials that will unlock access to databases and, potentially, much more valuable private data. Particularly attractive for phishers are email credentials. For instance, a healthcare worker’s email account will often hold valuable healthcare data, health insurance details, and Social Security information. This range of information can be deployed to carry out identity theft or other fraudulent activity. 

Most phishing attacks start with an email that tries to trick the recipient into handing over login details. Many research studies have shown that phishing is one of the main threats facing organizations. Two recent surveys in the UK and the US found that 75% of companies had suffered a data breach in the last year, while another study found that more than 50% of IT managers had seen a surge in phishing attacks in the past year.

Employee training is crucial for raising awareness of the phishing threat, and the shift to remote working has made delivering it harder. Refresher sessions must be run on an ongoing basis or the gains fade. Phishers frequently change tactics, and employees need to be told about new trends so they know what to look for. As phishing emails evolve and become ever more realistic, spotting them becomes all the more difficult.

Two of the best technical approaches to combating phishing are spam filters and web filters. Used together they provide layered protection: the spam filter stops most phishing emails from reaching inboxes, and the web filter blocks the credential-harvesting sites linked from the ones that get through.

A spam filter needs specific features to tackle complex phishing threats. Blacklists block email from known malicious IP addresses, but because attackers change IP addresses frequently, machine learning is needed to catch new phishing tactics and messages from IP addresses not yet known to be malicious. Multiple AV engines handle known malware, while sandboxing identifies new malware strains by executing attachments in isolation. DMARC is vital against email impersonation (domain spoofing), and outbound scanning helps to quickly discover compromised mailboxes being used to send spam or phishing. All of these features are used by SpamTitan, which is why the solution registers a high block rate (over 99.97%) and a low false positive rate.

Web filters are mainly used to limit access to potentially dangerous websites, whether sites with pornographic content or malicious sites used for phishing and malware delivery. Web filters, especially DNS-based filters, considerably improve security: they prevent access to known malicious websites and block malware downloads. WebTitan provides all of this and can easily be set up to safeguard remote workers.

With phishing attacks on the rise, it is crucial for companies to deploy solutions that address this threat. For more details on SpamTitan and WebTitan, and how they can make your company safer, contact TitanHQ now.

 

 

Public Wi-Fi Issues for Remote Working

The issues caused by using public Wi-Fi are widely known, and they deserve wider recognition given the global shift towards remote working. Since the beginning of the COVID-19 pandemic, a large number of companies have had little choice but to permit staff members to work from a remote location.

While a lot of companies have witnessed the benefits to remote working and having staff members work from home, many other businesses are beginning to operate with a hybrid working model that allows staff to work remotely for a portion of the week as a minimum. 

There are a range of dangers to be addressed when using the Internet on public Wi-Fi networks, one of the most serious being that the access point a person connects to may not be the network it claims to be. Hackers frequently create Wi-Fi networks that appear to be genuine access points, often referred to as evil twins. Once a user connects, the attacker can monitor the connection, and no data transmitted over it is safe unless it is independently encrypted.

Cybercriminals often set up malicious proxies, monitor network traffic, and redirect users to malware-laden web pages. If Bluetooth and NFC are turned on, a hacker could search for nearby devices and steal information that could allow them to identify and target a specific person.

There are many different measures that should be put in place to see to it that remote workers are not tricked into sharing their details in a phishing attack, or otherwise compromise their device, and in turn, the network of their company. The simplest of these measures is to stop the use of public Wi-Fi networks, although that is not always possible for travelling workers.

If there is no other option available then a connection should only be made to a Wi-Fi hotspot with encryption and strong authentication, as security will be strongest. Make sure that there is a password required to access the WiFi hotspot and there is less chance of any transmitted data being intercepted. 

Companies need to put a range of precautions in place. These can include creating a company policy that forbids the use of public Wi-Fi networks or sharing any sensitive data on websites that do not begin  with HTTPS. Providing a Virtual Private Network (VPN) for staff with adequate capacity to allow all workers to connect is a smart move as it extends the range of web filters to remote workers’ devices. This will prevent access to recognized dangerous web pages and prevent malware installations.

Solutions such as WebTitan are easy to set up to secure remote workers' devices, and filtering controls are then applied as though the user were sitting in the corporate headquarters.

Standard cybersecurity best practices should also be adhered to, such as seeing to it that patches and software updates are applied quickly. Multi Factor authentication should be turned on and anti-malware software configured. Anti-spam services should also be used to prevent email attacks, and firewalls and DNS filtering should be turned on to prevent unauthorized inbound and outbound connections.

On Windows laptops it is also advisable to turn off Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS), both of which broadcast name lookups that any host on the hotspot can answer in order to capture or relay the machine's credentials; to disable Web Proxy Auto-Discovery (WPAD) and configure proxy settings statically so the device only uses corporate proxy servers rather than whatever proxy configuration the local network hands out; and to disable file and printer sharing on public networks.
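The following script is an added example, not code from the original article or from TitanHQ. It applies the laptop hardening described above on Windows 10/11 and then reads every setting back so the result can be audited. The registry paths and values are the standard Windows locations for each feature; `proxy.corp.example:8080` is an assumed placeholder for a corporate proxy, and the script assumes an elevated session with no conflicting domain Group Policy (GPO-managed values are re-applied at the next policy refresh).

```powershell
# Added example (not from the original article): harden a Windows laptop for untrusted networks.
# Run from an elevated PowerShell session on Windows 10/11.
# Assumption: 'proxy.corp.example:8080' stands in for the organization's real proxy.
param([string]$CorporateProxy = 'proxy.corp.example:8080')

function Set-DwordValue {
    # Create the key if needed and write a REG_DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Type DWord -Value $Value
}

# 1. LLMNR: EnableMulticast=0 under the DNS client policy key turns multicast name resolution off,
#    so a rogue host on the hotspot cannot answer for a mistyped or unreachable name.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
Set-DwordValue $dnsPolicy 'EnableMulticast' 0

# 2. NBT-NS: NetbiosOptions=2 disables NetBIOS over TCP/IP on each interface
#    (0 = take the DHCP default, 1 = enabled, 2 = disabled).
$nbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $nbtIfaces | ForEach-Object { Set-DwordValue $_.PSPath 'NetbiosOptions' 2 }

# 3. WPAD: turn off "Automatically detect settings" for the current user so a proxy configuration
#    pushed by the hotspot is ignored, and pin an explicit corporate proxy instead.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-DwordValue $inet 'AutoDetect' 0
Set-DwordValue $inet 'ProxyEnable' 1
Set-ItemProperty -Path $inet -Name 'ProxyServer' -Type String -Value $CorporateProxy

# 4. File and printer sharing: disable the SMB/spooler rules that apply to the Public profile and
#    block all other unsolicited inbound connections on that profile.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Disable-NetFirewallRule
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block

function Get-HardeningState {
    # Read the settings back; a False in any column means that step did not take effect.
    $nbtStillOn = Get-ChildItem $nbtIfaces | Where-Object {
        (Get-ItemPropertyValue $_.PSPath 'NetbiosOptions' -ErrorAction SilentlyContinue) -ne 2
    }
    [pscustomobject]@{
        LLMNRDisabled = (Get-ItemPropertyValue $dnsPolicy 'EnableMulticast') -eq 0
        NBTNSDisabled = -not $nbtStillOn
        WPADDisabled  = (Get-ItemPropertyValue $inet 'AutoDetect') -eq 0
        ProxyPinned   = (Get-ItemPropertyValue $inet 'ProxyServer') -eq $CorporateProxy
        PublicInbound = (Get-NetFirewallProfile -Profile Public).DefaultInboundAction
    }
}

Get-HardeningState
```

The verification step matters because several of these settings are also managed by Group Policy or by VPN clients; if a column reads False after the run, something else is rewriting the value and the fix belongs in that policy rather than on the laptop.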

 

Haron & BlackMatter: Two New Ransomware-as-a-Service Operations in Action

July has witnessed the emergence of two new ransomware-as-a-service (RaaS) groups, Haron and BlackMatter. Cybersecurity experts have been closely examining the attacks that these groups are believed to be responsible for and have discovered links to some well known RaaS operations that have recently gone quiet – Avaddon, REvil, and DarkSide.

There is still no solid proof of a connection aside from a range of similarities which suggest that either the Avaddon, REvil, and DarkSide RaaS operations have reorganized their attacks or that those who worked on these attacks have begun their own group. 

Even though advertising RaaS operations is forbidden on some cybercrime forums, the BlackMatter RaaS has been advertising for affiliates on Russian-speaking cybercrime forums, without stating outright that it is a RaaS operation. A user called "BlackMatter" created an account on July 19 on both the XSS and Exploit forums seeking initial access to the networks of U.S., UK, Australian, or Canadian businesses with more than $100 million in annual revenue. The user also made clear that it was not seeking access to state institutions or any targets in the healthcare sector, not long after REvil and Avaddon said they would also cease such attacks following the Colonial Pipeline attack.

An escrow account, to be used to settle disputes over payments, was set up by the BlackMatter operator with a $120,000 deposit. The group is offering between $3K and $100K, plus a share of any ransoms earned, in exchange for access. The BlackMatter operators boast that their group combines the strongest features of DarkSide, REvil, and LockBit, all three of which are believed to have operated from inside Russia.

Several cybersecurity firms have identified similarities between BlackMatter, REvil and DarkSide, with Recorded Future labelling BlackMatter the heir to DarkSide and REvil, although the proof remains circumstantial at this point. For example, the name BlackMatter is very close to BlackLivesMatter, the name of the Windows registry key used by REvil. Mandiant reports that it has found evidence that at least one member of the DarkSide operation is working with BlackMatter, although that individual may simply be an affiliate who has moved to a new partner.

S2W Lab has found similarities between Haron ransomware and Avaddon, notably a largely copy and pasted ransom note, similar appearances and wording on the ransom negotiation sites, the same structures on the data leak sites, and identical sections of JavaScript code for chat. However, while the Avaddon gang created its own ransomware, Haron was created using the Thanos ransomware.

The similarities may mean nothing, or the Haron creators may simply have copied Avaddon's material to save time, as there are also significant differences between the two. As stated above, no clear proof has been found that Avaddon and Haron are one and the same.

Cybersecurity experts are continuing to investigate the new groups, but regardless of who is running the operations, their aims look very similar. Both focus on large, high-revenue businesses, and if the RaaS operations that have gone quiet remain out of action, there will be many affiliates looking for a new RaaS operation to join.

 

 

Attacks on Windows and Linux Systems Using LemonDuck Malware Increasing

Those managing the LemonDuck malware campaigns have increased their activity, whilst introducing new attack features, in the last few weeks.

While this strain of malware is chiefly known for its botnet and cryptocurrency mining, the operators have moved to broaden their activity. The bot and cryptocurrency mining functions remain, but the malware can now also disable security tools on infected devices, move laterally inside networks quickly, drop a range of tools onto infected devices, and steal credentials.

The operators craft phishing campaigns using emails themed on recent news and events, delivering the malware via Microsoft Office attachments. They also attempt to infect devices using new exploits as well as older vulnerabilities. During 2020 the group spread the malware through phishing emails with COVID-19 themed lures, and while phishing emails are still used, the threat actor has also been targeting recently patched vulnerabilities in Microsoft Exchange to gain access to systems, according to a recent security warning from Microsoft.

LemonDuck is slightly unusual in that it targets both Windows and Linux systems, which is relatively rare for this kind of malware. The operators want complete control of infected devices, and remove competing malware if it is present. To make sure no other malware gets in the same way, after gaining access to a device LemonDuck patches the vulnerability it exploited to get in.

If the malware is downloaded on a device with Microsoft Outlook installed, a script is activated that uses saved credentials to obtain access to the mailbox and copies of itself are then sent in phishing emails to all contacts in the mailbox, using a preset message and a malware downloader as an attached file.

The malware was first discovered during May 2019, with the previous forms of LemonDuck malware deployed in attacks within China, but the malware is now being shared on a larger scale. It has now been spotted in attacks launched in the United States, United Kingdom, Russia, France, India, Germany, Korea, Canada, and Vietnam.

To date, Microsoft has identified two distinct infrastructures that both use LemonDuck malware, which could suggest the malware is being used by multiple groups with different aims. The 'LemonCat' infrastructure was used in a campaign that exploited Microsoft Exchange Server vulnerabilities to install backdoors, exfiltrate credentials and data, and deliver other malware, including Ramnit.

Preventing infection by this malware requires a range of measures. A robust spam filter such as SpamTitan should be implemented to block the phishing emails used to distribute the malware. SpamTitan also scans outbound messages, which stops malware with self-mailing capabilities from spreading to contacts. Since vulnerabilities are exploited to gain access to networks, a rigorous patch management policy is essential, with patches applied promptly after release. Antivirus software should be installed and set to update automatically, and a web filter is recommended to block malware downloads over the Internet.

For additional details on enhancing your defenses against LemonDuck and other malware, call TitanHQ now.

 

Phishing Campaign Using ZLoader Banking Trojan Disables Office Macro Warnings

It is very common for malware to be distributed via phishing emails that require some user interaction, such as visiting a URL to download a Microsoft Office file. Malicious payloads are often delivered through macros embedded in Word and Excel files.

You should always be wary of macros, as they can be used to run malicious code on your systems. By default they are disabled and will only run if the end user manually enables them. When an Office file containing macros is opened, a security warning bar states that macros have been disabled and asks whether to enable content. If the user does not enable the macro, its code cannot run and the file cannot infect your systems.

A recently discovered phishing campaign follows the usual pattern for spreading malware: the initial point of attack is a phishing email with attached Office files whose macros lead to installation of the payload, in this case ZLoader. However, it uses a new method to deliver the malicious Office content, turning off the usual macro warnings and security mechanisms.

In this attack the final payload is a malicious DLL, the ZLoader malware, but the initial phishing email does not carry the malicious code. It contains a Microsoft Word file which, once opened with macros enabled, downloads a password-protected Excel spreadsheet from the attacker's remote server.

The attack depends on Microsoft Word Visual Basic for Applications (VBA) and the Dynamic Data Exchange (DDE) fields of Microsoft Excel, and is effective on systems that support the legacy .xls file format.

Once the password-protected Excel file has been downloaded, Word VBA code reads the cell contents of the specially crafted XLS file and writes them into the XLS file's VBA project, creating a new macro. With the macro in place, the Word document disables Excel's macro defenses by setting the Excel macro warning policy in the registry, then runs the Excel VBA, which downloads the malicious DLLs and executes them with rundll32.exe.

Although the subsequent files are downloaded and executed silently, the attack still needs the recipient to enable macros in the initial Word document. Victims are tricked into doing so by a message shown when they open the file: "This document was created in an earlier version of Microsoft Office Word. To access or amend this document, please click the 'Enable editing' button on the top bar, and then click 'Enable content'." That one click initiates the entire infection chain.
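The chain described above can only work if two per-user Office settings end up in a permissive state: Excel's macro warning must be off, and VBA must be trusted to write into another document's VBA project (otherwise Word VBA cannot inject the macro into the XLS). The script below is an added example, not code from the original article or from any published analysis of this campaign. It audits those settings for the current user and resets them through the Policies hive. The registry names and values are Office's standard macro security settings (`VBAWarnings`: 1 = enable all macros with the warning bar off, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable without notification; `AccessVBOM`: 1 = trust access to the VBA project object model); which of these the campaign itself wrote is not stated in the article, and the check simply covers the two that its described behaviour depends on. It assumes Office 2016/2019/365 (version key `16.0`) when resetting.

```powershell
# Added example (not from the original article): audit and reset Office macro security for
# the current user. Office stores these per application under
#   HKCU\Software\Microsoft\Office\<ver>\<App>\Security        (user values, writable by malware)
#   HKCU\Software\Policies\Microsoft\Office\<ver>\<App>\Security (policy values, take precedence)
$apps = 'Excel', 'Word'

function Get-MacroSecurityState {
    # One row per Office version/application found; Suspicious is set when either value is
    # in the state the attack chain needs (warnings off, or VBA project access trusted).
    foreach ($hive in 'HKCU:\Software\Microsoft\Office', 'HKCU:\Software\Policies\Microsoft\Office') {
        if (-not (Test-Path $hive)) { continue }
        $source = if ($hive -like '*Policies*') { 'Policy' } else { 'User' }
        Get-ChildItem $hive | Where-Object { $_.PSChildName -match '^\d+\.\d+$' } | ForEach-Object {
            $ver = $_.PSChildName
            foreach ($app in $apps) {
                $sec = Join-Path $_.PSPath "$app\Security"
                if (Test-Path $sec) {
                    $p = Get-ItemProperty $sec
                    [pscustomobject]@{
                        Source      = $source
                        Version     = $ver
                        App         = $app
                        VBAWarnings = $p.VBAWarnings
                        AccessVBOM  = $p.AccessVBOM
                        Suspicious  = ($p.VBAWarnings -eq 1) -or ($p.AccessVBOM -eq 1)
                    }
                }
            }
        }
    }
}

function Reset-MacroSecurity {
    # Pin safe values through the Policies hive so the user-level values the malware rewrites
    # no longer have effect. 2 = macros disabled, user is notified; AccessVBOM 0 = denied.
    # blockcontentexecutionfrominternet=1 additionally blocks macros in files carrying the
    # Mark of the Web; it does not help for files fetched by a method that leaves no mark.
    # Assumption: Office version key 16.0 (Office 2016/2019/365).
    param([string]$Version = '16.0', [int]$VBAWarnings = 2)
    foreach ($app in $apps) {
        $pol = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
        Set-ItemProperty -Path $pol -Name 'VBAWarnings' -Type DWord -Value $VBAWarnings
        Set-ItemProperty -Path $pol -Name 'AccessVBOM'  -Type DWord -Value 0
        Set-ItemProperty -Path $pol -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
    }
}

$state = Get-MacroSecurityState
$state | Format-Table -AutoSize
if ($state | Where-Object { $_.Suspicious }) {
    Write-Warning 'Macro warnings disabled or VBA project access trusted for this user; resetting via policy.'
    Reset-MacroSecurity
}
```

Because the Policies hive under HKCU is itself writable by code running as the user, the reset only holds against this chain when the same values are delivered by domain Group Policy, which re-applies them; run the audit function on its own as a detection, and treat a User-sourced row with `Suspicious` set to True on a machine that never had those values as an indicator worth investigating.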

ZLoader is a strain of the Zeus banking Trojan, which first appeared in 2006. The malware is also known as ZBot and Silent Night and is used by a range of different attack groups. It was deployed in large-scale attacks during 2020 using COVID-19 themed lures, such as COVID-19 prevention tips, along with more standard lures such as job applications.

Once downloaded, the malware uses webinjects to capture passwords, login details and browser cookies. 

If you wish to protect your business against attacks like this, contact the TitanHQ team to find out more about SpamTitan Email Security and WebTitan Web Security. A no-obligation 14-day free trial is available so you can see for yourself how easy they are to use and how effective they are at blocking malware attacks.

 

Education Sector Targeted by Pysa Ransomware Group

During 2020 the healthcare sector has been a constant focus of ransomware gangs, but the education sector is also dealing with a rise in attacks, with the Pysa (Mespinoza) ransomware gang now extensively targeting it.

Pysa ransomware is a variant of Mespinoza ransomware, first seen in attacks in October 2019. Like many other ransomware gangs, the threat group behind it uses double extortion tactics: files are encrypted and a ransom is demanded for the decryption keys, but to improve the chances of payment, data is stolen before the files are encrypted and the gang threatens to sell it on the dark web if the ransom is not paid. Many targeted healthcare organizations have paid even when they had backups, solely to prevent the sale of their data.

Since October 2019 the Pysa gang has focused on large companies, the healthcare sector, and local government bodies, but there has been a recent rise in attacks on the education sector. Attacks have been carried out on K-12 schools, higher education institutions, and colleges, with attacks reported in 12 U.S. states and in the United Kingdom. The rise led the FBI to issue a Flash Alert in March 2021 warning the education sector about the heightened risk of Pysa ransomware attacks.

Reviews of attacks revealed the gang carries out network reconnaissance using open source tools like Advanced Port Scanner and Advanced IP Scanner. Tools including PowerShell Empire, Koadic, and Mimikatz are employed to obtain credentials and elevate privileges and move laterally inside networks. The gang looks for sensitive data that can be easily monetized and exfiltrates the data before delivering the ransomware payload.

Discovering a Pysa ransomware attack in progress is tricky, so it is crucial for defenses to be hardened to prevent attackers from gaining access to networks. In attacks on French firms and government agencies, brute force tactics were used against management consoles and exposed Active Directory accounts. Some attacks have included exploitation of Remote Desktop Protocol flaws, with the gang also known to use spam and phishing emails to obtain credentials to gain a foothold in education networks.

Since a range of methods are used to gain access, no single control will block attacks. Educational institutions need a combination of security solutions and cybersecurity best practices to improve their security posture. Antivirus/antimalware solutions are vital, as is keeping them updated. Since many attacks begin with a phishing email, an advanced email security gateway is also crucial. A solution such as SpamTitan, which uses dual AV engines and sandboxing, increases the probability of blocking the malware that ransomware gangs use for persistent access to networks. SpamTitan also blocks phishing emails containing links to credential-harvesting websites, and uses machine learning to identify new types of email attack.

Patches and security updates should be applied promptly after release to stop software and operating system vulnerabilities from being exploited. Apply the principle of least privilege to accounts, limit the use of administrative accounts as far as possible, and segment networks to hamper lateral movement once access has been gained. Monitor your network for suspicious activity and investigate alerts so that intrusions are discovered quickly. RDP should not be exposed to the Internet: close any RDP ports that are not needed and require a VPN for remote access.

It is crucial for backups to be created of all critical data to ensure that file recovery can take place without paying the ransom. Multiple backups of data should be created, those backups should be tested to make sure file recovery is possible, and at least one copy should be stored on an air-gapped device.

Malware Being Shared Using Fake Windows 11 Installers

On June 24, 2021, Microsoft announced that Windows 11, the successor to Windows 10 and a significant upgrade of the Windows NT operating system, will be released soon.

The last time an update of this scale was completed was when Windows 10 was released during 2015. Hence this has caused quite a stir as everyone is eager to see what will be included. The specifics of the launch date remain unknown but it will be before the end of the current calendar year. However, some users are being offered the chance to obtain a free copy before the official launch date. 

The first Insider Preview of Windows 11 was announced by Microsoft on June 28. Installing it is quite easy: eligible users need only register for the Dev channel of the Windows Insider Program. Despite the obvious dangers of downloading software from unknown or unofficial sources, many people have been searching for unofficial copies.

Unsurprisingly, unofficial ISOs claiming to provide Windows 11 have appeared, even though their distributors have no legitimate copy to offer. Their true aim is to install malware. Hackers have been using these fake Windows 11 download tools to deliver a wide variety of malicious payloads. At best, a fake installer will place adware or unwanted programs on the device; at worst, it will install malware of varying severity: Remote Access Trojans and backdoors that give attackers full access to the victim's device, information stealers such as keyloggers that capture passwords and other sensitive data, cryptocurrency miners, and ransomware.

Researchers at Kaspersky Lab have discovered many fake Windows 11 installers circulating worldwide, including one plausible-looking downloader named 86307_windows 11 build 21996.1 x64 + activator.exe. Despite the name and its 1.76GB size, it was not what it appeared to be. If the user executed the file and accepted the terms and conditions, it would run a second executable that installed a range of malicious software on the user's device.

As publicity around the official Windows 11 release ramps up, we can expect many more fake installers. Hackers are fond of a long-awaited software release, as it is easy to get users to double click on executable files. Malicious adverts, websites, and emails offering free copies of Windows 11 will increase, so be careful and obtain Windows 11 only from Microsoft or the Windows Insider Program.

It is wise to have an advanced and effective spam filtering solution such as SpamTitan in place to protect against malicious emails. A web filter such as WebTitan will protect against malicious file downloads and help ensure that software and applications are downloaded only from genuine sources.

 

Cybersecurity in Education: Five Key Components You Must Have

K-12 educational sector cybersecurity legal requirements are a constant area of concern for Information Technology managers in that sector. 

The K-12 Cybersecurity Resource Center reported that there were as many as three times the amount of cyber incidents registered during 2019 in United States school districts than during 2018.

With this in mind, and given that school districts need to spend more time bolstering their cybersecurity, we have put together a list of five key elements that should be part of any K-12 security strategy:

  1. Never Allocate Local Admin Rights: When students are given local admin privileges, bad things can happen very easily. Malware or other malicious code installed by a user runs with the rights and privileges of that user. Attackers target younger people, trying to trick them into downloading games and other applications that hide malicious payloads. With local admin rights, that malware can disable protections, persist, and spread far more easily.
  2. Advanced Internet Filtering: Education has changed considerably and many classes are now held online, so an Internet filtering solution is a must; any school system that receives E-Rate funding is legally required to have content filtering in place. But content filtering alone is not adequate. Schools need a DNS security and DNS content filtering system such as WebTitan. WebTitan's DNS security prevents students from reaching malicious websites and web-based malware distribution sites by refusing to resolve their domain names, and it logs malicious threats in real time, helping to preserve the safety of online learning.
  3. Remove Legacy Technology: Systems that no longer receive updates and patches, such as Windows 7 machines, can cause havoc by giving malware a foothold from which to reach the databases and networks they are connected to, so they should be retired.
  4. Apply Updates and Patches Quickly: Updates and patching are often delayed so as not to disrupt class time. This can leave hundreds or thousands of computers with unpatched vulnerabilities. Patches must be applied as a priority as soon as they become available, and IT must have a way to manage the update process centrally using a device management system such as Group Policy or an MDM solution.
  5. Configure an Email Security System: Email will always be the primary delivery system for malware and virus attacks, as long as it remains the most common messaging solution globally. An education enterprise grade email security solution should be able to tackle spam, viruses, ransomware and embedded links to malicious web pages, but incorporates data leak prevention policies as schools host a great deal of highly personal data related to the  student body and staff members.  SpamTitan is perfect for this as it uses double antivirus protection as well as protection from zero-day attacks. 

Conclusion

Incorporating these five key components into a K12 security strategy will go a long way toward ensuring that K-12 institutions remain safe in the face of cyberattacks. Get in touch with a TitanHQ Security Expert today to see how they can help protect your school’s students and teachers.


5 Crucial Elements of a Robust Education Cybersecurity Solution

Recent updates from the K-12 Cybersecurity Resource Center have revealed that the number of cyberattacks targeting US schools tripled during 2019, before education accounted for 61% of all malware attacks during 2020, according to Microsoft research. Now is the time for all educational bodies to enhance their cybersecurity measures. There is absolutely no doubt that school districts need to focus on cybersecurity efforts. Here we have listed five key characteristics of a robust K12 security solution.

  1. Apply Patches & Updates ASAP: Any disruption to the annual school cycle is unwelcome, even more so after the intermittent lockdowns caused by the COVID-19 pandemic. However, updates should not be postponed to try and avoid downtime. If software patches and updates are not applied as quickly as possible, then schools are running the risk of having known vulnerabilities targeted. IT staff need to create a process to manage updates using a device management system such as Group Policy or an MDM solution.
  2. Removing Legacy Technology: Schools have a habit, in order to stretch resources as far as possible, of delaying the removal of legacy tech from their network. While it is natural for teachers and administrators to put as many computing devices into the hands of students as they can, it can result in devices that are no longer supported (and therefore vulnerable) creating a vulnerability on the network. These devices should be removed no matter what.
  3. A Strong Email Security System: An education enterprise-grade email security solution should include measures to tackle spam, viruses, ransomware and embedded links to malicious websites, while also preventing data leaks from educational bodies. SpamTitan can do this as it features double antivirus email protection as well as protection from zero-day attacks.
  4. Avoid Allocating Local Admin Rights: When students are assigned local admin privileges, it creates a major vulnerability on the network in question. When a user downloads malware or other types of malicious code, it obtains the rights and privileges of that user. Children could be tempted to install software and download games without thinking. While allotting local admin rights to all standard users makes it more straightforward for internal IT to deploy machines, it also makes it easier for hackers to distribute malware and viruses.
  5. Advanced Internet Filtering: All schools that are given e-Rate funding must have some form of content filtering solution in place. As content filtering alone is no longer sufficient for Internet filtering, there is also a requirement for an advanced DNS Security and DNS content filtering system such as WebTitan. The DNS Security system of WebTitan prevents students from viewing malicious web pages and internet-based malware repositories. It checks for, and spots, malicious threats in real time and removes internet packets of malware and malicious code, thereby maintaining the safety of the online learning process.

Conclusion

It is crucial that all educational institutions see to it that they are kept safe from the ever-increasing threat posed by cybercriminals. Adding the above five elements to a K12 security strategy will greatly assist with this. To keep your K12 body safe using a multi-layer security solution, contact the TitanHQ Security team now to find out how you can safeguard your group.


Fake Kaseya Update Used in MSP Cobalt Phishing Campaign

It is believed that, on July 2, the managed service provider (MSP) customers of Kaseya were hit by a ransomware attack.

Leveraging the Kaseya Virtual System Administrator (VSA) platform, cybercriminals were able to distribute ransomware in what Kaspersky Lab believes were approximately 5,000 attempts to infiltrate databases in roughly 22 countries. These attacks are believed to have taken place during the first three days after the initial breach. While it is, as of yet, unknown how many of the attempts bore fruit, Kaseya estimates that 1,500 of its direct customers and downstream businesses were impacted during the attack.

The attack took advantage of reported VSA platform vulnerabilities identified in April by the Dutch Institute for Vulnerability Disclosure (DIVD). Following this discovery, Kaseya released patches to address four of the seven reported vulnerabilities during April and May and was working on patches to fix the remaining three flaws. However, the REvil ransomware gang targeted a credential-leaking flaw, referred to as CVE-2021-30116, before the patch was made available.

Once Kaseya spotted the breach, it took action and created mitigations to restrict the potential reach of the attacks. These mitigations shut down all additional attempts to infiltrate the system, but Kaseya users remain in danger from Kaseya-themed phishing attacks.

Now hackers have created phishing campaigns aimed at Kaseya customers that push Cobalt Strike under the guise of spoofed Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing and threat emulation solution. Sadly, hackers are known to use it to obtain remote access to corporate databases.

The Malwarebytes Threat Intelligence team was first to discover the attacks, which use emails carrying a file titled SecurityUpdates.exe. The emails also contain a URL that claims to host a Microsoft update to address the Kaseya vulnerability targeted by the ransomware group.

Users are directed to open the included file or browse to an update page where they can download the Kaseya VSA update to keep them safe from ransomware campaigns. Unfortunately, completing this action will only result in Cobalt Strike beacons being delivered, giving the hackers access to protected databases.

This is quite an intelligent attack, as users will be expecting a security update to address the known flaw in Kaseya VSA. Because of this, Kaseya has broadcast a warning to all users advising them not to open attachments or click links in emails that appear to carry updates for the Kaseya VSA. Kaseya said any email it sends in relation to this will never include hyperlinks or attachments.

Always treat inbound emails that claim to carry security updates or related files as potential ransomware attacks. Never click a link in an email like this or download attached files. If you must, go to the official company website to see if there are any security updates available.


Huge Rise in Crypto Phishing Campaigns

The Federal Trade Commission has recently revealed that crypto phishing scams have grown by over 1,000% since last October according to a report from CBS News.

It has been calculated that 2020 bore witness to some 400,000 cryptocurrency scams. Hackers have been focused on this new form of currency for some time and are estimated to have stolen some $80m in the USA alone. These attacks typically involve investment scams, digital wallet thefts and phishing attacks. The FBI has stated that crypto-related BEC scams have risen significantly in the past 24 months, with businesses having around $10m stolen during 2020.

The factors behind the massive spike in these types of attack are quite varied. They include:

  • As this is a very new type of currency, most people remain unfamiliar with the intricacies of the technology. Blockchain is a neoteric frontier and the average layperson does not completely understand how it works. This knowledge gap creates a potential attack point for cybercriminals.
  • The large number of currencies also assists cybercriminals with their campaigns. Currently there are more than 5,000 cryptocurrencies in existence globally. Additionally, new cryptocurrencies are being created almost every day, so hackers can move from one to the other as they try to find a susceptible target.
  • Third-party identification documents are a major attraction for hackers in data exfiltration attacks. Hackers can use this seized personal information to access cryptocurrency wallets.
  • The associated anonymity is also an attractive element for hackers. While the supporting blockchains provide a record of the actual financial transaction, most of them do not share personal data related to transactions. All of this makes it difficult for authorities to ascertain any sort of financial pattern that can aid their investigations. Crypto, as it turns out, is a payment paradise for cyberattack managers.

The majority of BEC attacks are expertly managed, as the hackers have often thoroughly researched their targets. In a lot of cases a company email system may have been compromised months before the attack itself takes place. This gives the hackers time to learn the protocols and culture of the organization. Following this period, the attack is normally conducted by impersonating a key executive such as the CEO or CFO. The aim is to get a lower-level employee who has privileges on the company’s payment system to send funds for a stated reason, such as a large business deal or company transaction. The employee is asked to complete a bank transfer to an account belonging to the hacking group. Once the funds hit the account, the bank automatically changes the money into cryptocurrency.

FBI Guideline

Along with releasing an annual update, the FBI has also made public a list of specific measures that companies and individuals should adopt in order to avoid becoming the target of a BEC cryptocurrency scam. These include:

  • Individuals are urged to constantly review bank accounts to see if there is any evidence of indiscretions and unrecognized transactions.
  • Use a multi-factor authentication (MFA) solution to augment your authentication processes. One of the best ways is to have a PIN sent through text or email for authentication.
  • Use robust anti-phishing protection like SpamTitan, which features double antivirus, data leak prevention, real-time blacklists (RBLs) and email content filtering, as well as inbuilt Bayesian auto-learning heuristics.
  • IT managers should make sure that their corporate email applications are set up to permit users to see the full email extensions of received emails.


87% growth in HMRC Phishing Attacks in Past Year

In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) – the UK government department responsible for tax collection – is often impersonated in order to conduct cyberattacks.

Phishing campaigns using this mode of attack have been surging in the past year. Official figures obtained by Lanop Outsourcing under a Freedom of Information request show 87% growth in HMRC impersonation attacks, with the number of attacks jumping from 572,029 in 2019/2020 to 1,069,522 in 2020/2021.

Email scams are the most common phishing vector, and the most frequently used lures are fake notifications about tax rebates and refunds. These grew by 90% in the last year, and the number of HMRC phishing attacks sent by email grew by 109% to 630,193. Growth was also seen in text-based phishing (smishing) campaigns, which jumped by 52% year-over-year, and voice phishing (vishing) attacks, which were up by 66%.

Another public body which was used to try and trick recipients via impersonation scams was the Driver and Vehicle Licensing Agency (DVLA). There was a massive 661% increase in reports of phishing scams impersonating the DVLA during the past 12 months.

While these attacks are mainly focused on individuals, they are also a serious concern for business groups due to their aim of stealing sensitive data such as passwords. If attackers get hold of these, there is a strong possibility that they will be used in attacks on companies. Phishing campaigns also attempt to spread malware to business networks. If this is successful, hackers can access the databases before moving laterally and causing damage across an entire group network.

In order to defend your company from attacks like this, it is vital to implement a thorough set of measures. Staff training is crucial so that those using the systems and software on your network know how to spot and report an incoming cyberattack. As a minimum, all staff should be aware of what to do if a suspicious email lands in their inbox. When staff are engaging in distance and remote working, as is more common than ever these days, this is even more important.

As we all know, staff training will not completely eliminate mistakes. Individuals will either fail to pay sufficient attention, due to burnout or lack of interest, or try to use a shortcut to get their work done more quickly, which is not best practice for cybersecurity. This means that you need a robust cybersecurity suite to bolster staff training and keep your organization safe.

A robust cybersecurity suite will always include an advanced spam filtering solution that will spot and block phishing attacks. Remember that not all spam filters are created equal though. Some are proficient only at tackling phishing emails from known malicious IP addresses. However, stronger solutions like SpamTitan are able to spot previously unseen phishing scams thanks to artificial intelligence and predictive technologies for addressing the danger posed by zero-day attacks. Additionally, sandboxing fights malware attacks that have not yet been added to antivirus engines, and DMARC mitigates the dangers presented by email impersonation attacks.

In order to safeguard your group from these types of attack contact TitanHQ now to discover more in relation to enhancing your cybersecurity suite.


Webinar: June 30, 2021: How to Deal with Phishing and Ransomware Threats

Businesses that permitted their employees to work from home during the pandemic faced challenges in giving their workers access to internal networks remotely while maintaining security. Cybercriminals took advantage of the vulnerabilities that were introduced and readily exploited weaknesses. Attacks on businesses increased, and remote employees were the natural target. Throughout the pandemic, phishing and ransomware attacks were rife, with many businesses falling victim to attacks.

Now that restrictions have been eased, businesses have been able to open their offices once again, but many have now adopted a hybrid working model where employees continue to work from home at least some of the week. Businesses that have adopted this model need to now focus on cybersecurity strategies to combat phishing and ransomware attacks targeting their home workers.

A recent Osterman Research/TitanHQ survey of cybersecurity professionals revealed the challenges they faced during the pandemic and the extent to which their businesses were attacked. 85% of the 130 security professionals surveyed said they had experienced at least 1 security incident in the past 12 months, with phishing and ransomware perceived to be the biggest threats.

Even though IT professionals are well aware of the seriousness of the threat from phishing and ransomware attacks, only 37% of organizations surveyed rated their defenses as highly effective at combatting these threats. Security budgets had increased by an average of 28% from 2020 to 2021, yet defenses were still not up to the job.

When asked about the biggest threats their organization faced, the top three threats were email related. The biggest threat was business email compromise (BEC) attacks that trick low-level employees into divulging sensitive information, followed by phishing messages that result in malware infections and phishing emails that result in an account compromise.

Phishing emails are commonly used to deliver ransomware, either via the theft of credentials that give the attackers a foothold in the network or via the delivery of malware such as TrickBot, which is subsequently used to deliver ransomware.

The survey revealed many businesses are struggling to deal with phishing and ransomware threats, despite increases in security budgets. To help businesses improve their defenses against phishing and ransomware attacks, TitanHQ and Osterman Research will be hosting a webinar. During the webinar, attendees will learn about the advanced security threats uncovered by the in-depth survey, learn about the most effective mitigations against phishing and ransomware attacks, and will receive actionable information and best practices to reduce the risk of attacks succeeding.

Webinar Details:

How to Reduce the Risk of Phishing and Ransomware Attacks

Wednesday, June 30, 2021

7:00 p.m. to 8:00 p.m. BST / 2:00 p.m. to 3:00 p.m. EST / 11:00 a.m. to 12:00 p.m. PST

The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research and Sean Morris, Chief Technology Officer at TitanHQ.

Register Your Place Here

Why SpamTitan is the Best MSP Defense Against Email Threats?

At present the main way that hacking groups are accessing business networks is via phishing campaigns.

The single best way of tackling phishing campaigns is using an email spam filter. This type of cybersecurity solution will audit all incoming email traffic to check for spam signatures, phishing characteristics and any indication of malware.

An award-winning anti-spam software, SpamTitan boasts the best possible tools to safeguard your group from phishing and other email-leveraging campaigns. At present more than 1,500 organizations use SpamTitan globally.

While you may see a multitude of spam filtering solutions available which will claim to adequately safeguard your group from the smartest phishing tactics, one has become the chosen solution of managed service providers (MSPs) – TitanHQ. Here we examine the reasons for this choice.

  1. Advanced email blocking: SpamTitan supports uploadable block and permit lists per policy, advanced reporting, recipient verification and outbound email reviewing. There is also a capability for whitelisting/blacklisting at all hierarchical levels of permissions within your network.
  2. Excellent malware protection: There are dual antivirus engines from two leading AV providers and sandboxing that leverages machine learning and behavioral analysis to tackle any file which appears to be dangerous.
  3. Protection against zero-day attacks: Machine learning predictive technology takes on zero-day attacks, and AI-driven threat intelligence blocks zero-minute attacks head on.
  4. Office 365 environment security measures: There are a range of protection measures present that secure in depth against email threats. These can be simply added to Office 365 environments to greatly enhance security in the face of phishing and email-based malware campaigns.
  5. Easy integration: There is a straightforward configuration process for adding this to your existing service stack through TitanHQ APIs, and MSPs benefit from streamlined management with RMM integrations.
  6. Data leak prevention: Strong data leak prevention rules that are easy to create and allow for tagging of data to spot and block internal data loss.
  7. Intuitive multi-tenant dashboard: MSP-client hierarchy means that you can keep clients segregated and decide if you need to manage client settings in bulk or on an individual basis. This is a set and forget solution, meaning a low level of IT service intervention is all that is required.
  8. White labelling: A white-label version can be supplied to reinforce an MSP’s brand.
  9. Industry-leading customer support: TitanHQ customer service is the industry leader in the field, with world-class pre-sales support and sales & technical guidance. MSPs are allocated a dedicated account manager, assigned sales engineer support, access to the Global Partner Program Hotline, and 24/7 priority technical support.
  10. Competitive pricing and monthly billing: MSPs benefit from a transparent pricing policy, competitive pricing, excellent margins, and monthly billing. The sales cycle is just 14 days.

If you would like to begin providing SpamTitan for your clients, contact the TitanHQ channel team at once and begin your free trial.

Common Cybersecurity Errors that Leave you Vulnerable

There has been a surge in the number of profit-generating cyberattacks in the last year, particularly within the healthcare sector in the USA.

In tandem with this, the amount of money demanded by hackers to release encrypted data has gone through the roof. Even in cases where the ransom is handed over, the recovery process can be very tricky, and in a lot of cases the data is never handed back by the cybercriminals at all.

This is a situation that no group wants to find themselves in so it is important to be sure you have addressed all possible weaknesses in relation to your cybersecurity measures. Here we have listed the areas which, if unaddressed, are likely to allow hackers to disrupt your organization’s ability to operate. 

Security Mistakes That Must Be Addressed

  1. Multi-Factor Authentication: When login details are stolen there is huge potential for hackers to access your databases. However, if you have multi-factor authentication configured, this risk is mitigated, as there is a second stage of verification that must be completed in order for access to be granted.
  2. Email Security: Phishing presents a huge danger to all networks. Hackers send emails trying to get staff to either reply or click on a link that will lead to the installation of malware or adware on your servers. Ideally, cybercriminals are seeking the login credentials of a high-level executive who has permission to access all parts of the network. Configuring an advanced AI-based spam filter that uses sandboxing and greylisting will prevent this from happening 99% of the time.
  3. Security Awareness Training: As a lot of attacks, like the email attacks mentioned above, rely on interaction with employees, it is vital that you train these people to spot potential attacks. Regular refresher training courses are also important to keep everything fresh in the mind and to educate staff about new threats that have appeared since the last training session.
  4. Web Security: It is important to add security to police Internet activity on your networks. It would be very easy for an employee to unknowingly browse to a site that is loaded with adware and malware. Using web filtering software will cut off access to malicious websites.
  5. Applying Patches & Software Updates: Hackers are swift to try and take advantage of software, firmware, and operating system flaws. Because of this, it is vital that your organization applies patches and runs updates as soon as they become available. If this task is not done, then it is bound to be just a matter of time before someone gains access to your network and servers.
  6. Password Management Software: Creating weak passwords leaves you vulnerable to brute force attacks. Staff should be given the tools to set up and save strong, secure passwords.
  7. Creating an Incident Response Plan & Backups: ‘Fail to prepare, prepare to fail’ as the saying goes. Companies that have not planned for what to do in the event that they are infiltrated by a cyberattack could have irreparable damage inflicted upon them. Regular backups must be created and tested. It is also wise to store one copy of the backup off site.

Colonial Pipeline Ransomware Attack Started with a Compromised Password

During April 2021, cybercriminals were able to log onto the databases of Colonial Pipeline and install ransomware that led to the shutdown of a fuel pipeline system that provides service to the entire Eastern Seaboard of the USA.

This resulted in a lot of panic buying of fuel by Americans on the East Coast as fuel supplies were threatened. The knock-on effect of this was local fuel shortages and a surge in the price of gasoline to its highest level since 2015. There was a 4.6 million barrel drop in the level of gasoline stockpiles on the East Coast.

The DarkSide ransomware-as-a-service operation was blamed for the attack and has now been taken down. Before it was shut down, Colonial Pipeline handed over a $4.4 million ransom to remove the encryption from their files. They took the decision to pay the ransom due to the danger facing the fuel supplies. Colonial Pipeline provided almost half (45%) of fuel to the East Coast. Though handing over the ransom was a difficult move to make, it had to be done due to the threat to fuel supplies. Another consideration was the length of time that it might take to retrieve the files without having the attacker-supplied decryption keys.

This attacker should never have been able to gain access to such critical infrastructure. The subsequent review of the cyberattack showed that all it took for the attack to be successful was the use of one compromised password to remotely access the database. The account that was compromised was not secured using multi-factor authentication.

According to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation, the compromised password was for a virtual private network account. The account may have been dormant but it was still possible to use the login credentials to gain access to Colonial Pipeline’s network.

As of yet, it remains unknown how the cybercriminals came to be in possession of this password. The password has since been located in a database of breached passwords that was made available via the dark web. There is a chance that an individual had created a password for the account and was also using it on a separate account that was infiltrated. It is typical for passwords from data breaches to be used in brute force attacks, as password reuse is commonplace. Phishing campaigns are also used to obtain passwords.

Mandiant searched for anything to suggest how the password was stolen by the cybercriminals. The cybersecurity experts found no evidence of hacker activity prior to April 29, 2021 nor any proof of phishing attempts. At this point in time it appears that how the password was obtained and the username determined may never come to be known.

It is quite obvious that this hack could have been stopped using cybersecurity best practices, including carrying out audits of accounts and closing down dormant accounts, setting unique and complex passwords for every account, configuring multi-factor authentication to prevent compromised passwords from being used for access, and installing a robust anti-spam solution.

GitHub Repository Weaknesses Create Attack Points

Created in 2008, GitHub has recorded massive growth amongst developers and companies for its code hosting and sharing capabilities. These are available for both open source and proprietary code, making it very popular, with more than 100 million code repositories currently on the platform.

Sadly, this also means that GitHub is a very attractive target for cybercriminals, who have used the platform’s popularity as a basis for several attack types, including ransoms, backdoor attacks and code injection campaigns. GitHub Actions is a feature of GitHub that provides a CI/CD workflow pipeline for software delivery into production. It is one of the main pieces of GitHub infrastructure that automates software workflows. Recently, experts at Google Project Zero discovered a design vulnerability in GitHub Actions. This vulnerability could give a hacker write access to a repository, meaning that they could reveal encrypted secrets. One of the experts, Felix Wilhelm, was able to demonstrate the vulnerability using Microsoft’s Visual Studio Code GitHub repository, where he could inject code that was then passed to the project’s new-issue workflow.

The flaws in Actions give cybercriminals ways to exploit GitHub’s infrastructure. Recently, code injection flaws and vulnerabilities in GitHub Actions allowed crypto-criminals to run crypto-mining malware. The attacks have been recorded since late last year. The attack targets repositories that use Actions, GitHub’s feature for automatically executing software workflows, to place malicious code into a workflow. The process leveraged by the hackers is slick: the malicious GitHub Actions code is first forked from the original workflows, and then a Pull Request merges the code back, in tandem with the crypto miner code. The key to the attack is using GitHub’s own infrastructure to spread malware and mine cryptocurrency on GitHub’s servers. The flaw in Actions means that the attack does not need the repository owner to approve the Pull Request: the crypto-miner code, misnamed npm.exe, is hosted on GitHub. The whole attack is expertly devised, using a mechanism that has, so far, made a mockery of the critical infrastructure of GitHub.
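The page does not spell out the exact injection vector Project Zero used, so the following is an added example (not code from the original post, from GitHub, or from Project Zero) of the general check a defender can run over workflow files: it flags `${{ }}` expressions inside `run:` steps that splice contributor-controlled event fields (issue titles, PR bodies, branch names) straight into the shell script, the pattern GitHub's own workflow-hardening guidance warns about. The sample workflow and the list of untrusted context fields are constructed for the example.

```python
"""Scan GitHub Actions workflow text for shell-injection-prone expressions.

Added example (not from the original post or from GitHub). It flags any
``${{ ... }}`` expression inside a ``run:`` step that references event data an
outside contributor controls. Such values are substituted into the shell script
before it runs, so a crafted title can change what the step executes. The fix
is to pass the value through an environment variable and read it as ``"$VAR"``.
"""
import re
from typing import Iterator, List, Tuple

# Contributor-controlled context fields (constructed list, drawn from GitHub's
# workflow-hardening guidance; deliberately not exhaustive).
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.commits",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
BLOCK_SCALARS = {"|", ">", "|-", ">-", "|+", ">+", ""}


def _run_step_lines(workflow_text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, text) for every line that is part of a run: script.

    Works on the raw text using indentation only, so no YAML library is needed.
    A ``- `` list marker counts as two columns of indentation so that sibling
    keys following ``- run: |`` correctly terminate the script block.
    """
    run_indent = None  # indentation of the active run: key, or None
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip(" ")
        indent = len(line) - len(stripped)
        if stripped.startswith("- "):
            indent += 2
            stripped = stripped[2:].lstrip(" ")
        if run_indent is not None:
            if stripped and indent <= run_indent:
                run_indent = None  # dedent: the script block is over
            else:
                yield lineno, line
                continue
        match = re.match(r"run:\s*(.*)$", stripped)
        if match:
            run_indent = indent
            # Inline form: the script sits on the same line as the key.
            if match.group(1).strip() not in BLOCK_SCALARS:
                yield lineno, line


def find_untrusted_interpolations(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for each risky expression in a run step."""
    findings = []
    for lineno, line in _run_step_lines(workflow_text):
        for expr in EXPR_RE.findall(line):
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((lineno, expr))
    return findings


# Constructed sample: line 10 splices the issue title into the shell script
# (flagged); lines 12-15 pass it through an env var instead (not flagged).
SAMPLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Vulnerable, title is spliced into the shell script
        run: echo "New issue: ${{ github.event.issue.title }}"
      - name: Hardened, title reaches the shell only as an env var
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
          echo "Run id: ${{ github.run_id }}"
"""

if __name__ == "__main__":
    for lineno, expr in find_untrusted_interpolations(SAMPLE_WORKFLOW):
        print(f"line {lineno}: untrusted expression ${{{{ {expr} }}}} inside run step")
```

Run it against the `.github/workflows/*.yml` files of a repository you maintain; a clean result does not prove a workflow safe, since it only catches direct interpolation into scripts, not secrets exposed through other steps.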

The worry in relation to this recent crypto mining attack on GitHub repositories is that the hacker is, yet again, leveraging the inherent infrastructure of a platform. Any weakness in the corporate structure can be targeted. Bolstering the security of these infrastructure weak points is crucial to stopping cyberattacks. Source code is a critical system and GitHub is critical infrastructure. Firms and vendors using GitHub should ensure they follow security best practices. But even groups not using GitHub as a source code repository may well be receiving source code hosted via GitHub. To address this, cybersecurity best practices must be implemented. People, processes, and technology are some of the pillars of cyber best practice, but adding awareness of possible infrastructure hacks is vital to keeping your business protected.

Some of the steps that you need to implement include:

  • Stopping employees from visiting dangerous URLs or installing malicious software/files
  • Preventing staff from accessing infected web portals
  • Implementing GitHub security best steps when using the infrastructure to host source code
  • Training staff to ensure they are conscious of security tricks and tactics

Preventing these attacks is possible with WebTitan Cloud DNS filter. It will tackle malware, phishing, viruses, ransomware & malicious sites.