Threat Landscape Dominated by Emotet Trojan

The Emotet Trojan first appeared in 2014 as a banking Trojan, used to steal sensitive data such as online banking credentials from the browser when a user logged into their bank account. It has since evolved considerably and now represents a far broader threat.

Emotet spreads readily. It propagates worm-like to other devices on the network, and it hijacks the victim's email account to send copies of itself to their contacts. Infected devices are added to the Emotet botnet, which has been used in attacks on other organizations. The Emotet operators now work with other criminal groups and use their malware to deliver further Trojans such as TrickBot and QakBot, which in turn are used to deliver ransomware.

Data from HP Inc. showed Emotet detections grew by 1,200% from Q2 to Q3, illustrating how sharply activity has increased. Check Point data ranks Emotet as the most prevalent malware, accounting for 12% of all infections in October 2020. TrickBot, which Emotet delivers, was second at 4% of infections.

The Emotet and TrickBot Trojans are driving a rapid rise in ransomware infections worldwide, especially attacks on healthcare organizations. The U.S. healthcare sector is being targeted by ransomware gangs because of the higher likelihood that the ransom will be paid. In many cases, recent ransomware attacks were made possible by earlier Emotet and TrickBot infections.

Unfortunately, because Emotet spreads so efficiently, removing it can be difficult. More than one device has usually been compromised, and when the Trojan is removed from one device it is often reinfected by other infected devices in the organization. In practice this means affected hosts need to be identified, isolated and cleaned together, and the credentials of any hijacked email accounts reset, rather than remediating machines one at a time.

Emotet is mainly distributed by phishing emails, most often via malicious macros in Word documents and Excel spreadsheets, although JavaScript attachments are also used. The lures vary widely and are often tied to recent news events, COVID-19, and the holiday season in the build-up to Halloween, Black Friday, and Cyber Monday.

The most effective defense is to block Emotet emails before they reach inboxes and to make sure employees are trained to recognize phishing emails.

If you want to protect your organization from Emotet and other malware and phishing attacks, contact the TitanHQ team for more information about SpamTitan Email Security.

Phishing Attack Prevention Solutions Lacking in Most Healthcare Organizations

The threat from phishing attacks is constant, especially for the healthcare sector, which is frequently targeted by cybercriminals because of the high value of healthcare data on criminal markets and the access that compromised email accounts provide.

Phishing attacks are having a major impact on healthcare providers in the United States, which are reporting record numbers of attacks. The sector is also inundated with ransomware attacks, many of which begin with a successful phishing email, for instance one that delivers a ransomware loader such as the Emotet or TrickBot Trojan.

A recent HIMSS survey of U.S. healthcare cybersecurity professionals shows the extent to which phishing attacks are reaching their intended targets. The survey, conducted between March and September 2020, found phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, cited as the cause of 57% of attacks.

One notable finding is the lack of adequate protection against phishing and other email attacks. While 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is worrying that 9% apparently have not. Only 89% said they had implemented firewalls.

Then there is multi-factor authentication, which is highly effective at stopping stolen credentials from being used to remotely log in to email accounts. Microsoft stated in a summer 2020 blog post that multi-factor authentication prevents 99.9% of attempts to use stolen credentials to log into accounts, yet only 64% of healthcare organizations had implemented it. One caveat: that figure concerns automated credential abuse; phishing kits that proxy the login page and relay a one-time code in real time can still defeat weaker MFA methods, so phishing-resistant factors such as FIDO2 security keys should be preferred where possible.

That is a big improvement on 2015, when the survey was last carried out and only 37% had MFA in place, but it shows there is still room for improvement, especially in a sector that experiences more than its fair share of phishing attacks.

In the breach reports required under the Health Insurance Portability and Accountability Act (HIPAA) Rules, with which U.S. healthcare organizations must comply, it is common for breached organizations to state that they are implementing MFA after the breach, when MFA could have prevented that costly breach in the first place. The HIMSS survey found that 75% of organizations strengthen security after experiencing a cyberattack.

The number of phishing attacks that succeed cannot be blamed on a single factor, but it is clear that greater investment in cybersecurity is needed to stop them. An effective email security solution that blocks phishing emails and malware should be a priority. Security awareness training is required for HIPAA compliance, but it should be provided regularly, not just once a year to meet the compliance requirement. Implementing multi-factor authentication is also a crucial anti-phishing measure.


Most Healthcare Groups Do Not Have the Correct Solutions to Prevent Phishing Attacks

The threat from phishers is constant, especially for the healthcare sector, which is frequently targeted by cybercriminals because of the high value of healthcare data and compromised email accounts. Phishing campaigns are having a major impact on healthcare organizations in the United States, which are reporting record numbers of successful attacks.

The industry is also heavily affected by ransomware campaigns, many of which begin with a successful phishing attack, for instance one that delivers a ransomware loader such as the Emotet or TrickBot Trojan.

A recent HIMSS survey of U.S. healthcare cybersecurity professionals has revealed the extent to which phishing attacks are hitting their targets. The survey, conducted between March and September 2020, found phishing to be the main cause of cybersecurity incidents at healthcare organizations in the past 12 months, cited as the cause of 57% of attacks.

One notable revelation from the survey is the lack of appropriate protection against phishing and other email attacks. While it is reassuring that 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is worrying that 9% apparently have not. Only 89% said they had implemented firewalls.

Then there is multi-factor authentication. MFA will not stop phishing emails from being delivered, but it is highly effective at preventing stolen login credentials from being used to remotely access email accounts.

In the breach reports required under the Health Insurance Portability and Accountability Act (HIPAA) Rules, with which U.S. healthcare organizations must comply, it is common for breached entities to state that they are implementing MFA after the breach, when MFA could have prevented that costly breach in the first place. The HIMSS survey found that 75% of organizations strengthen security after being hit by a cyberattack.

These cyberattacks can also harm patient care. 28% of respondents said cyberattacks disrupted IT operations, 27% said they disrupted business management, and 20% said they caused financial losses. 61% of respondents said the attacks affected non-emergency clinical care and 28% said they interfered with emergency treatment, with 17% saying they had resulted in patient harm. The last figure may be an underestimate, as many organizations lack the mechanisms to determine whether patient safety has been affected.

The number of phishing attacks that hit their targets cannot be attributed to a single factor, but it is clear that a higher level of investment in cybersecurity is needed to stop them. An effective email security solution that blocks phishing emails and malware should be a top priority. Security awareness training is required for HIPAA compliance, but it should be provided on an ongoing basis, not just once a year to meet the compliance requirement. Implementing multi-factor authentication is also an essential anti-phishing measure.

One often overlooked area of phishing defense is web filtering. A web filter blocks the web-based component of phishing attacks, preventing employees from reaching the websites that host phishing forms. Given the sophistication of current phishing attacks and the realistic fake login pages used to harvest credentials, this control is also crucial.

TitanHQ provides cost-effective cloud-based anti-phishing and anti-malware solutions that protect your network from both the email- and web-based components of cyberattacks, with flexible payment options.

If you want to strengthen your defenses against phishing and prevent costly cyberattacks, data breaches, and the regulatory penalties that can follow, contact TitanHQ now.

Start with Network Basics for Cybersecurity

All too often enterprise administrators follow best practices across their network infrastructure but overlook email security. Arguably email security matters more than any other single control, since many of the biggest data breaches start with a phishing email. With more employees working from home because of COVID-19, it is more important than ever that email security is configured and enforced across all communication channels.

Firewalls, access controls, user identity management and other network fundamentals are all components of a good security posture. Email security is just as important: it blocks malicious attachments and links, and suspicious messages are quarantined for review so users never see them.

Email authentication is built on two mechanisms: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). An SPF record is the easier of the two to implement and takes an administrator only a few minutes. It is published as a TXT record in the organization's DNS zone. The record is a string with a specific syntax that tells receiving mail servers which IP addresses (listed directly, or indirectly through mechanisms such as a, mx and include) are authorized to send mail for the domain, and what result to return for everything else.

DKIM works like a digital signature, not encryption. The sending server adds a DKIM-Signature header that signs selected headers and the message body with the domain's private key; the receiving server fetches the matching public key from DNS and verifies the signature, which confirms that the message was authorized by the signing domain and has not been altered in transit. Together SPF and DKIM let the receiving server validate the sender, but on their own they only produce a result; they do not tell the receiver what to do with a message that fails, and neither stops a spoofed message by itself.

That decision comes from Domain-based Message Authentication, Reporting and Conformance (DMARC). The domain owner publishes a DMARC policy that tells receiving servers how to handle messages that fail authentication, that is, messages for which neither an SPF pass nor a DKIM pass aligns with the domain in the From: header (the policy is none, quarantine or reject), and where to send aggregate reports. With a strict DMARC policy, receiving servers will reject messages that have no aligned pass, which includes the case where the sending domain publishes no SPF record at all. For instance, organizations that use Google Workspace (formerly G Suite) or another third-party sending service can find their own mail rejected if that service's servers are not covered by the SPF record and the service is not signing with an aligned DKIM key.
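The following is an added example, not code from the original article or from TitanHQ, showing how a receiving server turns an SPF record and a DMARC policy into a decision. It implements the ip4, ip6 and all mechanisms of SPF and the p, aspf and adkim tags of DMARC against records held in memory. The DNS lookups a real verifier performs (fetching the TXT records, resolving include:, a and mx, fetching the DKIM public key) and the DKIM signature verification itself are left out; the DKIM result is passed in as if a verifier had produced it. Every domain, IP address and record in it is a constructed sample.

```python
"""Evaluate SPF and apply a DMARC policy to one inbound message (added example).

Only the ip4/ip6/all SPF mechanisms and the p/aspf/adkim DMARC tags are
implemented; DNS-dependent terms (include:, a, mx, exists) are skipped and the
DKIM result is supplied by the caller. All records and addresses are constructed.
"""
import ipaddress

# An SPF qualifier prefix decides the result a matching mechanism yields.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = []
    for token in record.split()[1:]:
        if "=" in token:          # modifier such as redirect= or exp=; not handled here
            continue
        qualifier = "+"
        if token[0] in QUALIFIER_RESULT:
            qualifier, token = token[0], token[1:]
        mechanism, _, argument = token.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_spf(record: str, sender_ip: str) -> str:
    """SPF result for the connecting IP: mechanisms are tried left to right, first match wins."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        # include:/a/mx/exists need DNS; a production verifier resolves them here.
    return "neutral"              # nothing matched and no 'all' term was present


def parse_dmarc(record: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=reject; aspf=r' into a tag dictionary."""
    if not record.startswith("v=DMARC1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Last two labels; real verifiers use the Public Suffix List (example.co.uk etc.)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str, spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """'pass' if SPF or DKIM passed *and* aligns with the From: domain; else the p= action.

    An SPF result of 'none' (no record published) is simply a non-pass, so a
    domain without SPF still fails DMARC unless an aligned DKIM signature passes.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


def evaluate(dmarc_record: str, from_domain: str, sender_ip: str, mail_from_domain: str,
             mail_from_spf: str, dkim_result: str = "none", dkim_domain: str = "") -> tuple[str, str]:
    """SPF is checked against the MAIL FROM domain's record; DMARC against the From: domain's policy."""
    spf = check_spf(mail_from_spf, sender_ip) if mail_from_spf else "none"
    return spf, dmarc_disposition(dmarc_record, from_domain, spf, mail_from_domain, dkim_result, dkim_domain)


if __name__ == "__main__":
    SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"            # constructed: example.com
    DMARC = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com"
    # 1. Spoof: From example.com, sent from an IP outside the SPF range, unsigned -> rejected.
    print(evaluate(DMARC, "example.com", "198.51.100.7", "example.com", SPF))
    # 2. Legitimate mail from a subdomain's server inside the range: relaxed SPF alignment passes.
    print(evaluate(DMARC, "example.com", "192.0.2.25", "mail.example.com", SPF))
    # 3. Third-party sender whose own SPF passes but does not align, and no DKIM -> rejected.
    THIRD = "v=spf1 ip4:203.0.113.0/24 -all"
    print(evaluate(DMARC, "example.com", "203.0.113.9", "bounce.thirdparty.example", THIRD))
    # 4. Same sender signing with example.com's DKIM key -> DKIM alignment rescues it.
    print(evaluate(DMARC, "example.com", "203.0.113.9", "bounce.thirdparty.example", THIRD, "pass", "example.com"))
```

Case 3 is the situation the paragraph above describes: the third-party service authenticates fine for its own bounce domain, but because that domain does not align with the From: header, a p=reject policy still discards the message until the service is added to the SPF record or signs with an aligned DKIM key, as in case 4.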

It takes only one successful phishing email for an attacker to get into a network and then send further messages to higher-value targets. A recent Ponemon report put the average cost of a breach at $3.82 million, and many of these breaches begin with a message whose text tricks the recipient into clicking a harmful link or opening a malware attachment.

TechRadar has reported that around a trillion emails are sent per year, roughly 3.4 billion per day. With employees working from home there is a high risk of them receiving one of these messages and becoming the entry point for a major breach.

Even trained users can fall for these attacks, and if a phishing email succeeds, the large amount of data that person has been trusted with can be stolen and sold on darknet markets for use in a longer-term attack.

With email attacks becoming more frequent, email security should be part of every organization's network defenses. Firewalls are necessary, and SPF, DKIM and DMARC are basic controls that reduce the risk of a serious data breach. Note what they do and do not cover: publishing them stops others from spoofing your domain, and honoring them on inbound mail lets you enforce other domains' policies; they do nothing against phishing sent from look-alike domains or from legitimately compromised accounts, which is why filtering and user training remain necessary.

Sextortion Scam Targets Zoom Users

One of the main commercial successes of the Covid-19 pandemic is the Zoom video conferencing app, which passed 300 million daily meeting participants by the end of April 2020 thanks to the needs of remote workers and long-distance communication.

This new working routine means that some remote workers take a more relaxed attitude to security and to what they do in front of their laptop cameras. That comfort zone has given attackers a new way to target staff and companies: Zoom sextortion scams.

Sextortion has become another way for criminals to extort money from unsuspecting individuals. The scam is email-based blackmail. Sextortion, also called a 'porn scam', is not a new threat. A recent Sophos report found that millions of sextortion emails were sent in 2019-2020, earning the fraudsters behind them over $500,000. Criminals reuse what works, so they keep building new campaigns on a proven theme.

Sextortion emails normally threaten to publish sexually explicit material, usually a video. The sender claims the video was recorded by malware installed on the user's device and that, unless the ransom (usually demanded in bitcoin) is paid within a set period, the compromising video will be sent to everyone in the user's contact list.

An example of a sextortion email (received recently) is displayed here:

As always, criminals are quick to spot an opportunity, and as Zoom has become part of daily life, so they have adapted their sextortion tactics to the video conferencing platform. This latest campaign, 'Zoom sextortion', has been linked to an incident involving TV analyst Jeffrey Toobin, who was caught in a compromising position on a Zoom call with other media workers. Toobin himself was not a victim of sextortion, but the fact that such a well-known person was caught 'on camera' in a compromising position has given fraudsters added leverage in their sextortion email campaigns.

Email is again the delivery vector in the Zoom sextortion campaign. As Zoom usage grew, its security quickly became a major concern. 'Zoombombing', in which uninvited users join Zoom meetings, was a particular problem in the early days of the COVID-19 lockdown, and in March the FBI issued a warning about the hijacking of Zoom and other video conferencing services. The weaknesses exploited in Zoombombing were access control issues.

This latest Zoom sextortion campaign exploits two weaknesses: Zoom users' fears about the platform's security, and the fear of being caught doing something embarrassing on camera.

The sextortion email claims that a zero-day flaw in the Zoom app gave the attacker access to the victim's camera and other device metadata. It goes on to say that embarrassing footage of the user was captured during a Zoom meeting, referencing the Jeffrey Toobin case. The claim is a bluff: the email contains no evidence of any compromise, and the same text is broadcast to large numbers of recipients.

"I do not want you to be the next Jeffrey Toobin", says the scammer.

Most workers who receive this email will not feel threatened. However, a small number may feel intimidated and worry that even a minor indiscretion could lead to a warning or dismissal. For that reason the victim may decide to pay the ransom, which in this scam is $2,000 in bitcoin.

Cyber-extortion is growing in popularity as criminals look for quick wins.

QBot Trojan Distributed in Election Interference-Themed Phishing Emails

Cybercriminals recently seized the chance to attack the millions of people following US presidential election coverage, running a malware campaign disguised as emails claiming to contain information about possible election interference.

With the high volume of postal votes delaying the release of official results and prompting legal challenges and demands for recounts, traffic to election news coverage has been very high. Spam campaigns exploiting the situation began not long after the polls closed. The emails carried the Qbot banking Trojan which, once the attachment was opened, hijacked the recipient's email account and used it to send the malicious email on to further contacts.

In this campaign, the malware searches compromised mailboxes for messages containing the term "election" and sends replies to those threads. The reply carries a zip file named "ElectionInterference" containing a malicious spreadsheet, and the message urges the recipient to open the spreadsheet to find important details about interference in the US election. With President Trump continuing to claim that fraud occurred during the count, the messages look credible to recipients. The spreadsheet is styled to resemble a legitimate DocuSign file, and the user is told to enable content to decode the file and view its contents. Doing so allows the embedded macros to run, and they quietly download the Qbot Trojan.
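Both the Emotet lures described earlier (macro-laden Word and Excel attachments) and the Qbot zip above rely on the same trick: an Office document whose VBA project runs once the user enables content. Modern Office files are zip containers and store the macro project under a well-known member name, so an inbound filter can detect the payload from the container's contents rather than from the file extension or the lure text. The following is an added example, not code from the article or from TitanHQ. The email message and the attachment are constructed in memory, the vbaProject.bin content is a placeholder, and the legacy OLE2 (.doc/.xls) format, which needs a different parser, is out of scope.

```python
"""Flag macro-enabled Office documents inside a zipped email attachment (added example).

OOXML documents are zip files; a VBA project lives at xl/vbaProject.bin (Excel),
word/vbaProject.bin (Word) or ppt/vbaProject.bin (PowerPoint). The sample
message and attachment are constructed here; vbaProject.bin is a placeholder.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

VBA_PARTS = {"xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin"}
MAX_MEMBER_BYTES = 25 * 1024 * 1024     # refuse to inflate larger members (zip-bomb guard)


def office_has_vba(blob: bytes) -> bool:
    """True if the bytes are an OOXML container carrying a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as doc:
            return any(name in VBA_PARTS for name in doc.namelist())
    except zipfile.BadZipFile:
        return False                    # not OOXML (OLE2, PDF, plain text, ...)


def scan_zip(blob: bytes) -> list[str]:
    """Names of archive members that are macro-enabled Office documents."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for info in archive.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            if office_has_vba(archive.read(info)):
                hits.append(info.filename)
    return hits


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each zip attachment's filename to the macro documents found inside it."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            findings[name] = scan_zip(payload)
    return findings


# --- constructed sample data --------------------------------------------------

def build_workbook(with_vba: bool) -> bytes:
    """Minimal OOXML-shaped zip; the vbaProject.bin bytes are a placeholder, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wb:
        wb.writestr("[Content_Types].xml", "<Types/>")
        wb.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            wb.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def build_lure_message() -> bytes:
    """A reply-style lure carrying ElectionInterference.zip, shaped like the Qbot campaign."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("ElectionInterference.xlsm", build_workbook(with_vba=True))
        z.writestr("README.txt", "open the spreadsheet and enable content")
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"      # hijacked account replying to a real thread
    msg["To"] = "victim@example.com"
    msg["Subject"] = "RE: election"
    msg.set_content("See attached details on election interference.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="ElectionInterference.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_lure_message()))
    # {'ElectionInterference.zip': ['ElectionInterference.xlsm']}
```

Because the check looks at the container's members rather than the filename, renaming the document or nesting it inside a zip does not hide it; what this does not cover is password-protected archives (the member cannot be read) and the OLE2 formats, both of which a production filter must handle separately.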

Qbot first appeared in 2008 and has been updated many times since, gaining features designed to evade modern security solutions. These include the ability to hijack existing Outlook email threads, the same technique Emotet uses to increase the chance that the malicious content is opened by recipients.

In addition to targeting customers of major financial institutions, Qbot steals protected information such as credit card details and passwords. Qbot is also a malware loader: its operators partner with other criminal groups to mass-deliver further payloads, including ransomware.

These threat actors exploit any opportunity to infect devices with malware. Large volumes of COVID-19 and election-themed spam are likely as further legal action over the election results is expected, and the same actors will use Black Friday, Cyber Monday and other holiday lures to steal credentials and spread malware.

Businesses can defend against these phishing and malspam campaigns with a combination of spam filtering, web filtering, antivirus software and end user training. For more information on protecting your business against email- and web-based threats, contact TitanHQ now.