Popularity of Dating Apps During Lockdown Leads to Phishing Campaign

A phishing campaign that spreads a remote access trojan called Hupigon, a RAT that was first identified in 2010, is targeting higher education institutions in the United States.

The Hupigon RAT has previously been deployed by advanced persistent threat (APT) groups from China, although this campaign is not thought to have been operated by an APT group; instead, the Hupigon RAT has been repurposed by cybercriminals. While many industries have been targeted in the campaign, almost half of the attacks have been conducted on colleges and universities.

The Hupigon RAT allows its operators to install other malware variants, steal passwords, and access the microphone and webcam. Infection could see the attackers take full control of the infected device.

The campaign uses online dating lures to trick users into installing the Trojan. The emails show two dating profiles of supposed users of the platform, and the recipient is asked to select the one they find the most attractive. When the user makes their choice, they are taken to a website where an executable file is downloaded, which installs the Hupigon RAT.

The choice of lure for the campaign is no doubt influenced by the huge increase in the popularity of dating apps during the COVID-19 pandemic. While few actual dates are taking place due to the lockdown and social distancing measures now in place around the world, the lockdowns have left many people with a lot of time on their hands. That, coupled with social isolation for many single people, has led to a rise in the use of online dating apps, with many users turning to Zoom and FaceTime for virtual dates. Many popular dating apps have reported a rise in use during the COVID-19 pandemic. For instance, Tinder reports that use has grown, with the platform having its busiest ever day: over 3 billion profiles were swiped in a single day.

As we have already seen with COVID-19 lures in phishing attacks, which account for most lures during the pandemic, when there is interest in a particular event or news story, hackers will take advantage of it. With the popularity of dating apps surging, we can expect to see a rise in the number of online dating-themed lures.

The advice for higher education institutions and companies is to ensure that an advanced spam filtering solution is in place to block the malicious messages and ensure they do not land in end users’ inboxes. It is also crucial to ensure that security awareness training is still being conducted for staff, students, and remote employees to teach them how to spot the signs of phishing and other email threats.

TitanHQ can be of assistance. If you wish to better protect staff, students, and employees and keep inboxes free of threats, give the TitanHQ team a call as soon as you can. After registering, you can be protecting your inboxes in no time.

Damage Caused by University Cyberattacks Revealed in UK Study

UK think tank Parliament Street has produced a report that reveals the extent to which universities are being targeted by hackers and the sheer volume of spam and malicious emails that are sent to the inboxes of university staff and students.

Data on malicious and spam email volumes was obtained by Parliament Street through a Freedom of Information request. The analysis of data from UK universities showed they are having to block millions of spam emails, hundreds of thousands of phishing emails, and tens of thousands of malware-laced emails every year.

Warwick University’s figures indicate that over 7.6 million spam emails were sent to the email accounts of staff and students in the last quarter of 2019 alone, which included 404,000 phishing emails and more than 10,000 emails including malware.

Bristol University encountered a similar level of targeting, with more than 7 million spam emails over the same period, 76,300 of which included malware. Data from the London School of Hygiene and Tropical Medicine showed that more than 6.3 million spam emails were registered during 2019, which included almost 99,000 phishing emails and over 73,500 malware attacks. In total, 12,773,735 spam and malicious emails were received across 2018 and 2019.

Data from Lancaster University showed that over 57 million emails were rejected for reasons such as spam, malware, or phishing, with 1 million emails marked as possible spam. The figures from Imperial College London were also worrisome, with almost 40 million emails intercepted during 2019.

Like attacks on businesses, cyberattacks on universities are often conducted for financial gain. These attacks attempt to deliver malware and obtain credentials in order to access university networks and exfiltrate data to sell on the black market. Universities store huge amounts of sensitive student data, which is extremely valuable to hackers as it can be leveraged for identity theft and other types of fraud. Attacks are also conducted to deploy ransomware and extort money from universities.

Universities normally have high-bandwidth networks to support tens of thousands of students and employees. Attacks are conducted to hijack devices and add them to botnets used to conduct a range of cyberattacks on other targets. Email accounts are also being hijacked and used to run spear phishing attacks on other targets.

Nation state-backed advanced persistent threat (APT) groups are focusing on universities to gain access to intellectual property and research data. Universities carry out cutting edge research and that information is extremely valuable to companies who can use the research data to develop products to gain a massive competitive advantage.

Universities are viewed as relatively soft targets compared to organizations of a similar size. Their cybersecurity defenses tend to be far less advanced, and the large networks and number of devices used by staff and students make defending those networks complicated.

With the number of cyberattacks on universities increasing, leaders of higher education institutions need to implement measures to enhance cybersecurity and prevent the attacks from succeeding.

The majority of threats are sent over email, so advanced email security defenses are essential, and that is an area where TitanHQ can be of assistance.

Independent tests confirm that SpamTitan blocks in excess of 99.97% of spam email, helping to keep inboxes free of junk email. SpamTitan uses dual anti-virus engines to block known threats, machine learning to spot new types of phishing attacks, and sandboxing to discover and block zero-day malware and ransomware threats. When email attachments pass the initial checks, suspicious attachments are moved to the sandbox for in-depth analysis to identify command and control (C2) callbacks and other malicious actions. SpamTitan also uses SPF and DMARC controls to prevent email impersonation attacks, data loss prevention controls for outbound messages, and controls to detect potential email account compromises.

If you wish to enhance your cybersecurity defenses, begin by upgrading your email security defenses with SpamTitan. You may be shocked to learn how little investment is required to significantly enhance your email security defenses. To discover more, get in touch with TitanHQ now.

Module for Brute Force RDP Attacks Included in TrickBot Trojan

The TrickBot Trojan is a complex banking Trojan that was first identified in 2016. While the malware was initially just an information stealer dedicated to stealing online banking credentials, it has evolved massively over the past four years and several modules have been added that provide a host of other malicious capabilities.

The TrickBot Trojan’s information stealing capabilities have been greatly enhanced. In addition to banking credentials, it will steal system and network data, email credentials, tax data, and intellectual property. TrickBot is capable of moving laterally and silently infecting other computers on the network using legitimate Windows utilities and the EternalRomance exploit for the SMBv1 vulnerability. The malware can install a backdoor for persistent access. TrickBot also acts as a malware installer and will download other malicious payloads, such as Ryuk ransomware.

The Trojan is frequently updated and new variants are regularly released. The command and control infrastructure is also constantly changing. According to an analysis by Bitdefender, more than 100 new IPs are added to its C&C infrastructure each month, each with a lifespan of around 16 days. The malware and its infrastructure are highly complex, and while steps have been taken to dismantle the operation, the hackers are managing to stay one step ahead.

TrickBot is primarily distributed via spam email through the Emotet botnet. Infection with Emotet sees TrickBot downloaded, and infection with TrickBot sees the computer added to the Emotet botnet. Once all useful data has been harvested from an infected system, the baton is passed to the Ryuk ransomware operators, with a reverse shell opened to give them access to the network.

A recent analysis of a variant captured by Bitdefender on January 30, 2020 has shown that another method of distribution has been added to its arsenal: the Trojan now has a module for brute-forcing RDP. The brute force RDP attacks are mainly being carried out on organizations in the financial services, education, and telecom industries and are currently targeted at organizations in the United States and Hong Kong, although it is likely that the attacks will spread region by region over the coming weeks. The attacks are being conducted to steal intellectual property and financial data.

Since the TrickBot Trojan is modular, it can always be updated with new features, and the evolution of the malware so far, together with its success, means it will remain a threat for some time to come. Thankfully, it is possible to prevent infections by practicing good cyber hygiene.

Spam is still the main method of delivery for both the Emotet Trojan and TrickBot, so an advanced spam filter is vital. Since new variants are constantly being released, signature-based detection methods alone are not enough. SpamTitan incorporates a Bitdefender-powered sandbox to analyze suspicious email attachments for malicious activity. This ensures the malicious behavior of completely new malware variants is identified and the emails are quarantined before they can cause any damage.

If you don’t require RDP, ensure it is turned off. If you do, ensure access is restricted and strong passwords are enforced. Use rate limiting to block login attempts after a set number of failures, and ensure multi-factor authentication is implemented to prevent stolen credentials from being used.
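The rate-limiting step above (block further attempts after a set number of failures) is a sliding-window counter with a lockout period, the same logic behind Windows account lockout policy and perimeter tools that block a source address. The following is an added example, not TitanHQ's or SpamTitan's code; it keys the limiter both by account and by source address, and the timestamps, addresses (RFC 5737 documentation ranges) and account names are constructed for illustration.

```python
"""Sliding-window login rate limiting, as used to defend RDP against brute-force attacks.

Added example (not TitanHQ's or SpamTitan's code). Event timestamps, IP addresses and
account names below are constructed for illustration.
"""
from collections import defaultdict, deque


class LoginRateLimiter:
    """Lock a key (an account or a source IP) after too many failures in a window."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget it, and start counting failures afresh.
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record(self, key, success, now):
        """Record one attempt and return 'locked', 'allowed' or 'failed'."""
        if self.is_locked(key, now):
            return "locked"
        if success:
            self._failures[key].clear()       # a good login resets the counter
            return "allowed"
        window = self._failures[key]
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()                  # drop failures older than the window
        if len(window) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            return "locked"
        return "failed"


def evaluate(events, **limits):
    """Decide each (time, source_ip, username, success) attempt, locking by account
    (as Windows lockout policy does) and by source address (as a perimeter rate
    limiter does). An attempt is refused if either key is locked."""
    by_account = LoginRateLimiter(**limits)
    by_source = LoginRateLimiter(**limits)
    decisions = []
    for t, source_ip, username, success in events:
        acct = by_account.record(username.lower(), success, t)
        src = by_source.record(source_ip, success, t)
        if "locked" in (acct, src):
            decisions.append("locked")
        elif success:
            decisions.append("allowed")
        else:
            decisions.append("failed")
    return decisions


# Constructed sample: one legitimate user, one attacker, times in seconds.
SAMPLE_EVENTS = [
    (0,   "203.0.113.10", "alice",         False),  # typo, then a good login
    (5,   "203.0.113.10", "alice",         True),
    (10,  "198.51.100.7", "Administrator", False),  # rapid guesses from one source
    (11,  "198.51.100.7", "Administrator", False),
    (12,  "198.51.100.7", "Administrator", False),
    (13,  "198.51.100.7", "Administrator", False),
    (14,  "198.51.100.7", "Administrator", False),  # 5th failure: account and source locked
    (15,  "198.51.100.7", "Administrator", False),  # refused during the lockout
    (16,  "198.51.100.7", "bob",           False),  # other account, same locked source
    (20,  "203.0.113.10", "alice",         True),   # legitimate user is unaffected
    (920, "198.51.100.7", "Administrator", False),  # lockout expired; counting restarts
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"t={event[0]:>4} {event[1]:<14} {event[2]:<14} -> {decision}")
```

Keying by source address as well as by account matters because a brute-force tool that rotates through many usernames never trips a per-account threshold; the per-source counter catches it after the same five failures. The lockout expiry deliberately clears the failure history so that a legitimate user who was locked out is not immediately re-locked by stale counts.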

For additional details on SpamTitan Email Security and to find out how you can enhance your defenses against email and web-based attacks, contact the TitanHQ team now.


COVID-19 Crisis Pandemic: Email Security & Home Working

The 2019 Novel Coronavirus pandemic has meant that many workers have had to self-isolate at home and an increasing number of employees wish to work from home to reduce risk of contracting COVID-19. Companies are under pressure to allow their workers to stay at home and use either company-issued or personal devices to log onto their networks and work remotely.

Cybercriminals are always changing their tactics, techniques, and procedures, and they have jumped at the opportunity served up by the Novel Coronavirus. People are wary, and rightly so. COVID-19 has a high mortality rate and the virus is spreading rapidly. People want information about cases in their local district, advice on how to safeguard themselves, and information about possible cures. Hackers have obliged and are conducting phishing campaigns that claim to offer all that information. Many campaigns have now been discovered from many different threat groups that attempt to obtain login credentials and spread malware. Since the start of January, when the first major campaigns were detected, the volume of coronavirus and COVID-19 emails has increased significantly.

Campaigns are being run impersonating different governmental and non-governmental bodies on the Novel Coronavirus and COVID-19, such as the World Health Organization (WHO), the U.S. Centers for Disease Control and Prevention (CDC), the U.S. Department of Health and Human Services, and other government agencies. COVID-19-themed emails are being sent to remote workers that spoof HR departments, warning about cases that have been detected within the organization. Health insurers are being spoofed in campaigns that include invoices for information on COVID-19.

Since January, more than 16,000 coronavirus and COVID-19-themed domains have been registered, which are being used to host phishing kits and distribute malware. Researchers at Check Point Software report that those domains are 50% more likely to be malicious than other domains registered in the same period.

Email security and home working will naturally be a major worry for IT teams given the sheer number of home workers due to the coronavirus pandemic and the volume of attacks now targeting home workers. With so many devices connecting to networks remotely, if cybercriminals do obtain credentials it will be much more difficult for IT teams to identify threat actors connecting remotely. Fortunately, there are steps that can be taken to improve email security, and home working need not significantly increase risk.

You should ensure that your employees can only connect to your network and cloud-based services through a VPN. Enterprise VPNs can be configured to force all traffic through the VPN to reduce the potential for mistakes. Make sure that the VPN is set up to start automatically when the device is turned on.

It is vital that all remote workers are protected by a strong and effective email security solution. It is not possible to stop hackers targeting remote workers, but it is possible to prevent phishing and malware threats from reaching inboxes.

To safeguard your employees against phishing attacks and malware, an advanced email security solution is vital. If you use Office 365 for email, do not rely on Office 365’s built-in email security alone. You will need greater protection than Exchange Online Protection provides to safeguard against phishing, spear phishing, and zero-day threats.

SpamTitan has a number of different detection mechanisms to identify and block the full range of email threats. SpamTitan incorporates SPF and DMARC to protect against email impersonation attacks, machine learning algorithms and predictive technology to safeguard against zero-day attacks, advanced phishing protection against whaling and spear phishing attacks by scanning inbound email in real time, dual antivirus engines to prevent malware threats, and sandboxing for in-depth analysis of suspicious attachments. SpamTitan also incorporates 6 specialist RBLs, supports whitelisting, blacklisting, and greylisting, and uses multiple threat intelligence feeds.

There is a higher risk of insider threats with remote workers. To provide protection and to prevent accidental policy breaches, SpamTitan has a data loss prevention filter to stop credit card numbers, Social Security numbers, and other sensitive data types from being sent over email.

No email security solution can prevent 100% of email threats from reaching inboxes 100% of the time. It is therefore important to provide regular cybersecurity training to employees to make them aware of phishing threats, train them how to identify a phishing email or social engineering scam, and teach remote employees how to react should a threat be received. Phishing simulation exercises are also helpful for identifying which employees require additional training and for spotting possible gaps in training programs. Basic IT security refresher training should also be given to ensure employees know what can and cannot be done with work devices.

Multi-factor authentication must be put in place on all applications and email accounts to add protection in the event of an account compromise. If stolen credentials are used from a previously unknown location or an unfamiliar device, a second authentication factor must be provided before access is granted. You should also disable macros on all user devices, unless a specific user needs macros for work reasons.

To discover more about how you can enhance email security for remote workers, give the TitanHQ team a call now. You can set up a demonstration to see SpamTitan in action and you can also register for a free trial to put SpamTitan to the test on your own network.


SpamTitan v7.00 Includes Bitdefender Anti-Virus Engine

A new version of TitanHQ’s cloud-based anti-spam service and anti-spam software was made available on March 5, 2018. SpamTitan version 7.00 incorporates patches for recently identified flaws in the ClamAV antivirus engine and a change to the primary AV engine used by the solution.

The main anti-virus engine of SpamTitan version 7.00 is supplied by the Romanian firm Bitdefender. Bitdefender is an award-winning antivirus engine that provides strong email protection against malware, viruses, and ransomware. Combined with the secondary AV engine – ClamAV – users take advantage of excellent protection against email-based malware and ransomware attacks. The dual AV engines see to it that malicious software is not delivered to end users’ inboxes via email attachments.

The change to Bitdefender was the obvious choice and TitanHQ is planning to further its strategic relationship with the Romanian cybersecurity business over the coming weeks and months. The amendment to the primary AV engine will be unnoticeable to existing users, who will still be protected from malicious threats.

The update to the most recent version will not happen automatically. Customers who have ‘prefetch of system updates’ enabled on their SpamTitan installations will be able to see the newest version in their list of available updates and can manually trigger the update to the new version. Customers who do not have that option turned on need to “check for updates” via their user interface.

Customers have been advised to review the documentation accompanying the latest version before installation as it includes important information on how the update should be applied. TitanHQ explains that it is not possible to update from v4 or v5 of the platform to SpamTitan version 7.00 without initially installing version 6 of the platform.

Customers should remember that the update must be applied before May 1, 2018 to ensure continued protection, as support for the Kaspersky AV engine – used in all versions of SpamTitan prior to v7 – will come to an end on that date. TitanHQ has also informed customers that support for v4 and v5 of SpamTitan will also cease from May 1, 2018.

SpamTitan v7.00 includes patches for the following flaws: CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12379, CVE-2017-12380. All of those flaws exist in ClamAV. The most recent version also improves protection against DoS attacks and should be run as soon as possible. The update will take around 10-20 minutes to run.


COVID-19 Phishing Emails Target Healthcare Providers

Healthcare providers are being targeted by spammers using COVID-19 phishing campaigns, with the attacks showing no sign of letting up. The volume of attacks has led the U.S. Federal Bureau of Investigation (FBI) to release a further warning to healthcare providers, urging them to take steps to safeguard their networks and prevent the attacks.

The first significant COVID-19-themed phishing attacks targeting healthcare providers were detected around March 18, 2020. The attacks have increased over the following weeks and the lures have diversified.

Campaigns have been carried out targeting at-home healthcare staff who are supplying telehealth services to patients, and there has been an increase in business email compromise campaigns. The latter see vendors impersonated and requests issued for early or out-of-band payments due to struggles that are being experienced due to COVID-19.

The phishing attacks are being conducted to obtain login credentials and to spread malware, both of which are used to gain a foothold in healthcare networks to allow follow-on system exploitation, persistence, and the theft of sensitive data.

The malware being distributed in these campaigns is very varied and includes data stealers such as Lokibot, backdoors, and Trojans such as TrickBot. Microsoft has recently revealed that TrickBot accounts for the majority of COVID-19 phishing emails targeting Office 365 users, with a campaign last week involving hundreds of different, unique macro-laced files. Along with being a dangerous malware variant in its own right, TrickBot also installs other malicious payloads, including Ryuk ransomware.

A diverse range of malware is delivered via a similarly diverse range of email attachments and malicious scripts. Microsoft Word documents containing malicious macros are typically used, as are 7-zip compressed files, Microsoft executables, and JavaScript and Visual Basic scripts. The emails are being sent from a combination of domestic and international IP addresses.

While the number of COVID-19-themed phishing emails has been rising, the overall volume of phishing emails has not increased significantly. What is happening is that threat actors are changing their lures and now using COVID-19 themes because they are more likely to be clicked on.

The campaigns can be highly realistic. The lures and requests are believable, many of the emails are well written, and authorities on COVID-19 such as the Centers for Disease Control and Prevention, the HHS’ Centers for Medicare and Medicaid Services, and the World Health Organization are being impersonated. In many cases the emails are sent from a known and trusted contact, which makes it more likely that the email attachment will be opened.

The advice provided by the FBI is to follow cybersecurity best practices, such as never clicking on unsolicited email attachments, regardless of who appears to have sent the email. Ensuring software is kept up to date and patches are applied promptly is also vital, as is disabling automatic email attachment downloads. The FBI has also recommended filtering out specific types of attachments using email security software, something that is easy to set up with SpamTitan.
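Attachment-type filtering of the kind the FBI recommends, applied to the file types named earlier in this post (macro-laced Word documents, 7-zip archives, executables, JavaScript and Visual Basic scripts), is illustrated by the following added example. It is not SpamTitan's code; the rule lists are a reasonable starting policy rather than a product configuration, and the messages it scans are constructed inline with Python's standard email library. Content signatures are checked before the filename so that an executable renamed to look like a PDF is still caught.

```python
"""Attachment-type filtering for inbound email.

Added example (not SpamTitan's code); the rule lists are an illustrative policy and
the messages below are constructed inline.
"""
import email
from email import policy
from email.message import EmailMessage

# File types that are executable content and should never be delivered by email.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "dll",
                      "js", "jse", "vbs", "vbe", "wsf", "hta", "ps1"}
# Archives and macro-capable documents: hold for sandbox analysis rather than deliver.
SANDBOX_EXTENSIONS = {"doc", "xls", "ppt", "docm", "xlsm", "pptm", "rtf",
                      "7z", "zip", "rar", "iso", "img"}
# Content signatures checked before the filename, so a renamed file cannot evade the rule.
MAGIC_RULES = [
    (b"MZ", "block", "PE executable header"),
    (b"7z\xbc\xaf\x27\x1c", "sandbox", "7-zip archive"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "sandbox", "legacy OLE Office container (may hold macros)"),
]
SEVERITY = {"allow": 0, "sandbox": 1, "block": 2}


def classify_attachment(filename, payload):
    """Return (verdict, reason) for one attachment's name and decoded bytes."""
    name = (filename or "").strip().lower()
    for magic, verdict, reason in MAGIC_RULES:
        if payload.startswith(magic):
            return verdict, reason
    if not name:
        return "sandbox", "attachment without a filename"
    ext = name.rsplit(".", 1)[-1] if "." in name else ""   # last suffix decides
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"executable or script extension .{ext}"
    if ext in SANDBOX_EXTENSIONS:
        return "sandbox", f"archive or macro-capable document .{ext}"
    return "allow", "no rule matched"


def scan_message(raw):
    """Scan a raw RFC 5322 message; return the overall verdict and per-attachment findings.
    The overall verdict is the most severe verdict among the attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(part.get_filename(), payload)
        findings.append((part.get_filename(), verdict, reason))
    overall = max((f[1] for f in findings), key=SEVERITY.get, default="allow")
    return overall, findings


def build_message(attachments):
    """Construct a test message carrying (filename, content_type, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "COVID-19 case notification"
    msg.set_content("Please review the attached notice.")
    for filename, content_type, data in attachments:
        maintype, subtype = content_type.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples covering the attachment types the FBI advisory names.
SAMPLE_ATTACHMENTS = [
    ("notice.pdf", "application/pdf", b"%PDF-1.4 constructed sample"),
    ("invoice.pdf.exe", "application/pdf", b"MZ\x90\x00\x03 constructed"),   # mislabelled executable
    ("case_list.js", "application/octet-stream", b"var payload = 'constructed';"),
    ("report.7z", "application/octet-stream", b"7z\xbc\xaf\x27\x1c\x00\x04 constructed"),
    ("guidance.docm", "application/vnd.ms-word.document.macroEnabled.12", b"PK\x03\x04 constructed"),
]

if __name__ == "__main__":
    overall, findings = scan_message(build_message(SAMPLE_ATTACHMENTS))
    print("overall:", overall)
    for name, verdict, reason in findings:
        print(f"  {name:<16} {verdict:<8} {reason}")
```

The three-way verdict mirrors the layered approach described in this post: outright executables are blocked, while archives and macro-capable documents are routed to a sandbox, since a file extension alone cannot say whether a .doc or .7z is benign. Note that the declared Content-Type is deliberately ignored; a sender controls that header, so only the bytes and the filename are trusted as inputs.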

The FBI has emphasized the importance of not opening email attachments, even if antivirus software indicates that the file is clean. As the TrickBot campaign shows, new strains of malicious documents and scripts are being created at an incredible rate, and signature-based detection methods cannot keep up. This is another area where SpamTitan can be of assistance. Along with using dual antivirus engines to detect known malware variants faster, SpamTitan includes sandboxing to identify and block zero-day malware threats whose signatures have yet to be added to antivirus definitions.

Training is crucial to show healthcare employees cybersecurity best practices to help them spot phishing emails, but it is also important to ensure that your technical controls are in a position to block these threats. For more guidance get in touch with TitanHQ now.