Email Threats

Fake Kaseya Update Used in MSP Cobalt Phishing Campaign

It is believed that, on July 2, the managed service provider (MSP) customers of Kaseya were impacted in a ransomware attack.

Leveraging the Kaseya Virtual System Administrator (VSA) platform cybercriminals were able to share ransomware with, Kaspersky Lab believes, approximately 5,000 attempts to infiltrate databases in roughly 22 countries. These attacks are believed to have taken place during the first three days after the initial breach. While it is, as of yet, unknown how many of the attempts bore fruit Kaseya estimates that 1,500 of its direct customers and downstream businesses were impacted during the attack.

The attack took advantage of reported KSA platform vulnerabilities identified in April by the Dutch Institute for Vulnerability Disclosure (DIVD). Following this discovery Kaseya released patches to address four of the seven reported vulnerabilities during April and May and was working on patches to fix the remaining three flaws. However, the REvil ransomware gang targeted a credential leaking flaw, referred to as CVE-2021-30116, before the patch was made available.

Once the breach was spotted by Kaseya they took action and created mitigations to restrict the potential reach of the attacks. These mitigations shut down all additional attempts to infiltrate the system but Kaseya users remain in danger from Kaseya phishing attacks.

Now hackers have created phishing Cobalt Strike attacks aimed at Kaseya customers pushing. These attacks are spoofed Kaseya VSA security updates. Cobalt Strike is an authentic penetration testing and threat emulation solution. Sadly, hackers are known to use it to obtain remote access to corporate databases.

The Malwarebytes Threat intelligence team were first to discover the attacks, using emails that carried a file titled SecurityUpdates.exe. There is also a URL that claims to host a Microsoft update to address the Kaseya vulnerability targeted by the ransomware group.

Users are directed to click on the included file or browse to an update page where they can download the Kaseya VSA to keep them safe from ransomware campaigns. Unfortunately completing this action will only result in Cobalt Strike beacons being delivered and allowing the hackers access to protected databases.

This is quite an intelligent attack as users will be expecting a security update to address the known flaw on Kaseya. Due to this the company (Kaseya) has broadcasted a warning to all users advising them not to click on any files or visit URLs click links in emails that appear to carry updates for the Kaseya VSA. Kaseya said any email sent in relation to this will never have hyperlinks or attachments included.

Alway deal with inbound emails that say they have security updates or files related to the same as potential ransomware attacks. Never visit a link in an email like this download attached files. If you must, go to the official company website to see if there are any security updates available.


87% growth in HMRC Phishing Attacks in Past Year

In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) – the UK government department responsible for tax collection – is often impersonated in order to conduct cyberattacks.

Phishing campaigns using this mode of attack have been surging in the past year, with official figures obtained by Lanop Outsourcing under a Freedom of Information request showing the growth in HMRC impersonation attacks to be 87% with the amount of attacks jumping from 572,029 in 2019/2020 to 1,069,522 in 2020/2021. 

Email scams are the most common phishing vector and the most often leverage lures being fake notifications about tax rebates and refunds. These grew by 90% in the last year and the amount of HMRC phishing attacks sent using email grew by 109% to 630,193. Additionally growth was experienced in text-based phishing (smishing) campaigns. These jumped by 52% year-over-year and voice phishing (vishing) attacks were up by 66%.

Another public body which was used to try and trick recipients via impersonation scams was the Driver and Vehicle Licensing Agency (DVLA). There was a massive 661% increase in reports of phishing scams impersonating the DVLA during the past 12 months.

While these attacks are mainly focused on individuals they are also a serious concern for business groups due to their aim of stealing sensitive data such as passwords. If they get hold of these then there is a strong possibility that they will be used in attacks on companies. Phishing campaigns also attempt to spread malware to business networks. If this is successful then hackers can access  the databases before moving laterally and cause damage across an entire group network.

In order to defend your company from attacks like this it is vital to implement a thorough set of measures. Staff training is crucial so that those using the systems and software on your network know how to spot and mark an incoming cyberattack. As a minimum all staff should be aware what to do if a suspicious email lands in their inbox. When staff are engaging in distance and remote working, as is more common than ever these days, this is even more important.

All we all know is that staff training will not completely eliminate mistakes from happening. Individuals will either fail to pay sufficient attention, due to burn out or lack of interest, or try to use a shortcut, to get their work done more quickly, which is not best practice for cybersecurity. This means that you need a robust cybersecurity suite to bolster the staff training method and keep your organization safe.

A robust cybersecurity suite will alway include an advanced spam filtering solution that will spot and block phishing attacks. Remember that all spam filters are not created equal though. Some are proficient at tackling phishing emails from known malicious IP addresses only. However, stronger solutions like SpamTitan are able to spot previously unseen phishing scams thanks to artificial intelligence and predictive technologies for addressing the danger posed by  zero-day attacks. Additionally sandboxing fights malware attacks that have not yet been added to antivirus engines and DMARC mitigates the dangers presented by email impersonation attacks.

In order to safeguard your group from these types of attack contact TitanHQ now to discover more in relation to enhancing your cybersecurity suite.


Webinar: June 30, 2021: How to Deal with Phishing and Ransomware Threats

Businesses that permitted their employees to work from home during the pandemic faced challenges giving their workers to access internal networks remotely while maintaining security. Cybercriminals took advantage of vulnerabilities that were introduced and readily exploited weaknesses. Attacks on businesses increased and remote employees were the natural target. Throughout the pandemic, phishing and ransomware attacks were rife, with many businesses falling victim to attacks.

Now that restrictions have been eased, businesses have been able to open their offices once again, but many have now adopted a hybrid working model where employees continue to work from home at least some of the week. Businesses that have adopted this model need to now focus on cybersecurity strategies to combat phishing and ransomware attacks targeting their home workers.

A recent Osterman Research/TitanHQ survey of cybersecurity professionals revealed the challenges they faced during the pandemic and the extent to which their businesses were attacked. 85% of the 130 security professionals surveyed said they had experienced at least 1 security incident in the past 12 months, with phishing and ransomware perceived to be the biggest threats.

Even though IT professionals are well aware of the seriousness of the threat from phishing and ransomware attacks, only 37% of organizations surveyed rated their defenses as highly effective at combatting these threats. Security budgets had increased by an average of 28% from 2020 to 2021, yet defenses were still not up to the job.

When asked about the biggest threats their organization faced, the top three threats were email related. The biggest threat was business email compromise (BEC) attacks that trick low-level employees into divulging sensitive information, followed by phishing messages that result in malware infections and phishing emails that result in an account compromise.

Phishing emails are commonly used to deliver ransomware, either via the theft of credentials that give the attackers a foothold in the network or via the delivery of malware such as TrickBot, which is subsequently used to deliver ransomware.

The survey revealed many businesses are struggling to deal with phishing and ransomware threats, despite increases in security budgets. To help businesses improve their defenses against phishing and ransomware attacks, TitanHQ and Osterman Research will be hosting a webinar. During the webinar, attendees will learn about the advanced security threats uncovered by the in-depth survey, learn about the most effective mitigations against phishing and ransomware attacks, and will receive actionable information and best practices to reduce the risk of attacks succeeding.

Webinar Details:

How to Reduce the Risk of Phishing and Ransomware Attacks

Wednesday, June 30, 2021

7:00 p.m. to 8:00 p.m. BST / 2:00 p.m. to 3:00 p.m. EST / 11:00 a.m. to 12:00 p.m. PST

The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research and Sean Morris, Chief Technology Officer at TitanHQ.

Register Your Place Here

Why SpamTitan is the Best MSP Defense Against Email Threats?

At present the main way that hacking groups are accessing business networks is via phishing campaigns.

The single best way of tacking phishing campaigns is using an email spam filter. This type of cybersecurity solution will audit all incoming email traffic to check for spam signature, phishing characteristics and any indication of malware.

An award-winning anti-spam software, SpamTitan boasts the best possible tools to safeguard your group from phishing and other email-leveraging campaigns. At present more than 1,500 organizations use SpamTitan globally.

While you may see a multitude of spam filtering solutions available which will claim to adequately safeguard your group from the smarted phishing tactics, one has become the chosen solution of managed service providers (MSP) – TitanHQ. Here we examine the reasons for this choice.

  1. Advanced email blocking: SpamTitan uses upload block and permits lists per policy, advanced reporting, recipient verification and outbound email reviewing. There is also a capability for whitelisting/blacklisting at all hierarchical levels of permissions within your network.
  2. Excellent malware protection: There are dual antivirus engines from two leading AV providers and sandboxing that leverages machine learning and behavioral analysis to tackle any file which appears to be dangerous.
  3. Protection against zero-day attacks: Machine learning predictive technology takes zero-day attacks foen and there is also AI-driven threat intelligence to tackle block zero-minute attacks head on.
  4. Office 365 environment security measures: There are a range of protection measures present that secure in depth against email threats. These can be simply added to Office 365 environments to greatly enhance security in the face of phishing and email-based malware campaigns.
  5. Easy integration: There is a straightforward configuration process for adding this to your existing Service Stack through TitanHQ API’s and MSPs benefit from streamlined management with RMM integrations.
  6. Data leak prevention: Strong data leak prevention rules that are easy to create and allow for tagging of data to spot and block internal data loss.
  7. Intuitive multi-tenant dashboard: MSP-client hierarchy means that you can keep clients segregated and decide if you need to manage client settings in bulk or on an individual basis. This is a set and forget solution, meaning a low level of IT service intervention is all that is required.
  8. White labelling: Can be supplied a #white label version to reinforce an MSP’s brand.
  9. Industry-leading customer support: TitanHQ customer service is the industry leader in the field with world class pre-sales and technical support and sales & technical guidance. MSPs are allocated a  dedicated account manager, assigned sales engineer support, access to the Global Partner Program Hotline, and 24/7 priority technical support.
  10. Competitive pricing and monthly billing: SPs benefit can view the transparent pricing policy, competitive pricing, excellent margins, and monthly billing. The sales cycle is just 14 days.

If you would like to begin providing SpamTitan for your clients, contact the TitanHQ channel team at once and begin your free trial.

Colonial Pipeline Ransomware Attack Started with a Compromised Password

During April 2021, cybercriminals were able to log onto the databases of Colonial Pipeline and install ransomware that led to the shutdown of a fuel pipeline system that provides service to the entire eastern Eastern Seaboard of the USA.

This resulted in a lot of panic buying of fuel by Americans on the East Coast as fuel supplies were threatened. The knock-on effect of this was local fuel shortages and a surge in the price of gasoline to their highest level since 2015. There was a 4.6 million barrels drop in the level of stockpiles of gasoline on the East Coast.

The DarkSide ransomware-as-a-service operation was blamed for the attack and has now been taken down. Before it was shut down, Colonial Pipeline handed over a $4.4 million ransom to remove the encryption from their files. They took the decision to pay the ransom due to the danger facing the fuel supplies. Colonial Pipeline provided almost half (45%) of fuel to the East Coast. Though handing over the ransom was a difficult move to make, it had to be done due to the threat to fuel supplies. Another consideration was the length of time that it might take to retrieve the files without having the attacker-supplied decryption keys.

This attack should not have been allowed to gain access to such a critical infrastructure. The subsequent review into the cyberattack showed that all it took for the attack to be successful was the use of one compromised password to remotely access the database. The account that was compromised was not secured using multi-factor authentication.

According to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation, the compromised password was for a virtual private network account. The account may have been dormant but it was still possible to use the login credentials to gain access to Colonial Pipeline’s network.

As of yet it remains unknown how the cybercriminals came to be in possession of this password. The password has since been located in a database of breached passwords that was made available via the dark web. There is a chance that an individual had created a password for the account and it was also in use on a separate account that was infiltrated. It is typical for passwords from data breaches to be used in brute force attacks as password reuse is commonplace. Phishing campaigns are used to obtain passwords also.

Mandiant searched for anything to suggest how the password was stolen by the cybercriminals. The cybersecurity experts found no evidence of hacker activity prior to April 29, 2021 nor any proof of phishing attempts. At this point in time it appears that how the password was obtained and the username determined may never come to be known.

Is it quite obvious that this hack could have been stopped using cybersecurity best practices including carrying out audits of accounts and closing down dormant accounts, creating setting unique and complex passwords for every account, configuring multi-factor authentication to prevent stolen compromised passwords from being used for access, and installing a robust anti-spam solution.

GitHub Repository Weaknesses Create Attack Points

Created in 2008, GitHub has recorded massive growth amongst developers and companies for its hosting, sharing and software code capabilities. These are available in both open source and proprietary codemaking it very popular with more than 100 million code repositories currently on the platform.

Sadly, this also means that GitHub is a very attractive target for cybercriminals who have used the platform’s popularity as as a basis for several attack types, including ranoms, backdoor attacks and code injection campaigns. GitHub Actions is a feature of GitHub that allows a CI/CD workflow pipeline for software delivery into production. It is one of the main infrastructures in GitHub that automates software workflow. In a recent exploit, experts at Google Project Zero discovered a design vulnerability in GitHub Actions. This vulnerability could allow a hacker write access to a repository, meaning that they could reveal encrypted secrets. One of the experts, Felix Wilhelm, was able to show the vulnerability using Microsoft’s Visual Studio Code GitHub repository, where he could inject code which was then shared with the project’s new issue workflow.

The flaws in Actions allow ways for cybercriminals to exploit the GitHub database network. Recently  code injection flaws and vulnerabilities in GitHub Actions allowed crypto-criminals to conduct bit mining malware. The attacks have been registering since late last year. The attack targets repositories using Actions, the automatic execution of software workflows feature to place malicious code into a software workflow. The process leveraged by the hackers is smooth slick: the malicious GitHub Actions code is first forked from original workflows, but then a Pull Request merges the code back, in tandem with the crypto miner code. The key to the attack uses GitHub’s infrastructure to share malware and mine cryptocurrency on GitHub’s servers. The flaw in Actions means that the attack does not need the repository owner to give permission for the Pull Request: The crypto-miner code, misnamed as npm.exe. is hosted on GitHub. The whole attack is expertly devised using a mechanism that has, so far, made a mockery of the critical infrastructure of GitHub.

The worry in relation to this recent crypto mining attack on GitHub repositories, is that the hacker, yet again, leveraging inherent infrastructure of a network. Any weakness in the corporate structure can be targeted. Bolstering the security of these infrastructure hatches is crucial to stopping cyber-attacks. Source code is a critical system and GitHub a critical infrastructure. Firms and vendors using GitHub should ensure they use best security practices. But even groups not using GitHub as a source code repository may well be receiving source code hosted via GitHub. To address this cybersecurity best practices must be implemented. People, processes, and technology are the some of the tje cyber best practices, but adding in awareness of possible infrastructure hacks is vital to keeping your business protected.

Some of the steps that you need to implement include:

  • Stopping employees from visiting dangerous URLs or installing malicious software/files
  • Preventing staff from accessing infected web portals
  • Implementing GitHub security best steps when using the infrastructure to host source code
  • Training staff to ensure they are conscious of security tricks and tactics

Preventing these attacks is possible with WebTitan Cloud DNS filter. It will tackle malware, phishing, viruses, ransomware & malicious sites.