TitanHQ News

Babuk Ransomware Among new Cyberattack Threats in 2021

2021 has, so far, seen a massive rise in the introduction of new strains of ransomware being used to infiltrate the networks of enterprise organizations.

This represents a shift in the tactics of cybercriminals, who spent most of 2020 trying to take advantage of workers forced into unsecured home-working environments by the COVID-19 pandemic. In the opening months of 2021 there is a clear surge in the number of attacks concentrating on the employees who are slowly returning to large office settings.

One such strain of ransomware is called Babuk. Individuals whose data has been encrypted receive a demand for a $60k-$85k ransom, to be transferred before the private keys that remove the encryption are handed over. Babuk resembles a regular ransomware campaign, but it includes a number of characteristics designed specifically with companies in mind as the target.

Babuk disables many of the backup features available in Windows. The first feature to be made redundant is the Volume Shadow Copy Service (VSS), which is used to take backups of files in use. With this feature disabled, users cannot retrieve their current active files. It also disables the file-locking mechanism used on open and active files. For businesses using the backup features in Microsoft Office, Babuk turns off these features as well.

Babuk then moves on to encrypting the database. Files smaller than 41MB are double-encrypted; files larger than this are split prior to encryption. The encryption cipher is ChaCha8, with its key generated from a SHA-256 hash, a cryptographically secure hashing algorithm. Unlike normal ransomware, Babuk uses only one private key, as it is focused on infiltrating enterprise users.

There are a couple of ways that you can prepare for Babuk attempting to attack and encrypt your databases. You will mitigate some of the danger by placing your own encryption on particularly important files, which will prevent Babuk from doing the same. Additionally, using a cloud backup means there are backups available from which to restore your information without handing over a ransom.

Monitoring software will weed out suspicious traffic on the network and, in doing so, prevent malware from encrypting files or exfiltrating data. System administrators are then made aware of the activity and can review it to gauge the threat level. Another strong security measure is using email filters with artificial intelligence (AI) that allow you to spot potentially dangerous messages and attachments. These can then be quarantined and reviewed by an administrator. This method cuts out the possibility of human error leading to a malicious file being downloaded and initiating an encryption process.
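As an added example (not code from the original article, and not TitanHQ's or Babuk's code), the following Python script shows the kind of host-monitoring rule an administrator could run over process-creation logs to catch the shadow-copy removal and VSS service shutdown described above, and to escalate when several such events land on one host within a short window. The pipe-separated log lines are constructed for this example; the command patterns are the publicly documented ways shadow copies are deleted or the VSS service is stopped on Windows, which the article does not itself list, so treat them as an assumption about what a real event source would show.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed process-creation events (assumed layout: "time|host|user|parent|command_line").
# A real feed would be Sysmon Event ID 1 or Windows Security Event 4688.
SAMPLE_EVENTS = r"""
2021-03-02T09:14:05|WS-017|ACME\jdoe|explorer.exe|C:\Windows\System32\notepad.exe report.txt
2021-03-02T09:14:21|WS-017|ACME\jdoe|winword.exe|vssadmin.exe delete shadows /all /quiet
2021-03-02T09:14:22|WS-017|ACME\jdoe|cmd.exe|net stop vss /y
2021-03-02T09:14:23|WS-017|ACME\jdoe|cmd.exe|wmic shadowcopy delete
2021-03-02T09:20:00|FS-01|ACME\backupsvc|backup.exe|vssadmin.exe list shadows
"""

# Publicly documented ways shadow copies get removed or the VSS service stopped.
# This list is an assumption of the example; the article only says Babuk disables VSS.
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_delete", re.compile(r"Win32_ShadowCopy.*Remove-WmiObject", re.I)),
    ("vss_service_stop", re.compile(r"\bnet1?(\.exe)?\s+stop\s+vss\b", re.I)),
    ("vss_service_stop", re.compile(r"\bsc(\.exe)?\s+(stop\s+vss\b|config\s+vss\s+start=\s*disabled)", re.I)),
]


@dataclass
class Alert:
    time: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields (command line may contain '|')."""
    time, host, user, parent, command_line = line.split("|", 4)
    return {"time": time, "host": host, "user": user,
            "parent": parent, "command_line": command_line}


def detect(events_text: str) -> List[Alert]:
    """Return one alert per event whose command line matches a VSS-tampering rule."""
    alerts: List[Alert] = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule, pattern in RULES:
            if pattern.search(ev["command_line"]):
                alerts.append(Alert(ev["time"], ev["host"], ev["user"], rule, ev["command_line"]))
                break  # one alert per event is enough
    return alerts


def hosts_with_burst(alerts: List[Alert], window_seconds: int = 60, min_alerts: int = 2) -> Set[str]:
    """Hosts with at least `min_alerts` tampering alerts inside `window_seconds`.
    A burst like this is a far stronger ransomware precursor than any single command,
    which a backup job (see the FS-01 line) might legitimately run."""
    by_host: Dict[str, List[datetime]] = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(datetime.fromisoformat(a.time))
    flagged: Set[str] = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - min_alerts + 1):
            if (times[i + min_alerts - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert.time} {alert.host} {alert.user} [{alert.rule}] {alert.command_line}")
    print("hosts to isolate:", sorted(hosts_with_burst(found)))
```

The "list shadows" line from the backup server is deliberately left unmatched: an administrator enumerating shadow copies is routine, whereas deleting them from an Office application's child process is not.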

Training and user education will also help prevent human error. This involves providing staff with the knowledge required to spot threats, so that they can warn administrators about potential attacks and avoid running attachments on their local devices.

SpamTitan Email Security is a strong cybersecurity solution that will assist greatly in bringing the risk of network infiltration down to an acceptable and manageable level. Call SpamTitan now to enquire about a free trial to witness the strength and value of the solution for yourself.

Teachers the Focus of New Phishing Attacks

A recently discovered phishing attack is targeting the messages sent between students and teachers. In the campaign an email is spoofed to look like it was sent from the parent of a student; however, it includes an attachment with a malicious macro. The message informs the teacher that an earlier message with a student assignment did not successfully reach their inbox.

It appears that the phishers came into possession of a directory of teacher email addresses via faculty contact lists available on a school website. The message looks extremely authentic as it includes the teacher’s name. Once the malicious file is opened, the macro downloads the ransomware executable files.

Some new tactics seen in this campaign include an SMS alerting the phisher once a recipient downloads the file and the use of the Go programming language to create the malicious file. Files encrypted by the ransomware are listed in a text file named “About_Your_Files.txt” stored on the user’s desktop.

Schools are an attractive target for phishers as they typically do not have massive funds to invest in cybersecurity. However, there are a number of measures that schools should introduce, as a minimum, to prevent attacks like this from infiltrating their databases.

Email filters will block ransomware attachments before they reach targeted user inboxes. They spot malicious messages and files and place them in a quarantine folder where they can be reviewed by a system administrator to see whether they are a false positive. If so, the mail can be sent on to the intended recipient.

Backups come into play once a database has been encrypted. They allow schools and other organizations to restore data without handing over any requested ransom. Best practice in this regard is to store backups off-site; cloud backups are primarily used in the disaster recovery strategies required after a ransomware attack. Training and user education is another security measure. Cybersecurity training will help teaching staff identify the telltale signs of a phishing email and cut off the attack as soon as it begins.

The vast majority of schools have begun to implement digital means of communicating and working with students and parents. This is a very efficient way of corresponding and allowed education to continue during all of the COVID-19 enforced lockdowns. However, this also brings new challenges for educational bodies. Cybersecurity may only have been a minimal concern ten years ago, but now it needs to be tackled head on to avoid students and staff becoming the victims of hackers.

One very useful tool is WebTitan on-the go (OTG) for Chromebooks. This will allow your organization to safeguard all of your Chromebook users from the dangers associated with online usage. This security solution has been specifically created with the education sector in mind. Along with supporting CIPA compliance it is an inexpensive security filtering solution for Chromebooks.

Schools implementing the WebTitan Chromebook client can simply apply policies for all of their Chromebook users by group. Read more information about using WebTitan OTG for Chromebooks here

Hackers Infiltrate Passwordstate Notification Letters to Spread Malware

A cybercriminal group has managed to leverage email alerts, sent to notify users of an available update, in order to infect databases with malware.

The software update feature of the Passwordstate password manager was infiltrated to attack enterprise users of the password manager solution. The supply chain attack also successfully targeted account holders with malware known as Moserpass at different points from April 20 to April 22.

Anyone who sought to obtain an update using the In-Place Upgrade mechanism was potentially in receipt of the malicious file, downloaded as Passwordstate_upgrade.zip.

If the file was installed, it kicked off a chain of events allowing Moserpass to become active and gather information about any linked device or network, along with password data from the Passwordstate app. The malware also had a loader feature which may allow the download of other malware strains onto victims’ devices. Because passwords may have been stolen, impacted users have been warned to change all of their passwords.

While the cyberattack was mitigated in less than 30 hours, users were issued a request from Click Studios, the developer of the password app, to apply a hotfix to remove the malware from their systems. Sadly, having discovered the requests being shared via social media platforms, the hackers sent an identical email as part of a phishing campaign, providing a link to a website that they controlled. Instead of a fix to remove the Moserpass malware, an updated version of Moserpass was delivered to anyone unfortunate enough to fall for the scam.

The emails were, naturally enough, extremely realistic, and recipients who followed the instructions in the email would likely think they were removing malware when they were actually downloading it. The fake versions of the emails do not include the domain suffix used by Click Studios, request that the hotfix be installed from a subdomain, and claim an ‘urgent’ update is necessary to fix a bug, but it is easy to see how these messages could trick end users.

Click Studios provided password management services for approximately 29,000 companies and the solution has hundreds of thousands of users, many of whom will have heard of the breach and be worried about a malware infection. Click Studios said only a very small number of its customers were affected and had the malware installed – those who downloaded the update in the 28-hour period between April 20 and April 22 – but anyone receiving the fake email could well have been convinced that the email was genuine and implemented the download as directed.

It is a common tactic of cybercriminals to attempt to leverage fake security warnings to conduct attacks, and data breach notifications are perfect for deployment in phishing attacks. This Passwordstate breach notification phishing campaign shows how crucial it is to double-check every message for any indication of phishing, even if the email content appears to be authentic and the message includes what looks like the proper logos, and it shows the dangers of posting copies of genuine breach notification letters on social media networks.

Many phishing attacks are complex by nature, and it can be tricky for email recipients to tell what is genuine from what is malicious. This is why your group requires an advanced spam and phishing security solution. If you want the best defenses against phishing, contact TitanHQ now and see how SpamTitan Email Security can enhance your security and keep your organization safe from phishing and other email-based attacks.

DriveSure Clients Exposed Publicly as 3.2 Million Data Records Breached

Despite the fact that the vast majority of groups invest in the highest standards of training and security measures so that they can safeguard their databases from cybercriminals, breaches still happen, exposing vast amounts of protected information.

Recently cybercriminals illegally obtained more than 3.2 million data records from DriveSure, a training site used to help car dealerships sell to and retain customers. This data had been stored in the company’s MySQL database, meaning that credentials for the site and many others were publicly exposed to anyone who could get hold of the information in question.

DriveSure has millions of customers who subscribe for training and course material. These customers handed over their complete names, addresses, phone numbers, emails, vehicle VIN numbers, service records, and damage claims, among many other pieces of information. Large corporate accounts and military addresses were also impacted as part of the breach.

Earlier in 2021, experts discovered that this information had been published on a number of hacking forums. While the majority of cybercriminals sell data like this for a profit, in this case the hackers did not seem interested in making money. Instead the hacker made the entire database of stolen data available for free, without requesting any money.

The attacker’s motive remains unclear, but the data was made available free of charge on many hacking forums. This made the data freely available to anyone who was able to locate the files online. As more people downloaded the files, the data became available to more people on other sites. Any user who subscribed to DriveSure needs to now amend their passwords.

Apart from the private sensitive data, the individual responsible for the DriveSure breach also made over 93,000 bcrypt-hashed passwords available for download. In a secure application, the developer stores a password as a hashed value with a salt to make it more difficult to recover. The bcrypt function is standard for hashing passwords, so DriveSure used a cryptographically secure way to hold passwords. Even if a password hash is cryptographically secure, downloaded hashes can be brute forced for as long as the attacker likes, since nothing is in place to restrict the number of attempts. Weak passwords can be brute forced even when stored as a cryptographically secure hash.

The problem with having hashed passwords available is that a hacker can spend days running scripts against all of them. Any poor passwords can be brute forced, and many users employ the same password across multiple sites. Since email addresses are also available, an attacker can use scripts to take over accounts across multiple sites using the same passwords stolen from the DriveSure site. This gives a hacker access to any account that uses the same password across a number of different sites, including the DriveSure site.
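To make the two preceding paragraphs concrete, here is an added Python example (not DriveSure's code and not from the original article) of the three controls they point at: a salted, deliberately slow password hash; rejection of weak or already-breached passwords at registration; and a per-account attempt limit for online logins, which is the control that is absent once an attacker holds the hash file. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it here, with the iteration count playing the role of bcrypt's cost factor. The breached-password list and the lockout parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

# Work factor. This is the role bcrypt's "cost" parameter plays; PBKDF2 is used
# only because it ships with the standard library (assumption of this example).
ITERATIONS = 100_000

# Constructed sample of passwords that appear in public breach dumps. A real
# deployment would check a full breach corpus; this list is not data from the page.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "drivesure"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest'. A fresh random salt per user
    means two users with the same password still get different stored hashes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare
    in constant time so the check does not leak how many bytes matched."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def is_acceptable_password(password: str) -> bool:
    """Refuse the short and reused passwords that offline guessing recovers first."""
    return len(password) >= 12 and password.lower() not in BREACHED_PASSWORDS


class LoginThrottle:
    """Per-account attempt limit for online logins. It does nothing against an
    attacker who already holds the hash file, which is why the work factor and
    the password policy above matter as well."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def attempt(self, username: str, password: str, stored: str,
                now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if self._locked_until.get(username, 0.0) > now:
            return "locked"
        if verify_password(password, stored):
            self._failures.pop(username, None)
            self._locked_until.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= self.max_attempts:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = 0
        return "denied"


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    throttle = LoginThrottle(max_attempts=3, lockout_seconds=60)
    for guess in ("password", "123456", "qwerty", "correct horse battery staple"):
        print(guess, "->", throttle.attempt("alice", guess, stored))
```

Run as a script, the fourth attempt reports "locked" even though the password is right, because three failures in a row locked the account first; that is the online control the text says was missing, and it only helps when the attacker has to go through the login endpoint.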

The company encrypted the data that compliance standards require to be encrypted, but much of the data is available in plaintext.

Email filters could have blocked spoofing attacks so that the leaked database could not be used against the organization in a phishing attack. Additionally, users should have been informed that it is unacceptable to use the same password across several accounts, to avoid problems in future.

2020 Witnessed Massive Surge in Healthcare Breaches

According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), in early 2020, following the outbreak of COVID-19, a huge number of large healthcare data breaches were registered, more than in any other year. The Tenable Research 2020 Threat Landscape Report reported that the largest data breach of 2020, which exposed 22bn records of personal data, impacted the healthcare sector. An article published by the HIPAA Journal in January 2021 reported that:

  • Over 29 million healthcare records were impacted during 2020
  • A rate of 1.76 healthcare-related data breaches per day was recorded
  • Healthcare data breaches grew by 25% year-over-year
  • During 2020 642 healthcare data breaches of 500 or more records were discovered

In addition to this:

  • The total amount of healthcare data breaches has doubled since 2014 and tripled since 2010.
  • Over 3,700 breaches of 500 or more records have been reported since October 2009
  • Since 2009 the total number of exposed records is more than 78 million

How Data Breaches Occur

These data breaches happen as a result of three main factors:

  • Cyberattacks – malicious hacking campaigns
  • Endpoint devices being stolen or lost
  • Unauthorized disclosure of personal healthcare information

The size of the breaches is worrying. One of the largest, which targeted Dental Care Alliance, was discovered on October 11 and comprised the payment card numbers of more than 1 million patients. The hackers initially obtained access to the DCA systems on September 18, and a solution was not put in place until October 13. Along with payment card data, those responsible may have illegally taken patient names and contact information as well as medical and insurance information. Patients were made aware of the attack in early December, and approximately 10% of the patients later reported a breach of their account numbers.

There are many factors that have led to the huge spike in attacks over the last 14 months. As in many sectors, the change to remote work and the pressure the COVID-19 pandemic has placed on healthcare organizational leaders has been one of the main reasons. However, money has been the main factor behind the rise of cyberattacks on the healthcare industry. Patient records are valuable on the open market due to the personal and private data they contain. While credit card information will only garner a few dollars on its own, patient data can be sold for up to $150 per record. Sadly, an infiltrated record cost the victimized group an average of $499 last year, a 16% annual increase.

Healthcare bodies have a responsibility to secure their patients’ data from potential data theft. TitanHQ can assist healthcare bodies with a solution to stop hackers from obtaining sensitive data. Get in touch with TitanHQ now and learn how our award-winning solutions will secure your business and patients.

Employee Password Sharing Policies

How many times have you received a phone call or an email from a manager in your group requesting the password of an employee so that they can log onto their email account?

This request is typically issued when an employee is on annual leave and a call is received from a client or co-worker wishing to know whether they have completed a request sent before they left. More often than not, a client has sent an email to their account manager before he or she went on vacation, but it was accidentally neglected.

Access to the email account is crucial to prevent embarrassment or to ensure that a sales opportunity does not go begging. Maybe the specific employee has failed to configure their Out of Office reply and clients are not aware that they need to get in touch with a different person to get their questions addressed.

In years past, managers used to maintain a log of all users’ passwords in a file on their computer. Should an emergency occur, they could look up the password and access any user account. However, this is dangerous and is no longer an acceptable thing to do. It also compromises the privacy of employees: if a password is known by any other person, there is nothing to prevent that person from using those login details any time they like. Since passwords are often reused for personal accounts as well as work accounts, sharing that password could compromise the individual’s personal accounts too.

Keeping lists of passwords also makes it more difficult to take action over inappropriate internet and email usage. If a password has been shared, there is no way of ascertaining whether an individual has broken the law or breached company policies; it could have been someone else using that person’s login credentials.

IT workers are therefore not allowed to share passwords. Instead they must reset the user’s password and create a temporary one, which the user will need to reset when they return to work. Many managers will be ill at ease with these procedures and will still want to maintain their lists. Workers will be unhappy, as they often use their work email accounts to send personal emails. Resetting a password and sharing manager access could be perceived as a major invasion of privacy.

However, there is an easy solution which ensures that the privacy of individuals is assured while forgotten Out of Office auto-responders can still be created, so crucial emails will not go unnoticed either. To achieve this you can establish shared mailboxes, although these are not always popular.

If this is done in Outlook, a manager may need to set it up in their Outlook program. They will also need to guide staff members on how to use the shared mailboxes, and policies might need to be devised. They may have to permanently keep the mailboxes of multiple teams open in Outlook.

There is a different option, and that is to share permissions. This control is more difficult to set up as it requires an MS Exchange administrator to allow Delegate Access. Using Delegate Access makes it possible for a person with the appropriate authorizations to send an email on behalf of another staff member. This means mailboxes do not have to be accessible all the time; they can just be opened when an email must be sent. This may be perfect, but it will not allow a manager to implement a forgotten Out-of-Office auto-responder.

That would mean a member of the IT department, such as a domain administrator, would have to create it. A ticket would need to be filed requesting the action to be completed. This may not be popular with managers, but it is the only way for the task to be completed without sharing the user’s login credentials or creating a temporary password, which would breach their privacy.

Groups must tackle an ever-growing threat from hackers. In 2019 and 2020, we have witnessed many high-profile data breaches, leading to significant financial repercussions and damaged brand reputation. Password-sharing at work comes with a huge danger for groups. 81% of breaches begin with stolen or weak passwords. When cybercriminals obtain entry to your database, shared passwords make it easier for them to access other sections of your network.

Multi-Factor Authentication to Prevent Password Sharing

When MFA is configured, access is only allowed when the user completes two authentication factors. For instance, they first complete the password step and then must complete another authentication request, such as entering a code sent to a device. Multi-factor authentication, like any security process, works best when employed along with other security strategies.

If a complete ban on password sharing is not in place in your organization, it must be set up as soon as possible. To discover more in relation to password security and some of the key protections you can implement to enhance your resilience against attacks, contact the SpamTitan team now.