Gift Card Scams Warning Issued for Holiday Season

Giving gift vouchers as Christmas presents is always popular and this year is no exception. Many gift card-themed scams were detected over Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into parting with their credit card details.

2018 has seen a surge in business email compromise (BEC) style tactics, with emails appearing to have been sent from within a company. The emails purport to come from the CEO (or another executive) and ask accounts and administration staff to purchase gift cards for clients, or request that gift cards be purchased for charitable donations.

To minimize the risk from gift card scams and other holiday-themed phishing emails, companies must ensure they have strong spam filtering technology in place to block the emails at source and prevent them from landing in inboxes.

Consumers can be tricked into parting with credit card details, but businesses too are in danger. Most of these campaigns are carried out in order to gain access to login credentials or are used to install malware. If an end user responds to such a scam while at work, it is their employer that will be hit with the cost of being hacked.

2018 has seen many businesses targeted with gift card scams. The latest reports from Proofpoint suggest that, of the organizations targeted with email fraud attacks, almost 16% had seen a gift card-themed attack, up from 11% in Q2 2018.

Many businesses use Office 365, but even Microsoft’s anti-phishing security has allowed phishing emails to slip through the net, especially at businesses that have not paid extra for advanced phishing protection. Even with the advanced anti-phishing security measures, emails still make it past Microsoft’s filters.

To obstruct these malicious messages, an advanced third-party spam filter is necessary.

Office 365 Phishing Emails Masquerade as Non-Delivery Alerts

A new phishing campaign was discovered by ISC Handler Xavier Mertens and the campaign seems to still be active.

The phishing emails closely resemble legitimate Office 365 non-delivery alerts and include Office 365 branding. As with official non-delivery alerts, the user is warned that messages have not been delivered and told that action is required.

The Office 365 phishing emails state that “Microsoft found Several Undelivered Messages” and attribute the non-delivery to “Server Congestion.” The emails ask the sender to retype the recipient’s email address and send the message again, although conveniently they include a Send Again button.

If users use the Send Again button, they will be sent to a website that closely resembles the official Office 365 website and includes a login box that has been auto-populated with the user’s email address.

If the password is entered, a JavaScript function sends both the email address and password to the hacker. The user is then redirected to the genuine outlook.office365.com website, where they are shown a real Office 365 login box.

While the Office 365 phishing emails and the website look genuine, there are signs that all is not what it seems. The emails are well composed and the sender’s address – postmaster@us.ibm.com – looks official, but there is irregular capitalization in the warning message: something that would not appear in an official Microsoft notification.

The clearest indication that this is a phishing scam is the domain to which users are sent if they click on the Send Again button. It is not an official Microsoft domain (agilones.com).

While the mistake in the email may be overlooked, users should notice the domain, although some users may proceed and type passwords as the login box is identical to the login on the official Microsoft site.

The campaign shows just how vital it is to carefully check every message before taking any action and to always review the domain before disclosing any sensitive data.
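As an added example (not code from the original article), the check below shows why "review the domain" has to mean parsing the hostname rather than scanning the URL for a familiar name; the sample URLs are constructed, and agilones.com is the domain named above. It assumes an organisation keeps its own allow-list of Microsoft sign-in domains.

```python
"""Checking whether a login page really sits under a trusted domain.

A naive substring test is fooled by look-alike hosts and by userinfo tricks,
so the hardened check parses the URL and compares registrable-domain suffixes.
"""
from urllib.parse import urlsplit

# Assumption: the organisation maintains this allow-list of Microsoft sign-in domains.
TRUSTED_LOGIN_DOMAINS = {
    "microsoftonline.com",
    "office365.com",
    "office.com",
    "microsoft.com",
}


def naive_looks_official(url: str) -> bool:
    """The weak check: a familiar name anywhere in the URL is taken as proof."""
    return "office365.com" in url.lower()


def hostname_is_trusted(url: str) -> bool:
    """Hardened check.

    The parsed hostname (not the raw URL) must equal a trusted domain or be a
    subdomain of one.  A dot boundary is required, so 'evil-office365.com' fails,
    and so does 'outlook.office365.com.agilones.com', whose registrable domain
    is agilones.com.  Only HTTPS pages are accepted.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LOGIN_DOMAINS)


def compare_checks(url: str) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {"naive": naive_looks_official(url), "hardened": hostname_is_trusted(url)}


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    for sample in (
        "https://outlook.office365.com/owa/",
        "https://outlook.office365.com.agilones.com/login",
        "https://agilones.com/office365.com/login",
        "https://outlook.office365.com@agilones.com/",
    ):
        print(sample, compare_checks(sample))
```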

Hackers use Office 365 phishing emails because so many companies have signed up to Office 365. Mass email campaigns therefore have a high chance of reaching an Outlook inbox. It is also easy to target Office 365 users specifically: a business that uses Office 365 advertises the fact through its public DNS MX records.

Firms can improve their resilience to phishing attacks through mandatory security awareness training for all workers. Employees should be told to always review messages carefully and should be taught how to identify phishing emails.

Companies should also ensure they have an advanced spam filtering solution in place. While Microsoft does offer anti-phishing protection for Office 365 through its Advanced Threat Protection (ATP) offering, companies should consider using a third-party spam filtering solution alongside Office 365.

SpamTitan supplies superior protection against phishing and zero-day attacks, an area where ATP performs poorly.

500 Million Guests Impacted in Marriott Hotels Data Breach

A Marriott Hotels data breach has been discovered which could impact up to 500 million customers who previously made bookings at Starwood Hotels and Resorts. While the data breach is not the biggest ever reported – the 2013 Yahoo breach exposed up to 3 billion records – it ties as the second largest ever with the 2014 Yahoo data breach, which also impacted around half a billion users.

The Marriott data breach may not have impacted as many Internet users as the 2013 Yahoo data breach, but given the range of information stolen it is arguably more serious. Almost 173 million individuals have had their name, mailing address, and email address stolen, and around 327 million customers have had a combination of their name, address, phone number, email address, date of birth, gender, passport number, booking data, arrival and departure dates, and Starwood Guest Program (SPG) account numbers illegally taken. Marriott also believes credit card details may have been stolen. While the credit card numbers were encrypted, Marriott cannot confirm whether the two pieces of data required to decrypt them were also taken by the hacker.

Along with past guests at Starwood Hotels and Resorts and Starwood-branded timeshare properties, guests at Sheraton Hotels & Resorts, Westin Hotels & Resorts, W Hotels, St. Regis, Aloft Hotels, Element Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, and Four Points by Sheraton are affected, along with guests at Design Hotels that registered for the SPG program.

The data breach was discovered by Marriott on September 8, 2018, following an attempt by an unauthorized person to access the Starwood database. The investigation showed that the cybercriminal behind the attack first gained access to the Starwood database in 2014. It is currently not public knowledge how access to the database was obtained.

The Marriott hotels data breach is extremely serious and will prove massively expensive for the hotel group. Marriott has already offered U.S.-based victims free enrollment in WebWatcher and has paid for third-party experts to review and help address the breach, and the hotel group will be strengthening its security and phasing out the Starwood databases.

Even though the Marriott hotels data breach has only just been made public, two class action lawsuits have already been filed. One of the lawsuits seeks damages totaling $12.5 billion – $25 per person impacted.

There is also the possibility of an E.U. General Data Protection Regulation (GDPR) fine. Fines of up to €20 million, or 4% of global annual revenue, whichever is greater, can be imposed. That could place Marriott at risk of a $916 million (€807 million) penalty. The UK’s Information Commissioner’s Office – the GDPR supervisory authority in the UK – has been made aware of the breach and is making enquiries.

Danger of Marriott Data Breach Related Phishing Attacks

Marriott has sent email notifications to those impacted by the breach from the domain email-marriott.com. Rendition Infosec/FireEye researchers bought the domains email-marriot.com and email.mariott.com just after the announcement to keep them out of the hands of hackers. Other similar domains may be bought by less scrupulous individuals for use in phishing attacks.

A breach of this extent is also ideal for speculative phishing attempts that spoof the email domain owned by Marriott. Mass email campaigns will likely be sent indiscriminately in the hope that they reach breach victims or individuals who have previously stayed at a Marriott hotel or one of its associated brands.
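The look-alike domains above (email-marriot.com, email.mariott.com) are each a small edit away from the genuine notification domain, which is something a mail gateway can score. This is an added example, not code from the article or from Marriott; it assumes the organisation keeps its own list of legitimate domains, and the From: headers it runs over are constructed.

```python
"""Flag sender domains within a small edit distance of a legitimate domain."""
import re

# Assumption: the organisation maintains this list itself.
LEGITIMATE_DOMAINS = {"email-marriott.com", "marriott.com"}
MAX_EDIT_DISTANCE = 2  # 'email-marriot.com' is 1 edit away, 'email.mariott.com' is 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@domain>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(from_header: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one From: header."""
    domain = sender_domain(from_header)
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate"
    # A near miss of a trusted domain is more suspicious than a random one.
    if any(edit_distance(domain, good) <= MAX_EDIT_DISTANCE for good in LEGITIMATE_DOMAINS):
        return "lookalike"
    return "unrelated"


# Constructed sample headers for the demonstration (not real mail).
SAMPLE_HEADERS = [
    "Marriott <notice@email-marriott.com>",
    "Marriott <notice@email-marriot.com>",
    "Marriott <notice@email.mariott.com>",
    "Marriott <notice@rnarriott.com>",      # 'rn' standing in for 'm'
    "Deals <promo@example.org>",
]


def triage(headers):
    """Classify each header; returns a list of (domain, verdict) pairs."""
    return [(sender_domain(h), classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_HEADERS):
        print(f"{domain:25} {verdict}")
```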
TrickBot Malware Updated with POS Data Stealing Capabilities

A never-before-seen module has been added to TrickBot malware that implements point-of-sale (POS) data collection functionality.

TrickBot is a modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing capability, but the most recent update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: businesses that process large volumes of card payments.

The new module was discovered by security experts at Trend Micro who note that, at present, the module is not being deployed to record POS data such as credit/debit card details. At present, the new TrickBot malware module is only gathering data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The experts have not yet discovered how the POS information will be used, but it is highly probable that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been selected, they will likely be subjected to further intrusions.

The new module, titled psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by sending LDAP queries to Active Directory services that search for a dnsHostName containing strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term’.
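Because the reconnaissance described above is a sweep of wildcard dnsHostName queries for a known list of terms, a domain controller's LDAP search log is a natural place to detect it. The detection below is an added example, not code from the article or from Trend Micro; the log format and the sample lines are constructed, and the per-client threshold is an assumption.

```python
"""Detect psfin32-style POS reconnaissance in LDAP search logs."""
import re
from collections import defaultdict

# Terms the article reports the module searching for in dnsHostName.
POS_TERMS = ("pos", "retail", "store", "micros", "cash", "reg", "aloha", "lane", "boh", "term")

# Assumption: a single wildcard lookup can be legitimate admin activity, but one
# client sweeping several POS terms is worth an alert.
MIN_TERMS_PER_CLIENT = 3

# Constructed sample lines (not real logs), modelled loosely on a DC's LDAP search audit.
SAMPLE_LOG = """\
2018-12-03T10:21:07Z client=10.1.4.22 filter=(&(objectClass=computer)(dnsHostName=*pos*))
2018-12-03T10:21:08Z client=10.1.4.22 filter=(&(objectClass=computer)(dnsHostName=*retail*))
2018-12-03T10:21:08Z client=10.1.4.22 filter=(&(objectClass=computer)(dnsHostName=*aloha*))
2018-12-03T10:21:09Z client=10.1.4.22 filter=(&(objectClass=computer)(dnsHostName=*term*))
2018-12-03T10:22:30Z client=10.1.9.7 filter=(sAMAccountName=jsmith)
2018-12-03T10:23:01Z client=10.1.9.8 filter=(dnsHostName=printer-store-01.corp.example)
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+filter=(?P<filter>\S+)")
# One (attribute=value) leaf of an LDAP filter; the &/| operators are skipped.
ATTR_RE = re.compile(r"\((?P<attr>[A-Za-z0-9-]+)=(?P<value>[^()]*)\)")


def pos_terms_in_filter(ldap_filter: str) -> set:
    """Return the POS terms a filter's wildcard dnsHostName clauses search for."""
    hits = set()
    for m in ATTR_RE.finditer(ldap_filter):
        if m.group("attr").lower() != "dnshostname":
            continue
        value = m.group("value").lower()
        if "*" not in value:
            continue  # exact-name lookups are ordinary admin traffic
        core = value.strip("*")
        # Short terms such as 'reg' or 'pos' will also match inside longer words;
        # the per-client threshold below keeps that from alerting on its own.
        hits.update(term for term in POS_TERMS if term in core)
    return hits


def detect_pos_recon(log_text: str) -> dict:
    """Map client -> sorted POS terms for clients that swept enough distinct terms."""
    terms_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        terms_by_client[m.group("client")] |= pos_terms_in_filter(m.group("filter"))
    return {client: sorted(terms)
            for client, terms in terms_by_client.items()
            if len(terms) >= MIN_TERMS_PER_CLIENT}


if __name__ == "__main__":
    for client, terms in detect_pos_recon(SAMPLE_LOG).items():
        print(f"ALERT {client} swept POS terms: {', '.join(terms)}")
```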

The timing of the update, so near to the holiday period, implies that the threat actors are planning to take advantage of the busy holiday trade and are gathering as much information as possible before the module is used to collect POS data.

The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (identified by Brad Duncan) targeting companies in the United States. The malspam campaign uses Word documents containing malicious macros that install the TrickBot binary.

Protecting against TrickBot and other data stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector the threat actors use to deliver TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to stop malicious messages from reaching end users’ inboxes. End user training is also important to ensure employees are aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and visiting hyperlinks in those messages.

Antivirus solutions and endpoint security measures should also be used to identify and quarantine potentially malicious files in case malware makes it past perimeter defenses.

New Variant of Dharma Ransomware Discovered

A new Dharma ransomware variant has been created that is currently evading detection by most antivirus engines.

Heimdal Security say that the most recent Dharma ransomware variant captured by its researchers was only identified as malware by one of the 53 AV engines on VirusTotal.

Dharma ransomware (also known as CrySiS) was first seen in 2006 and is still being developed. This year, many new Dharma ransomware variants have been released, each using a new file extension for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron, to name but a few). In the past two months alone, four new Dharma ransomware variants have been discovered.

The threat actors behind Dharma ransomware have claimed many victims in recent months. Recent successful attacks include Altus Baytown Hospital in Texas, the Arran Brewery in Scotland, and the Port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly renders them obsolete. Infection with the most recent variants leaves victims only three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.

The last of these is not an option given the number of files that are encrypted. Restoring files from backups is not always possible, as Dharma ransomware can also encrypt backup files and can erase shadow copies. Paying the ransom is not a solution either, as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, processes, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: exploitation of Remote Desktop Protocol (RDP) and email malspam campaigns.

The most recent Dharma ransomware variant attacks involve an executable delivered via a .NET file and an HTA file. Infections via RDP occur through brute force attempts to guess passwords on RDP-enabled endpoints. Once a password is obtained, the malicious payload is executed.

While it is not exactly obvious how the Arran brewery attack happened, a phishing attack is suspected. Phishing emails had been received just before file encryption. Arran Brewery’s managing director Gerald Michaluk said: “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental”.

To safeguard against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is a requirement, access should only be possible through a VPN and strong passwords should be set. Rate limiting on login attempts should be configured to block further attempts after a set number of failures.
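The brute-force attempts described above leave a trail of failed RDP logons, so the same "set number of failures" can drive detection as well as lockout. The following is an added example (not from the article or from Heimdal Security) that runs over constructed Windows Security events in JSON lines form: event 4625 is a failed logon, and logon type 10 is RemoteInteractive, the type RDP sessions use. The threshold and window are assumptions.

```python
"""Sliding-window detection of RDP password guessing from failed-logon events."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5           # assumption: mirrors a lockout policy of 5 failures
WINDOW = timedelta(minutes=2)   # assumption: failures must fall within 2 minutes

# Constructed sample events (not real logs), one JSON object per line and in
# chronological order, which the sliding window below relies on.
SAMPLE_EVENTS = """\
{"time":"2018-12-03T02:00:00","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.45","TargetUserName":"guest"}
{"time":"2018-12-03T02:14:01","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.45","TargetUserName":"administrator"}
{"time":"2018-12-03T02:14:03","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.45","TargetUserName":"administrator"}
{"time":"2018-12-03T02:14:06","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.45","TargetUserName":"admin"}
{"time":"2018-12-03T02:14:08","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.45","TargetUserName":"admin"}
{"time":"2018-12-03T02:14:11","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.45","TargetUserName":"root"}
{"time":"2018-12-03T02:14:14","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.45","TargetUserName":"root"}
{"time":"2018-12-03T02:15:10","EventID":4625,"LogonType":10,"IpAddress":"198.51.100.9","TargetUserName":"jdoe"}
{"time":"2018-12-03T02:15:20","EventID":4624,"LogonType":10,"IpAddress":"198.51.100.9","TargetUserName":"jdoe"}
{"time":"2018-12-03T02:30:00","EventID":4625,"LogonType":3,"IpAddress":"10.1.1.5","TargetUserName":"svc"}
"""


def detect_rdp_bruteforce(events_text: str) -> dict:
    """Return {source_ip: alert} for sources exceeding the failure threshold.

    Only failed RemoteInteractive logons count.  Each source keeps a deque of
    recent failures; entries older than WINDOW are dropped before the count is
    compared with the threshold, so an old stray failure (the 'guest' line) does
    not contribute.  One alert per source is enough for a gateway to act on.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["EventID"] != 4625 or ev["LogonType"] != 10:
            continue
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["IpAddress"]
        window = recent[ip]
        window.append((ts, ev["TargetUserName"]))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        if len(window) >= FAILURE_THRESHOLD and ip not in alerts:
            alerts[ip] = {
                "first_seen": window[0][0].isoformat(),
                "failures": len(window),
                "usernames": sorted({user for _, user in window}),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {alert['failures']} RDP failures since {alert['first_seen']}, "
              f"accounts tried: {', '.join(alert['usernames'])}")
```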

Naturally, good backup policies are vital. They ensure that file recovery is possible without paying a ransom. Multiple copies of backups should be made, with one copy held securely off site.

To safeguard against email-based attacks, an advanced spam filter is needed. Spam filters that rely on AV engines may not notice the latest ransomware variants. Advanced analyses of incoming messages are vital.

SpamTitan can enhance protection for businesses through a combination of two AV engines and predictive techniques that block new types of malware whose signatures have not yet been added to AV engines.

For more information on SpamTitan and safeguarding your email gateway from ransomware attacks and other threats, contact TitanHQ’s security experts today.

Flash Player Vulnerability Being Actively Exploited via Spear Phishing Campaign

Adobe has released an unscheduled update to correct vulnerabilities in Adobe Flash Player, including a zero-day flaw that is currently being targeted in the wild by an APT threat group on targets in Russia. One target was a Russian healthcare center that supplies medical and cosmetic surgery services to high level civil servants of the Russian Federation.

The zero-day flaw is a use-after-free vulnerability – CVE-2018-15982 – which enables arbitrary code execution and privilege escalation in Flash Player. A malicious Flash object executes malicious code on a victim’s computer, giving command line access to the system.

The vulnerability was noticed by security researchers at Gigamon ATR who reported the vulnerability to Adobe on November 29. Researchers at Qihoo 360 discovered a spear phishing campaign that is being used to send a malicious document and linked files that exploit the weakness. The document used in the campaign was a forged staff questionnaire.

The emails included a .rar compressed file attachment containing a Word document, the exploit, and the payload. If the .rar file is unpacked and the document viewed, the user is shown a warning that the document may damage the computer. If the content is activated, a malicious command is run which extracts and launches the payload – a Windows executable named backup.exe that is disguised as an NVIDIA Control Panel application. Backup.exe acts as a backdoor into the system. The malicious payload gathers system data, which is sent back to the hackers via HTTP POST. The payload also downloads and runs shellcode on the infected device.

Qihoo 360 researchers have labelled the campaign Operation Poison Needles due to the identified target being a healthcare center. While the attack seems to be politically motivated and highly targeted, now that details of the vulnerability have been made public it is likely that other threat groups will use exploits for the vulnerability in more and more attacks.

It is therefore vital for companies that have Flash Player installed on some of their devices to update to the most recent version of the software as soon as they can. That said, removing Flash Player, if it is not required, is a better option given the number of vulnerabilities that are identified in the software each month.

The vulnerability affects Flash Player 31.0.0.153 and all previous versions. Adobe has addressed the flaw, together with a DLL hijacking vulnerability, in version 32.0.0.101.

Starbucks Porn Filter to Finally be Implemented in 2019

A Starbucks porn filter will be introduced in 2019 to stop adult content from being accessed by customers connected to the chain’s free WiFi network.

It has taken a considerable amount of time for the Starbucks porn filter to be applied. In 2016, the coffee shop chain agreed to put in place a WiFi filtering solution following a campaign from the internet safety advocacy group Enough is Enough, but two years on and a Starbucks porn filter has only been applied in the UK.

Companies Pressured to Put in Place WiFi Filters to Block Porn

Enough is Enough launched its Porn Free WiFi campaign – since renamed the SAFE WiFi campaign – to pressure companies that offer free WiFi to customers to apply WiFi filters that prevent access to adult content. In 2016, over 50,000 petitions were sent to the CEOs of Starbucks and McDonald’s urging them to apply WiFi filters and take the lead in preventing access to pornography and child porn on their WiFi networks.

After petitioning McDonald’s, the global restaurant chain took swift action and rolled out a WiFi filter across its 14,000 restaurants. However, Starbucks has been slow to take steps. After the McDonalds announcement in 2016, Starbucks agreed to roll out a WiFi filter once it had determined how to limit access to unacceptable content without involuntarily blocking unintended content. Until the Starbucks porn filter was applied, the coffee shop chain said it would reserve the right to stop any behavior that negatively impacted the customer experience, including activities on its free WiFi network.

The apparent lack of action led Enough is Enough to increase the pressure on Starbucks. On November 26, 2018, Enough is Enough president and CEO Donna Rice Hughes issued a fresh call for a Starbucks porn filter to be put in place and for the coffee chain to follow through on its 2016 promise. Rice Hughes also called on the public to sign a new petition calling for the Starbucks porn filter to finally be implemented.

Starbucks Porn Filter to Be Launched in All Regions in 2019

Starbucks has responded to Enough is Enough, via Business Insider, stating that it has been testing a variety of WiFi filtering solutions and has identified one that meets its needs. The Starbucks porn filter will be released across all its cafes in 2019.

All companies that offer free WiFi to their customers have a responsibility to ensure that their networks cannot be abused and remain ‘family-friendly.’ It is inevitable that some individuals will abuse the free access and flout acceptable use policies. A technical solution is therefore necessary to enforce those policies.

While Enough is Enough is focused on ensuring adult content is prevented, there are other benefits of WiFi filtering. A WiFi filter protects customers from malware downloads and can stop them accessing phishing websites. All manner of egregious and illegal content can be restricted.

WiFi filters can also help companies conserve bandwidth to make sure that all customers can log on to the Internet and enjoy reasonable speeds.

TitanHQ has long been a supporter of WiFi filtering for public WiFi hotspots and has developed WebTitan Cloud for WiFi to allow businesses to easily restrict access to unacceptable and illegal web content on WiFi networks.

WebTitan Cloud for WiFi allows companies to carefully control the content that can be accessed over WiFi without involuntarily blocking unintended content. Being 100% cloud based, no hardware purchases have to be completed and no software downloads are necessary.

The solution offers companies advanced web filtering capabilities through an easy to use intuitive user interface. No IT consultants are needed to implement and run the solution. It can be set up and managed by individuals that have little to no technical knowhow.

The solution is highly scalable and can be used to safeguard thousands of users, at multiple locations around the globe, all managed through a single user interface.

If you run a company that offers free WiFi to customers and you have not yet started controlling the activities that can take place over your WiFi network, contact TitanHQ today for further information on WebTitan Cloud for WiFi.

Managed Service Providers (MSPs) that want to start providing WiFi filtering to their clients can join the TitanHQ Alliance. All TitanHQ solutions have been created to meet the needs of MSPs and make it simple for them to add new security capabilities to their service stacks.

Lion Air Spear Phishing Campaign Spreading Cannon Trojan

A new malware variant, labelled the Cannon Trojan, is being used in targeted attacks on government agencies in the United States and Europe. This malware threat has been strongly linked to a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednit, Strontium – that has connections to the Russian government.

The Cannon Trojan is being used to collate data on potential targets, collecting system information and capturing screenshots that are sent back to APT28. The Cannon Trojan is also an installer capable of installing further malware variants onto an impacted system.

This recently detected malware threat is stealthy and uses a mix of tricks to evade detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates through email over SMTPS and POP3S.

Once installed, the malware sends an email over SMTPS on port 465 and obtains two further email addresses, through which it communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 has been seen previously, it is relatively unusual. One benefit of this method of communication is that it is more difficult to identify and block than HTTP/HTTPS.
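One way to make the email channel described above visible again is to look for endpoints that speak SMTPS and POP3S to mail servers other than the organisation's own. The detection below is an added example, not code from the article or from Unit 42; it assumes flow records reduced to "src dst dport" lines and a known list of corporate mail hosts, and the sample flows are constructed.

```python
"""Find endpoints using non-corporate mail servers over SMTPS (465) and POP3S (995)."""
from collections import defaultdict

# Assumption: the organisation's own mail hosts; anything else is 'external'.
CORPORATE_MAIL_HOSTS = {"mail.corp.example"}
MAIL_PORTS = {465: "smtps", 995: "pop3s"}

# Constructed sample flow records (not real traffic): source, destination, destination port.
SAMPLE_FLOWS = """\
10.2.0.15 mail.corp.example 465
10.2.0.15 mail.corp.example 995
10.2.0.31 smtp.free-mail.example 465
10.2.0.31 pop.free-mail.example 995
10.2.0.31 pop.free-mail.example 995
10.2.0.44 smtp.free-mail.example 465
10.2.0.52 www.news.example 443
"""


def parse_flows(text: str) -> list:
    """Parse 'src dst dport' lines into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        flows.append((src, dst.lower(), int(port)))
    return flows


def find_suspect_mail_c2(text: str) -> dict:
    """Map each source using external mail hosts to the hosts it used per protocol.

    A source that both sends over SMTPS and fetches over POP3S from external
    servers matches the two-way email channel the article describes, so it is
    marked 'bidirectional'; a one-sided source is still listed for review.
    """
    by_src = defaultdict(lambda: defaultdict(set))
    for src, dst, port in parse_flows(text):
        proto = MAIL_PORTS.get(port)
        if proto is None or dst in CORPORATE_MAIL_HOSTS:
            continue
        by_src[src][proto].add(dst)
    report = {}
    for src, protos in by_src.items():
        report[src] = {
            "smtps": sorted(protos["smtps"]),
            "pop3s": sorted(protos["pop3s"]),
            "bidirectional": bool(protos["smtps"] and protos["pop3s"]),
        }
    return report


if __name__ == "__main__":
    for src, info in find_suspect_mail_c2(SAMPLE_FLOWS).items():
        tag = "BOTH DIRECTIONS" if info["bidirectional"] else "one-way"
        print(f"{src}: {tag} smtps={info['smtps']} pop3s={info['pop3s']}")
```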

The Cannon Trojan, like the Zebrocy Trojan that APT28 also uses, is being distributed through spear phishing emails. Two email templates have been intercepted by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in news about the Lion Air plane crash in Indonesia.

The Lion Air spear phishing campaign appears to provide updates on the victims of the crash, which the email claims are detailed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must Enable Content to see the contents of the document. It is claimed that the document was created in an earlier version of Word and that content must be enabled for the file to be displayed. Opening the attachment and enabling content lets the macro run, which then silently installs the Cannon Trojan.

Instead of the macro running and installing the payload straight away, as an anti-analysis mechanism the hackers use the AutoClose macro to delay completion of the macro routine until the document is closed. Only then is the Trojan installed. Any sandbox that reviews the document and exits without closing it would be unlikely to flag it as malicious. In addition, the macro will only run if a link with the C2 is established. Even if the document is opened and content is enabled, the macro will not run without its C2 channel open.

The methods used by the hackers to obfuscate the macro and hide communications make this threat difficult to spot. The key to preventing infection is blocking the threat at source and stopping it from reaching inboxes. Training end users to identify threats such as emails with attachments from unknown senders is also crucial.

Germany Cybercrime Losses Estimated to be €43 Billion

With the world’s largest economy, the United States is naturally a major focus for cybercriminals. Various studies have been carried out in relation to the cost of cybercrime in the United States, but little data has been made available on cybercrime losses in Germany – Europe’s largest economy.

The International Monetary Fund publishes a list of countries with the largest economies. In 2017, Germany came in fourth place after the United States, China, and Japan. Its GDP of $3.68 trillion accounts for 4.61% of global GDP.

A recently released study carried out by Germany’s federal association for Information Technology – BitKom – has placed a figure on the toll that cybercrime is having on the German economy.

The study surveyed security chiefs and managers at 503 of Germany’s top companies in the manufacturing sector. Based on the results of that survey, BitKom calculated cybercrime losses in Germany to be €43 billion ($50.2 billion). That accounts for 1.36% of the country’s GDP.

Extrapolating the German figures globally puts the cost of cybercrime at $1 trillion, substantially higher than the $600 billion estimate from cybersecurity company McAfee and the Center for Strategic and International Studies (CSIS) in February 2018. That study estimated the global percentage of GDP lost to cybercrime at between 0.59% and 0.80%, with losses across Europe calculated to be between 0.79% and 0.89% of GDP.

Small to Medium Sized Businesses Most in Danger

While cyberattacks on large enterprises can be highly profitable for cybercriminals, those firms tend to have the resources available to spend heavily on cybersecurity. Attacks on large enterprises are therefore much more difficult and time consuming. It is far simpler to focus on smaller companies with less robust cybersecurity defenses.

Small to medium sized businesses (SMBs) often do not have the resources to spend heavily on cybersecurity, and consequently are far simpler to attack. The BitKom study confirmed that these firms, which form the backbone of the economy in Germany, are particularly susceptible to cyberattacks and have been extensively targeted by cybercriminals.

It is not just organized cybercriminal groups that are running these attacks. Security officials in Germany have long been concerned about attacks by well-financed foreign spy agencies. Those agencies are using cyberattacks to obtain access to the advanced manufacturing techniques created by German firms that give them a competitive advantage. Germany is one of the world’s main manufacturing nations, so it stands to reason that the German firms are an attractive target.

Cybercriminals are stealing money from German firms and selling stolen data on the black market, while nation-state backed hackers are stealing proprietary data and technology to assist manufacturing in their own countries. According to the survey, one third of companies have had mobile phones stolen, and sensitive digital data has gone missing from a quarter of German firms. 11% of German firms report that their communications systems have been tapped.

Attacks are also being used to sabotage German firms. According to the study, almost one in five German firms (19%) have had their IT and production systems infiltrated and impacted through cyberattacks.

Companies Must Enhance Their Defenses Against Cyberattacks

Achim Berg, head of BitKom recently stated: “With its worldwide market leaders, German industry is particularly interesting for criminals”. Companies, SMBs especially, must take cybersecurity much more seriously and invest commensurately in cybersecurity solutions to stop cybercriminals from gaining access to their systems and data.

Thomas Haldenweg, deputy president of the BfV domestic intelligence agency stated: “Illegal knowledge and technology transfer … is a mass phenomenon.”

Stopping cyberattacks is not easy. There is no one solution that can safeguard against all attacks. Only defense-in-depth will see to it that cybercriminals and nation-state sponsored hacking groups are stopped from obtaining access to sensitive data.

Companies need to carry out regular, in-depth organization-wide risk analyses to identify all threats to the confidentiality, integrity, and availability of their data and systems. All identified dangers must then be addressed through a robust risk management process and layered defenses put in place to thwart attackers.

One of the chief vectors for attack is email. Figures from Cofense indicate that 91% of all cyberattacks begin with a malicious email. It stands to reason that enhancing email security should be a key priority for German firms. This is an area where TitanHQ can be of assistance.

TitanHQ is a supplier of world-class cybersecurity solutions for SMBs and enterprises that obstruct the most commonly used attack vectors. To discover more about how TitanHQ’s cybersecurity solutions can help to enhance the security posture of your company and block email and web-based attacks, contact the TitanHQ sales team now.

ArcTitan Offers Lightning-Fast, Enterprise-Class Microsoft Exchange Email Archiving for your Business

Is your business looking for a lightning-fast, enterprise-class method of email archiving? Nowadays, it is a requirement in business to have an email archiving solution in order to ensure that emails are not lost, emails can be retrieved on demand and storage space is kept to a minimum. Although native Microsoft Exchange Email Archiving is already available, most businesses will find the archiving options are not up to standard. The only alternative is to adopt a third-party email archiving solution. This will provide all the features required by businesses, as well as improve efficiency and save on cost. In order to improve efficiency and meet the requirements of businesses, TitanHQ developed ArcTitan: A secure, fast, cloud-based email archiving solution.

What Email Archiving is and its Importance

Businesses have been required by federal, state, and industry regulations to retain emails for many years. Often a considerable amount of storage space is taken up through storing emails, especially when you consider the number of emails that are typically sent and received by employees daily. Although storing emails in backups suffices to meet legal retention requirements, backups are not searchable. When a business needs to recover a certain email, it needs to be recovered quickly, which is simply not possible with backups. The solution to this problem is an email archive. In comparison to backups, email archives are searchable and messages can be retrieved quickly and with minimal effort.

Email Archiving Necessary for eDiscovery and GDPR Compliance

An email archiving solution is essential for eDiscovery. There have been a number of cases where, as part of the eDiscovery process, businesses have received heavy fines for the failure to produce emails. An example of this can be seen in the Zubulake v. UBS Warburg case where the plaintiff was awarded $29 million as a result of the failure to produce emails.

In order to comply with GDPR legislation, email archives are now vital. Since May 25, 2018, when the EU’s General Data Protection Regulation came into effect, companies have been required on request to produce (and delete) every element of an individual’s personal data, including personal data contained in emails. This can be incredibly time consuming without an email archive and may result in data being unlawfully retained since backups are not searchable. The fines for GDPR compliance failures can reach as high as €20 million or 4% of global annual revenue, whichever is more substantial.

Native Microsoft Exchange Email Archiving Drawbacks

Native Microsoft Exchange email archiving provides businesses with journaling and personal archive functions, but there are drawbacks to each. While the functions meet some business requirements such as freeing up space in mailboxes, they lack the full functions of a dedicated archive and do not meet all eDiscovery requirements.

When using native Microsoft Exchange email archiving, end users have too much control over the information that is loaded into an archive, and they can delete emails unless a legal hold is in place. For admins, retrieving emails can be complicated and extremely time consuming.

With native Microsoft Exchange email archiving, functions fail to meet the needs of a lot of businesses particularly those in highly regulated industries. Although the native Microsoft Exchange email archiving functions have improved over the years, the limitations remain with most product versions and archiving can be complex with certain email architectures.

Any business that uses multiple email systems alongside Microsoft Exchange will require a third-party email archiving solution. This is due to Microsoft Exchange not supporting the archiving of emails from other platforms.

There has been an improvement in email archiving with Office 365. SMBs that use Office 365 already have email archiving functionality included in their plans, but it is only free of charge with E3-E5 plans. Additional plans charge around $3 per user, which is more expensive than custom-built archiving solutions such as ArcTitan.

Native Microsoft Exchange email archiving is an option for businesses, but Microsoft Exchange was not developed specifically for email archiving. Despite the improvements that have been made by Microsoft, a third-party solution for email archiving on Microsoft Exchange is still required.

A third-party email archiving solution will make managing your email archiving significantly more efficient. It will save your IT department a considerable amount of time trying to locate old messages, especially for the typical requests that are received which are light on detail. The advanced search options in ArcTitan make search and retrieval of messages much faster and easier.

ArcTitan: Lightning-Fast, Enterprise-Class Email Archiving

ArcTitan has been specifically developed for email archiving making it more specialised than competitors. ArcTitan has been designed to meet all the archiving needs of businesses and allow managed service providers to offer email archiving to their clients.

The benefits of ArcTitan include extremely fast email archiving and message retrieval, secure encrypted storage and compliance with industry regulations such as HIPAA, SOX, FINRA, SEC and GDPR. ArcTitan allows businesses to meet eDiscovery requirements without having to pay for additional eDiscovery services from Microsoft. ArcTitan also maintains an accurate audit trail. This allows businesses to have near instant access to all of their emails. ArcTitan serves as a black box recorder for all email to meet the various eDiscovery requirements and ensures compliance with federal, state, and industry regulations.

ArcTitan Features

ArcTitan requires no hardware or software, is quick and easy to install, and slots into the email architecture of businesses with ease. The solution is highly scalable (there are no limits on storage space or users), it is easy to use, lightning fast and stores all emails safely and securely.

Businesses that have not yet implemented a Microsoft Exchange email archiving solution typically save up to 75% storage space. Costs are also kept to a minimum with a flexible pay as you go pricing policy, with subscriptions paid per live user.

  • Unlimited cloud based email archiving including inbound/outbound/internal email, folders, calendars and contacts
  • A full data retention and eDiscovery policy
  • HIPAA, SOX (and more) standard compliance and audited access trail
  • SuperFast Search™ – email is compressed, zipped, and uses message de-duplication and attachment de-duplication, ensuring fast search and retrieval
  • Web console access with multi-tiered and granular access options – You decide user access permissions
  • No hardware / software installation required
  • Works with all email servers including MS Exchange, Zimbra, Notes, SMTP/IMAP/Google/PO
  • Secure transfer from your email server
  • Encrypted storage on AWS cloud
  • Instantly searchable via your browser – You can find archived emails in seconds
  • Maintains a complete audit trail
  • Optional Active Directory integration for seamless Microsoft Windows authentication
  • Optional Outlook email client plugin

If you have not yet implemented an email archiving solution, if you are unhappy with the native Microsoft Exchange email archiving features, or if you are finding your current archiving solution too expensive or difficult to use, contact TitanHQ today to find out more about the benefits of ArcTitan and the improvements it can offer to your business.

California Wildfire Scam Email Warning Issued

A California wildfire scam is underway that asks for donations to help those impacted by the recent wildfires. The emails seem to come from the CEO of a company and are aimed at its staff members in the accounts and finance departments.

It should come as no shock that hackers are taking advantage of yet another natural disaster and are trying to con people into giving donations. Scammers often move swiftly following natural disasters to play on emotions and defraud businesses. Similar scams were carried out in the wake of the recent hurricanes that hit the United States and caused widespread harm.

The California wildfire scam, discovered by Agari, is a business email compromise (BEC) attack. The emails seem to have been sent by the CEO of a company, with his/her email address used to transmit messages to company staff. This is often accomplished by spoofing the email address although in some instances the CEO’s email account has been compromised and is used to broadcast the messages.

The California wildfire scam includes one major red flag. Rather than ask for a monetary donation, the scammers request money in the form of Google Play gift cards. The messages ask for the redemption codes to be sent back to the CEO by reply.

The emails are sent to staff members in the accounts and finance departments and the emails ask that the money be donated in 4 x $500 denomination gift cards. If these are returned to the CEO, he/she will then forward them on to company clients that have been impacted by the California wildfires.

The reason Google Play gift cards are asked for is that they can easily be exchanged on darknet forums for other currencies. The gift cards are almost impossible to trace back to the hacker.

The messages include many grammatical errors and spelling mistakes, which is another indication that the messages are not authentic. However, scams like this are sent because they work. Many people have been tricked by similar scams previously.

Safeguarding against scams like this requires a combination of technical controls, end user training and company policies. An advanced spam filtering solution should be put in place – SpamTitan for instance – to stop messages such as these from arriving in inboxes. SpamTitan checks all incoming emails for spam signatures and uses complex techniques such as heuristics, machine learning and Bayesian analysis to spot advanced and never-before-seen phishing campaigns.

End user training is vital for all staff, especially those with access to corporate bank accounts. Those workers are usually targeted by scammers. Policies should be put in place that require all requests for changes to bank accounts, unusual payment requests, and wire transfers above a certain threshold to be confirmed by phone or in person before they are given approval.
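
The header and content checks a mail gateway or SOC can apply to a message like the wildfire gift card request above, as an added example (this is not SpamTitan's or Agari's code). It uses only the Python standard library and flags three things the scam depends on: an executive's display name on an address that is not the executive's real one, a Reply-To that diverts replies elsewhere, and gift card or urgency wording. The executive roster, the domain example.com and both messages are constructed for this example; a real deployment would load the roster from the directory.

```python
"""Executive-impersonation (BEC) checks on raw RFC 5322 messages. Added example."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumed: the organisation's own domain
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}    # assumed roster: display name -> real address

GIFT_CARD_WORDS = re.compile(r"\b(gift\s*cards?|google\s*play|itunes|redemption\s*codes?)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|right away|asap|immediately|in a meeting|can'?t talk)\b", re.I)

# Constructed scam message: executive display name, free-mail address, diverted Reply-To.
SCAM_MSG = b"""\
From: "Jane CEO" <jane.ceo@freemail-provider.example>
Reply-To: jane.ceo.private@freemail-provider.example
To: accounts@example.com
Subject: Urgent - donation for wildfire victims
Date: Tue, 20 Nov 2018 09:14:00 -0800
Content-Type: text/plain; charset="utf-8"

I'm in a meeting right now and can't talk. I need you to buy 4 x $500 Google Play
gift cards for clients affected by the wildfires. Scratch the back and reply
with the redemption codes asap.
"""

# Constructed legitimate message from the real executive address.
LEGIT_MSG = b"""\
From: "Jane CEO" <jane.ceo@example.com>
To: accounts@example.com
Subject: Q4 budget review
Date: Tue, 20 Nov 2018 10:00:00 -0800
Content-Type: text/plain; charset="utf-8"

Please send me the Q4 budget spreadsheet when you have a moment.
"""


def analyse(raw_bytes):
    """Return a list of (severity, reason) findings for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        # Display name is an executive's, but the address is not the one on record.
        findings.append(("high", f"display name '{name}' matches an executive but address is {addr}"))

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(("medium", f"Reply-To {reply_to} differs from From {addr}"))

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if GIFT_CARD_WORDS.search(text):
        findings.append(("medium", "gift card / redemption code request"))
    if URGENCY_WORDS.search(text):
        findings.append(("low", "urgency / unavailability pressure"))
    return findings


def score(findings):
    """Weighted sum used to pick a gateway action (assumed thresholds: >=5 quarantine, >=3 tag)."""
    weights = {"high": 3, "medium": 2, "low": 1}
    return sum(weights[severity] for severity, _ in findings)


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MSG), ("legit", LEGIT_MSG)):
        found = analyse(raw)
        print(label, score(found), found)
```

The display-name check is the one that matters most: spoofed or free-mail addresses carrying a known executive's name are the core of the scam described above, and it still fires when the sender domain looks internal but the mailbox differs. The wording checks are supporting evidence only; on their own they would also catch a genuine request to buy gift cards.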

A combination of these tactics will help to secure businesses from BEC attacks and other email scams.

Web Filtering Software for Schools

Although the aims of the Children´s Internet Protection Act (CIPA) – and later state legislation relating to web filters for schools – were undoubtedly well-intentioned, some educational institutions have been reluctant to adopt school web filtering software.

Some of the reasons for this reluctance are logical. Over-zealous web filters for schools can stop students from accessing educational material and teenage support groups, while students from lower-income families without home Internet can be hindered by “digital deprivation” in an over-filtered environment.

It is sometimes the case that school web filtering software is responsible for an over-filtered environment. Depending on the extent of the software, it may have a high maintenance overhead or lack the versatility to account for students of different ages studying a wide range of topics.

In these instances, it is easier for system managers to apply the maximum security settings to ensure compliance with federal and state laws. This is when the issues are seen. Now, there is a solution from SpamTitan that can resolve these issues quickly and simply – WebTitan Cloud.

WebTitan Cloud is cloud-based school web filtering software that is quick to put in place and easy to configure. Being a cloud-based solution, there is no hardware to buy or software to be installed – so no technical skills are required and there are no upfront costs to consider.

Once active, WebTitan Cloud uses a three-tier mechanism to review each request to visit a website against its filtering parameters, providing the level of granularity web filters for schools should have in order to be effective in a multi-age, multi-cultural environment.

The filtering parameters can be created according to age, by user, by class, or by year – and password protected – to ensure each student is able to access the educational and age-appropriate material they need to become digitally literate and in order to be able to seek help from support groups if needed.

Along with its versatility, WebTitan Cloud provides a safe barrier against online content prohibited by CIPA and protects networks and users´ devices against malware, adware, spyware and ransomware. Our school web filtering software also has security measures to prevent students from trying to circumvent the filtering parameters. With WebTitan Cloud schools can:

  • Restrict access to VPNs and proxy websites.
  • Set up multilingual filter settings.
  • Stop access to cached website pages.
  • Filter out numerical IP addresses.
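
How the controls in the list above fit together in a request-evaluation pipeline, as an added example (not WebTitan code and not its configuration format). It treats the evasion checks (numeric IP in the URL, cached copies of pages, proxy/VPN hosts) as rules that run for every group before the per-group category policy is consulted, which is what makes an age-tiered policy safe: a student cannot step around a category block by reaching the same content via an IP address or a cache. The category feed, group policies and URLs are constructed.

```python
"""Per-group web filtering policy with evasion checks evaluated first. Added example."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a categorisation feed: hostname -> category.
CATEGORIES = {
    "hideme-proxy.example": "proxy_vpn",
    "vpn-free.example": "proxy_vpn",
    "teen-helpline.example": "support",
    "kidsmath.example": "education",
    "games-arcade.example": "games",
    "video-streaming.example": "streaming",
}

# Assumed per-group policy (by age tier): categories the group may reach.
GROUP_POLICY = {
    "k5": {"education"},
    "middle": {"education", "support"},
    "high": {"education", "support", "games"},
    "staff": {"education", "support", "games", "streaming"},
}
ALWAYS_BLOCK = {"proxy_vpn"}                     # blocked regardless of group
CACHE_HOSTS = {"webcache.googleusercontent.com", "cachedview.example"}  # assumed list


def is_numeric_host(host):
    """True when the URL names an address rather than a hostname (no category to look up)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_cached_copy(url):
    """True for known cache front-ends or a 'cache:' search operator in the query string."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in CACHE_HOSTS:
        return True
    query = parse_qs(parts.query)
    return any(v.lower().startswith("cache:") for values in query.values() for v in values)


def decide(url, group):
    """Return (verdict, reason). Evasion checks run before the category lookup."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "block", "unparseable URL"
    if is_numeric_host(host):
        return "block", "numeric IP address in URL"
    if is_cached_copy(url):
        return "block", "cached copy of a page"
    category = CATEGORIES.get(host, "uncategorised")
    if category in ALWAYS_BLOCK:
        return "block", f"category {category} blocked for everyone"
    if category in GROUP_POLICY.get(group, set()):
        return "allow", f"category {category} permitted for {group}"
    return "block", f"category {category} not permitted for {group}"


if __name__ == "__main__":
    for u, g in (("https://teen-helpline.example/chat", "middle"),
                 ("https://teen-helpline.example/chat", "k5"),
                 ("http://203.0.113.10/", "staff"),
                 ("https://webcache.googleusercontent.com/search?q=cache:kidsmath.example", "high")):
        print(g, u, decide(u, g))
```

Unknown hosts fall through to "uncategorised" and are blocked here; whether that default should be allow or block is exactly the over-filtering trade-off the section discusses, and it is the setting to revisit when students report that support or educational material is unreachable.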

For schools that supply a wireless network for students, WebTitan Cloud for WiFi is equally as versatile and safe. Our school web filtering software for wireless networks allows schools to manage the content students can access from their mobile devices, and supplies a deep analysis of network activity – right down to the online activity of each individual user.

In states where parents have the right to state the level of Internet access their children can have at school, the versatility of WebTitan Cloud for WiFi prevents the scenario in which every child has to adhere to the wishes of the strictest parent. The detailed level of oversight also helps to identify students who may be using the Internet inappropriately and who are then vulnerable to online attacks.

Our WiFi web filters for schools can be deployed to filter Internet content from a single hotspot or multiple hotspots. It safeguards users´ devices as well as the school´s network without affecting the speed at which web content is sent. They also have a very useful bandwidth-restricting function that stops students consuming a school´s bandwidth by streaming sports, films and music videos.

Our school web filtering software for both fixed networks and wireless networks has been created to be effective against online threats, compliant with federal and state laws, easy to use and sufficiently versatile to resolve concerns about stopping students from accessing educational material and teenage support groups. Now we ask you to test our web filters for schools for free.

If your school has been reluctant to put in place school web filtering software due to worries regarding an over-filtered environment, we invite you to contact us and discuss your concerns. Our team of Sales Technicians will reply to any questions you have about web filters for schools and invite you to have a free trial of WebTitan Cloud or WebTitan Cloud for WiFi – whichever is the most appropriate solution for your specific circumstances.

There are no set up expenses to address, no credit cards are required and there are no contracts to complete in order to take advantage of our offer. Our free trial is intended to give you the chance to evaluate the merits of school web filtering in your own environment and there is no obligation on you to go on using our service once the free trial has ended. Call us now and your school could be safeguarding your students from online dangers and inappropriate content within 15 minutes.

Emotet Malware Being Spread Using Thanksgiving Themed Spam Emails

There has been a rise in malspam campaigns spreading Emotet malware in recent times, with many new campaigns initiated that spoof financial institutions – the modus operandi of the threat group behind the attacks.

The Emotet malware campaigns use Word documents including malicious macros. If macros are turned on, the Emotet malware payload is installed. The Word documents are either sent as email attachments or the spam emails contain hyperlinks which direct users to a website where the Word document is downloaded.

Various social engineering tricks have been used in these recent campaigns. One new tactic that was spotted by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email seem benign.

According to Cofense, the campaign delivers Emotet malware, although Emotet in turn installs a secondary payload. In past campaigns, Emotet has been sent along with ransomware. First, Emotet steals details, then the ransomware is used to steal money from victims. In the most recent campaign, the secondary malware is the banking Trojan named IcedID.

An additional campaign has been seen that uses Thanksgiving-themed spam emails. The messages seem to be Thanksgiving greetings for employees, and similarly include a malicious hyperlink or document. The messages claim the document is a Thanksgiving card or greeting. Many of the emails have been personalized to help with the deception and include the user’s name. In this campaign, while the document downloaded seems to be a Word file, it is actually an XML file.

Emotet malware has been updated recently. Along with stealing credentials, a new module has been added that harvests emails from an infected user. The previous six months’ emails – including subjects, senders, and message content – are stolen. This new module is thought to have been added to enhance the effectiveness of future phishing campaigns, for corporate espionage, and for data theft.

The latest increase in Emotet malware campaigns, and the wide variety of tactics used by the threat actors behind these campaigns, highlight the importance of implementing a defense in depth strategy to block phishing emails. Organizations should not rely on one cybersecurity solution to provide security against email attacks.

Phishing campaigns aim for a weak link in security defenses: Staff members. It is therefore vital to ensure that all employees with corporate email accounts are taught how to spot phishing threats. Training needs to be constant and should cover the latest tactics used by cybercriminals to spread malware and steal details. Staff are the last line of defense. Through security awareness training, the defensive line can be greatly strengthened.

As a frontline defense, all businesses and groups should deploy an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is needed to provide protection against more complex email attacks.

SpamTitan is an advanced email filtering solution that employs predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based defenses.

Along with scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan uses heuristics, machine-based learning, and Bayesian analysis to discover emerging threats. Greylisting is used to identify and block bigger spam campaigns, such as those typically carried out by the threat actors spreading banking Trojans and Emotet malware.
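
Greylisting, named above as the control against bulk campaigns, as an added example (this is not SpamTitan's implementation). A never-seen (client IP, sender, recipient) triplet gets a temporary 4xx rejection on its first delivery attempt; a standards-conforming mail server queues and retries after a delay and is then accepted, while fire-and-forget spam tooling of the kind used to blast malspam never retries and so never reaches the inbox. The delay, retry window, trust lifetime and the two senders in the simulation are constructed assumptions.

```python
"""Triplet greylisting with a constructed timeline. Added example, not product code."""
from dataclasses import dataclass, field

GREY_DELAY = 300                 # seconds before a retry is honoured (assumed policy value)
RETRY_WINDOW = 4 * 3600          # a retry later than this starts over
WHITELIST_TTL = 36 * 24 * 3600   # a passed triplet is trusted for this long


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: dict = field(default_factory=dict)    # triplet -> time last seen

    def check(self, client_ip, sender, recipient, now):
        """Decide one RCPT TO. Returns ('accept' | 'tempfail', smtp_reply)."""
        key = (client_ip, sender.lower(), recipient.lower())
        last = self.passed.get(key)
        if last is not None and now - last <= WHITELIST_TTL:
            self.passed[key] = now                # refresh trust on every accepted message
            return "accept", "250 OK"
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now               # new (or stale) triplet: start the clock
            return "tempfail", "451 4.7.1 Greylisted, please retry later"
        if now - first < GREY_DELAY:
            return "tempfail", "451 4.7.1 Greylisted, please retry later"  # retried too soon
        del self.pending[key]                     # waited long enough: promote to trusted
        self.passed[key] = now
        return "accept", "250 OK"


def simulate():
    """Constructed timeline: a compliant MTA versus a one-shot spam sender."""
    gl = Greylist()
    outcomes = {}
    # Compliant MTA: first try at t=0, retries at 15 minutes, sends another message at 2 hours.
    mta = ("192.0.2.10", "alice@partner.example", "bob@example.com")
    outcomes["mta_first"] = gl.check(*mta, now=0)[0]
    outcomes["mta_retry"] = gl.check(*mta, now=900)[0]
    outcomes["mta_later"] = gl.check(*mta, now=7200)[0]
    # Bulk sender: one attempt per recipient, plus an immediate retry some tooling performs.
    bot = ("198.51.100.77", "greetings@thanksgiving-card.example", "bob@example.com")
    outcomes["bot_first"] = gl.check(*bot, now=10)[0]
    outcomes["bot_instant_retry"] = gl.check(*bot, now=12)[0]
    return outcomes


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:18s} {verdict}")
```

The cost of greylisting is a one-time delay on first contact with a new correspondent, which is why it is combined with the signature, heuristic and Bayesian layers above rather than used alone, and why a production gateway keys the triplet on the sending network rather than the exact IP when the sender is a large provider that retries from a different host.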

How SpamTitan Spam Filtering Works
Lion Air Spear Phishing Campaign Shares Stealthy Cannon Trojan

A newly created malware variant, called Cannon Trojan, is being used in focused attacks on government agencies in the United States and Europe. The new malware threat has been connected to a threat group known under many titles – APT28, Fancy Bear, Sofacy, Sednit, Strontium – that has links to the Russian government.

The Cannon Trojan is being used to gather data on potential targets, collating system information and capturing screenshots that are sent back to APT28. The Cannon Trojan is also an installer capable of loading further malware variants onto a compromised system.

The new malware threat is stealthy and uses a range of tricks to avoid detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates through email over SMTPS and POP3S.

Once downloaded, an email is sent over SMTPS via port 465, and another two email addresses are obtained through which the malware communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 is not unknown, it is relatively unusual. One advantage of this method of communication is that it is more difficult to spot and block than HTTP/HTTPS.
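
A network-side check that turns the C2 behaviour described above into an alert, as an added example (not Unit 42's or TitanHQ's code). On a managed network, workstations normally reach mail only through the organisation's own mail servers or its hosted provider, so a workstation opening its own SMTPS (465) or POP3S (995) session to some other external host is anomalous, and a host doing both within minutes matches the Cannon pattern. The log format, the allow-list of mail hosts, the internal address range and all log lines are constructed for the example.

```python
"""Flag workstations that speak mail-submission protocols to non-mail hosts. Added example."""
import ipaddress
from collections import defaultdict

# Ports where a workstation-originated session is unexpected; 587/993 included for completeness.
MAIL_PORTS = {465: "SMTPS", 587: "SMTP submission", 993: "IMAPS", 995: "POP3S"}

# Assumed: mail infrastructure the workstations are allowed to talk to directly.
ALLOWED_MAIL_HOSTS = {"mail.example.internal", "smtp.office365.com", "outlook.office365.com"}

# Assumed: the organisation's own address space (internal relays are not alerted on here).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall/netflow-style records:
# timestamp src_host src_ip dst_host dst_ip dst_port proto
SAMPLE_LOG = """\
2018-11-20T09:01:12Z WS-042 10.1.5.42 mail.example.internal 10.1.0.25 993 tcp
2018-11-20T09:02:45Z WS-042 10.1.5.42 cdn.example.net 203.0.113.34 443 tcp
2018-11-20T09:03:10Z WS-017 10.1.5.17 smtp.office365.com 203.0.113.10 587 tcp
2018-11-20T09:05:30Z WS-042 10.1.5.42 mx.freemail-provider.example 203.0.113.77 465 tcp
2018-11-20T09:05:31Z WS-042 10.1.5.42 pop.freemail-provider.example 203.0.113.78 995 tcp
2018-11-20T09:06:00Z WS-042 10.1.5.42 pop.freemail-provider.example 203.0.113.78 995 tcp
2018-11-20T09:07:15Z WS-031 10.1.5.31 api.partner.example 203.0.113.9 443 tcp
"""


def parse_line(line):
    ts, src_host, src_ip, dst_host, dst_ip, dst_port, proto = line.split()
    return {"ts": ts, "src_host": src_host, "src_ip": src_ip, "dst_host": dst_host,
            "dst_ip": ipaddress.ip_address(dst_ip), "dst_port": int(dst_port), "proto": proto}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_direct_mail_sessions(log_text, allowed_hosts=ALLOWED_MAIL_HOSTS):
    """Return {src_host: [(dst_host, port, protocol_name), ...]} for suspect sessions."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        proto_name = MAIL_PORTS.get(rec["dst_port"])
        if proto_name is None or rec["dst_host"] in allowed_hosts or is_internal(rec["dst_ip"]):
            continue
        hits[rec["src_host"]].append((rec["dst_host"], rec["dst_port"], proto_name))
    return dict(hits)


def summarize(hits):
    """One alert per workstation; both SMTPS and POP3S from one host is rated high."""
    alerts = []
    for host, sessions in sorted(hits.items()):
        protos = {p for _, _, p in sessions}
        severity = "high" if {"SMTPS", "POP3S"} <= protos else "medium"
        alerts.append(f"{severity}: {host} opened {len(sessions)} direct mail session(s): {sorted(protos)}")
    return alerts


if __name__ == "__main__":
    for alert in summarize(find_direct_mail_sessions(SAMPLE_LOG)):
        print(alert)
```

Where a perimeter firewall already blocks outbound 465/995 from the workstation VLAN, the same records are the denied-connection log, and the check becomes a hunt query rather than a detection; either way the useful signal is the pairing of the two protocols from one endpoint.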

The Cannon Trojan, like the Zebrocy Trojan which is also being used by APT28, is being shared via spear phishing emails. Two email templates have been captured by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in the Lion Air plane crash in Indonesia.

The Lion Air spear phishing campaign seems to provide data on the victims of the crash, which the email claims are listed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must Enable Content to see the contents of the document. It is alleged that the document was created in an earlier version of Word and content must be turned on for the file to be displayed. Opening the email and enabling content would trigger the macro to run, which would then silently install the Cannon Trojan.

Instead of the macro running and downloading the payload immediately, as an anti-analysis mechanism, the hackers use the Windows AutoClose tool to delay completion of the macro routine until the document is closed. Only then is the Trojan installed. Any sandbox that analyzes the document and exits before closing it would be unlikely to view it as malicious. Further, the macro will only run if a link with the C2 is established. Even if the document is opened and content is enabled, the macro will not run without its C2 channel open.
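
A static triage check that accounts for the close-time trigger described above (and in the earlier copy of this passage), as an added example that is not code from the article or from Unit 42. Sandbox output alone misses a payload deferred to document close, so a defender's macro triage should weigh close-time handlers as heavily as open-time ones and pair them with the capabilities a dropper needs. The trigger and capability tables are the scanner's own, and the VBA text is a constructed, inert fixture standing in for source that a tool such as olevba would extract from a document.

```python
"""Auto-exec trigger and capability triage over VBA source text. Added example."""
import re

# Word/Excel procedure names that run without a click. Close-time handlers are listed deliberately.
AUTO_EXEC_TRIGGERS = {
    "AutoOpen": "runs when the document opens",
    "Document_Open": "runs when the document opens",
    "AutoExec": "runs when Word starts",
    "AutoClose": "runs when the document is closed",
    "Document_Close": "runs when the document is closed",
    "Workbook_Open": "runs when the workbook opens",
}

# Capabilities commonly paired with a dropper. Indicative only; one hit alone proves nothing.
SUSPICIOUS_CALLS = {
    r"\bShell\b": "process execution",
    r"\bCreateObject\s*\(": "COM object creation",
    r"\bEnviron\s*\(": "environment lookup (e.g. %TEMP%)",
    r"\bOpen\b.+\bFor\s+Binary\b": "binary file write",
    r"\bChr\s*\(\s*\d+\s*\)\s*&": "character-by-character string building (obfuscation)",
    r"\bURLDownloadToFile\b": "download to disk",
}

# Constructed fixture: benign-looking open handler, payload logic parked in AutoClose.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ' decoy: nothing happens on open, so an automated viewer sees benign behaviour
    ActiveDocument.Save
End Sub

Sub AutoClose()
    Dim p As String
    p = Environ("TEMP") & "\\" & Chr(117) & Chr(112) & Chr(100) & ".exe"
    Open p For Binary Access Write As #1
    Close #1
    Shell p, vbHide
End Sub
"""

SUB_DEF = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)\s*\(", re.MULTILINE)


def find_triggers(vba_src):
    """Auto-exec procedure names defined in the source, in file order, without duplicates."""
    found = []
    for m in SUB_DEF.finditer(vba_src):
        name = m.group(1)
        if name in AUTO_EXEC_TRIGGERS and name not in found:
            found.append(name)
    return found


def find_capabilities(vba_src):
    """Set of capability labels whose pattern appears anywhere in the source."""
    return {label for pattern, label in SUSPICIOUS_CALLS.items() if re.search(pattern, vba_src)}


def triage(vba_src):
    """Combine triggers and capabilities into a verdict; close-time triggers are called out."""
    triggers = find_triggers(vba_src)
    caps = find_capabilities(vba_src)
    close_time = any("closed" in AUTO_EXEC_TRIGGERS[t] for t in triggers)
    if triggers and caps:
        verdict = "likely dropper"
    elif triggers:
        verdict = "auto-exec macro, review"
    else:
        verdict = "no auto-exec trigger"
    return {"triggers": triggers, "capabilities": sorted(caps),
            "close_time_trigger": close_time, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

The practical consequence for sandboxing is in the `close_time_trigger` flag: when it is set, a dynamic run that does not explicitly close the document (or wait for the application to exit) has not exercised the code path that matters.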

The techniques employed by the hackers to obfuscate the macro and hide communications make this threat difficult to spot. The key to stopping infection is blocking the threat at source and preventing it from arriving at inboxes. The provision of end user training to help employees identify threats such as emails with attachments from unknown senders is also vital.

Banking Trojans Installed Using Windows Components in New Office 365 Threat

A new Office 365 threat has been discovered that stealthily downloads malware, masking its communications and downloads by using legitimate Windows components.

The attack begins with malspam including a malicious link included in an email. Various themes could be used to encourage users into visiting the link, although one of the latest campaigns masquerades as emails from the national postal service in Brazil.

The emails claim the postal service tried to deliver a package, but the delivery failed as there was no one home. The tracking code for the package is listed in the email and the user is requested to click the link in the email to receive the tracking data.

In this instance, clicking the link will lead to a popup asking the user to confirm the download of a zip file, which it is claimed includes the tracking information. If the zip file is downloaded, the user will be asked to click on a LNK file to receive the information. The LNK file runs cmd.exe, which executes a Windows Management Instrumentation (WMI) file: wmic.exe. This legitimate Windows file is used to communicate with the attacker’s C2 server and creates a copy of another Windows file – certutil.exe – in the %temp% folder under the name certis.exe. A script then runs which instructs certis.exe to connect to a different C2 server to download malicious files.

The focus of this attack is to use authentic Windows files to install the malicious payload: A banking Trojan. The use of legitimate Windows files for communication and installing files helps the attackers bypass security controls and download the malicious payload unnoticed.

These Windows files can install other files for legitimate purposes, so it is hard for security teams to identify malicious activity. This campaign focuses on users in Brazil, but this Office 365 threat should be a worry for all users as other threat actors have also adopted this tactic to download malware.

Due to the difficulty of distinguishing between legitimate and malicious wmic.exe and certutil.exe activity, blocking an Office 365 threat such as this is simplest at the initial point of attack: stopping the malicious email from reaching an inbox, and providing security awareness training to workers to help them spot this Office 365 threat. The latter is vital for all companies; employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution like SpamTitan, which ensures that the last line of defense is rarely tested.
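
Two endpoint-telemetry checks that separate the chain above from ordinary use of the same binaries, as an added example (not from the article and not product code). The first relies on the PE `OriginalFileName` that process-creation telemetry such as Sysmon event ID 1 records: a copy of certutil.exe renamed to certis.exe still carries `CertUtil.exe` as its original name but runs from outside the system directories. The second looks at process lineage: wmic.exe launched by cmd.exe whose parent is explorer.exe is the shape left by a user double-clicking a .lnk, not by a management script. The event records, paths, PIDs and the user name are constructed; the wmic command line is deliberately omitted.

```python
"""Renamed-certutil and explorer->cmd->wmic lineage checks over process-creation events. Added example."""
import ntpath

SYSTEM_CERTUTIL = {r"c:\windows\system32\certutil.exe", r"c:\windows\syswow64\certutil.exe"}

# Constructed events with the Sysmon event ID 1 fields this check needs.
EVENTS = [
    {"pid": 700, "ppid": 4, "image": r"C:\Windows\System32\services.exe", "orig": "services.exe"},
    {"pid": 4000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "orig": "EXPLORER.EXE"},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe",
     "cmdline": r'cmd.exe /c "C:\Users\ana\Downloads\rastreamento\rastreio.lnk"'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\wbem\WMIC.exe", "orig": "wmic.exe",
     "cmdline": "wmic.exe (arguments omitted in this example)"},
    {"pid": 4130, "ppid": 4100, "image": r"C:\Users\ana\AppData\Local\Temp\certis.exe",
     "orig": "CertUtil.exe", "cmdline": "certis.exe (arguments omitted in this example)"},
    # Benign comparison: the real certutil run by a service, and wmic from a management script.
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\certutil.exe", "orig": "CertUtil.exe"},
    {"pid": 5100, "ppid": 700, "image": r"C:\Windows\System32\wbem\WMIC.exe", "orig": "wmic.exe",
     "cmdline": "wmic.exe os get caption"},
]


def build_index(events):
    return {e["pid"]: e for e in events}


def ancestors(index, pid, depth):
    """Image basenames of the process chain starting at pid, up to depth entries."""
    chain = []
    event = index.get(pid)
    while event is not None and len(chain) < depth:
        chain.append(ntpath.basename(event["image"]).lower())
        event = index.get(event["ppid"])
    return chain


def renamed_certutil(events):
    """Check 1: PE name CertUtil.exe running from anywhere but the system directories."""
    return [e for e in events
            if e["orig"].lower() == "certutil.exe" and e["image"].lower() not in SYSTEM_CERTUTIL]


def wmic_from_user_shell(events):
    """Check 2: wmic.exe whose parent is cmd.exe and grandparent is explorer.exe."""
    index = build_index(events)
    return [e for e in events
            if ntpath.basename(e["image"]).lower() == "wmic.exe"
            and ancestors(index, e["ppid"], depth=2) == ["cmd.exe", "explorer.exe"]]


def report(events):
    """Alert strings for both checks, suitable for a SIEM rule's output."""
    lines = [f"renamed certutil: pid {e['pid']} {e['image']}" for e in renamed_certutil(events)]
    lines += [f"wmic from user shell: pid {e['pid']} parent chain "
              f"{ancestors(build_index(events), e['ppid'], 2)}" for e in wmic_from_user_shell(events)]
    return lines


if __name__ == "__main__":
    for line in report(EVENTS):
        print(line)
```

The renamed-binary check generalises to any signed system tool copied under a new name, since `OriginalFileName` comes from the file's version resource rather than its path; it is silent for the many legitimate certutil.exe invocations the section warns about, because those run from System32.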

Microsoft uses many different ways to spot malspam and prevent malicious messages from arriving in users’ inboxes; however, while efforts have been made to improve the effectiveness of the spam filtering controls of Office 365, many malicious messages are still reaching their destinations.

To enhance Office 365 security, a third-party spam filtering solution should be implemented. SpamTitan has been created to allow easy integration into Office 365 and provides superior security from a wide range of email threats.

SpamTitan uses a range of different methods to stop malspam from being sent to end users’ inboxes, including predictive techniques to discover threats that are misidentified by Office 365 security controls. These methods ensure industry-leading catch rates of over 99.9% and stop malicious emails from arriving in inboxes.

HookAds Malvertising Campaign Sending People to Trojans, Info Stealers and Ransomware Websites

One of the ways that threat actors deliver malware is malvertising. Malvertising is the positioning of malicious adverts on legitimate websites that send visitors to websites where malware is installed. The HookAds malvertising campaign is one such example and those responsible for the campaign have been particularly active recently.

The HookAds malvertising campaign has one aim – to direct people to a website hosting the Fallout exploit kit. An exploit kit is malicious code that operates when a visitor arrives on a web page. The visitor’s computer is explored to determine whether there are any flaws – unpatched software – that can be exploited to silently download files.

In the case of the Fallout exploit kit, users’ devices are explored for several known Windows vulnerabilities. If one is discovered, it is exploited and a malicious payload is installed. Several malware variants are currently being shared via Fallout, including data stealers, banking Trojans, and ransomware.

According to threat analyst nao_sec, two different HookAds malvertising campaigns have been identified: One is being used to broadcast the DanaBot banking Trojan and the other is sending two malware payloads – The Nocturnal data stealer and GlobeImposter ransomware via the Fallout exploit kit.

Exploit kits can only be used to deliver malware to unpatched devices, so businesses will only be under threat from this web-based attack vector if they are not 100% up to date with their patching. Sadly, many businesses are slow to apply patches and exploits for new vulnerabilities are frequently uploaded to EKs such as Fallout. Due to this, a security solution is needed to obstruct this attack vector.

The threat actors responsible for the HookAds malvertising campaign are taking advantage of the low prices for advertising blocks on websites offered by low-quality ad networks – those often used by owners of online gaming websites, adult sites, and other types of websites that employees should not be accessing. While the site owners themselves are not actively working with the threat actors behind the campaign, the malicious adverts are still displayed on their websites alongside legitimate ads. The use of a web filter is advisable to mitigate this threat.

Emotet Malware Spread Using Thanksgiving Themed Spam Emails

There has been a rise in malspam campaigns spreading Emotet malware recently, with many new campaigns initiated that spoof financial institutions – the typical operating method of the threat group responsible for the campaigns.

The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is installed. The Word documents are either sent as email attachments, or the spam emails include hyperlinks that take users to a website where the Word document is downloaded.

Various social engineering tricks have been implemented in these campaigns. One new tactic that was spotted by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email seem benign.

According to Cofense, the campaign delivers Emotet malware, which in turn installs a secondary payload. In previous campaigns, Emotet has been delivered alongside ransomware: first, Emotet steals information, then the ransomware is used to extort money from victims. In the most recent campaign, the secondary malware is the banking Trojan IcedID.

Another campaign has been discovered that uses Thanksgiving themed spam emails. The messages seem to be Thanksgiving greetings for employees, and similarly include a malicious hyperlink or document. The messages say that the document is a Thanksgiving card or greeting. Many of the emails have been personalized to help with the deception and include the user’s name. In this campaign, while the document downloaded seems to be a Word file, it is actually an XML file.
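The two Emotet lures described above share one defensive lesson: the attachment has to be judged by its content, not by its file extension. The following is an added example, not code from the original article or from any TitanHQ product. It classifies a file that claims to be a Word document by its container (OOXML zip, legacy OLE binary, or flat XML), flags the presence of a VBA project or the Word 2003 XML macro markers, and reports when the extension does not match what was found. The sample documents are constructed in memory and are not real malware; the function and sample names are the example's own.

```python
import io
import zipfile

# Magic numbers for the two binary containers Word uses.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.docm (OOXML zip package)


def classify_word_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment that claims to be a Word document by its content,
    not its extension. Returns the detected container, whether macro material is
    present, and a short reason a mail-gateway operator could act on."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    verdict = {"container": "unknown", "has_macros": False, "suspicious": False, "reason": ""}

    if data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            verdict.update(suspicious=True, reason="zip container is corrupt")
            return verdict
        if any(n.endswith("vbaproject.bin") for n in names):
            # The VBA project part is what makes an OOXML package macro-enabled.
            verdict.update(has_macros=True, suspicious=True,
                           reason="OOXML package contains a VBA project (macros)")
        elif "word/document.xml" not in names:
            verdict.update(suspicious=True, reason="zip does not look like a Word package")
        else:
            verdict["reason"] = "plain OOXML document without a VBA project"
    elif data.startswith(OLE_MAGIC):
        verdict["container"] = "ole"
        # Legacy binary .doc: VBA lives inside OLE streams, so a real OLE parser is
        # needed to say more; treat it as needing review rather than passing it.
        verdict.update(suspicious=True, reason="legacy OLE binary; inspect VBA streams before delivery")
    else:
        head = data.lstrip()[:512].lower()
        if head.startswith(b"<?xml") or b"<w:worddocument" in head:
            # Flat XML (Word 2003 XML format): Word opens it, but it is not a real .doc/.docx.
            verdict["container"] = "xml"
            body = data.lower()
            has_macros = b'w:macrospresent="yes"' in body or b"<w:bindata" in body
            verdict.update(has_macros=has_macros, suspicious=True,
                           reason="flat XML document presented as a Word file")
        else:
            verdict.update(suspicious=True, reason="unrecognized container")

    if ext in ("doc", "docx", "dot") and verdict["container"] == "xml":
        verdict["reason"] += " (extension ." + ext + " does not match content)"
    return verdict


def build_ooxml_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-project")
    return buf.getvalue()


# Constructed flat-XML sample in the style of the Word 2003 XML format (not real malware).
XML_SAMPLE = (b'<?xml version="1.0"?>\n<?mso-application progid="Word.Document"?>\n'
              b'<w:wordDocument w:macrosPresent="yes">\n'
              b'<w:binData w:name="editdata.mso">AAAA</w:binData>\n'
              b'</w:wordDocument>\n')


if __name__ == "__main__":
    for name, blob in (("invoice.docm", build_ooxml_sample(True)),
                       ("report.docx", build_ooxml_sample(False)),
                       ("thanksgiving_card.doc", XML_SAMPLE),
                       ("old.doc", OLE_MAGIC + b"\x00" * 64)):
        print(name, classify_word_attachment(name, blob))
```

The flat-XML branch is the one that matters for the Thanksgiving campaign: a `.doc` whose bytes begin with `<?xml` is exactly the mismatch the article describes, and a gateway that only keys on the extension or the declared MIME type will miss it.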

Emotet malware has been updated recently. In addition to stealing information, a new module has been added that harvests emails from infected users. The previous six months’ emails – including subjects, senders, and message content – are stolen. This new module is thought to have been added to improve the effectiveness of future phishing campaigns, and for corporate espionage and data theft.

The recent rise in Emotet malware campaigns, and the highly varied tactics used by the threat actors behind them, emphasize the importance of adopting a defense in depth strategy to block phishing emails. Organizations should not rely on a single cybersecurity solution to protect against these attacks.

Phishing campaigns target the weakest link in security defenses: staff members. It is therefore wise to ensure that all employees with corporate email accounts are trained to recognize phishing threats. Training needs to be ongoing and should cover the latest tactics used by attackers to spread malware and steal information. Staff members are the last line of defense, and through security awareness training that defensive line can be significantly strengthened.

As a frontline defense, all businesses and groups should use an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is needed to provide security against more complex email attacks.

SpamTitan is an advanced email filtering solution that uses predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based security.

Along with scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan employs heuristics, machine learning, and Bayesian analysis to spot emerging threats. Greylisting is used to spot and obstruct large scale spam campaigns, such as those usually carried out by the threat actors spreading banking Trojans and Emotet malware.

Easy Way to Win Business and Boost Revenue for MSPs With Email Archiving

Email archiving is a great way for a company to win business and boost revenue. Although it is often an overlooked service, it can add value and improve profits for MSPs. Email archiving has a high margin, generates regular additional income, is easy to implement and manage and is an easy sell to clients.

Email Archiving in SMBs

Email archiving is now essential for organisations of all sizes, from SMBs to the largest enterprises. Large numbers of emails are sent and received on a daily basis by companies. Copies of those emails need to be stored, saved, and often retrieved. Storage of emails in mailboxes can often pose problems. Emails and attachments often need a considerable amount of storage, which means hardware must be purchased and maintained. Storing large volumes of emails in mailboxes is not a secure way of storing emails.

Although storing emails in backups is an option, it is far from ideal. Space is still needed and recovering emails when they are required is not a straightforward task as backup files are not indexed and searching for messages can take a considerable amount of time.

An email archive, in comparison, is indexed and searchable, so emails can be retrieved on demand quickly and with ease. If there is a legal dispute, or when an organisation needs to demonstrate compliance (with GDPR or HIPAA for example), businesses need to be able to recover emails efficiently. An email archive also provides a clear chain of custody, which many regulations require.

Cloud-based archives offer secure storage for emails and have no restrictions on storage space. The cloud storage offered is also highly scalable and emails can be easily retrieved, regardless of the location.

In summary, email archiving can enhance security, lower costs, improve efficiency and is an invaluable compliance tool.

Email Archiving in MSPs

Given the benefits of email archiving, it should be an easy sell for MSPs, either as an Office 365 archiving-as-a-service add-on or incorporated into existing email packages, offering greater value and differentiating your packages from those of your competitors.

Offered as an add-on service, Office 365 archiving-as-a-service will generate regular income for very little effort. It will also improve the meagre returns from simply reselling Office 365 to your clients. Overall, it can help you attract more business when offered as part of a package.

Email Archiving Made Simple for MSPs by ArcTitan

TitanHQ is a leading provider of cloud-based security solutions for MSPs. TitanHQ products such as SpamTitan, WebTitan and ArcTitan SaaS email archiving have all been developed from the ground up to specifically meet the various needs of MSPs.

ArcTitan has been developed by TitanHQ to be easy to implement and manage. It seamlessly integrates into MSPs’ service stacks, allowing them to provide greater value to clients and make email services a much more lucrative offering. As a result, TitanHQ is able to offer generous margins on ArcTitan for MSPs.

Benefits of ArcTitan for MSPs

  • Easy implementation
  • Software downloads not necessary
  • No hardware requirements
  • Secure, cloud-based storage
  • Easy to operate centralised management system
  • Increases profitability of Office 365
  • Highly scalable email archiving
  • Easy set up for MSPs
  • Usage easy for clients
  • Improved margins for MSPs
  • Full suite of APIs supplied for simpler integration
  • Multiple hosting options: TitanHQ Cloud, dedicated private cloud, or host the solution in your own data centre
  • Fully rebrandable (ArcTitan can be supplied in white-label form ready for your own branding)
  • Usage-based pricing and monthly billing available
  • World class customer service and support

If you are yet to start offering email archiving to your clients or if you are unhappy with your current provider, contact the TitanHQ MSP team today for full ArcTitan product information, pricing details and further information on our MSP Program.

New Variant of Dharma Ransomware Discovered

A new Dharma ransomware variant has been created that is evading detection by most antivirus engines. Heimdal Security has reported that the most recent Dharma ransomware variant captured by its researchers was identified as malware by only one of the 53 AV engines on VirusTotal.

Dharma ransomware (also referred to as CrySiS) was first spotted in 2006 and is still being developed. In 2018, several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In just the past two months, four new Dharma ransomware variants have been discovered.

The threat actors behind Dharma ransomware have claimed many victims in recent months. Recently publicized victims include Altus Baytown Hospital in Texas, the Arran Brewery in Scotland, and the Port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly makes these decryptors obsolete. Infection with the latest variants leaves victims with only three options: pay a sizeable ransom to recover files, restore files from backups, or accept permanent file loss.

The latter is not viable given the extent of the files that are encrypted. Restoring files from backups is not always possible, as Dharma ransomware can also encrypt backup files and can delete shadow copies. Paying the ransom is not advisable, as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: The exploitation of Remote Desktop protocol (RDP) and through email malspam campaigns.

The most recent Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and an HTA file. Infections take place via RDP-enabled endpoints, using brute force attempts to guess passwords. Once the password is guessed, the malicious payload is deployed.

While it is not yet known how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just prior to file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred via, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.

To safeguard against RDP attacks, RDP should be turned off unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be put in place. Rate limiting on login attempts should be set up to block login attempts after a set number of failures.
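Rate limiting and lockout stop the guessing; the complementary control is to notice a password-guessing burst against RDP in the logs and, above all, to notice when a success follows it. The following is an added example written for this article, not code from the original or from a TitanHQ product. It runs a sliding-window detector over constructed records shaped like Windows Security log events (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP); the records, IP addresses and account names are made up, and the threshold and window are the example's own assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): time, event id, logon type,
# source IP, account. 4625 = failed logon, 4624 = successful logon;
# logon type 10 = RemoteInteractive (RDP). Only one record is non-RDP (type 3).
SAMPLE_EVENTS = """\
2018-11-20T03:14:01 4625 10 203.0.113.7 administrator
2018-11-20T03:14:09 4625 10 203.0.113.7 admin
2018-11-20T03:14:20 4625 10 203.0.113.7 backup
2018-11-20T03:14:31 4625 3 203.0.113.7 backup
2018-11-20T03:14:44 4625 10 203.0.113.7 sysadmin
2018-11-20T03:15:02 4625 10 203.0.113.7 administrator
2018-11-20T03:15:30 4625 10 203.0.113.7 jsmith
2018-11-20T03:16:10 4624 10 203.0.113.7 jsmith
2018-11-20T08:00:00 4625 10 198.51.100.4 jsmith
2018-11-20T08:05:00 4625 10 198.51.100.4 jsmith
2018-11-20T08:11:00 4625 10 198.51.100.4 jsmith
2018-11-20T08:11:30 4624 10 198.51.100.4 jsmith
"""


def parse_event(line):
    """Split one constructed record into typed fields."""
    ts, event_id, logon_type, ip, account = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), ip, account


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detector. Emits a 'burst' alert the first time a source IP
    reaches `threshold` RDP logon failures inside `window`, and a
    'success_after_burst' alert if a logon from that IP then succeeds within
    `window` of its last failure (the sign that the guessing worked)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    accounts = defaultdict(set)   # ip -> account names tried
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, account = parse_event(line)
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            q = recent[ip]
            q.append(ts)
            accounts[ip].add(account)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "burst", "ip": ip, "time": ts,
                               "failures": len(q), "accounts": sorted(accounts[ip])})
        elif event_id == 4624:
            q = recent[ip]
            if ip in alerted and q and ts - q[-1] <= window:
                alerts.append({"type": "success_after_burst", "ip": ip,
                               "time": ts, "account": account})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the sample data the first IP trips the burst rule at its fifth failure and then logs in as `jsmith` 40 seconds later, which is the event that should page someone; the second IP's three spread-out failures followed by a success never reach the threshold and stay quiet.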

Good backup policies are also essential, since they mean that file recovery is possible without payment of a ransom. Multiple copies of backups should be made, with one copy held securely off site.

To safeguard against email-based attacks, an advanced spam filter is necessary. Spam filters that rely solely on AV engines may not detect the latest ransomware variants, so advanced analysis of incoming messages is vital.

SpamTitan enhances protection for companies through a combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been added to AV engines.

For additional information on SpamTitan and safeguarding your email gateway from ransomware attacks and other threats, contact TitanHQ’s security experts today.

New WebTitan and ArcTitan Integrations as Z Services Expands Partnership with Titan HQ

TitanHQ has recently expanded its partnership with Z Services, the leading SaaS provider of cloud-based cybersecurity solutions in the MENA region, which will result in new WebTitan and ArcTitan integrations.

Z Services operates 17 secure data centers in the UAE (its base location), Qatar, Egypt, Saudi Arabia, Morocco, Jordan, Kuwait, Oman, and Bahrain. It is the only company in the Middle East and North Africa to offer a multi-tenant, cloud-based, in-country cybersecurity architecture.

Z Services partnered with TitanHQ in February 2017 and integrated TitanHQ’s award-winning email filtering technology into its service stack. This enabled Z Services to start offering SpamTitan-powered Z Services Anti-Spam SaaS to its clients. TitanHQ’s email filtering technology now also enables Z Services’ clients to filter out spam email and protect against sophisticated email-based threats such as malware, viruses, ransomware, botnets, phishing and spear phishing.

Since the integration proved to be such a success for Z Services, the firm has now decided to take its partnership with TitanHQ to the next level by integrating two new TitanHQ-powered SaaS solutions into its service stack. WebTitan, TitanHQ’s award-winning web filtering technology, and ArcTitan, its innovative email archiving solution, have now both been incorporated into Z Services’ MERALE SaaS offering. MERALE has been specifically developed to meet the needs of small to medium sized enterprises for cybersecurity, threat protection, and compliance solutions.

“With cybersecurity growing as a critical business concern across the region, there is a clear need to make security an operational rather than a capital expense. Hence the paradigm shift in the delivery of effective security solutions from the traditional investment and delivery model to an agile SaaS model through the primary connectivity provider of SMEs – the ISPs,” explained Z Services’ President for the Middle East and North Africa, Nidal Taha. “MERALE will be a game-changer in how small and medium businesses in the region ensure their protection, and as a subscription-based service, it removes the need for heavy investments and long-term commitments.”

Speaking from Titan HQ’s point of view, CEO Ronan Kavanagh said “We are delighted to continue our successful partnership with Z Services and share their vision for serving the SME segment with leading edge SaaS based security solutions. With this development Z Services is strengthening its leadership position as an innovative cloud-based cybersecurity solutions provider in the Middle East and North Africa.”

TitanHQ’s cloud-based cybersecurity solutions have been developed specifically to meet the needs of Managed Service Providers. More than 7,500 businesses worldwide are currently using the email filtering, web filtering, and email archiving solutions supplied by TitanHQ and more than 1,500 MSPs are now offering TitanHQ solutions to their clients.

When compared to many other cybersecurity solution providers, TitanHQ offers its products with a range of hosting options (including within an MSP’s own infrastructure), as full white label solutions ready for MSPs to apply their own branding. Through offering their clients TitanHQ solutions MSPs are able to significantly reduce costs related to support and engineering. They achieve this by blocking a wide range of cyber threats at source. MSPs also benefit from generous margins and world class customer service and support.

If you are an MSP and have not yet incorporated email filtering, web filtering, and email archiving solutions into your service stack, if you are unhappy with your current providers, or are looking to increase profits significantly while also ensuring your clients have the best protection against email and web-based threats, contact TitanHQ today for further information.

Users with Valid SSL Certificates Being Tricked by CloudFlare IPFS Gateway Phishing Forms

The CloudFlare IPFS gateway has only recently been made publicly available, but it is already being used by phishers to serve malicious content. Cloudflare IPFS gateway phishing attacks are likely to have a good success rate, as some of the checks carried out by end users to confirm the legitimacy of domains will not raise red flags.

IPFS is a P2P system that permits files to be shared easily across a network and accessed through a web browser. Content is distributed to different nodes across the network. The system can be used to host websites, and CloudFlare has made this process simpler by offering free SSL certificates and allowing domains to be easily linked to IPFS.

If phishers host their phishing forms on CloudFlare IPFS, they can use CloudFlare’s SSL certificate. Since the phishing page will begin with cloudflare-ipfs.com, this adds legitimacy. The CloudFlare-owned domain is more likely to be trusted than other phishing domains.

When CloudFlare IPFS Gateway phishing forms are visited, visitors will be told that the webpage is secure: the URL starts with HTTPS and a green padlock is displayed. If the visitor takes the time to check the certificate information for the web page, they will find it has been issued to cloudflare-ipfs.com by CloudFlare Inc., and the certificate is authentic. The browser will not display any warning, and the CloudFlare IPFS Gateway phishing content will therefore seem genuine.

At least one threat actor is using the CloudFlare IPFS Gateway for phishing and is hosting forms that state they are standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with proper logos.

If a visitor fills out the form, their credentials are forwarded to the operator of a known phishing domain – searchurl.bid – and the user is shown a document about business models, strategy and innovation, so even this step may not raise a red flag.

The CloudFlare IPFS Gateway phishing strategy is like that used on Azure Blob storage, which also takes advantage of legitimate SSL certificates. In that case the certificate is Microsoft’s.

It is becoming more and more important for phishers to use HTTPS for hosting phishing content. As more businesses change from HTTP to HTTPS, and browsers such as Chrome now display warnings to users about insecure sites, phishers have similarly had to move to HTTPS. Both the CloudFlare IPFS Gateway and Azure Blob storage offer a simple way to do this.

In both cases, links to the malicious forms are distributed via spam email. One of the most common approaches is to include an email attachment containing a button that must be clicked to view the content. The user is told that the content of the file is secured and that their work email login credentials must be entered in order to view it. The document may be an invoice, purchase order, or a scanned document that needs to be reviewed.

The rise in use of cloud platforms to host phishing content makes it more important than ever for groups to set up advanced phishing defenses. A strong spam filter such as SpamTitan should be used to block the initial emails and prevent them from being sent to end users’ inboxes. These phishing tactics should also be included in security awareness training to raise awareness of the threat and to warn users that SSL certificates do not necessarily mean the content of a web page is authentic. Web filtering solutions are also vital for restricting access to known malicious web pages, should a user click on a malicious link.

Universities Targeted as Hackers Search for Valuable Research Data

Hackers have been targeting universities extensively in the last year, according to figures recently released by Kaspersky Lab.

Universities store very valuable information, as research groups collate valuable proprietary data, and the results of research studies are particularly valuable. It may not be possible to sell such data as easily as credit card numbers and Social Security numbers, but there are certainly buyers who will pay top dollar for valuable research. Nation state sponsored hacking groups are focusing on universities, and independent hacking groups are getting in on the act and carrying out cyberattacks on universities as well.

There are many possible attack vectors that can be used to gain access to university systems. Software flaws that have yet to be patched can be exploited, misconfigured cloud services such as unsecured S3 buckets can be accessed, and brute force attempts can be used to guess passwords. However, phishing attacks on universities are frequently seen.

Phishing is often linked with scams to obtain credit card information or login details to Office 365 accounts, with companies and healthcare groups often targeted. Universities are also in the firing line and are being attacked.

The reason phishing is so common is that it is often the simplest way to access targeted networks, or at least to gain a foothold for further attacks. Universities are naturally careful about protecting their research, and security controls are usually implemented accordingly. Phishing allows those controls to be bypassed relatively easily.

A successful phishing attack on a student may not result in much damage, at least initially. However, once access to their email account is obtained, it can be used for additional phishing attacks on lecturers for example.

Spear phishing attacks on lecturers and research associates offer a more direct route. They are likely to have higher privileges and access to sought-after research data. Their accounts are also likely to contain other interesting and useful information that can be used in a wide variety of secondary attacks.

Email-based attacks can include malicious attachments that deliver information-stealing malware such as keyloggers, although many of the latest attacks have used links to fake university login web pages. The login pages are identical copies of the genuine login pages used by universities, the only difference being the URL on which the page is hosted.

Kaspersky Lab has revealed that over 1,000 phishing attacks on universities have been detected in the past 12 months, with 131 universities targeted. Those universities are spread across 16 different countries, although 83 of the 131 were in the United States.

Stopping phishing attacks on universities, staff, and students requires a multi-layered approach. Technical security measures must be implemented to reduce risk, such as an advanced spam filter to block most phishing emails and stop them reaching end users. A web filtering solution is vital for restricting access to phishing websites and web pages hosting malware. Multi-factor authentication is also vital to ensure that if credentials are compromised or passwords are guessed, an additional form of authentication is required to gain access to accounts.

As a last line of defense, staff and students should be trained so they are aware of the risk from phishing.

Office 365 Phishing Attacks Using Cloud Service Providers’ SSL Certificates

Office 365 phishing attacks are widespread and very realistic, and Office 365 spam filtering controls are easily bypassed by cybercriminals to ensure messages land in inboxes. Further, phishing forms are being hosted on webpages that are secured with valid Microsoft SSL certificates to trick users into believing that the websites are genuine.

Should a phishing email get past perimeter defenses and arrive in an inbox, there are often many giveaway signs that the email is not genuine.

There are often spelling errors and bad grammar, and the messages are sent from suspicious senders or domains. To improve the response rate, cybercriminals are now spending much more time carefully crafting their phishing emails, and they are often virtually indistinguishable from real communications from the brand they are spoofing. Formatting-wise, they are carbon copies of real emails, complete with the branding, contact information, sender details, and logos of the business being spoofed. The subject is perfectly realistic and the content well composed. The actions the user is asked to take are perfectly plausible.

Hyperlinks are included in emails that direct users to a website where they are asked to enter their login credentials. At this stage of the phishing attack there are usually more indications that all is not as it seems. A warning may flash up that the website may not be authentic, the website may begin with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the company that the website is spoofing.

Even these tell-tale signs are not always present, as has been shown in many recent Office 365 phishing attacks, which have had phishing forms hosted on webpages with valid Microsoft SSL certificates or SSL certificates issued to other cloud service providers such as CloudFlare, DocuSign, or Google.
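The point made here, and in the CloudFlare IPFS piece above, is that a valid certificate and a padlock prove only that the connection is encrypted to whoever controls the host, not that the host belongs to the brand on the page. The following is an added example, not code from the original article or from a TitanHQ product, showing how a URL check in a gateway or awareness tool can encode that distinction: it looks for brand keywords in the URL, then asks whether the host is a domain the brand actually uses, a shared platform named on this page (cloudflare-ipfs.com, blob.core.windows.net), or something else. The brand domain and keyword lists are the example's own assumptions, and the sample URLs are constructed.

```python
from urllib.parse import urlparse

# Assumed lists (not from the page): domains where these brands legitimately host
# login pages, and keywords that suggest a page is imitating the brand.
BRAND_LOGIN_DOMAINS = {
    "microsoft": ("microsoftonline.com", "office.com", "live.com", "microsoft.com"),
    "docusign": ("docusign.com",),
}
BRAND_KEYWORDS = {
    "microsoft": ("office365", "office-365", "o365", "microsoft", "outlook",
                  "azure", "sharepoint", "onedrive"),
    "docusign": ("docusign",),
}
# Shared platforms named on the page: anyone can publish content under the
# platform's own, perfectly valid, certificate.
SHARED_HOSTING_SUFFIXES = ("cloudflare-ipfs.com", "blob.core.windows.net")


def _host_under(host, suffix):
    """True if host is the suffix domain itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def assess_login_url(url):
    """Return a verdict on a URL that presents a login form. The scheme is
    reported but deliberately not used in the verdict: HTTPS and a valid
    certificate only prove encryption, not that the page belongs to the brand."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    lowered = url.lower()
    brand = next((b for b, kws in BRAND_KEYWORDS.items()
                  if any(k in lowered for k in kws)), None)

    if brand and any(_host_under(host, d) for d in BRAND_LOGIN_DOMAINS[brand]):
        verdict = "trusted_brand_domain"
    elif any(_host_under(host, s) for s in SHARED_HOSTING_SUFFIXES):
        verdict = "shared_platform"          # certificate belongs to the platform, not the brand
    elif brand:
        verdict = "brand_on_unknown_domain"  # brand name used on a domain the brand does not own
    else:
        verdict = "no_brand_keyword"
    return {"host": host, "https": parsed.scheme == "https",
            "brand_hint": brand, "verdict": verdict}


if __name__ == "__main__":
    # Constructed URLs; the IPFS hash is a placeholder, not a real object.
    for u in ("https://cloudflare-ipfs.com/ipfs/QmCONSTRUCTEDHASH/office365/index.html",
              "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
              "https://files123.blob.core.windows.net/share/docusign.html",
              "http://secure-docusign.example.net/view"):
        print(assess_login_url(u))
```

Both phishing cases on the page come back as `shared_platform` with `https` set to True, which is the combination a user (or a filter) should treat as a warning rather than reassurance; the genuine Microsoft sign-in URL is the only one that lands on a brand-owned domain.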

To greatly enhance your security measures you will require a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and supplies superior protection against advanced phishing attacks, new malware, and complex email attacks to ensure malicious messages are restricted or quarantined rather than being sent to end users’ inboxes. Some of the additional security measures supplied by SpamTitan against Office 365 phishing attacks are detailed in the image here:

To find out more about making Office 365 more secure and how SpamTitan can benefit your company, contact TitanHQ. Our highly experienced sales consultants will be able to advise you on the full range of benefits of SpamTitan, the best deployment option, and can offer you a free trial to allow you to personally evaluate the solution before committing to a purchase.


Chinese and English Speakers Targeted by New RaaS Variant of FilesLocker Ransomware

FilesLocker, a newly discovered ransomware threat, is currently being offered as ransomware-as-a-service (RaaS) via a TOR malware forum. FilesLocker ransomware is not an extremely sophisticated ransomware variant, but it still poses a major threat.

FilesLocker ransomware is a dual language ransomware variant that shows ransom notes in both Chinese and English. MalwareHunterTeam has found a Chinese forum on TOR where it is being offered to affiliates to distribute for a percentage of the ransom payments.

Unless advertised more widely, the number of affiliates that sign up may be limited, although it may prove popular. There are a number of features which could see this ransomware variant favored over other RaaS offerings, notably a sliding scale of commissions. The developers are offering a 60% cut of ransoms, rising to 75% if sufficiently high numbers of infections can be generated.

While relatively straightforward, FilesLocker ransomware still uses an RSA-2048 + AES scheme to encrypt files, and it deletes Windows shadow copies to hamper efforts to recover files without paying the ransom. FilesLocker is also capable of encrypting files in a disconnected (offline) network environment.

No server is needed, and the ransomware works on all Windows versions later than XP, plus 32-bit and 64-bit Windows Server. Affiliates can also easily monitor infections through a tracking feature that displays infections by country.

There is no free decryptor for FilesLocker ransomware in existence. Recovery can only be completed by restoring files from backups.

While news of a new RaaS offering is never welcome, there has at least been some good news on the ransomware front recently, at least for some victims.

GandCrab ransomware is another RaaS offering that has been for sale since January 2018. It has been widely adopted, with many affiliates using it to distribute the ransomware over the past 10 months.

A GandCrab ransomware decryptor was released by Bitdefender in February that was able to unlock files encrypted by version 1.0 and v1.1 of GandCrab ransomware. The decryptor was developed after private keys were leaked online. However, it didn’t take long for v2.0 to be released, for which no free decryptor was available. There have been a number of further updates to GandCrab ransomware over the past few months, with v5.0 released in late September.

This week, Bitdefender has revealed that after collaboration with the Romanian Police, Europol and other law enforcement bodies, a new decryption tool has been developed that permits GandCrab ransomware victims to decrypt files for free, provided they were infected with version 1, 4, or 5 of the ransomware.

The version can be deduced by the extension used on encrypted files. V1=GDCB; v2/3=CRAB; v4=KRAB; and v5 uses a completely random 10-character extension.

The free GandCrab ransomware decryptor has been posted to the NoMoreRansom Project website. Bitdefender is currently working on a free decryptor for v2 and v3 of GandCrab ransomware.

Recipe Unlimited Ryuk Ransomware Attack Leads to Restaurant Closures

What is thought to have been a Ryuk ransomware attack on Recipe Unlimited, a group of some 1,400 restaurants in Canada and North America, has forced the chain to shut down computers and temporarily close the doors of some of its restaurants while IT teams try to address the attack.

Recipe Unlimited, previously known as Cara Operations, operates pubs and restaurants under many different titles, including Harvey’s, Swiss Chalet, Kelseys, Milestones, Montana’s, East Side Mario’s, Bier Markt, Prime Pubs, and the Landing Group of Restaurants. All of these pub and restaurant brands have been impacted by the Recipe Unlimited ransomware attack.

While only a relatively small number of restaurants were forced to close, the IT outage caused widespread issues, stopping the restaurants that remained open from taking card payments from customers and using register systems to complete orders.

While it was at first unclear what caused the outage, a ransomware attack on Recipe Unlimited was later confirmed. A staff member at one of the impacted restaurants provided CBC News with a copy of the ransom note that had appeared on the desktop of one of the infected computers.

The ransom note is the same as that used by the threat actors behind Ryuk ransomware. It states that files were encrypted with “military algorithms” which cannot be decrypted without a key that is only available from them. While it is unclear exactly how much the attackers demanded to decrypt the files, they did threaten to increase the cost by 0.5 BTC (approx. $4,000 CAD) per day until contact was made. The Recipe Unlimited ransomware attack is thought to have taken place on September 28. Some restaurants remained closed on October 1.

The ransomware attack on Recipe Unlimited is just one of the recently witnessed attacks involving Ryuk ransomware. The hackers are understood to have gathered more than $640,000 in ransom payments from companies who have had no other option other than to pay for the keys to unlock their files. The ransomware attack on Recipe Unlimited did not push up that total, as Recipe Unlimited conducted regular backups and expects to be able to restore all systems and data, although naturally that will take some time.

Ransomware attacks on restaurants, businesses, healthcare suppliers, and cities are extremely common and can be incredibly costly to address. The recent City of Atlanta ransomware attack caused widespread disruption due to the massive scale of the attack, involving thousands of computers.

The cost of addressing that attack, including making upgrades to its systems, is estimated at around $17 million, according to city officials. The ransomware attack on the Colorado Department of Transportation is estimated to cost $1.5 million to resolve.

There is no straightforward solution that will block ransomware attacks, as many different vectors are used to download the malicious file-encrypting software. Preventing ransomware attacks requires defense in depth and multiple software solutions.

Spam filtering solutions should be used to stop email delivery of ransomware, web filters can be set up to prevent access to malicious websites where ransomware is downloaded, antivirus solutions may detect infections in time to block attacks, and intrusion detection systems and behavioral analytics solutions are useful to quickly identify an attack in progress and limit the harm inflicted.

All devices and software must be kept fully up to date, strong passwords should be enforced, and end users must receive training to make them aware of the danger posed by ransomware. They should be trained in security best practices and in how to identify threats. Naturally, robust backup policies are necessary to ensure that in the event of disaster, files can be recovered without having to meet the ransom demand.

New Sextortion Scam: Emails Appear to Have Been Sent from User’s Email Account

A new sextortion scam has been discovered that tries to fool the recipient of the message into believing their email account has been compromised and that their computer is under full control of the hacker.

The hackers spoof the user’s email address so that the message appears to have been sent from the user’s own email account: the sender and the recipient addresses are identical.

A quick and simple check to determine whether the displayed sender name matches the account actually used to send an email is to click forward. The display name is then shown alongside the actual email address the message was sent from. In this instance that check does not help, since the spoofed sender address is the user’s own, which makes it appear that the account has actually been compromised.

The messages used in this campaign try to extort money by suggesting the hacker has obtained access to the user’s computer by means of a computer virus. It is alleged that the virus gives the attacker the ability to review the user’s internet activities in real time and use the computer’s webcam to record the user.

The hacker claims that the virus was placed on the computer because the user visited an adult website and that, while the user was viewing internet pornography, the webcam was active and recording. “Your tastes are so weird,” states the hacker in the email.

The hacker claims that they will sync the webcam footage with the content that the user was looking at and send a copy of the video to the user’s partner, friends, and relatives. The message also claims that all of the user’s accounts have been compromised and includes an example of one of the user’s passwords.

While it is very unlikely that the password given in the email is valid for any of the user’s accounts, the message itself will still be worrying for some individuals and will be enough to persuade them to make the requested payment of $800 to have the footage erased.

This is a sextortion scam in which the hackers have no leverage: there is no virus and no webcam footage. However, it is clear that at least some recipients were not willing to take the risk.

According to security experts SecGuru, who received a version of the email in Dutch and found a similar English language version, the Bitcoin account used by the hacker had received payments of 0.37997578 Bitcoin – $3,500 – in the first two days of the attack. Now, 7 days after the first payment was completed, the earnings have grown to 1.1203 Bitcoin – $6,418 – with 15 people having paid.

A similar sextortion scam was carried out in the summer, which also had an interesting twist. It included an old password for the account that had been taken from a data dump. In that instance the password was real, at least at some point in the past, which made the scam seem authentic.
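The forward check described above fails because only the visible From header is forged. The receiving mail server records what it actually saw in the Return-Path and Authentication-Results headers, and those are where the spoofing shows. The following is an added example, not code from the article or from SecGuru: it parses two constructed messages (one spoofed self-addressed sextortion mail, one legitimate internal notice) and reports the mismatches a filter or help desk would look for. The Authentication-Results layout assumes the common `method=result` clause form.

```python
"""Spot a forged From header using the receiving server's own evidence.

Added example; not code from the original article. Both messages are
constructed for the demo. The checks (From equals To, Return-Path domain
differs from From domain, SPF or DMARC recorded as fail) are generic.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed: visible From equals the recipient, but the envelope sender
# and the SPF/DMARC verdicts show it came from elsewhere.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@attacker-example.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker-example.invalid; dkim=none; dmarc=fail header.from=example.com
From: Alice Example <alice@example.com>
To: Alice Example <alice@example.com>
Subject: Your account has been hacked

Your tastes are so weird.
"""

# Constructed: a normal internal notice that passes every check.
LEGIT_MESSAGE = """\
Return-Path: <it@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: IT Department <it@example.com>
To: Alice Example <alice@example.com>
Subject: Scheduled maintenance

No action is required.
"""


def parse_auth_results(value):
    """Turn 'authserv; spf=fail a=b; dkim=none; dmarc=fail c=d' into {'spf': 'fail', ...}."""
    results = {}
    for clause in value.split(";")[1:]:          # first clause is the authserv-id
        clause = clause.strip()
        if not clause:
            continue
        method_result = clause.split()[0]        # e.g. 'spf=fail'; properties follow it
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def check_sender(raw):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    rp_domain = return_path.rsplit("@", 1)[-1].lower() if return_path else ""

    findings = []
    if from_addr and from_addr.lower() == to_addr.lower():
        findings.append("From equals To (self-addressed)")
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} != From domain {from_domain}")
    if auth.get("spf") == "fail":
        findings.append("SPF failed")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, check_sender(raw) or "no findings")
```

The same logic is what a DMARC-aware gateway applies before delivery; when the sending domain publishes a `p=reject` DMARC policy, a self-addressed message that fails alignment like this one never reaches the inbox at all.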


Increase in Phishing Attacks on Publishers and Literary Scouting Agencies Leads to Warning

Financial entities, healthcare groups and universities have seen a growth in cyberattacks in recent times, but there has also been a rise in phishing attacks on publishers and literary scouting agencies.

Any company that stores sensitive information that can be sold for profit is in danger from cyberattacks, and publishers and literary scouting agencies are no different. Like any employer, scouting agencies and publishers hold sensitive information such as bank account numbers, credit card details, Social Security numbers, contract information, and W-2 Tax forms, all of which have a high value on the black market. The companies also normally complete wire transfers and are therefore targets for BEC hackers.

However, recently there have been many reports of phishing attacks on publishers and literary scouting agencies that attempt to obtain access to unpublished manuscripts and typescripts. These are always extremely valuable. If an advance copy of an eagerly awaited book can be obtained before it is released, there will be no shortage of fans willing to hand over money for a copy. Theft of manuscripts can result in extortion efforts with ransoms demanded to stop their publication online.

2018 has seen a major rise in phishing attacks on publishers and literary scouting agencies. At present, campaigns are being carried out by hackers who seem to have a good understanding of the sector. Highly realistic and plausible emails using the proper industry terminology are being sent to publishing houses and agencies, which suggests they are the work of an industry insider.

A rise in phishing attacks on publishers on both sides of the Atlantic has been recorded, with the threat already having led Penguin Random House North America to issue warnings to its employees about the threat. According to a recent report in The Bookseller, many publishers have been targeted with phishing schemes like this, including Penguin Random House UK and Pan Macmillan.

Safeguarding from phishing attacks requires a combination of technical solutions, policies and procedures, and employee guidance.

Publishers and scouting agencies should implement software solutions that can prevent phishing attacks and prevent malicious emails from being sent to their employees’ inboxes.

SpamTitan is a strong anti-phishing tool that blocks 99.97% of spam emails and 100% of known malware. DMARC email validation is included to detect email spoofing and stop malicious emails from arriving in employees’ inboxes.

End user training is also crucial to raise awareness of the risks of phishing. All staff should be shown how to recognize phishing emails and other email threats to ensure that they do not fall for these email scams.

If you own a publishing house or literary scouting agency and would like to improve your cyber defenses, get in touch with the TitanHQ team today for further information on cybersecurity solutions that can enhance your security posture against phishing and other email and web-based dangers.

California Wildfire Scam Alerts Issued

A California wildfire scam is underway that asks for financial donations to help the victims of the recent wildfires. The emails look like they are being sent from the CEO of a company and are directed at its employees in the accounts and finance department.

It should come as no shock that hackers are taking advantage of yet another natural disaster and are trying to con people into giving donations. Hackers often take advantage of natural disasters to pull on the heart strings and defraud companies. Similar scams were carried out following the recent hurricanes that hit the United States and caused widespread damage.

The California wildfire scam, discovered by Agari, is a form of business email compromise (BEC) attack. The emails look like they have been sent by the CEO of a company, with his/her email address used to send messages to company staff. This is often achieved by spoofing the email address, although in some instances the CEO’s email account has been compromised and is used to send the messages.

The California wildfire scam has one major red flag. Instead of asking for a monetary donation, the scammers ask for Google Play gift cards and request that the redemption codes be sent back to the CEO by return.

The emails are sent to staff in the accounts and finance sections and the emails request that the money be sent in 4 x $500 denomination gift cards. If these are returned to the CEO, he/she will then forward them on to company clients that have been impacted by the California wildfires.

Google Play gift cards are sought because they can easily be exchanged on the darknet for other currencies, and the gift cards are virtually impossible to trace back to the hacker.

The messages are full of grammatical mistakes. However, scams such as this are conducted because they work. Many people have been fooled by similar scams previously.

Safeguarding against scams such as this requires technical controls, end user training and strong company policies. An advanced spam filtering solution should be implemented – SpamTitan for instance – to prevent messages such as these from landing in inboxes. SpamTitan reviews all incoming emails for spam signatures and uses advanced methods such as heuristics, machine learning, and Bayesian analysis to identify advanced and never-before-seen phishing campaigns.

End user training is vital for all staff, especially those with access to corporate bank accounts, as those people are regularly targeted by hackers. Policies should be introduced that require all requests for changes to bank account details, atypical payment requests, and wire transfers above a certain threshold to be approved by phone or in person before they are authorized.
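The Bayesian analysis mentioned above is one of the oldest content-based spam filtering techniques: the filter learns which words are more common in scam mail than in legitimate mail and combines that evidence per message. The following is an added example, not SpamTitan’s implementation or any code from the article: a minimal multinomial naive Bayes classifier with add-one smoothing, trained on a constructed handful of gift card BEC lures and routine office mail. The training set is tiny and only illustrates the mechanics; a real filter trains on large corpora and combines the score with the sender, header and reputation checks also named in the text.

```python
"""Tiny Bayesian text classifier of the kind spam filters use.

Added example, not SpamTitan's code. The corpus below is constructed and
far too small for production use; it shows the mechanics: per-class word
frequencies, add-one (Laplace) smoothing, and log-probability scoring.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class NaiveBayes:
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        tokens = tokenize(text)
        self.word_counts[label].update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def _log_prob(self, tokens, label):
        """log P(label) + sum over tokens of log P(token | label), with add-one smoothing."""
        total_docs = sum(self.doc_counts.values())
        logp = math.log(self.doc_counts[label] / total_docs)
        counts = self.word_counts[label]
        denom = sum(counts.values()) + len(self.vocab)
        for tok in tokens:
            logp += math.log((counts[tok] + 1) / denom)
        return logp

    def spam_probability(self, text):
        # Words never seen in training carry no evidence either way, so drop them.
        tokens = [t for t in tokenize(text) if t in self.vocab]
        log_spam = self._log_prob(tokens, "spam")
        log_ham = self._log_prob(tokens, "ham")
        diff = log_ham - log_spam
        if diff > 700:            # avoid math.exp overflow on extreme log-odds
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training data: gift card BEC lures versus routine office mail.
SPAM_TRAINING = [
    "Are you at your desk? I need you to purchase gift cards for our clients urgently. Reply with the redemption codes.",
    "I need 4 google play gift cards of $500 each for a charity donation. Send me the codes as soon as you buy them.",
    "This is urgent and confidential. Buy the gift cards now and email me the redemption codes, I am in a meeting.",
    "Please get iTunes gift cards for the wildfire victims today and scratch off the codes and send them to me.",
]
HAM_TRAINING = [
    "Attached is the agenda for tomorrow's team meeting, please review before we start.",
    "The quarterly report is ready for review, let me know if you have any questions.",
    "Reminder that the office will be closed on Monday for the public holiday.",
    "Can you send me the updated budget spreadsheet when you have a moment?",
]

# Constructed messages to score after training.
SPAM_TEST = "Please buy 4 google play gift cards and send me the redemption codes today"
HAM_TEST = "Attached is the agenda for tomorrow's meeting, please review the report"


def build_classifier():
    clf = NaiveBayes()
    for text in SPAM_TRAINING:
        clf.train(text, "spam")
    for text in HAM_TRAINING:
        clf.train(text, "ham")
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    for text in (SPAM_TEST, HAM_TEST):
        print(f"{clf.spam_probability(text):.3f} {clf.classify(text):5} {text}")
```

Note how the words carrying the decision here (gift, cards, codes, redemption) are exactly the terms the wildfire lure relies on; that is also why scammers vary wording and why a filter cannot rely on Bayesian scoring alone.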


Stealthy sLoad Downloader Performs Extensive Reconnaissance Before Delivering Payload

In recent months, new, versatile malware downloaders have been discovered that gather a significant amount of data about a user’s system before deploying a malicious payload on it.

Marap malware and Xbash are two notable recent examples. Marap fingerprints a system and can install additional modules based on the results of the initial reconnaissance. Xbash also surveys the system, determines whether it is better suited to cryptocurrency mining or a ransomware attack, and deploys its payload accordingly.

A further versatile and stealthy malware variant, the sLoad downloader, can now be added to that list. sLoad was first discovered in May 2018, so it predates both of the above malware variants, although its use has been increasing.

The main aim of sLoad appears to be reconnaissance. Once installed on a system, it determines the location of the device from its IP address, performs several checks to identify the type of system and the software that is running, and determines whether it is on a real device or in a sandbox environment. It checks the processes running on the system against a hardcoded list and will exit if certain security software is installed, to avoid detection.

Once the system is suitable, a full scan of all running processes will be completed. The sLoad installer will search for Microsoft Outlook files, ICA files associated with Citrix, and other system information. sLoad is capable of capturing screenshots and searches the browser history looking for specific banking domains. All of this data is then fed back to the hackers’ C2 server.

Once the system has been fingerprinted, further malware variants are installed, primarily banking Trojans. Geofencing is used widely by the threat actors using sLoad which helps to ensure that banking Trojans are only placed on systems where they are likely to be effective – if the victim uses one of the banks that the Trojan is targeting.

In most of the campaigns seen so far, the banking Trojan of choice has been Ramnit. The attacks have also been very focused on specific countries including Canada, and latterly Italy and the United Kingdom – locations which are currently being attacked by Ramnit. Other malware variants linked to the sLoad downloader include the remote desktop tool DarkVNC, the Ursnif information stealer, DreamBot, and PsiBot.

The sLoad downloader is almost exclusively sent through spam email, with the campaigns often containing personal information such as the target’s name and address. While there have been many email subjects used, most commonly the emails relate to purchase orders, shipping notifications and missed packages.

The emails include Word documents with malicious macros in ZIP files, or alternatively embedded hyperlinks which download the ZIP file if clicked.

The sLoad downloader may be stealthy and versatile, but the threat can be blocked with an advanced spam filter. End user training to condition staff never to click hyperlinks or open attachments from unknown senders, and never to enable macros, will also help to stop infection. Web filtering solutions supply an additional layer of protection by blocking attempts to download malicious files from the Internet.

Updated Version of Azorult Malware Being Shared via RIG Exploit Kit

An updated version of Azorult malware has been discovered. The most recent version of the data stealer and malware downloader has already been deployed in attacks and is being shared via the RIG exploit kit.

Azorult malware is mainly an information stealer which is used to steal usernames and passwords, credit card numbers, and other data including browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities included.

Azorult malware was first spotted in 2016 by researchers at Proofpoint and has since been deployed in a large number of attacks via exploit kits and phishing email campaigns. The latter have used hyperlinks to malicious sites, or more commonly, malicious Word files with malware downloaders.

In 2016, the malware variant was first installed with the Chthonic banking Trojan, although more recent campaigns have seen Azorult malware deployed as the primary malware payload. This year has seen many different threat actors pair the information stealer with a secondary ransomware payload.

Campaigns have been noticed using Hermes and Aurora ransomware as secondary payloads. In both campaigns, the main aim is to obtain login credentials to raid bank accounts and cryptocurrency wallets. When all useful information has been taken, the ransomware is activated, and a ransom payment is requested to decrypt the files.

A new version of Azorult was distributed in July 2018 – version 3.2 – which included significant improvements to both its stealer and downloader functions. Now Proofpoint researchers have discovered a new variant – version 3.3 – which has already been added to RIG. The new variant was on the market shortly after the source code for the previous version was leaked online.

The new variant uses an alternative method of encryption, has improved cryptocurrency-stealing functionality that permits the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be stolen, and has a new and improved loader and a new admin panel. The latest version has a lower detection rate by AV software, ensuring more installations.

The RIG exploit kit uses exploits for known flaws in Internet Explorer and Flash Player, together with JavaScript and VBScript, to download Azorult.

If your operating systems and software are always fully patched and current you will be protected against these exploit kit downloads, as the vulnerabilities targeted by RIG are not new. However, many businesses are slow to apply patches, which need to be thoroughly tested. It is therefore strongly advisable to also use a web filtering solution such as WebTitan to provide additional protection against exploit kit malware downloads. WebTitan stops end users from visiting malicious websites such as those hosting exploit kits.

The most recent version of Azorult malware was first put on sale on October 4. It is possible that other threat actors will buy the malware and distribute it via phishing emails, as was the case with older versions. It is therefore wise to also put in place an advanced spam filter and ensure that end users are shown how to recognize malicious emails.

New Version of Azorult Malware Being Distributed via RIG Exploit Kit

An updated strain of Azorult malware has been discovered. The data stealer and downloader has already been used in attacks and is being shared using the RIG exploit kit.

Azorult malware is mainly an information gatherer which is used to obtain usernames and passwords, credit card details, and other data including browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities included.

Azorult malware was first discovered in 2016 by researchers at Proofpoint and has since been utilized in a large number of attacks through exploit kits and phishing email campaigns. The latter have used links to malicious sites, or more typically, malicious Word files including malware downloaders.

Back in 2016, the malware variant was first installed in tandem with the Chthonic banking Trojan, although later campaigns have seen Azorult malware deployed as the primary malware payload. 2018 has seen multiple threat actors pair the information stealer with an accompanying ransomware payload.

Campaigns have been identified using Hermes and Aurora ransomware as secondary payloads. In both attacks, the initial aim is to steal login details to raid bank accounts and cryptocurrency wallets. When all useful data has been obtained, the ransomware is enabled, and a ransom payment is requested to decrypt the files.

A new strain of Azorult was issued in July 2018 – version 3.2 – which contained major improvements to both its stealer and downloader functions. Now Proofpoint researchers have discovered a new variant – version 3.3 – which has already been included with RIG. The new variant was released just after the source code for the previous version was leaked on the Internet.

The new variant uses an alternative method of encryption, has enhanced cryptocurrency-stealing functionality that allows the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be obtained, and has a new and improved loader and an updated admin panel. The latest version is more difficult for AV software to detect, ensuring more installations.

The RIG exploit kit uses exploits for known flaws in Internet Explorer and Flash Player, together with JavaScript and VBScript, to install Azorult.

If your operating systems and software are kept fully updated you will be safeguarded against these exploit kit downloads as the vulnerabilities exploited by RIG are not new. However, many businesses are slow to apply patches, which need to be extensively tested. It is therefore important to also deploy a web filtering solution.

XMRig Cryptocurrency Miner Installed Using Fake Adobe Flash Updates

Using fake software updates to spread malware is not a new phenomenon, but a new malware campaign has been discovered that is quite different. Fake Adobe Flash updates are being spread that actually do update the user’s Flash version, albeit with the addition of the XMRig cryptocurrency miner.

The campaign deploys pop-up notifications that are an exact replica of the authentic notifications used by Adobe, telling the user that their Flash version needs to be updated. Clicking on the install button, as with the authentic notifications, will update users’ Flash to the most recent version. However, in the background, the XMRig cryptocurrency miner is also downloaded and installed. Once downloaded, XMRig will operate silently in the background, unbeknown to the user.

The campaign was discovered by security experts at Palo Alto Networks’ Unit 42 team. The researchers found several Windows executable files with names beginning with AdobeFlashPlayer that were hosted on cloud servers not controlled by Adobe.

A review of network traffic during the infection process revealed that most of the traffic was connected to updating Adobe Flash from an Adobe-controlled domain, but that soon changed to traffic to a domain associated with downloaders known to push cryptocurrency miners. Traffic was later identified over TCP port 14444 that was associated with the XMRig cryptocurrency miner.

Additional analysis of the campaign showed it has been operating since mid-August, with activity increasing in September when the fake Adobe Flash updates started to be distributed more widely.

End users are unlikely to notice the downloading and installation of the XMRig cryptocurrency miner, but there is likely to be a noticeable slowdown in the operation of their computer. The installation of the XMRig cryptocurrency miner may be stealthy, but when it runs it takes up almost all of the computer’s CPU for cryptocurrency mining. Any user that reviews Task Manager will see Explorer.exe hogging their CPU. As with the majority of cryptocurrency miners, XMRig mines Monero. What is not currently obvious is which websites are distributing the fake Adobe Flash updates, or how traffic is being sent to those sites.
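The network indicator in the Unit 42 analysis (a long-lived connection to TCP port 14444 following what looked like an ordinary update) is the kind of thing connection logs surface well. The following is an added example, not code from Unit 42 or the article: it reads a handful of constructed connection records in a Zeek conn.log-like tab-separated layout and reports hosts holding connections to mining pool ports or long-lived connections to uncommon ports. Port 14444 is the one the article names; the other ports in `MINING_PORTS` and the duration threshold are assumptions to tune for your environment.

```python
"""Look for cryptominer pool traffic in connection logs.

Added example, not from Unit 42 or the article. The log lines are
constructed. TCP/14444 is the port named in the article for XMRig; the
remaining MINING_PORTS entries are an assumption (ports commonly seen on
stratum mining pools), as is the 300 s long-lived threshold.
"""
import csv
import io
from collections import defaultdict

MINING_PORTS = {14444, 3333, 4444, 5555, 7777, 45700}   # 14444 from the article; rest assumed
LONG_LIVED_SECONDS = 300.0   # a miner keeps one pool connection open for a long time
COMMON_PORTS = {25, 53, 80, 123, 443, 465, 587, 993, 995}

FIELDS = ["ts", "src", "src_port", "dst", "dst_port", "proto", "duration", "orig_bytes", "resp_bytes"]

# Constructed records: 10.0.0.5 updates over 443 and then opens an hour-long
# session to 14444; 10.0.0.8 is benign; 10.0.0.9 talks to 3333 for 30 minutes.
SAMPLE_CONN_LOG = """\
1538400000.1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\t1.2\t800\t42000
1538400010.4\t10.0.0.5\t51001\t203.0.113.10\t443\ttcp\t2.5\t600\t910000
1538400020.7\t10.0.0.5\t51002\t198.51.100.7\t14444\ttcp\t3600.0\t51200\t48900
1538400030.0\t10.0.0.8\t52000\t93.184.216.34\t443\ttcp\t0.9\t700\t15000
1538400031.0\t10.0.0.8\t52001\t198.51.100.9\t8080\ttcp\t2.0\t300\t1200
1538400040.0\t10.0.0.9\t53000\t198.51.100.20\t3333\ttcp\t1800.0\t20000\t18000
1538400050.0\t10.0.0.12\t54000\t198.51.100.30\t9001\ttcp\t900.0\t4000\t4000
"""


def parse_conn_log(text):
    """Parse tab-separated connection records into dicts with typed port/duration."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t")
    rows = []
    for row in reader:
        row["dst_port"] = int(row["dst_port"])
        row["duration"] = float(row["duration"])
        rows.append(row)
    return rows


def find_mining_suspects(rows):
    """Map source host -> reasons. Flags any connection to a known mining port,
    and long-lived connections to ports that are not ordinary client traffic."""
    suspects = defaultdict(list)
    for row in rows:
        port, duration = row["dst_port"], row["duration"]
        if port in MINING_PORTS:
            suspects[row["src"]].append(
                f"connection to mining pool port {port} at {row['dst']} ({duration:.0f}s)")
        elif port not in COMMON_PORTS and duration >= LONG_LIVED_SECONDS:
            suspects[row["src"]].append(
                f"long-lived connection ({duration:.0f}s) to uncommon port {port} at {row['dst']}")
    return dict(suspects)


if __name__ == "__main__":
    for host, reasons in find_mining_suspects(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The second rule catches the case the port list misses: a miner pointed at a pool on an unusual port still looks like one long session to an address the host otherwise never talks to, which is also what makes the Task Manager symptom described above worth correlating with the network view.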

Any alert about a software update that pops up while browsing the internet should be dealt with as suspicious. The window should be shut, and the official website of that software supplier should be visited to determine if an update is required. Software updates should only ever be installed from official websites, in the case of Adobe Flash, that is Adobe.com.

The Palo Alto experts say “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”

Anthem Data Breach Settlement for Spear Phishing Attack is $16 Million

Following a massive data breach in 2015 in which 78.8 million health plan records were stolen, Anthem Inc. has settled a class action lawsuit for $115 million, and OCR has now agreed a $16 million data breach settlement with the health insurer.

Before the announcement of the settlement, the unenviable record for the largest healthcare data breach was held by Science Applications International Corporation, a vendor used by healthcare groups, which suffered a 4.9 million-record breach in 2011. The Anthem data breach was on a completely different scale.

The hacking group responsible for the Anthem data breach was clearly skilled. Mandiant, the cybersecurity company that assisted with the investigation, suspected the attack was a nation-state funded cyberattack. The hackers managed to obtain access to Anthem’s data warehouse and downloaded a huge volume of data undetected. The time from the first attack to discovery was almost a year.

While the attack was complex, a foothold in the network was not obtained through an elaborate hack or zero-day exploit but through phishing emails.

At least one staff member responded to a spear phishing email, sent to one of Anthem’s subsidiaries, which gave the hackers the entry point they needed to launch another attack and gain access to Anthem’s health plan member database.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) looks into healthcare data breaches that lead to the exposure or theft of 500 or more records. An in-depth review of the Anthem breach was therefore a certainty given its size. A fine for non-compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules was a very likely outcome as HIPAA requires healthcare groups to safeguard health data. The scale of the breach also made it likely that it would lead to the largest ever penalty for a healthcare data breach.

Previous to the Anthem data breach settlement, the largest fine for a healthcare data breach was $5.55 million, which was agreed between OCR and Advocate Health Care Network in 2016. The Anthem data breach settlement was almost three times that figure, which reflected the seriousness of the breach, the number of people affected, and the extent to which HIPAA Rules were alleged to have been breached.

OCR claimed that Anthem Inc. had breached five provisions of HIPAA Rules, and by doing so failed to stop the breach and limit its severity. The Anthem data breach settlement was however agreed with no admission of liability.

The regulatory fine is just a small fraction of the total cost of the Anthem data breach. On top of the Anthem data breach settlement with OCR, Anthem faced multiple legal actions in the wake of the data breach. The consolidated class action lawsuit was settled by Anthem in January 2018 for $115 million.

The class action settlement document showed that Anthem had already paid $2.5 million to consultants in the wake of the breach, $31 million was spent mailing alert letters, $115 million went on enhancements to security, and $112 million was paid to provide identity theft protection and credit monitoring services to affected plan subscribers.

With the $115 million class action settlement and the $16 million OCR settlement, that brings the overall cost of the Anthem data breach to $391.5 million.

At $391.5 million, that makes this the most costly healthcare phishing campaign by some distance and the cost clearly emphasises just how important it is to implement a defense-in-depth strategy to safeguard against phishing attacks.

Cloud Service Providers’ SSL Certificates Targeted by Office 365 Phishing Attacks

Office 365 phishing attacks are widely witnessed and very realistic, with Office 365 spam filtering controls easily bypassed by scammers to ensure messages reach inboxes.

Additionally, phishing forms are being hosted on webpages that are secured with valid Microsoft SSL certificates to fool users into believing the websites are genuine.

If a phishing email makes it past perimeter defenses and arrives in an inbox, there are usually a number of tell-tale signs that the email is not genuine.

There are often spelling mistakes and incorrect grammar, and the messages are sent from questionable senders or domains. To bolster the response rate, scammers are now spending much more time carefully crafting their phishing emails, and they are often virtually indistinguishable from real communications from the brand they are spoofing. In terms of style, they are carbon copies of genuine emails complete with the branding, contact details, sender details, and logos of the company being spoofed. The subject is perfectly believable and the content well written. The actions the user is asked to complete are perfectly plausible.

Hyperlinks in the emails bring users to a website where they are asked to enter their login credentials. At this stage of the phishing attack there are usually additional signs that all is not as it seems. A warning may be included in a pop-up to say that the website may not be genuine, the website may begin with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the business that the website is spoofing.

Even these tell-tale signs are not always evident, as has been shown in many recent Office 365 phishing attacks, which have the phishing forms hosted on webpages that have genuine Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.

Office 365 users are being targeted by scammers because they know Office 365 phishing controls can easily be bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed that even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for the security offered. With only the basic Exchange Online Protection, the protection was worse still.

Whether you operate an SMB or a large enterprise, you are likely to be sent high volumes of spam and phishing emails and many messages will be delivered to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as dangerous, it is probable that all but the most experienced, well trained, security conscious workers will be tricked. What is therefore needed is an advanced third-party spam filtering solution that will work in tandem with Office 365 spam filtering controls to provide far greater security.

While Office 365 will block spam emails and phishing emails (Osterman Research showed it blocks 100% of known malware), it has been shown to lack performance against advanced phishing threats like spear phishing.

Office 365 does not have the same range of predictive technology as dedicated on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing attacks.

To enhance protection you require a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and provides better protection against advanced phishing attacks, new malware, and complex email attacks to ensure malicious messages are blocked or quarantined instead of being delivered to end users’ inboxes. Some of the additional security measures provided by SpamTitan against Office 365 phishing attacks are detailed in the image below:

To discover more about making Office 365 safer and how SpamTitan can be of advantage to your company, get in touch with TitanHQ.

 

U.S. Banks Being Attacked by DanaBot Trojan

In May, security experts at Proofpoint noticed a spam email campaign that was sharing a new banking Trojan named DanaBot. At the time it was believed that a single threat actor was using the DanaBot Trojan to target groups in Australia to obtain online banking details.

That campaign is still ongoing, but in addition, campaigns have been identified in Europe attacking customers of banks in Italy, Germany, Poland, Austria, and the UK. Then in late September, a further DanaBot Trojan campaign was carried out targeting U.S. banks.

The DanaBot Trojan is a modular malware coded in Delphi that can install additional components to add various different functions.

The malware can capture screenshots, steal form data, and log keystrokes in order to obtain banking details. That data is sent back to the hackers’ C2 server and is subsequently used to steal money from corporate bank accounts.

A review of the malware and the geographical campaigns shows different IDs are used in the C2 communication headers. This strongly implies that the campaigns in each region are being carried out by different individuals and that the DanaBot Trojan is being provided as malware-as-a-service. Each threat actor is responsible for running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates operating campaigns. Overall, there currently appear to be 9 individuals running distribution campaigns.

The country-specific campaigns are employing different methods to deliver the malicious payload, including the new Fallout exploit kit, web injects, and spam email. The latter is being used to distribute the Trojan in the United States.

The U.S. campaign uses a fax notice lure with the emails seeming to come from the eFax service. The messages look professional and include all the appropriate formatting and logos. The emails contain a button that must be clicked to download the 3-page fax message to the device.

Clicking on the button will download a Word document with a malicious macro which, if allowed to run, will launch a PowerShell script that downloads the Hancitor downloader. Hancitor will then download the Pony stealer and the DanaBot Trojan.

Proofpoint’s investigation into the malware revealed similarities with the ransomware groups Reveton and CryptXXX, which suggests that DanaBot has been created by the same group responsible for both of those ransomware threats.

The U.S. DanaBot campaign is attacking customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase. It is probable that the campaigns will spread to other countries as more threat actors are signed up to use the malware.

Stopping attacks requires defense in depth against all attack vectors. An advanced spam filter is needed to block malspam. Users of Office 365 should enhance protection with a third-party spam filter such as SpamTitan to provide better security against this threat. To prevent web-based attacks, a web filtering solution should be implemented. WebTitan can block attempts by end users to visit websites known to host exploit kits and IPs that have previously been used for malicious purposes.

End users should also be advised never to open email attachments or click on hyperlinks in emails from unknown senders, and never to allow macros on documents unless they are 100% certain that the files are authentic. Companies in the United States should also consider warning their employees about fake eFax emails to raise awareness of the danger.

U.S. Bank Customers Targeted by DanaBot Trojan

Last May, security specialists at Proofpoint identified a spam email campaign that was distributing a new banking Trojan named DanaBot. At first it was thought that a single threat actor was using the DanaBot Trojan to target groups in Australia to obtain online banking details.

That campaign has persisted, but in addition, campaigns have been noticed in Europe targeting customers of banks in Italy, Germany, Poland, Austria, and the UK. Then last month a further DanaBot Trojan campaign was carried out targeting U.S. banks.

The DanaBot Trojan is modular malware programmed in Delphi that can install additional components to add further functions.

The malware can capture screenshots, obtain form data, and record keystrokes in order to obtain banking credentials. That data is sent back to the attackers’ C2 server and is then used to steal money from corporate bank accounts.

A review of the malware and the geographical campaigns shows that different IDs are used in the C2 communication headers. This strongly suggests that the attacks in each region are being carried out by different individuals and that the DanaBot Trojan is being provided as malware-as-a-service. Each threat actor is charged with running campaigns in a specific country or set of countries. Australia is the only country where two affiliates are conducting campaigns. Overall, there currently appear to be nine hackers running distribution campaigns.

The country-specific campaigns are using a variety of tools to distribute the malicious payload, which include the new Fallout exploit kit, web injects, and spam email. The latter is being used to share the Trojan in the United States.

The U.S. campaign sends a fax notice lure with the emails seeming to come from the eFax service. The messages look authentic and are complete with appropriate formatting and logos. The emails include a button that must be clicked to download the 3-page fax message.

Clicking on the button will deliver a Word document with a malicious macro which, if permitted to run, will initiate a PowerShell script that downloads the Hancitor downloader. Hancitor will then install the Pony stealer and the DanaBot Trojan.

Proofpoint’s review of the malware revealed similarities with the ransomware groups Reveton and CryptXXX, which suggests that DanaBot has been developed by the same group responsible for both of those ransomware threats.

The U.S. DanaBot campaign is focused on customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase. It is probable that the campaigns will spread to other countries as more threat actors begin to use the malware.

Stopping attacks requires defense in depth against each of the attack vectors. An advanced spam filter is necessary to block malspam. Subscribers to Office 365 should increase protection with a third-party spam filter such as SpamTitan to provide better protection against this threat. To stop web-based attacks, a web filtering solution should be implemented. WebTitan can block attempts by end users to visit websites known to host exploit kits and IPs that have previously been used for malicious purposes.

End users should also be advised never to open email attachments or visit hyperlinks in emails from unknown senders, and never to enable macros on documents unless they are 100% certain that the files are authentic. Companies in the United States should also consider warning their employees about fake eFax emails to increase awareness of the threat.

Around €43 Billion Cybercrime Losses Experienced in Germany

As the world’s largest economy, the United States is always going to be a major focus for hackers. Various studies have been carried out on the cost of cybercrime in the United States, but little data is available on cybercrime losses in Germany – the biggest economy in the European Union.

The International Monetary Fund published a list of countries with the largest economies. In 2017, Germany was ranked fourth behind the United States, China, and Japan. Its GDP of $3.68 trillion makes up 4.61% of global GDP.

A recent study carried out by Germany’s federal association for information technology – BitKom – has put a figure on the toll that cybercrime is taking on the German economy.

The survey was sent to security chiefs and managers at Germany’s top 503 companies in the manufacturing sector. From the findings of that survey, BitKom estimated cybercrime losses in Germany to be €43 billion ($50.2 billion). That makes up 1.36% of the country’s GDP.

Extrapolating those cybercrime losses in Germany to the world economy places the global cost of cybercrime at $1 trillion, substantially higher than the $600 billion estimate from cybersecurity firm McAfee and the Center for Strategic and International Studies (CSIS) in February 2018. That study estimated the global percentage of GDP lost to cybercrime at between 0.59% and 0.80%, with GDP losses to cybercrime across Europe estimated to be around 0.79% to 0.89% of GDP.

Small to Medium Sized Businesses Most in Danger

While cyberattacks on large enterprises can be highly profitable for cybercriminals, those firms tend to have the resources available to invest heavily in cybersecurity. Attacks on large enterprises are therefore much more difficult and time consuming. It is far simpler to target smaller companies with less robust cybersecurity defenses.

Small to medium sized businesses (SMBs) often do not have the resources to invest heavily in cybersecurity, and consequently are far easier to attack. The BitKom study confirmed that these companies, which form the backbone of the economy in Germany, are particularly vulnerable to cyberattacks and have been extensively targeted by hackers.

It is not only organized hacking groups that are conducting these attacks. Security officials in Germany have long been concerned about attacks by well-resourced foreign spy agencies. Those agencies are using cyberattacks to obtain access to the advanced manufacturing techniques developed by German firms that give them a competitive edge. Germany is one of the world’s leading manufacturing nations, so it stands to reason that the German firms are a lucrative target.

Hackers are extorting money from German firms and selling stolen data on the black market, and nation-state sponsored hackers are stealing proprietary data and technology to advance production in their own countries. According to the survey, one third of companies have had mobile phones stolen, and sensitive digital data has been lost by 25% of German firms. 11% of German firms report that their communications systems have been tapped.

Attacks are also being conducted to sabotage German firms. The study reveals that almost one in five German firms (19%) have had their IT and production systems sabotaged through cyberattacks.

Companies Must Improve Their Defenses Against Cyberattacks

Achim Berg, head of BitKom, commented: “With its worldwide market leaders, German industry is particularly interesting for criminals.” Companies, SMBs in particular, therefore need to take cybersecurity much more seriously and invest commensurately in cybersecurity solutions to prevent cybercriminals from obtaining access to their systems and data.

Thomas Haldenweg, deputy president of the BfV domestic intelligence agency remarked: “Illegal knowledge and technology transfer … is a mass phenomenon.”

Preventing cyberattacks is not simple. There is no single solution that can secure against all attacks. Only defense-in-depth will ensure that hackers and nation-state sponsored hacking groups are stopped from gaining access to sensitive information.

Firms need to conduct regular, comprehensive organization-wide risk analyses to spot all threats to the confidentiality, integrity, and availability of their data and systems. All identified risks must then be mitigated through a robust risk management process and layered defenses implemented to deny attackers.

One of the main methods for attack is email. Figures from Cofense indicate that 91% of all cyberattacks start with a malicious email. It stands to reason that improving email security should be a key priority for German firms. This is an area where TitanHQ can assist.

TitanHQ is a supplier of world-class cybersecurity solutions for SMBs and enterprises that block the most commonly used attack vectors. To discover more about how TitanHQ’s cybersecurity solutions can help to enhance the security posture of your company and block email and web-based attacks, contact the TitanHQ sales team now.


The Margin for MSPs with Office 365 Lies in Security

It is becoming increasingly clear that the margin for MSPs with regard to Office 365 lies in the security aspect of the application. Office 365 is currently in huge demand with over 135 million commercial monthly users. Through trusted advisers such as MSPs, resellers and Microsoft Cloud Solution Providers, its adoption amongst small and mid-size businesses continues to grow at a rapid pace.

Currently, partners can purchase from Microsoft Cloud Service Providers such as AppRiver, Intermedia, Pax8, etc. and can then resell O365 licenses to their downstream customers. However, the margins made from this activity are very small. Office 365 is a reliable solution for the customer base of many VARs and MSPs. Although it allows them to capture new business, it lacks the ability to make significant margin. This leads many VARs and MSPs to question the point of O365.

Despite it being evident that O365 is a great email and productivity application, MSPs can’t build a sustainable business on such small margins. Cloud backup, migrations and other services can add to the value of an Office 365 offer, however:

  • 73% of 2018 MSP 501 listees rated their fastest growing service as security
  • 55% chose professional services
  • only 52% selected Office 365

For MSPs, consultants and resellers, O365 represents an opportunity to help build a profitable practice based around subscription sales to SMBs. It also helps clients to learn how to protect their investment within their IT budget and secure their network through a “defense in depth” approach.

Due to the continuing onslaught of phishing attacks and ransomware, IT budgets are being built with security in mind. Given the regular headlines reporting countless exploits where hackers have sabotaged an O365 environment with ease, this doesn’t come as a surprise. Security is a feature that Microsoft has added to O365, but unfortunately this does not meet the security benchmarks set by most organizations. A recent study showed that a third of business owners do not have safeguards in place to combat cyber breaches. What’s more, 60% of small businesses that suffer a breach go out of business within six months of the attack.

As email security experts with over 20 years’ experience, we are aware that new malware can penetrate the usual email filtering mechanisms. It has been the case for quite some time that older email protection technologies, reputation analysis and fingerprinting for example, are no longer effective against the evolution of these threats. Recent research conducted by Osterman shows that Microsoft’s EOP can detect 100% of all known viruses and updates every 15 minutes. However, the research also found that it was not as effective against unknown or new malware delivered by email.

As trusted providers, MSPs have a huge opportunity to provide a “full suite” of cloud productivity tools such as O365, Dynamics and Azure, and cloud security and compliance such as email security, web security, DLP, and archiving, to their downstream SMB customers at combined margins of over 75 to 100%. This can be achieved without massive increases to their monthly spend.

Small to medium-sized businesses are focused only on what is necessary to keep the lights on and to grow the business. Microsoft’s main message to organizations choosing Office 365 is the cost savings that are achievable from moving to a cloud-based solution. A move such as this would save the company money and allow IT staff to work on business problems and, ultimately, add more value to the company. Web and email security and compliance do not need to be detrimental to those looking to save costs in their IT spend and productivity.

How MSPs can boost margins on O365 business

It is evident that the margin for MSPs to be made with Office 365 lies in security. If MSPs fail to invest in security as a service and a defense in depth approach, it could prove almost impossible to make their O365 business profitable. The dilemma for partners has moved past whether to offer security for O365; it is now at the point where partners need to discover how best to deliver a cost-effective advanced security platform that can handle today’s advanced threats. This should be achieved while also keeping IT security budgets in check for their SMB customers.

In today’s world, consultants, managed service providers and resellers have the opportunity to offer customers a very cost-effective defense in depth approach to security. MSPs can now deliver advanced security with TitanHQ’s Private Cloud Security services – SpamTitan (email security), WebTitan (content filtering) and ArcTitan (email archiving) – alongside O365 subscriptions. By doing this they can ensure they make healthy margins, while continuing to keep monthly costs down for their customers.

Currently, Office 365 continues to be the leader in the productivity and collaboration space. However, for partners selling and managing this service, margins remain tight. As partners sell and manage more O365 mailboxes, offering add-on security is the answer to making the process more profitable.

Be Mindful of Gaps in Security with O365

For MSPs looking to take their business further, offering a security-in-depth service to plug the Office 365 security gaps is the answer. Email has become central to running an organization and, as a result, is constantly targeted by attackers. Because of this, it is vital for MSPs to use a reliable third-party security vendor like TitanHQ, who’ve been specializing in email and web security for 25 years. Unlike Microsoft, security is our area of expertise.

Today, we work with over 2000 MSPs worldwide daily. We protect your customers from malware, phishing, viruses, ransomware, botnets and other cyber threats. A lot of these customers are Office 365 users. Our products were built from the ground up with MSPs for MSPs, which we feel is crucial. We save MSPs time by stopping problems with support and engineering at source. We also provide ideal products to sell in your technology stack which allow you to increase margin. Contact us today to learn how MSPs like you can boost margins on Office 365 business.

Best Practices to Improve Security & Network Segmentation

Whatever the size of your business, the best security measure to deploy to block threat actors from gaining access to your servers, workstations, and data is to implement a hardware firewall. A hardware firewall will make sure your digital assets are well secured, but how should your firewall be set up for optimal network security? If you follow network segmentation best practices and implement firewall security zones you can improve security and keep your internal network isolated and secured from web-based attacks.

Most companies have a well-defined network structure that incorporates a secure internal network zone and an external untrusted network zone, often with intermediate security zones. Security zones are sets of servers and systems that have similar security requirements, each consisting of a Layer 3 network subnet to which several hosts connect.

The firewall provides protection by managing traffic to and from those hosts and security zones, whether at the IP, port, or application level.

There is no single configuration that will be ideal for all companies and all networks, since each business will have its own requirements and required functionalities. However, there are some network segmentation best practices that should be implemented.

Figure: Possible Firewall Security Zone Segmentation (network segmentation best practices)

In the above depiction we have used firewall security zone segmentation to keep servers separated. In our example we have used a single firewall, two DMZs (demilitarized zones) and an internal zone. A DMZ is an isolated Layer 3 subnet.

The servers in these DMZs may have to be Internet facing in order to function. For instance, web servers and email servers need to be Internet facing. Because they face the Internet, these servers are the most susceptible to attack, so they should be separated from servers that do not require direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is compromised.

In the diagram above, the permitted direction of traffic is shown with the red arrows. As you can see, bidirectional traffic is allowed between the internal zone and DMZ2 which includes the application/database servers, but only one-way traffic is permitted to take place between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been located in a separate DMZ to the application and database servers for the highest possible protection.

Traffic from the Internet is permitted by the firewall to DMZ1. The firewall should only permit traffic through certain ports (80, 443, 25, etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not allowed, at least not directly.

A web server may need to connect to a database server, and while it may seem a good idea to have both of these virtual servers operating on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and located in different DMZs. The same applies to front end web servers and web application servers, which should similarly be located in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be required, but it should only be permitted on certain ports. DMZ2 can connect to the internal zone for certain special cases such as backups or authentication through Active Directory.

The internal zone is made up of workstations and internal servers, internal databases that do not have to be web facing, Active Directory servers, and internal applications. It is recommended that Internet access for users on the internal network be directed through an HTTP proxy server located in DMZ1.

Remember that the internal zone is isolated from the Internet. Direct traffic from the internet to the internal zone should not be allowed.

The above setup provides important security for your internal networks. In the event that a server in DMZ1 is compromised, your internal network will remain protected since traffic between the internal zone and DMZ1 is only allowed in one direction.

By following network segmentation best practices and using the above firewall security zone segmentation you can get the most out of network security. For more security, we also recommend using a cloud-based web filtering solution such as WebTitan, which filters the Internet and stops end users from accessing websites known to host malware or those that break acceptable usage policies.
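As an added example (not the article’s own configuration or a TitanHQ product), the zone policy from the diagram modelled as a default-deny rule table, with an audit function that flags any rule breaking the isolation the text describes (no Internet to internal or DMZ2 traffic, no DMZ1 to internal connections). The subnet addresses and every port other than 25, 80 and 443 are assumptions standing in for the “certain ports” the article mentions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed sample subnets for the three zones in the diagram (assumed values;
# the article gives no addresses). Any address outside them counts as Internet.
ZONES = {
    "dmz1": ip_network("10.1.0.0/24"),       # proxy, email and web servers
    "dmz2": ip_network("10.2.0.0/24"),       # application and database servers
    "internal": ip_network("10.10.0.0/16"),  # workstations, AD, internal apps
}


def zone_of(ip: str) -> str:
    """Map an IP address to its security zone; unknown addresses are 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    """One permitted direction for *new* connections, limited to given ports."""
    src: str
    dst: str
    ports: Optional[FrozenSet[int]]  # None means any port (the audit flags this)


# Default-deny policy following the diagram. Only 25/80/443 come from the text;
# the other port numbers are assumptions for the services named in the article.
POLICY: List[Rule] = [
    Rule("internet", "dmz1", frozenset({25, 80, 443})),    # mail and web only
    Rule("internal", "dmz1", frozenset({3128})),           # users via HTTP proxy
    Rule("internal", "dmz2", frozenset({8443})),           # internal -> app tier
    Rule("dmz2", "internal", frozenset({389, 636, 445})),  # AD auth, backups
    Rule("dmz1", "dmz2", frozenset({5432})),               # web -> database
]


def is_allowed(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    """Stateful-firewall semantics: only the initiating direction of a new
    connection is evaluated; replies on an allowed flow are implicitly allowed.
    Traffic that stays inside one zone never crosses the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    return any(
        r.src == src and r.dst == dst and (r.ports is None or dport in r.ports)
        for r in policy
    )


# Invariants stated in the article: the internal zone is isolated from the
# Internet, DMZ2 is never reached directly from the Internet, and DMZ1 may not
# initiate connections into the internal zone (only the reverse is allowed).
FORBIDDEN = {("internet", "internal"), ("internet", "dmz2"), ("dmz1", "internal")}


def audit(policy: List[Rule]) -> List[str]:
    """Return findings for rules that break a zone invariant or that leave a
    cross-zone path open on every port. An empty list means the policy is clean."""
    findings = []
    for r in policy:
        if (r.src, r.dst) in FORBIDDEN:
            findings.append(f"{r.src} -> {r.dst} must not be allowed")
        elif r.ports is None:
            findings.append(f"{r.src} -> {r.dst} allows all ports; restrict it")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: an Internet client reaching the DMZ1 web server,
    # the same client trying the DMZ2 database directly, and an audit of a
    # policy that mistakenly opens DMZ1 -> internal.
    print(is_allowed(POLICY, "203.0.113.7", "10.1.0.10", 443))   # True
    print(is_allowed(POLICY, "203.0.113.7", "10.2.0.10", 5432))  # False
    print(audit(POLICY + [Rule("dmz1", "internal", frozenset({445}))]))
```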

Versatile New Malware AdvisorsBot Distributed via Spam Email

Hotels, restaurants, and telecommunications businesses are being targeted with a new malicious email campaign that delivers a new form of malware called AdvisorsBot. AdvisorsBot is a malware installer which, like many malware variants, is being distributed using spam emails containing Microsoft Word attachments with malicious macros.

Clicking on an infected email attachment and enabling macros on the document will see AdvisorsBot installed. AdvisorsBot’s primary aim is to fingerprint an infected device. Data gathered on the infected device is then sent to the threat actors’ command and control servers, and further instructions are given to the malware based on the data gathered on the system. The malware records system data, details of programs installed on the device, Office account details, and other information. It is also able to capture screenshots on an infected device.

AdvisorsBot malware is so named because the early examples of the malware, first seen in May 2018, contacted command and control servers whose domains contained the word advisors.

The spam email campaign is mainly being conducted against targets in the U.S., although infections have been detected worldwide. Several thousand devices have been infected with the malware since May, according to the security experts at Proofpoint who discovered the new malware threat. The threat actors thought to be behind the attacks are an APT group known as TA555.

Various email lures are being implemented in this malware campaign to get the recipients to open the infected attachment and turn on macros. The emails sent to hotels seem to be from people who have been charged twice for their stay. The campaign on restaurants uses emails which say that the sender has suffered food poisoning after eating in a particular establishment, while the attacks on telecommunications firms use email attachments that seem to be resumes from job applicants.

AdvisorsBot is coded in C, but a second form of the malware has also been seen that is written in .NET and PowerShell. The second variant has been called PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that downloads a PowerShell script; that script executes shellcode that runs the malware in memory without writing it to disk.

Fallout Exploit Kit Used to Deliver New GandCrab v5 Ransomware Variant

A new variant of GandCrab ransomware (GandCrab v5) has been released. GandCrab is an extremely popular ransomware threat that is made available to affiliates under the ransomware-as-a-service distribution model. Affiliates receive a cut of the profits from any ransoms paid by the people they manage to infect.

GandCrab was first released in January 2018 and quickly grew into one of the most widely used ransomware variants. In July it was named the main ransomware threat, and it is regularly updated by its authors.

There have been many changes made in GandCrab v5, including the change to a random 5-character extension for encrypted files. The ransomware also implements an HTML ransom note rather than dropping a txt file to the desktop.

Bitdefender made free decryptors available for early versions of the ransomware, although steps were implemented by the authors to improve security for version 2.0. Since version 2.0 was released, no free decryptors for GandCrab ransomware have been created.

Recovery from a GandCrab v5 infection will only be possible by paying the ransom – around $800 in the Dash cryptocurrency – or by restoring files from backups. Victims are only given a short period of time to pay the ransom before the price to decrypt doubles. It is therefore vital that backups are created of all data and that those backups are tested to make sure files can be recovered in the event of disaster.

Since this ransomware variant is made available under the ransomware-as-a-service model, different vectors are used to distribute the ransomware by different threat actors. Earlier versions of the ransomware have been distributed via spam email and through exploit kits such as RIG and GrandSoft. GandCrab v5 has also been confirmed as being distributed via the new Fallout exploit kit.

Traffic is sent to the exploit kit using malvertising – malicious adverts that redirect users to exploit kits and other malicious websites. These malicious adverts are placed on third party advertising networks that are used by many popular websites to generate an extra income stream.

Any user that clicks one of the malicious links in the adverts is sent to the Fallout exploit kit. The Fallout exploit kit contains exploits for several old flaws and some relatively recent exploits. Any user that has a vulnerable system will have GandCrab ransomware silently installed onto their device. Local files will be encrypted as well as files on all network shares, not just mapped drives.

Whenever a new zero-day vulnerability is found it doesn’t take long for an exploit to be incorporated into malware. The publication of proof of concept code for a Task Scheduler ALPC vulnerability was no different. Within a few days, the exploit had already been adopted by hackers and incorporated into malware.

The exploit for the Task Scheduler ALPC vulnerability permits executable files to run on a vulnerable system with SYSTEM privileges and has been incorporated into GandCrab v5. The exploit is believed to be used to carry out system-level tasks such as deleting Windows Shadow Volume copies to make it more difficult for victims to recover encrypted files without paying the ransom. Microsoft has now released a patch to correct the flaw as part of its September Patch Tuesday round of updates, but many firms have yet to apply the patch.

The key step to ensure that recovery from a ransomware attack is possible is to make backups. Without a viable backup the only way of recovering files is by paying the ransom. In this instance, victims can decrypt one file for free to show that viable decryption keys exist. However, not all ransomware variants permit file recovery.

Stopping ransomware infections requires software solutions that obstruct the main attack vectors. Spam filtering solutions like SpamTitan stop dangerous messages from being delivered to inboxes. Web filters such as WebTitan stop end users from visiting malicious sites known to host exploit kits. Remote desktop services are often exploited to obtain system access, so it is vital that these are disabled if they are not required, and if they are, they should only be accessible through VPNs.

Patches should be applied quickly to stop weaknesses from being exploited, and advanced anti-malware solutions should be used to find and quarantine ransomware before files are encrypted.

Viro Botnet Malware Encrypts Files, Logs Keystrokes and Hijacks Email Accounts

A new malware threat – titled Viro botnet malware – has been discovered that combines the file-encrypting powers of ransomware, with a keylogger to record passwords and a botnet capable of sending spam emails from infected devices.

Viro botnet malware is one of a new strain of malware variants that are highly flexible and have a wide variety of capabilities to maximize profit from a successful infection. There have been many recently discovered malware variants that have combined the file-encrypting properties of ransomware with cryptocurrency mining code.

The most recent threat was identified by security experts at Trend Micro who say that this new threat is still in development and seems to have been developed from scratch. The code is dissimilar to other known ransomware variants and ransomware families.

Some ransomware variants can self-propagate and spread from one infected device to other devices on the same network. Viro botnet malware achieves this by hijacking Outlook email accounts and using them to send spam email containing either a copy of itself as an attachment or a downloader to everyone on the infected user’s contact list.

Viro botnet malware has been implemented in targeted attacks in the United States through spam email campaigns, although strangely, the ransom note dropped on the victims’ desktops is written in French. This is not the only new ransomware threat to include a French ransom note. PyLocky, a recently discovered new ransomware threat that looks like Locky ransomware, also had a French ransom note. This seems to be a coincidence as there are no indications that the two ransomware threats are linked or are being distributed by the same threat group.

With Viro botnet, infection begins with a spam email containing a malicious attachment. If the attachment is opened and the content is permitted to run, the malicious payload will be installed. Viro botnet malware will first check registry keys and product keys to decide whether its encryption routine should run. If those checks are passed, an encryption/decryption key pair is created via a cryptographic random number generator and then sent back to the hacker’s C2 server. Files are then encrypted via RSA and a ransom note is placed on the desktop.

Viro botnet malware also includes a basic keylogger which will log all keystrokes on an infected machine and send the data back to the hacker’s C2 server. The malware is also capable of downloading further malicious files from the hacker’s C2.

While the hacker’s C2 server was initially active, it has since been taken down, so any further devices that are infected will not have data encrypted. Connection to the C2 server is required for the encryption routine to start. Even though the threat has been neutralized, this is thought to be only a brief hiatus. The C2 is expected to be resurrected and larger distribution campaigns are likely.

Safeguarding against email-based threats such as Viro botnet malware requires an advanced spam filtering solution such as SpamTitan to stop malicious messages from being delivered to end users. Advanced antimalware software should be installed to detect malicious files should they be downloaded, and end users should receive security awareness training to help them spot security threats and respond properly.

Multiple backups should also be set up – with one copy stored securely offsite – to ensure files can be recovered following file encryption.

New Xbash Malware Threat Includes Coin Mining and Ransomware Functionality

Xbash malware is one of many new malware threats discovered in recent times that combines the file-encrypting properties of ransomware with the coin mining functionality of cryptocurrency mining malware.

In 2018, several cybersecurity and threat intelligence companies have discovered that ransomware attacks have plateaued or are dropping. Ransomware attacks are still profitable, although there is potential to make more money through cryptocurrency mining.

The recent Internet Organized Crime Threat Report published by Europol notes that cryptojacking is a new cybercrime trend and is now a commonly-seen, low-risk revenue stream for cybercriminals, but that “ransomware remains the key malware threat”. Europol states in its report that a decline has been witnessed in random attacks via spam email; instead, cybercriminals are focusing on attacking businesses where greater profits lie. Those attacks are highly targeted.

Another new trend offers cybercriminals the best of both worlds – versatile malware that has elements of both ransomware and cryptocurrency miners. These highly versatile malware variants give cybercriminals the chance to obtain ransom payments as well as the chance to mine for cryptocurrency. If the malware is downloaded onto a system that is not well suited to mining cryptocurrency, the ransomware function is enabled, and vice versa.

Xbash malware is one such danger, albeit with one major caveat: Xbash malware cannot restore files. In that respect it is more similar to NotPetya than Cerber. As was the case with NotPetya, Xbash malware merely masquerades as ransomware and requests a payment to restore files – currently 0.2 BTC ($127). Payment of the ransom will not lead to keys being supplied to unlock encrypted files, because files are not actually encrypted. The malware simply erases MySQL, PostgreSQL, and MongoDB databases. This function is enabled if the malware is installed on a Linux system. If it is downloaded onto a Windows device, the cryptojacking function is turned on instead.

Xbash malware can also self-propagate. Once downloaded on a Windows system it will spread throughout the network by exploiting flaws in Hadoop, ActiveMQ and Redis services.

Xbash malware is programmed in Python and compiled into a portable executable (PE) format using PyInstaller. The malware will complete its file encrypting/deletion routine on Linux systems and use JavaScript or VBScript to download and run a coinminer on Windows systems. Palo Alto Networks’ Unit42 has said that the malware is being spread by a threat group known as Iron Group, which has previously been linked with ransomware attacks.

At present, infection takes place through the exploitation of unpatched flaws and brute force attacks on systems with weak passwords and unprotected services. Protection from this threat requires strong, unique, non-default passwords, prompt patching, and endpoint security solutions. Restricting outbound access to unknown hosts on the Internet will stop communication with its C2 if it is installed, and naturally it is important that multiple backups are made regularly to ensure files can be recovered.
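The text names weak passwords and unprotected services as the entry point, and Redis is one of the services it lists, so a concrete check is worth showing. The following is an added example, not code from the article, Unit 42 or the Redis project: a small Python audit that reads a redis.conf and reports the settings that would leave an instance reachable from anywhere and accepting commands without authentication. The directive names (bind, protected-mode, requirepass, rename-command) are Redis's own; both sample configurations and the 16-character password policy are constructed assumptions.

```python
"""Audit a redis.conf for the exposure conditions Xbash-style worms rely on.

Added example, not code from the article, Unit 42 or the Redis project.
It flags an instance that is reachable from every interface and accepts
commands without authentication, i.e. the "weak passwords and unprotected
services" condition described in the text. Directive names are real Redis
directives; both sample configurations are constructed.
"""

# Constructed sample: an exposed, unauthenticated instance.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so any client that can reach the port is trusted
# requirepass changeme
"""

# Constructed sample: the same instance hardened.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass 9f3e8c1a6b2d4e7f0a1b2c3d4e5f6a7b
rename-command CONFIG ""
"""

MIN_PASSWORD_LEN = 16  # assumed local policy; Redis itself imposes no minimum


def parse_redis_conf(text):
    """Map each directive to the list of its argument lists, in file order.

    Blank lines and '#' comments are skipped, as Redis does; a directive that
    appears several times (rename-command) keeps every occurrence.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means no weakness was found."""
    conf = parse_redis_conf(text)
    findings = []

    # Redis listens on all interfaces when 'bind' is absent or names a wildcard address.
    binds = conf.get("bind", [[]])[-1]
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("listens on all interfaces (missing or wildcard 'bind')")

    # Protected mode is the safety net for an instance with no bind and no password;
    # switching it off removes that net.
    if conf.get("protected-mode", [["yes"]])[-1][0].lower() != "yes":
        findings.append("protected-mode is disabled")

    password = conf.get("requirepass", [[]])[-1]
    if not password or password[0] in ('""', "''"):
        findings.append("no requirepass set: unauthenticated access")
    elif len(password[0]) < MIN_PASSWORD_LEN:
        findings.append("requirepass is short enough to brute force; use a long random value")

    # CONFIG lets any connected client change server settings at runtime;
    # renaming it to "" disables it for clients that do not need it.
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) >= 2 and args[1] == '""'}
    if "CONFIG" not in disabled:
        findings.append('CONFIG command is reachable by clients (consider rename-command CONFIG "")')
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "OK")
```

Run it against a real redis.conf by reading the file into `audit_redis_conf`; the same four checks map directly onto the article's advice (non-default passwords, no unprotected services), and an empty result for the hardened sample shows what "not worth brute forcing" looks like in practice.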

Kaspersky Lab has said that the number of these multi-purpose remote access tools has doubled over the past 18 months and their popularity is likely to continue to rise. This sort of versatile malware could well become the malware of choice for advanced threat actors over the course of the next year.

Google Chrome Ad Blocker Released

The Google Chrome Ad blocker has been released: a new feature of Chrome means intrusive adverts can now be blocked by users.

Google makes a massive amount of money from advertising, so the Google Chrome Ad blocker will not restrict all adverts, only those that are ruled as intrusive and annoying. Those are naturally subjective terms, so how will Google rule what constitutes ‘intrusive’?

One of the first reviews carried out by Google is whether adverts on a webpage breach the standards set by the Coalition for Better Ads – a network of trade organizations and online media companies committed to improving the online experience for Internet users.

The Coalition for Better Ads has classified ad experiences that rank the lowest across a range of experience factors and has established what is acceptable. These standards include four types of adverts for Desktop users: Popup ads, auto-playing videos with sound, prestitial ads with countdowns, and large sticky ads. There are eight categories covering mobile adverts: Popup ads, prestitial ads (where ads are loaded before content), prestitial ads that include countdowns, flashing animated ads, auto-playing videos with sound, full screen scrollover ads, large sticky ads, and an ad density greater than 30%.

Google Chrome reviews webpages against these standards. If the page has none of the above advert categories, no action is taken. Google says the filter will kick in when 7.5% of ads on a site breach the standards. If the standards are violated, the site gets a warning and 30 days to address the problem. Site owners that do not heed the warning and fail to take action will have their sites added to a list of failed sites. Those websites will have their adverts blocked, although visitors will be given the option of loading adverts on that site.

The aim of the Google Chrome Ad blocker is not to restrict advertisements, but to urge site owners to comply with Better Ads standards. Google reports that the threat of ad blocking has already had a positive effect. Before the Google Chrome Ad blocker was even made available, Google says 42% of sites with intrusive adverts had already made changes to bring their sites into line with Better Ads standards.

The move may not have been one Google wanted to make, but it is an important step. Intrusive adverts have become a major nuisance and web users are taking action by downloading ad blockers. Ad blockers do not rate ads based on whether they are annoying: they restrict all adverts, which is obviously bad for companies such as Google. Google made $95.4 billion from advertising last year, and growing use of ad blockers could make a serious dent in its profits. According to figures released by Deloitte, 31% of users in the United States have already installed ad blockers and the figure is expected to rise to 33% of all computers this year.

Why Businesses Should Consider Using a Web Filter

For companies, adverts are more than a simple annoyance. Some adverts pose a serious security threat. Hackers use malicious adverts to bring end users to phishing websites and webpages hosting exploit kits and malware. Termed malvertising, these adverts are a major danger. While it is possible to use an adblocker to stop these malicious adverts from being displayed, adblockers will not stop other serious web-based threats. For greater web security, a web filter is necessary.

A web filter can be set up to block categories of website content that employees have no need to view during the working day. The filter can also be configured to block websites and webpages known to be used for phishing or malware distribution, and can block downloads of specific file types such as JavaScript and other executable files, which are often used to download malware. WebTitan also allows companies to reduce the risk from malvertising without having to install ad blockers.

By carefully managing the web content that can be viewed by employees, businesses can greatly enhance web security and block the majority of web-based dangers.

For more details on blocking malicious and undesirable content, get in touch with the TitanHQ team today to find out more.

Spam Email Campaigns in Europe Using Python-Based PyLocky Ransomware

A new Python-based form of ransomware has been discovered that closely resembles Locky, one of the most commonly seen ransomware variants during 2016. The new variant has been named PyLocky ransomware by security researchers at Trend Micro, who have seen it deployed in Europe, particularly France, during July and August.

The spam email campaigns were, at first, sent in relatively small batches, although over time the number of emails sending PyLocky ransomware has increased drastically.

Many social engineering tactics are being used by the hackers to get the ransomware downloaded onto devices, including fake invoices. The emails captured by Trend Micro included an embedded hyperlink that directs users to a malicious webpage where a zip file is downloaded. The zip file contains PyLocky ransomware, which has been packaged using the PyInstaller tool, which converts Python applications into standalone executable files.

If downloaded, PyLocky ransomware will encrypt around 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files kept on all logical drives will be encrypted and the original files overwritten. A ransom note is then placed on the desktop which has been copied from the note used by the threat actors responsible for Locky, although the two cryptoransomware threats are not linked. Ransom notes are presented in French, English, Korean, and Italian, so it is probable that the campaigns will become more widespread going forward.

While Python is not normally used to develop ransomware, PyLocky is not the only Python-based ransomware variant to have been seen. Pyl33t was used in many attacks in 2017, and CryPy was first seen in 2016. This most recent variant is different in that it has anti-machine learning capabilities, which help it evade standard static analysis methods.

The ransomware uses Windows Management Instrumentation (WMI) to determine the properties of the system on which it is downloaded. If the total visible memory of the system is 4GB or more, the ransomware executes immediately. If it is less than 4GB, the ransomware sleeps for 11.5 days – an effort to determine whether it is running in a sandbox environment.
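The memory check described above is behaviour a sandbox operator can both detect and defeat. The following is an added example, not Trend Micro's or the article's code: it applies one rule to a constructed sandbox behaviour trace, flagging any process that reads Win32_OperatingSystem.TotalVisibleMemorySize through WMI and then requests a very long sleep, and it includes a helper that says whether a VM reporting a given amount of memory would clear the 4GB threshold the article reports. The trace line format, the process IDs and the one-hour "long sleep" threshold are assumptions; TotalVisibleMemorySize is a real WMI property reported in kilobytes.

```python
"""Flag the WMI-memory-check-then-sleep evasion described for PyLocky.

Added example, not Trend Micro's or the article's code. The trace format
below is an assumption standing in for whatever a real sandbox emits;
Win32_OperatingSystem.TotalVisibleMemorySize is a real WMI property
(value in kilobytes).
"""
import re

# Constructed behaviour trace, one API event per line. Process 4120 shows the
# evasion pattern; 5200 queries WMI for something else and sleeps briefly.
SAMPLE_TRACE = """\
2018-09-03T10:00:01 pid=4120 WmiQuery("SELECT TotalVisibleMemorySize FROM Win32_OperatingSystem")
2018-09-03T10:00:01 pid=4120 WmiResult(TotalVisibleMemorySize=2097152)
2018-09-03T10:00:02 pid=4120 Sleep(993600000)
2018-09-03T10:00:03 pid=5200 WmiQuery("SELECT Caption FROM Win32_OperatingSystem")
2018-09-03T10:00:03 pid=5200 Sleep(500)
2018-09-03T10:00:04 pid=6010 CreateFileW("report.docx")
"""

LONG_SLEEP_MS = 60 * 60 * 1000            # assumed threshold: over an hour is never legitimate in a detonation run
SANDBOX_MIN_MEMORY_KB = 4 * 1024 * 1024   # 4 GB, the threshold the article reports

WMI_MEM_RE = re.compile(r'pid=(\d+) WmiQuery\(".*TotalVisibleMemorySize.*"\)')
SLEEP_RE = re.compile(r"pid=(\d+) Sleep\((\d+)\)")


def find_memory_check_evasion(trace, long_sleep_ms=LONG_SLEEP_MS):
    """Return {pid: sleep_ms} for processes that read TotalVisibleMemorySize
    via WMI and afterwards called Sleep for at least long_sleep_ms."""
    queried = set()   # pids that have asked WMI for the memory size
    flagged = {}
    for line in trace.splitlines():
        m = WMI_MEM_RE.search(line)
        if m:
            queried.add(int(m.group(1)))
            continue
        m = SLEEP_RE.search(line)
        if m:
            pid, ms = int(m.group(1)), int(m.group(2))
            if pid in queried and ms >= long_sleep_ms:
                flagged[pid] = ms
    return flagged


def sandbox_memory_passes_check(total_visible_memory_kb):
    """True if a VM reporting this much memory would make the sample run at once
    instead of sleeping, i.e. the sandbox clears the 4 GB bar."""
    return total_visible_memory_kb >= SANDBOX_MIN_MEMORY_KB


def sleep_ms_to_days(ms):
    """Convert a Sleep() argument in milliseconds to days for reporting."""
    return ms / (24 * 3600 * 1000)


if __name__ == "__main__":
    for pid, ms in find_memory_check_evasion(SAMPLE_TRACE).items():
        print(f"pid {pid}: memory check followed by {sleep_ms_to_days(ms):.1f}-day sleep")
    print("2 GB VM clears check:", sandbox_memory_passes_check(2097152))
    print("4 GB VM clears check:", sandbox_memory_passes_check(4194304))
```

The second helper is the operational takeaway: a detonation VM configured with less than 4GB will never see this sample do anything, so the memory presented to the guest matters as much as the rule that flags the sleep.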

Attacks can be stopped using a variety of cybersecurity measures. An advanced spam filtering solution like SpamTitan will help to stop the spam emails from being delivered to end users’ inboxes. A web filter, such as WebTitan, can be implemented to control the websites that can be accessed by end users and block malicious file downloads. Security awareness training will help end users recognize the threat for what it is. Advanced malware detection tools are necessary to spot the threat because of its anti-machine learning capabilities.

At present, there is no free decryptor for PyLocky available.

Hotel WiFi Networks Targeted in Cyberattacks Using NSA Exploit

Security researchers have identified a number of cyberattacks on hotel WiFi networks that use a known NSA exploit – EternalBlue – for a flaw that was patched by Microsoft in March.

The same exploit was part of the WannaCry ransomware attacks that took place in May and the NotPetya wiper attacks in June. Even though those malware campaigns impacted hundreds of companies and caused millions (if not billions) of dollars in financial losses, there are still many companies that have not applied the update that addresses this flaw.

The recent cyberattacks on hotel WiFi networks have impacted venues in the Middle East and Europe. Once access is obtained to hotel networks and databases, the hackers spy on guests via hotel WiFi networks and steal their login details.

Security researchers at FireEye discovered the new campaign, which they have attributed to the Russian hacking group APT28, also known as Fancy Bear. Fancy Bear is thought to be sponsored by the Russian government and has carried out a large number of high profile cyberattacks in recent years, including the cyberattack on the World Anti-Doping Agency (WADA). Following that attack, Fancy Bear published athletes’ therapeutic use exemption (TUE) data.

In contrast to the WannaCry and NotPetya attacks, which were conducted remotely without any user involvement, the newest campaign is being conducted using spear phishing. The hacking group sends malicious emails to hotel staff and uses email attachments to install their backdoor, Gamefish. In this case, the attachment looks like a reservation form for a hotel booking. Gamefish is downloaded if hotel employees enable the macros in the document.

Once the backdoor is installed, the hackers search for internal and guest WiFi networks, using EternalBlue to spread to other devices. Once installed on the computers that control the WiFi networks, the hackers can launch attacks on devices that attempt to log onto the hotel WiFi network.

The hackers use the open-source Responder tool to listen for NBT-NS (UDP/137) broadcasts from devices that are trying to connect to WiFi network resources. Instead of connecting to the intended resource, the devices connect to Responder, which captures usernames and hashed passwords. That information is then sent to a computer controlled by the hackers. Once the hashed passwords have been cracked they can be used to attack hotel guests.
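The Responder step above abuses a protocol weakness rather than a software bug, so the defensive answer is to detect or disable NBT-NS on the network. The following is an added example, not FireEye's, the article's or Responder's code, showing one well-known detection approach: decode NBT-NS name-query replies and flag any positive answer for a "honey" name that is known not to exist on the network, because only a host answering for names it does not own will reply to it. The NB record layout follows RFC 1002; the reply datagram is built in code to stand in for a captured packet, nothing is sent on the network, and the honey name, transaction ID and IP addresses are made up.

```python
"""Decode NBT-NS name-query replies and flag answers for a honey name.

Added example, not FireEye's, the article's or Responder's code. NBT-NS
(NetBIOS Name Service, UDP/137) is DNS-like; see RFC 1002 for the layout
used here. The sample datagram is constructed; no traffic is generated.
"""
import struct

NB_TYPE = 0x0020        # RR type "NB" (NetBIOS general name service)
CLASS_IN = 0x0001
FLAG_RESPONSE = 0x8000  # R bit in the header flags


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding: pad the name to 15 bytes, append the suffix byte,
    then emit each nibble of each byte as a letter from 'A' to 'P' (32 chars)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def _skip_name(buf, off):
    """Advance past a length-prefixed label sequence ending in a zero byte."""
    while buf[off] != 0:
        off += 1 + buf[off]
    return off + 1


def parse_nbns_reply(datagram):
    """Parse a positive name-query reply carrying one NB answer record.
    Raises ValueError for anything that is not such a reply."""
    if len(datagram) < 12:
        raise ValueError("short datagram")
    trn_id, flags, qd, an, _ns, _ar = struct.unpack("!6H", datagram[:12])
    if not flags & FLAG_RESPONSE or an < 1:
        raise ValueError("not a name-query response")
    off = 12
    for _ in range(qd):                      # replies normally carry no question entries
        off = _skip_name(datagram, off) + 4  # skip name, type and class
    if datagram[off] != 32:
        raise ValueError("unexpected NetBIOS name length")
    name, suffix = decode_netbios_name(datagram[off + 1:off + 33])
    off = _skip_name(datagram, off)
    rr_type, rr_class, ttl, rdlen = struct.unpack("!HHIH", datagram[off:off + 10])
    off += 10
    if rr_type != NB_TYPE or rr_class != CLASS_IN or rdlen < 6:
        raise ValueError("not an NB resource record")
    nb_flags, = struct.unpack("!H", datagram[off:off + 2])
    addr = ".".join(str(b) for b in datagram[off + 2:off + 6])
    return {"trn_id": trn_id, "name": name, "suffix": suffix, "ttl": ttl,
            "nb_flags": nb_flags, "nb_address": addr}


def check_for_poisoner(datagram, src_ip, honey_names):
    """Return a finding if the reply answers one of our honey names, else None."""
    reply = parse_nbns_reply(datagram)
    if reply["name"] in {n.upper() for n in honey_names}:
        return (f"{src_ip} answered honey name {reply['name']} with "
                f"{reply['nb_address']} (NBT-NS poisoning)")
    return None


def build_sample_reply(trn_id, name, answer_ip, ttl=165):
    """Constructed datagram shaped like a positive name-query reply on the wire."""
    header = struct.pack("!6H", trn_id, 0x8500, 0, 1, 0, 0)   # response, authoritative, one answer
    rr_name = bytes([32]) + encode_netbios_name(name) + b"\x00"
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in answer_ip.split("."))
    return header + rr_name + struct.pack("!HHIH", NB_TYPE, CLASS_IN, ttl, len(rdata)) + rdata


# Constructed scenario: we broadcast a query for HNYFILESRV7, a name that does not
# exist, and a host at 10.0.5.23 replied pointing the name at itself.
HONEY_NAMES = ["HNYFILESRV7"]
SAMPLE_REPLY = build_sample_reply(0x1A2B, "HNYFILESRV7", "10.0.5.23")

if __name__ == "__main__":
    print(parse_nbns_reply(SAMPLE_REPLY))
    print(check_for_poisoner(SAMPLE_REPLY, "10.0.5.23", HONEY_NAMES))
```

In use, a monitoring host periodically broadcasts a query for the honey name and passes every reply it receives on UDP/137 to `check_for_poisoner`; a hit identifies the poisoning host by source address. The complementary mitigation on managed Windows devices is to disable NetBIOS over TCP/IP and LLMNR where they are not needed, which removes the broadcasts Responder listens for in the first place.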

The identities of the affected hotels have not been disclosed, although FireEye has revealed that at least one Middle Eastern hotel and seven in Europe have been targeted in these attacks. The hotels were well respected venues likely to be frequented by high-net-worth guests and business travellers.

Travellers have been told to exercise caution when connecting to hotel WiFi networks, such as avoiding logging into online bank accounts or better still, avoiding logging onto hotel WiFi networks altogether. While the use of a VPN when connecting to hotel WiFi networks is a wise move, in this case the attack can occur before a secure VPN connection is completed.

FireEye says that this sort of attack is difficult to detect and block. The attackers passively gather data and leave virtually no traces. Once login details have been obtained, guests are susceptible and not just while they are staying at the hotel. FireEye believes the credentials are then used to target individuals when they go back home and sign into their home networks.

The best method for hotels to obstruct cyberattacks on hotel WiFi networks such as this is by blocking the phishing and spear phishing attacks that lead to downloading of the malware. Hotels should ensure all employees are given security awareness training and a spam filtering solution such as SpamTitan is configured to stop malicious emails from being sent to employees’ inboxes.

Development of the System Administrator Role

The system administrator is a crucial role in any organization. Without sysadmins to deal with IT issues on a daily basis, the business would cease to function. Sysadmins also play an essential role in ensuring the security of the network, by taking proactive steps to keep systems secure as well as reacting to threats before they lead to a data breach. With more cyberattacks taking place, increasingly complex IT systems being implemented, and the fast pace of technological evolution, one thing is certain: the future of the system administrator is likely to continue to involve long hours and hard work.

It is also easy to predict that the future of the system administrator will bring major changes to job descriptions. That has always been the case, and never more so than now. There will be an ongoing need for on-the-job training, and new systems and processes must continue to be learned. Being a system administrator is therefore unlikely to be tedious.

Recent projections released by the US Bureau of Labor Statistics predict sustained growth in the profession over the next two years. While the forecast was previously 12% growth, this has now been cut to 6% – similar to other occupations. The increased automation of many sysadmin tasks is partly to blame for this decline in growth, since businesses are likely to need fewer staff as manual processes are cut. That said, the figures suggest that demand for IT workers will remain high. Even with newer, faster technology being adopted, staff are still needed to keep everything running smoothly.

XaaS, the Cloud, Virtualization, and VoIP Use to Rise

Sadly, while automation means increased efficiency, it can entail many hidden costs. Firstly, with more automation it can become harder to trace the source of a problem when something goes wrong. More automation also means the system administrator must become even more savvy. Automation usually involves scripting in various languages, so while you may previously have been able to get away with knowing either Python or Windows PowerShell, you will probably need to become knowledgeable in both, and maybe more.

If you are thinking about becoming a system administrator, now is the time to learn your first scripting language, as it will make it easier to learn others on the job if you understand the fundamentals. It will also help you to get the job in the first place.

Use of the cloud is growing, especially for backup and archiving, which has also led to a drop in the need for server-centered tasks. While there has been a drop in labor-intensive routine data processes, there has been a rise in the need to become proficient in the use of Application Programming Interfaces (APIs).

While many duties are now being outsourced through XaaS, it is still vital to understand those duties. The future of the system administrator is likely to require XaaS to be reviewed and assessed to make sure those services match the IT requirements of the organization. Sales staff will likely say their XaaS meets all business needs. Having an SA that understands the functions, the technology, and the needs of the business will be vital for cutting out the services that are unsuitable.

To cut expenses, many businesses are using VoIP. While this does offer massive cost savings, businesses cannot tolerate less than the 99.999% uptime offered by phone companies. The future of the system administrator is therefore likely to involve a thorough comprehension of the dynamics of network load.

Virtualization has also grown, with millions of virtual networks making the SA’s job more complex. That means knowledge of switching and routing will have to grow.

Communication, Collaboration, and Negotiation Skills in Demand

The SA’s job is no longer simply studying manuals and learning new systems. SAs are now required to communicate more effectively, understand the business, and collaborate with others. SAs will require good communication skills, must become excellent collaborators, and must also be proficient at negotiation. Luckily, there are many courses out there to help.