HookAds Malvertising Campaign Sending People to Trojans, Info Stealers and Ransomware Websites

One of the ways that threat actors deliver malware is malvertising. Malvertising is the placement of malicious adverts on legitimate websites that send visitors to websites where malware is installed. The HookAds malvertising campaign is one such example, and those responsible for the campaign have been particularly active recently.

The HookAds malvertising campaign has one aim – to direct people to a website hosting the Fallout exploit kit. An exploit kit is malicious code that operates when a visitor arrives on a web page. The visitor’s computer is explored to determine whether there are any flaws – unpatched software – that can be exploited to silently download files.

In the case of the Fallout exploit kit, users’ devices are explored for several known Windows vulnerabilities. If one is discovered, it is exploited and a malicious payload is installed. Several malware variants are currently being shared via Fallout, including data stealers, banking Trojans, and ransomware.

According to threat analyst nao_sec, two different HookAds malvertising campaigns have been identified: one is being used to distribute the DanaBot banking Trojan and the other is sending two malware payloads – the Nocturnal data stealer and GlobeImposter ransomware – via the Fallout exploit kit.

Exploit kits can only deliver malware to unpatched devices, so businesses will only be under threat from this web-based attack vector if they are not 100% up to date with their patching. Sadly, many businesses are slow to apply patches, and exploits for new vulnerabilities are frequently added to exploit kits (EKs) such as Fallout. Due to this, a security solution is needed to block this attack vector.

The threat actors responsible for the HookAds malvertising campaign are taking advantage of the low prices for advertising blocks on websites by low quality ad networks – those often utilized by owners of online gaming websites, adult sites, and other types of websites that should not be logged onto by employees. While the site owners themselves are not actively working with the threat actors behind the campaign, the malicious adverts are still displayed on their websites along with legitimate ads. The use of a web filter is advisable to mitigate this threat.

Emotet Malware Spread Using Thanksgiving Themed Spam Emails

There has been a rise in malspam campaigns spreading Emotet malware recently, with many new campaigns initiated that spoof financial institutions – a standard operating method of the threat group responsible for the campaigns.

The Emotet malware campaigns use Word documents which contain malicious macros. If macros are enabled, the Emotet malware payload is installed. The Word documents are either shared as email attachments or the spam emails include hyperlinks which bring users to a website where the Word document is downloaded.

Various social engineering tricks have been implemented in these campaigns. One new tactic that was spotted by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email seem benign.

According to Cofense, the campaign delivers Emotet malware, and Emotet in turn installs a secondary payload. In previous campaigns, Emotet has been sent along with ransomware. First, Emotet steals details, then the ransomware is used to extort money from victims. In the most recent campaign, the secondary malware is the banking Trojan named IcedID.

Another campaign has been discovered that uses Thanksgiving themed spam emails. The messages seem to be Thanksgiving greetings for employees, and similarly include a malicious hyperlink or document. The messages say that the document is a Thanksgiving card or greeting. Many of the emails have been personalized to help with the deception and include the user’s name. In this campaign, while the document downloaded seems to be a Word file, it is actually an XML file.

Emotet malware has been refreshed recently. In addition to stealing details, a new module has been incorporated which harvests emails from an infected user. The past six months’ emails – which include subjects, senders, and message content – are stolen. This new module is thought to have been added to enhance the effectiveness of future phishing campaigns, for corporate espionage, and data theft.

The recent rise in Emotet malware campaigns, and the highly varied tactics implemented by the threat actors behind these campaigns, emphasise the importance of adopting a defense in depth strategy to block phishing emails. Organizations should not rely on one cybersecurity solution to provide protection against hacking attacks.

Phishing campaigns aim for a weak link in security defenses: Staff members. It is therefore wise to ensure that all employees with corporate email accounts are trained how to recognize phishing threats. Training needs to be constant and should cover the latest tactics used by hackers to spread malware and steal details. Staff members are the last line of defense. Through security awareness training, the defensive line can be significantly enhanced.

As a frontline defense, all businesses and groups should use an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is needed to provide security against more complex email attacks.

SpamTitan is an advanced email filtering software that uses predictive techniques to supply superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based security.

Along with scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan employs heuristics, machine learning, and Bayesian analysis to spot emerging threats. Greylisting is used to spot and obstruct large scale spam campaigns, such as those usually carried out by the threat actors spreading banking Trojans and Emotet malware.

Easy Way to Win Business and Boost Revenue for MSPs With Email Archiving

Email archiving is a great way for a company to win business and boost revenue. Although it is often an overlooked service, it can add value and improve profits for MSPs. Email archiving has a high margin, generates regular additional income, is easy to implement and manage and is an easy sell to clients.

Email Archiving in SMBs

Email archiving is now essential for organisations of all sizes, from SMBs to the largest enterprises. Large numbers of emails are sent and received on a daily basis by companies. Copies of those emails need to be stored, saved, and often retrieved. Storage of emails in mailboxes can often pose problems. Emails and attachments often need a considerable amount of storage, which means hardware must be purchased and maintained. Storing large volumes of emails in mailboxes is not a secure way of storing emails.

Although storing emails in backups is an option, it is far from ideal. Space is still needed and recovering emails when they are required is not a straightforward task as backup files are not indexed and searching for messages can take a considerable amount of time.

An email archive, in comparison, is indexed and searchable, so emails can be retrieved on demand quickly and with ease. If there is a legal dispute, or when an organisation needs to demonstrate compliance (with GDPR or HIPAA for example), businesses need to be able to recover emails in an efficient manner. Additionally, an email archive provides a clear chain of custody, which many regulations also require.

Cloud-based archives offer secure storage for emails and have no restrictions on storage space. The cloud storage offered is also highly scalable and emails can be easily retrieved, regardless of the location.

In summary, email archiving can enhance security, lower costs, improve efficiency and is an invaluable compliance tool.

Email Archiving in MSPs

Due to the benefits of email archiving, it should be an easy sell for MSPs, either as an Office 365 archiving-as-a-service add-on or incorporated into existing email packages, in order to offer greater value and make your packages stand out from those of your competitors.

Office 365 archiving-as-a-service will generate regular income for very little effort as an add-on service. It will also improve the meagre returns from simply offering Office 365 to your clients. Overall, it can help you to attract more business when offered as part of a package.

Email Archiving Made Simple for MSPs by ArcTitan

TitanHQ is a leading provider of cloud-based security solutions for MSPs. TitanHQ products such as SpamTitan, WebTitan and ArcTitan SaaS email archiving have all been developed from the ground up to specifically meet the various needs of MSPs.

ArcTitan has been developed by TitanHQ to be easy to implement and manage. It seamlessly integrates into MSPs service stacks, allowing them to provide greater value to clients and make email services a much more lucrative offering. As a result of this, TitanHQ is able to offer generous margins on ArcTitan for MSPs.

Benefits of ArcTitan for MSPs

  • Easy implementation
  • Software downloads not necessary
  • No hardware requirements
  • Secure, cloud-based storage
  • Easy to operate centralised management system
  • Increases profitability of Office 365
  • Highly scalable email archiving
  • Easy set up for MSPs
  • Usage easy for clients
  • Improved margins for MSPs
  • Full suite of APIs supplied for simpler integration
  • Multiple hosting options: TitanHQ Cloud, dedicated private cloud, or host the solution in your own data centre
  • Fully rebrandable (ArcTitan can be supplied in white-label form ready for your own branding)
  • Usage-based pricing and monthly billing available
  • World class customer service and support

If you are yet to start offering email archiving to your clients or if you are unhappy with your current provider, contact the TitanHQ MSP team today for full ArcTitan product information, pricing details and further information on our MSP Program.

New Variant of Dharma Ransomware Discovered

A new Dharma ransomware variant has been created that is evading detection by most antivirus engines. Heimdal Security has said that this most recent Dharma ransomware variant captured by its researchers was only identified as malware by one of the 53 AV engines on VirusTotal.

Dharma ransomware (also referred to as CrySiS) was first spotted in 2006 and is still being developed. In 2018, several new Dharma ransomware variants have been made public, each using new file extensions for encrypted files (.bip, .xxxxx, .like, .java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In just the past two months, four new Dharma ransomware variants have been discovered.

The threat actors behind Dharma ransomware have claimed many victims in recent months. Successful attacks have been made public recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly makes these decryptors obsolete. Infection with the latest variants of the ransomware threat only allows victims three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file deletion.

The latter is not viable given the extent of files that are encrypted. Rescuing files from backups is not always possible as Dharma ransomware can also encrypt backup files and can erase shadow copies. Payment of a ransom should not be completed as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: the exploitation of Remote Desktop Protocol (RDP) and email malspam campaigns.

The most recent Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and an HTA file. Infections take place via RDP-enabled endpoints using brute force attempts to guess passwords. Once the password is guessed, the malicious payload is deployed.

While it is not yet known how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just prior to file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred via, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.

To safeguard against RDP attacks, RDP should be turned off unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be put in place. Rate limiting on login attempts should be set up to block login attempts after a set number of failures.
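The failure threshold above is usually enforced with an account lockout policy, but the same rule can be applied on the monitoring side to spot RDP password guessing early. This added example (not code from the original post) runs a sliding-window count over constructed Windows Security Event 4625 records; the flattened line format, field names and sample addresses are assumptions.

```python
"""Sliding-window detection of RDP password guessing over Windows failed-logon events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample of Event ID 4625 (logon failure) and 4624 (logon success) records,
# flattened to one line each. The field names are assumed, not a real export format.
# 198.51.100.7 hammers RDP; 192.0.2.9 tries slowly; 203.0.113.5 is a user who mistyped once.
SAMPLE_EVENTS = """\
2018-11-20T09:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2018-11-20T09:00:04 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2018-11-20T09:00:07 EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.7
2018-11-20T09:00:09 EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.7
2018-11-20T09:00:12 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2018-11-20T09:00:15 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2018-11-20T09:01:10 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.5
2018-11-20T09:01:25 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.5
2018-11-20T09:02:00 EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=-
2018-11-20T09:05:00 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=192.0.2.9
2018-11-20T09:07:00 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=192.0.2.9
2018-11-20T09:09:00 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=192.0.2.9
2018-11-20T09:11:00 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=192.0.2.9
2018-11-20T09:13:00 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<type>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)
# Logon type 10 is RemoteInteractive (classic RDP); type 3 (Network) is what RDP
# with Network Level Authentication records for a failed credential check.
RDP_LOGON_TYPES = {"10", "3"}


def parse_events(text):
    """Turn the flattened log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "id": m["id"],
            "type": m["type"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {source_ip: trigger_time_iso} for every source whose RDP logon failures
    reach `threshold` inside any `window_seconds`-long sliding window.

    The trigger time is when the threshold was first crossed, i.e. the moment a
    lockout or block on the source address should have kicked in.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source ip -> timestamps of failures still in the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] != "4625" or ev["type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures that have aged out
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"].isoformat()
    return flagged


if __name__ == "__main__":
    for ip, when in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: threshold reached at {when}")
```

The slow source 192.0.2.9 stays under the one-minute window; widening the window and lowering the threshold (the second call in the assertions) is how you trade earlier detection against false positives from users who mistype.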

Since Dharma can also encrypt backup files, good backup policies are essential. They will mean that file recovery is possible without payment of a ransom. Multiple copies of backups should be made, with one copy held securely off site.

To safeguard against email-based attacks, an advanced spam filter is necessary. Spam filters that rely on AV engines may not spot the latest ransomware variants. Advanced reviews of incoming messages are vital.

SpamTitan can enhance protection for companies through a combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been added to AV engines.

For additional information on SpamTitan and safeguarding your email gateway from ransomware attacks and other threats, contact TitanHQ’s security experts today.

New WebTitan and ArcTitan Integrations as Z Services Expands Partnership with Titan HQ

TitanHQ has recently expanded its partnership with Z Services, the leading SaaS provider of cloud-based cybersecurity solutions in the MENA region, which will result in new WebTitan and ArcTitan integrations.

Z Services operates 17 secure data centers in the UAE (base location), Qatar, Egypt, Saudi Arabia, Morocco, Jordan, Kuwait, Oman, Bahrain, and Kuwait. It is the only company in the Middle East and North Africa to offer a multi-tenant, cloud-based, in-country, cybersecurity architecture.

Z Services partnered with TitanHQ in February of 2017 and integrated TitanHQ’s award-winning email filtering technology into its service stack. Through doing this, it enabled Z Services to start offering SpamTitan-powered Z Services Anti-Spam SaaS to its clients. TitanHQ’s email filtering technology now also enables Z Services’ clients to filter out spam email and protect against sophisticated email-based threats such as malware, viruses, ransomware, botnets, phishing and spear phishing.

Due to the integration proving to be such a great success for Z Services, the firm has now decided to take its partnership with Titan HQ to the next level by integrating two new TitanHQ-powered SaaS solutions into its service stack. WebTitan – TitanHQ’s award-winning web filtering technology – and ArcTitan – its innovative email archiving solution – have now both been incorporated into Z Services’ MERALE SaaS offering. MERALE has been specifically developed to meet the cybersecurity, threat protection, and compliance needs of small to medium sized enterprises.

“With cybersecurity growing as a critical business concern across the region, there is a clear need to make security an operational rather than a capital expense. Hence the paradigm shift in the delivery of effective security solutions from the traditional investment and delivery model to an agile SaaS model through the primary connectivity provider of SMEs – the ISPs,” explained Z Services’ President for the Middle East and North Africa, Nidal Taha. “MERALE will be a game-changer in how small and medium businesses in the region ensure their protection, and as a subscription-based service, it removes the need for heavy investments and long-term commitments.”

Speaking from Titan HQ’s point of view, CEO Ronan Kavanagh said “We are delighted to continue our successful partnership with Z Services and share their vision for serving the SME segment with leading edge SaaS based security solutions. With this development Z Services is strengthening its leadership position as an innovative cloud-based cybersecurity solutions provider in the Middle East and North Africa.”

TitanHQ’s cloud-based cybersecurity solutions have been developed specifically to meet the needs of Managed Service Providers. More than 7,500 businesses worldwide are currently using the email filtering, web filtering, and email archiving solutions supplied by TitanHQ and more than 1,500 MSPs are now offering TitanHQ solutions to their clients.

When compared to many other cybersecurity solution providers, TitanHQ offers its products with a range of hosting options (including within an MSP’s own infrastructure), as full white label solutions ready for MSPs to apply their own branding. Through offering their clients TitanHQ solutions MSPs are able to significantly reduce costs related to support and engineering. They achieve this by blocking a wide range of cyber threats at source. MSPs also benefit from generous margins and world class customer service and support.

If you are an MSP and have not yet incorporated email filtering, web filtering, and email archiving solutions into your service stack, if you are unhappy with your current providers, or are looking to increase profits significantly while also ensuring your clients have the best protection against email and web-based threats, contact TitanHQ today for further information.

Users with Valid SSL Certificates Being Tricked by CloudFlare IPFS Gateway Phishing Forms

The CloudFlare IPFS gateway has only recently been made publicly available, but it is already being used by phishers to serve malicious content. Cloudflare IPFS gateway phishing attacks are likely to have a good success rate, as some of the checks carried out by end users to confirm the legitimacy of domains will not produce red flags.

IPFS is a P2P system that permits files to be shared easily across a group of nodes and accessed through a web browser; the gateway makes that content reachable over ordinary HTTPS. Content is distributed to different nodes throughout the network. The system can be used for hosting websites, and CloudFlare has made this process simpler by offering free SSL certificates and allowing domains to be easily linked to IPFS.

If phishers host their phishing forms on CloudFlare IPFS, they can use CloudFlare’s SSL certificate. Since the phishing page will begin with cloudflare-ipfs.com, this adds legitimacy. The CloudFlare-owned domain is more likely to be trusted than other phishing domains.

When CloudFlare IPFS Gateway phishing forms are visited, the browser will report that the webpage is secure: the address starts with HTTPS and a green padlock is displayed. If the visitor takes the time to check the certificate information of the web page, they will find it has been issued to cloudflare-ipfs.com by CloudFlare Inc., and the certificate is authentic. The browser will not serve any warning, and CloudFlare IPFS Gateway phishing content will therefore seem genuine.

At least one threat actor is using the CloudFlare IPFS Gateway for phishing and is hosting forms that state they are standard login pages for Office 365, DocuSign, Azure AD, and other cloud-based services, complete with proper logos.

If a visitor fills out the form, their credentials will be forwarded to the operator of a known phishing domain – searchurl.bid – and the user will be shown a document about business models, strategy and innovation, so the victim may not notice anything amiss.

The CloudFlare IPFS Gateway phishing strategy is like that used on Azure Blob storage, which also takes advantage of legitimate SSL certificates. In that case the certificate is issued by Microsoft.

It is becoming more and more important for phishers to use HTTPS for hosting phishing content. As more businesses change from HTTP to HTTPS, and browsers such as Chrome now display warnings to users about insecure sites, phishers have similarly had to move to HTTPS. Both the CloudFlare IPFS Gateway and Azure Blob storage offer a simple way to do this.

In both instances, links to the malicious forms are shared through spam email. One of the most typical ways to do this is to include an email attachment that contains a button which must be clicked in order to view the content. The user is told that the content of the file is secured, and that professional email login credentials must be entered in order to see the content. The document may be an invoice, purchase order, or a scanned document that needs to be looked over.

The rise in use of cloud platforms to host phishing content makes it more important than ever for organizations to set up advanced phishing defenses. A strong spam filter such as SpamTitan should be used to block the initial emails and prevent them from being delivered to end users’ inboxes. These phishing tactics should also be included in security awareness training to raise awareness of the threat and to warn users that SSL certificates do not necessarily mean the content of a web page is authentic. Web filtering solutions are also vital for restricting access to known malicious web pages, should a user click on a malicious link.

Chinese and English Speakers Targeted New RaaS Variant of FilesLocker Ransomware

FilesLocker, a newly discovered ransomware threat, is currently being offered as ransomware-as-a-service (RaaS) via a TOR malware forum. FilesLocker ransomware is not an especially sophisticated ransomware variant, but it still poses a major threat.

FilesLocker ransomware is a dual language ransomware variant that shows ransom notes in both Chinese and English. MalwareHunterTeam has found a Chinese forum on TOR where it is being offered to affiliates to distribute for a percentage of the ransom payments.

Unless advertised more widely, the number of affiliates that sign up may be limited, although it may prove popular. There are a number of features which could see the ransomware variant favored over other RaaS offerings, notably a sliding scale on commissions. The developers are offering a 60% cut of ransoms, which will rise to 75% if sufficiently high numbers of infections can be generated.

While relatively straightforward, FilesLocker ransomware still uses an RSA-2048 + AES scheme to lock files, and it erases Windows shadow copies to hamper efforts to recover files without paying the ransom. FilesLocker is also capable of encrypting files when the machine has no working network connection.

No server is needed, and the ransomware works on all Windows versions later than XP plus 32-bit and 64-bit Windows Server. Affiliates are also able to easily keep an eye on infections through a tracking feature which displays infections by country.

There is no free decryptor for FilesLocker ransomware in existence. Recovery can only be completed by restoring files from backups.

While news of a new RaaS offering is never welcome, there has at least been some good news on the ransomware front recently, at least for some victims.

GandCrab ransomware is another RaaS offering that has been for sale since January 2018. It has been widely adopted, with many affiliates using it to distribute the ransomware over the past 10 months.

A GandCrab ransomware decryptor was designed by Bitdefender in February that was able to unlock files encrypted by version 1.0 and v1.1 of GandCrab ransomware. The decryptor was developed after private keys were released online. However, it didn’t take long for v2.0 to be released, for which no free decryptor is available. There have been a number of further updates to GandCrab ransomware over the past few months, with v5.0 of the ransomware variant released in late September.

This week, Bitdefender has revealed that after collaboration with the Romanian Police, Europol and other law enforcement bodies, a new decryption tool has been developed that permits GandCrab ransomware victims to decrypt files for free, provided they have been infected with version 1, 4, or 5 of the ransomware.

The version can be deduced from the extension used on encrypted files: v1 = GDCB; v2/3 = CRAB; v4 = KRAB; and v5 uses a completely random 10-character extension.

The free GandCrab ransomware decryptor has been added to the NoMoreRansom Project website. Bitdefender is currently working on a free decryptor for v2 and v3 of GandCrab ransomware.

Recipe Unlimited Ryuk Ransomware Attack Leads to Restaurant Closures

What is thought to have been a Ryuk ransomware attack on Recipe Unlimited, a group of some 1,400 restaurants in Canada and North America, has forced the chain to shut down computers and temporarily close the doors of some of its restaurants while IT teams try to address the attack.

Recipe Unlimited, previously known as Cara Operations, operates pubs and restaurants under many different brands, including Harvey’s, Swiss Chalet, Kelseys, Milestones, Montana’s, East Side Mario’s, Bier Markt, Prime Pubs, and the Landing Group of Restaurants. All of these pub and restaurant brands have been impacted by the Recipe Unlimited ransomware attack.

While only a relatively small number of restaurants were forced to close, the IT outage caused widespread issues, stopping the restaurants that remained open from taking card payments from customers and using register systems to complete orders.

While it was at first unclear what caused the outage, a ransomware attack on Recipe Unlimited was later confirmed. A staff member at one of the impacted restaurants provided CBC News with a copy of the ransom note that had appeared on the desktop of one of the infected computers.

The ransom note is the same as that sent by the threat actors behind Ryuk ransomware. They say that files were encrypted with “military algorithms” which cannot be decrypted without a key that is only available from them. While it is unclear exactly how much the hackers asked for to decrypt files, they did threaten to increase the cost by 0.5 BTC (approx. $4,000 CAD) per day until contact was made. The Recipe Unlimited ransomware attack is thought to have taken place on September 28. Some restaurants remained closed on October 1.

The ransomware attack on Recipe Unlimited is just one of the recently witnessed attacks involving Ryuk ransomware. The hackers are understood to have gathered more than $640,000 in ransom payments from companies who have had no option other than to pay for the keys to unlock their files. The ransomware attack on Recipe Unlimited did not push up that total, as Recipe Unlimited conducted regular backups and expects to be able to restore all systems and data, although naturally that will take some time.

Ransomware attacks on restaurants, businesses, healthcare suppliers, and cities are extremely common and can be incredibly costly to address. The recent City of Atlanta ransomware attack caused widespread disruption due to the massive scale of the attack, involving thousands of computers.

The cost of addressing the attack, including making upgrades to its systems, is estimated at around $17 million, according to city officials. The ransomware attack on the Colorado Department of Transportation is estimated to cost $1.5 million to resolve.

There is no straightforward solution that will block ransomware attacks, as many different vectors are used to deliver the malicious file-encrypting software. Preventing ransomware attacks requires defense in depth and multiple software solutions.

Spam filtering solutions should be used to stop email delivery of ransomware, web filters can be set up to prevent access to malicious websites where ransomware is downloaded, antivirus solutions may detect infections in time to block attacks, and intrusion detection systems and behavioral analytics solutions are useful to quickly identify an attack in progress and limit the harm inflicted.

All operating systems and software must be kept fully up to date, strong passwords should be implemented, and end users must receive training to make them aware of the danger posed by ransomware. They should be trained in security best practices and trained how to identify threats. Naturally, robust backup policies are necessary to ensure that in the event of disaster, files can be recovered without having to meet the ransom demand.

New Sextortion Scam: Emails Appear to Have Been Sent from User’s Email Account

A new sextortion scam has been discovered that tries to fool the recipient of the message into believing their email account has been compromised and that their computer is under full control of the hacker.

The hackers spoof the user’s email address so that it appears that the message has been sent from the user’s own email account – the sender and the recipient addresses are exactly the same.

A quick and simple check that can be performed to deduce whether the sender name shown belongs to the account that was actually used to send the email is to click forward. When this is done, the display name is shown, but so too is the actual email address that the message was sent from. In this instance, that check does not help, making it seem that the user’s email account really has been compromised.

The messages used in this campaign try to extort money by suggesting the hacker has obtained access to the user’s computer by means of a computer virus. It is alleged that the virus gives the attacker the ability to review the user’s internet activities in real time and use the computer’s webcam to record the user.

The hacker claims that the virus was placed on the computer when the user viewed an adult website and that while the user was viewing internet pornography the webcam was active and recording. “Your tastes are so weird,” states the hacker in the email.

The hacker claims that they will sync the webcam footage with the content that the user was looking at and send a copy of the video to the user’s partner, friends, and relatives. It is said that all the user’s accounts have been compromised. The message also includes an example of one of the user’s passwords.

While it is very unlikely that the password given in the email is valid for any of the user’s accounts, the message itself will still be worrying for some individuals and will be enough to get them to make the requested payment of $800 to have the footage erased.

This is a sextortion scam in which the hackers have no leverage, as there is no virus and no webcam footage. However, it is clear that at least some recipients were not willing to take the risk.

According to security experts SecGuru, who received a version of the email in Dutch and found a similar English language version, the Bitcoin account used by the hacker had received payments of 0.37997578 Bitcoin – $3,500 – in the first two days of the attack. Now, 7 days after the first payment was completed, the earnings have grown to 1.1203 Bitcoin – $6,418 – with 15 people having paid.

A similar sextortion scam was carried out in the summer which also had an interesting twist. It implemented an old password for the account that had been downloaded from a data dump. In that instance, the password was real, at least at some point in the past, which made the scam seem authentic.


California Wildfire Scam Alerts Issued

A California wildfire scam is underway that asks for financial donations to help the victims of the recent wildfires. The emails look like they are being sent from the CEO of a company and are directed at its employees in the accounts and finance department.

It should come as no shock that hackers are taking advantage of yet another natural disaster and are trying to con people into giving donations. Hackers often take advantage of natural disasters to pull on the heart strings and defraud companies. Similar scams were carried out following the recent hurricanes that hit the United States and caused widespread damage.

The California wildfire scam, discovered by Agari, is a form of business email compromise (BEC) attack. The emails look like they have been sent by the CEO of a company, with his/her email address used to send messages to company staff. This is often achieved by spoofing the email address, although in some instances the CEO’s email account has been compromised and is used to send the messages.

The California wildfire scam has one major red flag. Instead of asking for a monetary donation, the scammers ask for Google Play gift cards and request that the redemption codes be sent back to the CEO by return.

The emails are sent to staff in the accounts and finance departments and request that the money be sent in 4 x $500 denomination gift cards. If these are returned to the CEO, he/she will then supposedly forward them on to company clients that have been impacted by the California wildfires.

The reason Google Play gift cards are sought is because they can easily be exchanged on the darknet for other currencies. The gift cards are virtually impossible to trace back to the hacker.

The messages are full of grammatical mistakes. However, scams such as this are conducted because they work. Many people have been fooled by similar scams previously.

Safeguarding against scams such as this requires technical controls, end user training and strong company policies. An advanced spam filtering solution should be implemented – SpamTitan for instance – to prevent messages such as these from landing in inboxes. SpamTitan reviews all incoming emails for spam signatures and uses advanced methods such as heuristics, machine learning, and Bayesian analysis to identify advanced and never-before-seen phishing campaigns.

End user training is vital for all staff, especially those with access to corporate bank accounts, as those people are regularly targeted by hackers. Policies should be introduced that require all requests for changes to bank accounts, atypical payment requests, and wire transfers above a certain threshold to be approved by phone or in person before they are authorized.

Stealthy sLoad Downloader Performs Extensive Reconnaissance Before Delivering Payload

In recent months, new, versatile malware downloaders have been discovered that gather a significant amount of data about users’ systems before deploying a malicious payload on the system.

Marap malware and Xbash are two notable recent instances. Marap fingerprints a system and is capable of installing additional modules based on the results of the initial reconnaissance. Xbash also profiles the system, determines whether it is better suited to cryptocurrency mining or a ransomware attack, and deploys its payload accordingly.

A further versatile and stealthy malware variant, named the sLoad downloader, can now be added to that list. sLoad was first discovered in May 2018, so it predates both of the above malware variants, although its use has been increasing.

The main aim of sLoad appears to be reconnaissance. Once installed on a system, it will determine the location of the device based on the IP address and performs several checks to identify the type of system and the software that is running, and will determine whether it is on a real device or in a sandbox environment. It checks the processes running on the system, compares them against a hardcoded list, and will exit if certain security software is present, to avoid detection.

If the system is deemed suitable, a full scan of all running processes is completed. The sLoad installer searches for Microsoft Outlook files, ICA files associated with Citrix, and other system information. sLoad is capable of capturing screenshots and searches the browser history for specific banking domains. All of this data is then fed back to the hackers’ C2 server.

Once the system has been fingerprinted, further malware variants are installed, primarily banking Trojans. Geofencing is used widely by the threat actors using sLoad which helps to ensure that banking Trojans are only placed on systems where they are likely to be effective – if the victim uses one of the banks that the Trojan is targeting.

In most of the campaigns seen so far, the banking Trojan of choice has been Ramnit. The attacks have also been very focused on specific countries, including Canada and, latterly, Italy and the United Kingdom – locations which are currently being attacked by Ramnit. Other malware variants linked to the sLoad downloader include the remote desktop tool DarkVNC, the Ursnif information stealer, DreamBot, and PsiBot.

The sLoad downloader is almost exclusively sent through spam email, with the emails often containing personal information such as the target’s name and address. While many email subjects have been used, most commonly the emails relate to purchase orders, shipping notifications, and missed packages.

The emails include Word documents with malicious macros inside ZIP files, or alternatively embedded hyperlinks which download the ZIP file if clicked.

The sLoad installer may be stealthy and versatile, but preventing the threat is possible with an advanced spam filter. End user training to condition staff never to click on hyperlinks or open attachments from unknown senders, or to enable macros, will also help to stop infection. Web filtering solutions supply an additional layer of protection to prevent attempts to download malicious files from the Internet.
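A mail-gateway check for the sLoad lure described above (a macro Word document inside a ZIP attachment), as an added example that is not code from the original article or from any vendor product. The messages and the "documents" inside them are constructed here as minimal OOXML zips, not real Office files.

```python
"""Flag ZIP attachments that carry macro-enabled Office documents, the sLoad lure.
Added example (not from the original article). Samples below are constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")  # macro-enabled OOXML names
LEGACY_OFFICE = (".doc", ".xls", ".dot")                 # binary formats that may hold VBA
VBA_PART = "vbaProject.bin"                               # OOXML part that stores VBA code


def ooxml_has_vba(data):
    """True if an OOXML package (itself a zip) contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            return any(name.rsplit("/", 1)[-1] == VBA_PART for name in pkg.namelist())
    except zipfile.BadZipFile:
        return False


def classify_file(name, data):
    """Verdict string for a suspicious document, or None if it looks benign."""
    lower = name.lower()
    # A renamed .docx still carries its VBA part, so inspect the package too
    if lower.endswith(MACRO_EXTENSIONS) or ooxml_has_vba(data):
        return "macro-enabled Office document"
    if lower.endswith(LEGACY_OFFICE):
        return "legacy Office document (may contain VBA)"
    return None


def scan_message(raw):
    """One finding per suspicious attachment, looking one level inside ZIP archives."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for member in archive.namelist():
                        verdict = classify_file(member, archive.read(member))
                        if verdict:
                            findings.append("%s -> %s: %s" % (name, member, verdict))
            except zipfile.BadZipFile:
                findings.append("%s: ZIP attachment could not be parsed" % name)
        else:
            verdict = classify_file(name, data)
            if verdict:
                findings.append("%s: %s" % (name, verdict))
    return findings


# ---- constructed samples (not real malware) ---------------------------------

def fake_ooxml(with_vba):
    """Minimal stand-in for a .docx/.docm package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            pkg.writestr("word/vbaProject.bin", b"\x00")  # placeholder bytes, not VBA
    return buf.getvalue()


def zip_of(filename, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(filename, content)
    return buf.getvalue()


def build_message(attachment_name, attachment, subject):
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please find the requested document attached.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="zip" if attachment_name.endswith(".zip") else "octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# sLoad-style lure: macro document hidden in a ZIP, purchase-order subject line
SLOAD_LURE = build_message("Purchase_Order_4471.zip",
                           zip_of("Purchase_Order_4471.docm", fake_ooxml(True)),
                           "Purchase order 4471")
# Renamed trick: .docx extension, but the package still carries a VBA part
RENAMED_LURE = build_message("invoice.docx", fake_ooxml(True), "Invoice")
# Benign: a plain .docx with no VBA part
BENIGN = build_message("report.docx", fake_ooxml(False), "Quarterly report")

if __name__ == "__main__":
    for label, raw in (("sLoad lure", SLOAD_LURE), ("renamed", RENAMED_LURE), ("benign", BENIGN)):
        print(label, scan_message(raw) or "no findings")
```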

Updated Version of Azorult Malware Being Shared via RIG Exploit Kit

An updated version of Azorult malware has been discovered. The most recent version of the data stealer and malware downloader has already been deployed in attacks and is being distributed via the RIG exploit kit.

Azorult malware is mainly an information stealer which is used to steal usernames and passwords, credit card numbers, and other data including browser histories. Newer versions of the malware have had cryptocurrency wallet-stealing capabilities added.

Azorult malware was first spotted in 2016 by researchers at Proofpoint and has since been deployed in a large number of attacks via exploit kits and phishing email campaigns. The latter have used hyperlinks to malicious sites or, more commonly, malicious Word files containing malware downloaders.

In 2016, the malware variant was first installed with the Chthonic banking Trojan, although more recent campaigns have seen Azorult malware deployed as the primary malware payload. This year has seen many different threat actors pair the information stealer with a secondary ransomware payload.

Campaigns have been observed using Hermes and Aurora ransomware as secondary payloads. In both campaigns, the main aim is to obtain login credentials to raid bank accounts and cryptocurrency wallets. When all useful information has been taken, the ransomware is activated, and a ransom payment is requested to decrypt the files.

A new version of Azorult was released in July 2018 – version 3.2 – which included significant improvements to both its stealer and downloader functions. Now Proofpoint researchers have discovered a new variant – version 3.3 – which has already been added to RIG. The new variant appeared on the market shortly after the source code for the previous version was leaked online.

The new variant uses an alternative method of encryption, has improved cryptocurrency stealing functionality that allows the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be stolen, a new and improved loader, and a new admin panel. The latest version has a lower detection rate by AV software, which results in more successful installations.

The RIG exploit kit uses exploits for known flaws in Internet Explorer and Flash Player, and uses JavaScript and VBScript to download Azorult.

If your operating systems and software are always fully patched and current, you will be protected against these exploit kit downloads, as the vulnerabilities targeted by RIG are not new. However, many businesses are slow to apply patches, which need to be thoroughly tested. It is therefore strongly advisable to also use a web filtering solution such as WebTitan to provide additional protection against exploit kit malware downloads. WebTitan stops end users from visiting malicious websites such as those hosting exploit kits.

The most recent version of Azorult malware was first put on sale on October 4. It is possible that other threat actors will buy the malware and distribute it via phishing emails, as was the case with older versions. It is therefore wise to also put in place an advanced spam filter and ensure that end users are trained to recognize malicious emails.

New Version of Azorult Malware Being Distributed via RIG Exploit Kit

An updated strain of Azorult malware has been discovered. The data stealer and malware downloader has already been used in attacks and is being distributed using the RIG exploit kit.

Azorult malware is mainly an information stealer which is used to obtain usernames and passwords, credit card details, and other data including browser histories. Newer versions of the malware have had cryptocurrency wallet-stealing capabilities added.

Azorult malware was first discovered in 2016 by researchers at Proofpoint and has since been utilized in a large number of attacks through exploit kits and phishing email campaigns. The latter have used links to malicious sites or, more typically, malicious Word files containing malware downloaders.

Back in 2016, the malware variant was first installed in tandem with the Chthonic banking Trojan, although later campaigns have seen Azorult malware deployed as the primary malware payload. 2018 has seen multiple threat actors pair the information stealer with an accompanying ransomware payload.

Campaigns have been identified using Hermes and Aurora ransomware as secondary payloads. In both attacks, the initial aim is to steal login details to raid bank accounts and cryptocurrency wallets. When all useful data has been obtained, the ransomware is enabled, and a ransom payment is requested in order to decrypt the files.

A new strain of Azorult was issued in July 2018 – version 3.2 – which contained major improvements to both its stealer and downloader functions. Now Proofpoint researchers have discovered a new variant – version 3.3 – which has already been added to RIG. The new variant was released just after the source code for the previous version was leaked on the Internet.

The new variant uses an alternative method of encryption, has enhanced cryptocurrency stealing functionality that allows the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be obtained, a new and improved loader, and an updated admin panel. The latest version is more difficult for AV software to detect, which results in more successful installations.

The RIG exploit kit uses exploits for known flaws in Internet Explorer and Flash Player, and uses JavaScript and VBScript to install Azorult.

If your operating systems and software are kept fully updated, you will be safeguarded against these exploit kit downloads, as the vulnerabilities exploited by RIG are not new. However, many businesses are slow to apply patches, which need to be extensively tested. It is therefore important to also deploy a web filtering solution.

XMRig Cryptocurrency Miner Installed Using Fake Adobe Flash Updates

Using fake software updates to spread malware is not a new phenomenon, but a new malware campaign has been discovered that is quite different. Fake Adobe Flash updates are being spread that actually do update the user’s Flash version, albeit with the addition of the XMRig cryptocurrency miner.

The campaign deploys pop-up notifications that are an exact replica of the authentic notifications used by Adobe, telling the user that their Flash version needs to be updated. Clicking on the install button, as with the authentic notifications, will update the user’s Flash to the most recent version. However, in the background, the XMRig cryptocurrency miner is also downloaded and installed. Once installed, XMRig will run silently in the background, unbeknownst to the user.

The campaign was discovered by security experts at Palo Alto Networks’ Unit 42 team. The researchers found several Windows executable files whose names began with AdobeFlashPlayer that were hosted on cloud servers not controlled by Adobe.

A review of network traffic during the infection process revealed that most of the traffic was connected to updating Adobe Flash from an Adobe-controlled domain, but that it soon changed to traffic with a domain associated with downloaders known to push cryptocurrency miners. Traffic was later identified over TCP port 14444 that was associated with the XMRig cryptocurrency miner.

Additional analysis of the campaign showed it has been operating since mid-August, with activity increasing in September when the fake Adobe Flash updates started to be distributed more widely.

End users are unlikely to notice the downloading and installation of the XMRig cryptocurrency miner, but there is likely to be a noticeable slowdown in the operation of their computer. The installation of the XMRig cryptocurrency miner may be stealthy, but when it runs it takes up almost all of the computer’s CPU for cryptocurrency mining. Any user that reviews Task Manager will see Explorer.exe hogging their CPU. As with the majority of cryptocurrency miners, XMRig mines Monero. What is not currently known is which websites are distributing the fake Adobe Flash updates, or how traffic is being sent to those sites.

Any alert about a software update that pops up while browsing the internet should be treated as suspicious. The window should be closed, and the official website of that software supplier should be visited to determine whether an update is required. Software updates should only ever be installed from official websites; in the case of Adobe Flash, that is Adobe.com.
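Detection logic for the three indicators Unit 42 reports above (AdobeFlashPlayer* executables served from non-Adobe hosts, TCP traffic to port 14444, and explorer.exe pinning the CPU), as an added example that is not code from the original article or from Unit 42. The telemetry format and the sample lines are constructed for this illustration; the CPU threshold and sample count are assumptions.

```python
"""Run the fake-Flash-update / XMRig indicators over constructed telemetry.
Added example (not from the original article or Unit 42)."""
from collections import defaultdict

XMRIG_PORTS = {14444}         # port observed by Unit 42 during the infection
ADOBE_DOMAIN = "adobe.com"    # only this domain and its subdomains are treated as legitimate
CPU_THRESHOLD = 90            # assumed: percent CPU considered abnormal for explorer.exe
CPU_SAMPLES = 2               # assumed: consecutive abnormal samples before alerting

# Constructed sample telemetry, one event per line: timestamp|event|key=value|...
SAMPLE_LOG = """\
2018-10-11T09:14:02Z|download|host=cdn.example-cloud.invalid|file=AdobeFlashPlayer_31.exe
2018-10-11T09:14:05Z|download|host=get.adobe.com|file=install_flash_player.exe
2018-10-11T09:15:10Z|netconn|proc=explorer.exe|pid=4120|dst=203.0.113.7|dport=14444|proto=tcp
2018-10-11T09:15:11Z|netconn|proc=chrome.exe|pid=5508|dst=203.0.113.9|dport=443|proto=tcp
2018-10-11T09:16:00Z|cpu|proc=explorer.exe|pid=4120|pct=97
2018-10-11T09:16:00Z|cpu|proc=chrome.exe|pid=5508|pct=12
2018-10-11T09:17:00Z|cpu|proc=explorer.exe|pid=4120|pct=95
"""


def parse_event(line):
    """Split 'ts|kind|k=v|k=v' into a dict with ts and kind added."""
    ts, kind, *pairs = line.split("|")
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"], event["kind"] = ts, kind
    return event


def is_adobe_host(host):
    host = host.lower().rstrip(".")
    return host == ADOBE_DOMAIN or host.endswith("." + ADOBE_DOMAIN)


def detect(lines):
    """Return (rule, timestamp, detail) tuples in the order the indicators appear."""
    alerts = []
    streak = defaultdict(int)   # (proc, pid) -> consecutive high-CPU samples
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_event(raw)
        if ev["kind"] == "download":
            # Flash installer named like Adobe's but fetched from a third-party host
            if ev["file"].lower().startswith("adobeflashplayer") and not is_adobe_host(ev["host"]):
                alerts.append(("fake_flash_download", ev["ts"],
                               "%s from %s" % (ev["file"], ev["host"])))
        elif ev["kind"] == "netconn":
            # Outbound TCP to the port the miner was seen using
            if ev["proto"] == "tcp" and int(ev["dport"]) in XMRIG_PORTS:
                alerts.append(("xmrig_port", ev["ts"],
                               "%s pid %s -> %s:%s" % (ev["proc"], ev["pid"], ev["dst"], ev["dport"])))
        elif ev["kind"] == "cpu":
            # explorer.exe sustaining near-full CPU, as seen in Task Manager
            key = (ev["proc"].lower(), ev["pid"])
            streak[key] = streak[key] + 1 if int(ev["pct"]) >= CPU_THRESHOLD else 0
            if key[0] == "explorer.exe" and streak[key] == CPU_SAMPLES:
                alerts.append(("explorer_high_cpu", ev["ts"],
                               "pid %s at %s%% for %d samples" % (ev["pid"], ev["pct"], CPU_SAMPLES)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```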

The Palo Alto experts say “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”

Anthem Data Breach Settlement for Spear Phishing Attack is $16 Million

Following a massive data breach in 2015 in which 78.8 million health plan records were stolen, Anthem Inc. has settled a class action lawsuit for $115 million, and OCR has now agreed a $16 million data breach settlement with the health insurer.

Before the announcement of the settlement, the unenviable record for the largest healthcare data breach was held by Science Applications International Corporation, a vendor used by healthcare groups, which suffered a 4.9 million record breach in 2011. The Anthem data breach was on a completely different scale.

The hacking group responsible for the Anthem data breach was clearly skilled. Mandiant, the cybersecurity company that assisted with the investigation, suspected the attack was a nation-state funded cyberattack. The hackers managed to obtain access to Anthem’s data warehouse and downloaded a huge volume of data undetected. The time from the first attack to discovery was almost a year.

While the attack was complex, a foothold in the network was not obtained through an elaborate hack or zero-day exploit but through phishing emails.

At least one staff member responded to a spear phishing email, sent to one of Anthem’s subsidiaries, which gave the hackers the entry point they needed to launch further attacks and gain access to Anthem’s health plan member database.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) looks into healthcare data breaches that lead to the exposure or theft of 500 or more records. An in-depth review of the Anthem breach was therefore a certainty given its size. A fine for non-compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules was a very likely outcome as HIPAA requires healthcare groups to safeguard health data. The scale of the breach also made it likely that it would lead to the largest ever penalty for a healthcare data breach.

Previous to the Anthem data breach settlement, the largest fine for a healthcare data breach was $5.55 million, which was agreed between OCR and Advocate Health Care Network in 2016. The Anthem data breach settlement was almost three times that figure, which reflected the seriousness of the breach, the number of people affected, and the extent to which HIPAA Rules were alleged to have been breached.

OCR claimed that Anthem Inc. had breached five provisions of HIPAA Rules, and by doing so failed to stop the breach and limit its severity. The Anthem data breach settlement was, however, agreed with no admission of liability.

The regulatory fine is just a small fraction of the total cost of the Anthem data breach. On top of the Anthem data breach settlement with OCR, Anthem faced multiple legal actions in the wake of the data breach. The consolidated class action lawsuit was settled by Anthem in January 2018 for $115 million.

The class action settlement document showed that Anthem had already paid $2.5 million to consultants in the wake of the breach, $31 million was spent mailing alert letters, $115 million went on enhancements to security, and $112 million was paid to provide identity theft protection and credit monitoring services to affected plan subscribers.

With the $115 million class action settlement and the $16 million OCR settlement, that brings the overall cost of the Anthem data breach to $391.5 million.

At $391.5 million, that makes this the most costly healthcare phishing campaign by some distance and the cost clearly emphasises just how important it is to implement a defense-in-depth strategy to safeguard against phishing attacks.

Cloud Service Providers’ SSL Certificates Targeted by Office 365 Phishing Attacks

Office 365 phishing attacks are widely witnessed and very realistic, with Office 365 spam filtering controls easily bypassed by scammers to ensure messages reach inboxes.

Additionally, phishing forms are being hosted on webpages that are secured with valid Microsoft SSL certificates to fool users into believing the websites are genuine.

If a phishing email makes it past perimeter defenses and arrives in an inbox, there are usually a number of tell-tale signs that the email is not real.

There are often spelling mistakes and incorrect grammar, and the messages are sent from questionable senders or domains. To bolster the response rate, scammers are now spending much more time carefully crafting their phishing emails, and they are often virtually indistinguishable from real communications from the brand they are spoofing. In terms of style, they are carbon copies of genuine emails, complete with the branding, contact data, sender details, and logos of the company being spoofed. The subject is perfectly believable and the content well written. The actions the user is asked to complete are perfectly plausible.

Hyperlinks in the emails bring users to a website where they are required to enter their login credentials. At this stage of the phishing attack there are usually additional signs that all is not as it seems. A warning may be included in a pop-up to say that the website may not be genuine, the website may begin with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the business that the website is spoofing.

Even these tell-tale signs are not always evident, as has been shown in many recent Office 365 phishing attacks, which have the phishing forms hosted on webpages that have genuine Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.

Office 365 users are being targeted by scammers because they know Office 365 phishing controls can be easily bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed that even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for the security offered. With only the basic Exchange Online Protection, the protection was worse still.

Whether you operate an SMB or a large enterprise, you are likely to be sent high volumes of spam and phishing emails and many messages will be delivered to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as dangerous, it is probable that all but the most experienced, well trained, security conscious workers will be tricked. What is therefore needed is an advanced third-party spam filtering solution that will work in tandem with Office 365 spam filtering controls to provide far greater security.

While Office 365 will block spam emails and phishing emails (Osterman Research proved it blocks 100% of known malware), it has been shown to perform poorly against advanced phishing threats like spear phishing.

Office 365 does not have the same range of predictive technology as dedicated on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing attacks.

To enhance protection you require a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and provides better protection against advanced phishing attacks, new malware, and complex email attacks to ensure malicious messages are blocked or quarantined instead of being delivered to end users’ inboxes. Some of the additional security measures provided by SpamTitan against Office 365 phishing attacks are detailed in the image below:

To discover more about making Office 365 safer and how SpamTitan can be of advantage to your company, get in touch with TitanHQ.

U.S. Banks Being Attacked by DanaBot Trojan

In May, security experts at Proofpoint noticed a spam email campaign that was distributing a new banking Trojan named DanaBot. At the time it was believed that a single threat actor was using the DanaBot Trojan to target organizations in Australia to obtain online banking details.

That campaign is still ongoing, but in addition, campaigns have been identified in Europe attacking customers of banks in Italy, Germany, Poland, Austria, and the UK. Then in late September, a further DanaBot Trojan campaign was carried out targeting U.S. banks.

The DanaBot Trojan is a modular malware coded in Delphi that can install additional components to add various functions.

The malware can capture screenshots, steal form data, and log keystrokes in order to obtain banking details. That data is sent back to the hackers’ C2 server and is subsequently used to steal money from corporate bank accounts.

A review of the malware and the geographical campaigns shows different IDs are used in the C2 communication headers. This strongly implies that the campaigns in each region are being carried out by different individuals and that the DanaBot Trojan is being provided as malware-as-a-service. Each threat actor is responsible for running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates operating campaigns. Overall, there appear to currently be 9 individuals running distribution campaigns.

The country-specific campaigns are employing different methods to deliver the malicious payload, including the new Fallout exploit kit, web injects, and spam email. The latter is being used to distribute the Trojan in the United States.

The U.S. campaign uses a fax notice lure with the emails seeming to come from the eFax service. The messages look professional and include all the appropriate formatting and logos. The emails contain a button that must be clicked to download the 3-page fax message to the device.

Clicking on the button will download a Word document with a malicious macro which, if allowed to run, will initiate a PowerShell script that downloads the Hancitor downloader. Hancitor will then download the Pony stealer and the DanaBot Trojan.

Proofpoint’s investigation into the malware revealed similarities with the ransomware groups Reveton and CryptXXX, which suggests that DanaBot has been created by the same group responsible for both of those ransomware threats.

The U.S. DanaBot campaign is attacking customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase. It is probable that the campaigns will spread to other countries as more threat actors sign up to use the malware.

Stopping attacks requires defense in depth against all attack vectors. An advanced spam filter is needed to block malspam. Users of Office 365 should enhance protection with a third-party spam filter such as SpamTitan to provide better security against this threat. To prevent web-based attacks, a web filtering solution should be implemented. WebTitan can block efforts by end users to visit websites known to include exploit kits and IPs that have previously been used for malicious reasons.

End users should also be advised never to open email attachments or click on hyperlinks in emails from unknown senders, or to enable macros on documents unless they are 100% certain that the files are authentic. Companies in the United States should also consider warning their employees about fake eFax emails to raise awareness of the danger.

U.S. Bank Customers Targeted by DanaBot Trojan

Last May, security specialists at Proofpoint identified a spam email campaign that was distributing a new banking Trojan named DanaBot. At first it was thought that a single threat actor was using the DanaBot Trojan to target organizations in Australia to obtain online banking details.

That campaign has persisted, but in addition, campaigns have been noticed in Europe targeting customers of banks in Italy, Germany, Poland, Austria, and the UK. Then last month a further DanaBot Trojan campaign was carried out targeting U.S. banks.

The DanaBot Trojan is a modular malware programmed in Delphi that can install additional components to add various functions.

The malware can capture screenshots, obtain form data, and record keystrokes in order to obtain banking credentials. That data is sent back to the attackers’ C2 server and is then used to steal money from corporate bank accounts.

A review of the malware and the geographical campaigns shows alternative IDs are used in the C2 communication headers. This strongly suggests that the attacks in each region are being carried out by different individuals and that the DanaBot Trojan is being provided as malware-as-a-service. Each threat actor is charged with running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates conducting campaigns. Overall, there appears to currently be nine hackers running distribution campaigns.

The country-specific campaigns are using a variety of tools to distribute the malicious payload, which include the new Fallout exploit kit, web injects, and spam email. The latter is being used to share the Trojan in the United States.

The U.S. campaign sends a fax notice lure with the emails seeming to come from the eFax service. The messages look authentic and are complete with appropriate formatting and logos. The emails include a button that must be clicked to download the 3-page fax message.

Clicking on the button will download a Word document with a malicious macro which, if permitted to run, will initiate a PowerShell script that downloads the Hancitor downloader. Hancitor will then install the Pony stealer and the DanaBot Trojan.

Proofpoint’s review of the malware revealed similarities with the ransomware groups Reveton and CryptXXX, which suggests that DanaBot has been developed by the same group responsible for both of those ransomware threats.
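A process-tree detection for the delivery chain described above (Word document, macro, PowerShell, downloader), which applies equally to the same chain in the earlier DanaBot write-up, as an added example that is not code from the original article or from Proofpoint. The event format and the sample events are constructed; in practice Sysmon or EDR process-creation events would feed the same logic, and the downloader file name hancitor_stage.exe is hypothetical.

```python
"""Flag Office -> script host -> dropped binary chains in process-creation events.
Added example (not from the original article or Proofpoint). Events are constructed."""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed process-creation events: (pid, parent pid, image path)
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    (300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (400, 300, r"C:\Users\alice\AppData\Local\Temp\hancitor_stage.exe"),  # hypothetical name
    (500, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    (600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # not from Office
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_macro_chain(events):
    """Return (rule, pid, chain) tuples for the two stages of the macro chain."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    alerts = []
    for pid, ppid, image in events:
        child = basename(image)
        parent_ppid, parent_image = by_pid.get(ppid, (None, ""))
        parent = basename(parent_image)
        # Stage 1: the macro starting PowerShell shows up as Office spawning a script host
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            alerts.append(("office_spawned_script_host", pid, "%s -> %s" % (parent, child)))
        # Stage 2: that script host launching a binary from a user-writable path is the
        # downloader running; require Office as grandparent to cut admin-script noise
        if parent in SCRIPT_HOSTS and any(m in image.lower() for m in USER_WRITABLE):
            grandparent = basename(by_pid.get(parent_ppid, (None, ""))[1])
            if grandparent in OFFICE_APPS:
                alerts.append(("macro_dropped_binary", pid,
                               "%s -> %s -> %s" % (grandparent, parent, child)))
    return alerts


if __name__ == "__main__":
    for alert in detect_macro_chain(SAMPLE_EVENTS):
        print(*alert)
```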

The U.S. DanaBot campaign is focused on customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase. It is probable that the campaigns will spread to other countries as more threat actors begin to use the malware.

Stopping attacks requires defense in depth against each of the attack vectors. An advanced spam filter is necessary to block malspam. Subscribers to Office 365 should increase protection with a third-party spam filter such as SpamTitan to supply better protection against this threat. To stop web-based attacks, a web filtering solution should be implemented. WebTitan can block efforts by end users to visit websites known to include exploit kits and IPs that have previously been used for malicious aims.

End users should also be advised never to open email attachments or visit hyperlinks in emails from unknown senders, or to enable macros on documents unless they are 100% certain that the files are authentic. Companies in the United States should also consider warning their employees about fake eFax emails to increase awareness of the threat.

Around €43 Billion Cybercrime Losses Experienced in Germany

As the world’s largest economy, the United States is always going to be a major focus for hackers. Various studies have been carried out on the cost of cybercrime in the United States, but little data is available on cybercrime losses in Germany – the biggest economy in the European Union.

The International Monetary Fund published a list of countries with the largest economies. In 2017, Germany was ranked fourth behind the United States, China, and Japan. Its GDP of $3.68 trillion makes up 4.61% of global GDP.

A recent study carried out by Germany’s federal association for Information Technology – BitKom – has put a figure on the toll that cybercrime is taking on the German economy.

The survey was sent to security chiefs and managers at Germany’s top 503 companies in the manufacturing sector. From the findings of that survey, BitKom estimated cybercrime losses in Germany to be €43 billion ($50.2 billion). That makes up 1.36% of the country’s GDP.

Extrapolating those cybercrime losses in Germany to the rest of the world places the global cost of cybercrime at $1 trillion, substantially higher than the $600 billion estimate from cybersecurity firm McAfee and the Center for Strategic and International Studies (CSIS) in February 2018. That study estimated the global percentage of GDP lost to cybercrime at between 0.59% and 0.80%, with GDP losses to cybercrime across Europe estimated to be around 0.79% to 0.89% of GDP.

Small to Medium Sized Businesses Most in Danger

While cyberattacks on large enterprises can be highly profitable for cybercriminals, those firms tend to have the resources available to invest heavily in cybersecurity. Attacks on large enterprises are therefore much more difficult and time consuming. It is far simpler to target smaller companies with less robust cybersecurity.

Small to medium sized businesses (SMBs) often do not have the resources to invest heavily in cybersecurity, and consequently are far easier to attack. The BitKom study confirmed that these companies, which form the backbone of the economy in Germany, are particularly vulnerable to cyberattacks and have been extensively targeted by hackers.

It is not only organized hacking groups that are conducting these attacks. Security officials in Germany have long been concerned about attacks by well-resourced foreign spy agencies. Those agencies are using cyberattacks to obtain access to the advanced manufacturing techniques developed by German firms that give them a competitive edge. Germany is one of the world’s leading manufacturing nations, so it stands to reason that the German firms are a lucrative target.

Hackers are extorting money from German firms and selling stolen data on the black market and nation-state sponsored hackers are stealing proprietary data and technology to advance producing their own countries. According to the survey, one third of companies have had mobile phones stolen and sensitive digital data has been lost by 25% of German firms. 11% of German firms report that their communications systems have been tapped.

Attacks are also being conducted to sabotage German firms. The study reveals that almost one in five German firms (19%) have had their IT and production systems sabotaged through cyberattacks.

Companies Must Improve Their Defenses Against Cyberattacks

Achim Berg, head of BitKom, commented: “With its worldwide market leaders, German industry is particularly interesting for criminals.” Companies, SMBs in particular, therefore need to take cybersecurity much more seriously and invest commensurately in cybersecurity solutions to prevent cybercriminals from obtaining access to their systems and data.

Thomas Haldenweg, deputy president of the BfV domestic intelligence agency remarked: “Illegal knowledge and technology transfer … is a mass phenomenon.”

Preventing cyberattacks is not simple. There is no single solution that can secure against all attacks. Only defense-in-depth will ensure that hackers and nation-state sponsored hacking groups are stopped from gaining access to sensitive information.

Firms need to conduct regular, comprehensive organization-wide risk analyses to spot all threats to the confidentiality, integrity, and availability of their data and systems. All identified risks must then be mitigated through a robust risk management process and layered defenses implemented to deny attackers.

One of the main methods for attack is email. Figures from Cofense indicate that 91% of all cyberattacks start with a malicious email. It stands to reason that improving email security should be a key priority for German firms. This is an area where TitanHQ can assist.

TitanHQ is a supplier of world-class cybersecurity solutions for SMBs and enterprises that block the most commonly used attack vectors. To discover more about how TitanHQ’s cybersecurity solutions can help to enhance the security posture of your company and block email and web-based attacks, contact the TitanHQ sales team now.


The Margin for MSPs with Office 365 Lies in Security

It is becoming increasingly clear that the margin for MSPs with regards to Office 365 lies in the security aspect of the application. Office 365 is currently in huge demand with over 135 million commercial monthly users. Through trusted advisers such as MSPs, resellers and Microsoft Cloud Solution Providers, its adoption amongst small and mid-size businesses continues to grow at a rapid pace.

Currently, partners can purchase from Microsoft Cloud Service Providers such as AppRiver, Intermedia, Pax8, etc. and can then resell O365 licenses to their downstream customers. However, the margins made from this activity are very small. Office 365 is a reliable solution for the customer base of many VARs and MSPs. Although it allows them to capture new business, it lacks the ability to generate significant margin. This leads many VARs and MSPs to question the point of O365.

Despite it being evident that O365 is a great email and productivity application, MSPs can’t build a sustainable business on such small margins. Cloud backup, migrations and other services can add to the value of an Office 365 offer, however:

  • 73% of 2018 MSP 501 listees rated their fastest growing service as security
  • 55% chose professional services
  • only 52% selected Office 365

For MSPs, consultants and resellers, O365 represents an opportunity to help build a profitable practice based around subscription sales to SMBs. It also helps clients to learn how to protect their investment within their IT budget and secure their network through a “defense in depth” approach.

Due to the continuing onslaught of phishing attacks and ransomware, IT budgets are being built with security in mind. Given the regular headlines reporting countless exploits where hackers have sabotaged an O365 environment with ease, this doesn’t come as a surprise. Security is a feature that Microsoft has added to O365, but unfortunately it does not meet the security benchmarks set by most organizations. A recent study showed that a third of business owners do not have safeguards in place to combat cyber breaches. What’s more, 60% of small businesses that suffer a breach go out of business within six months of the attack.

As email security experts with over 20 years’ experience, we are aware that new malware can penetrate the usual email filtering mechanisms. For quite some time, older email protection technologies, such as reputation analysis and fingerprinting, have no longer been effective against the evolution of these threats. Recent research conducted by Osterman shows that Microsoft’s EOP can detect 100% of all known viruses and updates every 15 minutes. However, the research also discovered that it did not perform as well against unknown or new malware delivered by email.

As trusted providers, MSPs have a huge opportunity to provide a “full suite” of cloud productivity tools such as O365, Dynamics, Azure and cloud security and compliance such as email security and web security, DLP, and archiving to their downstream SMB customers at combined margins of over 75 to 100%. This can be achieved without massive increases to their monthly spend.

Small to medium-sized businesses are focused only on what is necessary to keep the lights on and to grow the business. Microsoft’s main message to organizations choosing Office 365 is the cost savings that are achievable from moving to a cloud-based solution. A move such as this would save the company money and allow IT staff to work on business problems and, ultimately, add more value to the company. Web and email security and compliance do not need to be detrimental to those looking to save costs in their IT spend and productivity.

How MSPs can boost margins on O365 business

It is evident that the margin for MSPs with Office 365 lies in security. If MSPs fail to invest in security as a service and a defense in depth approach, it could prove almost impossible to make their O365 business profitable. The dilemma for partners has moved past whether to offer security for O365; it is now at the point where partners need to discover how best to deliver a cost-effective advanced security platform that can handle today’s advanced threats. This should be achieved while also keeping IT security budgets in check for their SMB customers.

In today’s world, consultants, managed service providers and resellers have the opportunity to offer customers a very cost-effective defense in depth approach to security. MSPs can now deliver advanced security with TitanHQ’s Private Cloud Security services – SpamTitan (email security), WebTitan (content filtering) and ArcTitan (email archiving) – alongside O365 subscriptions. By doing this they can ensure they make healthy margins, while continuing to keep monthly costs down for their customers.

Currently, Office 365 continues to be the leader in the productivity and collaboration space. However, for partners selling and managing this service, margins remain tight. As partners sell and manage more O365 mailboxes, offering add-on security is the answer to making the process more profitable.

Be Mindful of Gaps in Security with O365

For MSPs looking to take their business further, offering a defense in depth service to plug the Office 365 security gaps is the answer. Email has become central to running an organization and, as a result, is constantly targeted by attackers. Because of this, it is vital for MSPs to use a reliable third-party security vendor like TitanHQ, who’ve been specializing in email and web security for 25 years. Unlike Microsoft, security is our area of expertise.

Today, we work with over 2000 MSPs worldwide daily. We protect your customers from malware, phishing, viruses, ransomware, botnets and other cyber threats. A lot of these customers are Office 365 users. Our products were built from the ground up with MSPs for MSPs, which we feel is crucial. We save MSPs time by stopping problems with support and engineering at source. We also provide ideal products to sell in your technology stack, which allows you to increase margin. Contact us today to learn how MSPs like you can boost margins on Office 365 business.

Best Practices to Improve Security & Network Segmentation

Whatever the size of your business, the best security measure to deploy to block threat actors from gaining access to your servers, workstations, and data is to implement a hardware firewall. A hardware firewall will make sure your digital assets are well secured, but how should your firewall be set up for optimal network security? If you follow network segmentation best practices and implement firewall security zones, you can improve security and keep your internal network isolated and secured from web-based attacks.

Most companies have a well-defined network structure that incorporates a secure internal network zone and an external untrusted network zone, often with intermediate security zones. A security zone is a set of servers and systems that have similar security requirements; it typically corresponds to a Layer 3 network subnet to which several hosts connect.

The firewall provides protection by managing traffic to and from those hosts and security zones, whether at the IP, port, or application level.

There is no single configuration that will be ideal for all companies and all networks, since each business will have its own requirements and required functionalities. However, there are some network segmentation best practices that should be implemented.

Diagram: Possible Firewall Security Zone Segmentation (Network Segmentation Best Practices)

In the above depiction we have used firewall security zone segmentation to keep servers separated. In our example we have used a single firewall, two DMZs (demilitarized zones) and an internal zone. A DMZ is an isolated Layer 3 subnet.

The servers in these DMZ zones may have to be Internet facing in order to function. For instance, web servers and email servers need to be Internet facing. Because they face the internet, these servers are the most susceptible to attack so should be separated from servers that do not require direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is infiltrated.

In the diagram above, the permitted direction of traffic is shown with the red arrows. As you can see, bidirectional traffic is allowed between the internal zone and DMZ2 which includes the application/database servers, but only one-way traffic is permitted to take place between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been located in a separate DMZ to the application and database servers for the highest possible protection.

Traffic from the Internet is permitted by the firewall to DMZ1. The firewall should only permit traffic through certain ports (80, 443, 25, etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not allowed, at least not directly.

A web server may need to connect to a database server, and while it may seem a good idea to have both of these virtual servers operating on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and located in different DMZs. The same applies to front end web servers and web application servers, which should similarly be located in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be required, but it should only be permitted on certain ports. DMZ2 can connect to the internal zone for certain special cases such as backups or authentication through Active Directory.

The internal zone is made up of workstations and internal servers, internal databases that do not have to be web facing, Active Directory servers, and internal applications. It is recommended that Internet access for users on the internal network be directed through an HTTP proxy server located in DMZ1.

Remember that the internal zone is isolated from the Internet. Direct traffic from the internet to the internal zone should not be allowed.

The above setup provides important protection for your internal network. In the event that a server in DMZ1 is compromised, your internal network will remain protected since traffic between the internal zone and DMZ1 is only allowed in one direction.
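The zone policy described above, written out as a checkable model (an added example, not code from the original post or from TitanHQ). Zone subnets and the ports for internal-to-DMZ1, DMZ1-to-DMZ2 and DMZ2-to-internal traffic are assumptions, since the post only names 80, 443 and 25 for Internet-facing traffic; the flow records are constructed.

```python
"""Stateful zone policy: a rule says who may *initiate* a connection, so the
one-way internal -> DMZ1 rule still allows reply packets but never lets a
DMZ1 host open a connection into the internal zone."""
import ipaddress

INTERNET, DMZ1, DMZ2, INTERNAL = "internet", "dmz1", "dmz2", "internal"
ANY = None  # wildcard for "any destination port"

# Subnets are constructed for this example (TEST-NET ranges and 10/8).
ZONE_SUBNETS = {
    DMZ1: ipaddress.ip_network("192.0.2.0/24"),       # proxy, mail, web
    DMZ2: ipaddress.ip_network("198.51.100.0/24"),    # app / database tier
    INTERNAL: ipaddress.ip_network("10.0.0.0/8"),     # workstations, AD, internal apps
}

# (initiating zone, destination zone, allowed destination ports); default deny.
# Only the Internet -> DMZ1 ports come from the post; the rest are assumptions.
POLICY = [
    (INTERNET, DMZ1, {80, 443, 25}),
    (INTERNAL, DMZ1, {3128, 25, 443}),          # proxy (assumed 3128), mail, web
    (INTERNAL, DMZ2, ANY),                      # bidirectional internal <-> DMZ2
    (DMZ2, INTERNAL, {88, 389, 636, 445}),      # Kerberos/LDAP auth, backups (assumed)
    (DMZ1, DMZ2, {8080, 5432}),                 # web -> app/db on named ports (assumed)
    (DMZ2, DMZ1, {25}),                         # app tier relays mail via DMZ1 (assumed)
]


def zone_of(ip: str) -> str:
    """Map an address to its Layer 3 zone; anything outside known subnets is Internet."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_SUBNETS.items():
        if addr in net:
            return zone
    return INTERNET


def is_allowed(src: str, dst: str, port: int) -> bool:
    """May a new connection be initiated from zone src to zone dst on port?"""
    if src == dst:
        return True  # intra-zone traffic never crosses the firewall
    for rule_src, rule_dst, ports in POLICY:
        if rule_src == src and rule_dst == dst and (ports is ANY or port in ports):
            return True
    return False  # default deny


def invariant_violations() -> list:
    """Check the post's design rules for every TCP/UDP port: the Internet never reaches
    DMZ2 or the internal zone directly, and DMZ1 never initiates into the internal zone."""
    forbidden = ((INTERNET, DMZ2), (INTERNET, INTERNAL), (DMZ1, INTERNAL))
    return [(s, d, p) for p in range(1, 65536) for s, d in forbidden if is_allowed(s, d, p)]


def audit_flows(records: str) -> list:
    """Given 'src_ip dst_ip dst_port' lines (connection initiations), return the
    flows the policy would deny, annotated with the zones involved."""
    denied = []
    for line in records.strip().splitlines():
        src_ip, dst_ip, port = line.split()
        src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
        if not is_allowed(src_zone, dst_zone, int(port)):
            denied.append((src_ip, dst_ip, int(port), src_zone, dst_zone))
    return denied


# Constructed flow records: two of these cross zone boundaries the post forbids.
SAMPLE_FLOWS = """
203.0.113.9 192.0.2.10 443
203.0.113.9 198.51.100.5 5432
10.1.2.3 198.51.100.5 1433
192.0.2.10 10.0.0.7 445
198.51.100.5 10.0.0.7 389
"""

if __name__ == "__main__":
    print("design violations:", invariant_violations())
    for flow in audit_flows(SAMPLE_FLOWS):
        print("DENY", flow)
```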

By complying with network segmentation best practices and using the above firewall security zone segmentation you can get the best out of network security. For more security, we also recommend using a cloud-based web filtering solution such as WebTitan which filters the Internet and stops end users from accessing websites known to host malware or those that break acceptable usage policies.

Versatile New Malware AdvisorsBot Distributed via Spam Email

Hotels, restaurants, and telecommunications businesses are being targeted with a new hacking email campaign that delivers a new form of malware called AdvisorsBot. AdvisorsBot is a malware installer which, like many malware variants, is being distributed using spam emails containing Microsoft Word attachments with malicious macros.

Opening the infected email attachment and enabling macros on the document installs AdvisorsBot. AdvisorsBot’s primary aim is to fingerprint the infected device. Data gathered on the infected device is sent to the threat actors’ command and control servers, and further instructions are given to the malware based on the data gathered on the system. The malware records system data, details of programs installed on the device, Office account details, and other details. It is also able to capture screenshots on an infected device.

AdvisorsBot malware is so named because the early samples of the malware, first seen in May 2018, contacted command and control servers whose names contained the word advisors.

The spam email campaign is mainly being conducted against targets in the U.S., although infections have been detected worldwide. Several thousand devices have been infected with the malware since May, according to the security experts at Proofpoint who discovered the new malware threat. The threat actors thought to be behind the attacks are an APT group known as TA555.

Various email lures are being implemented in this malware campaign to get the recipients to open the infected attachment and turn on macros. The emails sent to hotels seem to be from people who have been charged twice for their stay. The campaign on restaurants uses emails which say that the sender has suffered food poisoning after eating in a particular establishment, while the attacks on telecommunications firms use email attachments that seem to be resumes from job applicants.

AdvisorsBot is coded in C, but a second form of the malware has also been seen that is written in .NET and PowerShell. The second variant has been called PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that installs a PowerShell script, which in turn executes shellcode that runs the malware in memory without writing it to disk.
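A mail-gateway check for the delivery mechanism described above, macro-enabled Word attachments, as an added example (not code from the original post or from Proofpoint). Modern Office files are ZIP containers in which a VBA project is stored as a `vbaProject.bin` part, so the check inspects content rather than trusting the file extension; the sample message and documents are constructed in memory.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Location of the VBA project part inside OOXML containers (Word / Excel / PowerPoint).
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file header


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML ZIP container that carries a VBA project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)


def classify_attachment(filename: str, data: bytes) -> str:
    """'macro' for an OOXML file with VBA (whatever its extension), 'legacy-binary' for
    OLE2 documents (which may hold VBA but need a full OLE parser to tell), else 'clean'."""
    if has_vba_project(data):
        return "macro"
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    return "clean"


def scan_message(raw: bytes) -> list:
    """Return (filename, verdict) for every attachment of an RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        verdicts.append((name, classify_attachment(name, data)))
    return verdicts


def build_ooxml(parts: dict) -> bytes:
    """Construct a minimal OOXML-style ZIP for testing (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLEAN_DOCX = build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
MACRO_DOC = build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                         "word/vbaProject.bin": b"\x00constructed placeholder, not real VBA"})


def build_sample_message() -> bytes:
    """Constructed message mirroring the hotel lure theme: one macro doc, one clean doc."""
    msg = EmailMessage()
    msg["From"] = "guest@example.com"
    msg["To"] = "reservations@example.com"
    msg["Subject"] = "Charged twice for my stay"
    msg.set_content("Please see the attached statement.")
    msg.add_attachment(MACRO_DOC, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="statement.docm")
    msg.add_attachment(CLEAN_DOCX, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name}: {verdict}")
```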

Fallout Exploit Kit Used to Deliver New GandCrab v5 Ransomware Variant

A new variety of GandCrab ransomware (GandCrab v5) has been released. GandCrab is an extremely popular ransomware threat that is made available to affiliates under the ransomware-as-a-service distribution model. Affiliates receive a cut of the profits from any ransoms paid by the people they manage to infect.

GandCrab was first released in January 2018 and quickly grew into one of the most widely used ransomware variants. In July it was named the main ransomware threat, and it is regularly updated by its authors.

There have been many changes made in GandCrab v5, including the change to a random 5-character extension for encrypted files. The ransomware also uses an HTML ransom note rather than dropping a .txt file to the desktop.

Bitdefender made free decryptors available for early versions of the ransomware, although steps were implemented by the authors to improve security for version 2.0. Since version 2.0 was released, no free decryptors for GandCrab ransomware have been created.

Recovery from a GandCrab v5 infection will only be possible by paying the ransom – around $800 in the Dash cryptocurrency – or by restoring files from backups. Victims are only given a short period of time to pay the ransom before the price to decrypt doubles. It is therefore vital that backups are created of all data and that those backups are tested to make sure files can be recovered in the event of disaster.

Since this ransomware variant is made available under the ransomware-as-a-service model, different threat actors use different vectors to distribute the ransomware. Earlier versions of the ransomware have been distributed via spam email and through exploit kits such as RIG and GrandSoft. GandCrab v5 has also been confirmed as being distributed via the new Fallout exploit kit.

Traffic is sent to the exploit kit using malvertising – malicious adverts that redirect users to exploit kits and other malicious websites. These malicious adverts are placed on third party advertising networks that are used by many popular websites to generate an extra income stream.

Any user that clicks one of the malicious links in the adverts is sent to the Fallout exploit kit. The Fallout exploit kit contains exploits for several old flaws and some relatively recent exploits. Any user that has a vulnerable system will have GandCrab ransomware silently installed onto their device. Local files will be encrypted as well as files on all network shares, not just mapped drives.

Whenever a new zero-day vulnerability is found it doesn’t take long for an exploit to be incorporated into malware. The publication of proof of concept code for a Task Scheduler ALPC vulnerability was no different. Within a few days, the exploit had already been adopted by hackers and incorporated into malware.

The exploit for the Task Scheduler ALPC vulnerability permits executable files to operate on a vulnerable system with System privileges and has been incorporated into GandCrab v5. The exploit is believed to be used to carry out system-level tasks such as deleting Windows Shadow Volume copies to make it more difficult for victims to recover encrypted files without paying the ransom. Microsoft has now released a patch to correct the flaw as part of its September Patch Tuesday round of updates, but many firms have yet to apply the patch.
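Detection logic for the behaviour the post attributes to GandCrab v5, the deletion of Windows Shadow Volume copies, run over constructed process-creation log lines (an added example, not code from the original post). The log format and the severity heuristic (a SYSTEM-level shadow-copy command spawned by a binary under a user profile) are assumptions made here; the command patterns are the well-known shadow-copy and recovery-tampering commands.

```python
import re

# Commands routinely abused by ransomware to remove recovery options.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_win32_shadowcopy", re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]

# Constructed, simplified process-creation record (not a real Sysmon/4688 layout).
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>.+?)\s+parent=(?P<parent>\S+)'
    r'\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$')
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.I)
SYSTEM_USERS = {"nt authority\\system", "system"}


def parse_line(line: str):
    """Return the record's fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def matching_rules(cmd: str) -> list:
    return [name for name, pattern in RULES if pattern.search(cmd)]


def severity(rec: dict) -> str:
    """Heuristic (assumption): SYSTEM running a recovery-tampering command from a parent
    located in a user profile looks like a privilege-escalated payload, so rank it high."""
    if rec["user"].lower() in SYSTEM_USERS and USER_PROFILE_RE.match(rec["parent"]):
        return "high"
    return "medium"


def detect(lines) -> list:
    """Run the rules over log lines; one alert per line that matches any rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        hits = matching_rules(rec["cmd"])
        if hits:
            alerts.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                           "parent": rec["parent"], "rules": hits, "severity": severity(rec)})
    return alerts


# Constructed sample: a backup service listing shadows (benign), an escalated payload
# deleting them, a follow-up via WMIC, an unrelated process, and recovery being disabled.
SAMPLE_LOG = r"""
2018-09-25T09:00:01Z host=SRV01 user=CORP\backupsvc parent=C:\Backup\agent.exe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe List Shadows"
2018-09-25T10:14:03Z host=WS12 user=NT AUTHORITY\SYSTEM parent=C:\Users\bob\AppData\Local\Temp\fpwd.exe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2018-09-25T10:14:05Z host=WS12 user=NT AUTHORITY\SYSTEM parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
2018-09-25T10:14:09Z host=WS12 user=CORP\bob parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Users\bob\notes.txt"
2018-09-25T10:14:12Z host=WS12 user=NT AUTHORITY\SYSTEM parent=C:\Users\bob\AppData\Local\Temp\fpwd.exe image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ts"], alert["host"], alert["rules"])
```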

The key step to ensure that recovery from a ransomware attack is possible is to make backups. Without a viable backup, the only way of recovering files is by paying the ransom. In this instance, victims can decrypt one file for free to show that viable decryption keys exist. However, not all ransomware variants permit file recovery.

Stopping ransomware infections requires software solutions that obstruct the main attack vectors. Spam filtering solutions like SpamTitan stop dangerous messages from being delivered to inboxes. Web filters such as WebTitan stop end users from visiting malicious sites known to host exploit kits. Remote desktop services are often exploited to obtain system access, so it is vital that these are disabled if they are not required, and if they are, they should only be accessible through VPNs.

Patches should be applied quickly to stop weaknesses from being exploited, and advanced anti-malware solutions should be used to find and quarantine ransomware before files are encrypted.

Viro Botnet Malware Encrypts Files, Logs Keystrokes and Hijacks Email Accounts

A new malware threat – titled Viro botnet malware – has been discovered that combines the file-encrypting powers of ransomware, with a keylogger to record passwords and a botnet capable of sending spam emails from infected devices.

Viro botnet malware is one of a new strain of malware variants that are highly flexible and have a wide variety of capabilities to maximize profit from a successful infection. There have been many recently discovered malware variants that have combined the file-encrypting properties of ransomware with cryptocurrency mining code.

The most recent threat was identified by security experts at Trend Micro who say that this new threat is still in development and seems to have been developed from scratch. The code is dissimilar to other known ransomware variants and ransomware families.

Some ransomware variants can self-propagate and spread from one infected device to other devices on the same network. Viro botnet malware achieves this by hijacking Outlook email accounts and using them to send spam email containing either a copy of itself as an attachment or a downloader to everyone on the infected user’s contact list.

Viro botnet malware has been used in targeted attacks in the United States through spam email campaigns, although strangely, the ransom note dropped on the victims’ desktops is written in French. This is not the only new ransomware threat to include a French ransom note. PyLocky, a recently discovered new ransomware threat that looks like Locky ransomware, also had a French ransom note. This seems to be a coincidence, as there are no indications that the two ransomware threats are linked or are being distributed by the same threat group.

With Viro botnet, infection begins with a spam email containing a malicious attachment. If the attachment is opened and the content is permitted to run, the malicious payload will be installed. Viro botnet malware will first check registry keys and product keys to decide whether its encryption routine should run. If those checks are passed, an encryption/decryption key pair is created using a cryptographic random number generator and sent back to the hacker’s C2 server. Files are then encrypted via RSA and a ransom note is placed on the desktop.

Viro botnet malware also includes a basic keylogger which will log all keystrokes on an infected machine and send the data back to the hacker’s C2 server. The malware is also capable of downloading further malicious files from the hacker’s C2.

While the hacker’s C2 server was initially active, it has since been taken down, so any further devices that are infected will not have data encrypted. Connection to the C2 server is required for the encryption routine to start. Even though the threat has been neutralized, this is thought to be only a brief hiatus. The C2 is expected to be resurrected and larger distribution campaigns are likely.

Safeguarding against email-based threats such as Viro botnet malware needs an advanced spam filtering solution such as SpamTitan to stop malicious messages from being sent to end users. Advanced antimalware software should be installed to detect malicious files should they be downloaded, and end users should receive security awareness training to help them spot security threats and respond properly.

Multiple backups should also be set up – with one duplicate copy stored securely offsite – to ensure files can be rescued following file encryption.

New Xbash Malware Threat Includes Coin Mining and Ransomware Functionality

Xbash malware is one of many new malware threats to be discovered in recent times that combines the file-encrypting properties of ransomware with the coin mining functionality of cryptocurrency mining malware.

In 2018, several cybersecurity and threat intelligence companies have discovered that ransomware attacks have plateaued or are dropping. Ransomware attacks are still profitable, although there is potential to make more money through cryptocurrency mining.

The recent Internet Organized Crime Threat Report published by Europol notes that cryptojacking is a new cybercrime trend and is now a commonly-seen, low-risk revenue stream for cybercriminals, but that “ransomware remains the key malware threat”. Europol states in its report that a decline has been witnessed in random attacks via spam email; instead, cybercriminals are focusing on attacking businesses where greater profits lie. Those attacks are highly concentrated.

Another new trend offers cybercriminals the best of both worlds – the use of versatile malware that has the elements of both ransomware and cryptocurrency miners. These highly versatile malware variants provide cybercriminals with the chance to obtain ransom payments as well as the chance to mine for cryptocurrency. If the malware is downloaded on a system that is not well suited to mining cryptocurrency, the ransomware function is enabled, and vice versa.

Xbash malware is one such danger, albeit with one major caveat. Xbash malware cannot restore files. In that respect it is more similar to NotPetya than Cerber. As was the case with NotPetya, Xbash malware just masquerades as ransomware and requests a payment to restore files – currently 0.2 BTC ($127). Payment of the ransom will not lead to keys being supplied to unlock encrypted files, as currently files are not encrypted. The malware simply erases MySQL, PostgreSQL, and MongoDB databases. This function is enabled if the malware is installed on a Linux system. If it is downloaded on Windows devices, the cryptojacking function is turned on.

Xbash malware can also self-propagate. Once downloaded on a Windows system it will spread throughout the network by exploiting flaws in Hadoop, ActiveMQ and Redis services.

Xbash malware is programmed in Python and compiled into a portable executable (PE) format using PyInstaller. The malware will complete its file encrypting/deletion routine on Linux systems and use JavaScript or VBScript to download and run a coinminer on Windows systems. Palo Alto Networks’ Unit42 has said that the malware is being spread by a threat group known as Iron Group, which has previously been linked with ransomware attacks.

At present, infection takes place through the exploitation of unpatched flaws and brute force attacks on systems with weak passwords and unprotected services. Protection from this threat requires the use of strong, unique non-default passwords, prompt patching, and endpoint security solutions. Restricting access to unknown hosts on the Internet will stop communication with its C2 if it is installed, and naturally it is important that multiple backups are regularly made to ensure file recovery can happen.

Kaspersky Lab have said that there has been a doubling of these multi-purpose remote access tools witnessed over the past 18 months and their popularity is likely to continue to rise. This sort of versatile malware could well become the malware of choice for advanced threat actors over the course of the next year.

Spam Email Campaigns in Europe Started Using Python-Based PyLocky Ransomware

A new strain of Python-based ransomware has been discovered that resembles Locky, one of the most widely deployed ransomware variants in 2016. The new ransomware variant has been labelled PyLocky ransomware by security researchers at Trend Micro, who have seen it used in hacking campaigns in Europe, particularly France, throughout July and August.

The spam email campaigns were, at first, sent in comparatively small batches, although over time the volume of emails sharing PyLocky ransomware has surged significantly.

Various social engineering tactics are being employed by the hackers to get the ransomware installed, including fake invoices. The emails identified by Trend Micro have included an embedded hyperlink which sends users to a malicious webpage where a zip file is downloaded. The zip file includes PyLocky ransomware, which has been compiled using the PyInstaller tool, which allows Python applications to be converted into standalone executable files.

If run, PyLocky ransomware will encrypt around 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files saved on all logical drives will be encrypted and the original copies will be overwritten. A ransom note is then placed on the desktop which has been copied from the note used by the threat actors behind Locky, although the two cryptoransomware threats are not linked. Ransom notes are written in French, English, Korean, and Italian, so it is likely that the attacks will become more widespread over the coming days.

While Python is not normally used to create ransomware, PyLocky is not the only Python-based ransomware variant to have been developed. Pyl33t was used in a number of attacks in 2017, and CryPy emerged in 2016. What makes the latest ransomware variant different is its anti-machine learning capabilities, which help to stop analysis using standard static analysis methods.

The ransomware uses Windows Management Instrumentation (WMI) to determine the properties of the system on which it is downloaded. If the total visible memory of a system is 4GB or greater, the ransomware will execute instantly. If it is lower than 4GB, the ransomware will remain dormant for 11.5 days – an attempt to determine whether it is in a sandbox environment.


Spam Email Campaigns in Europe Using Python-Based PyLocky Ransomware

A new Python-based form of ransomware has been discovered that closely resembles Locky, one of the most commonly seen ransomware variants during 2016. The new ransomware variant has been titled PyLocky ransomware by security specialists at Trend Micro, who have seen it being deployed in Europe, particularly France, during July and August.

The spam email campaigns were, at first, sent in relatively small batches, although over time the number of emails sending PyLocky ransomware has increased drastically.

Many social engineering tactics are being used by the hackers to get the ransomware downloaded to devices, including fake invoices. The emails captured by Trend Micro have included an embedded hyperlink which directs users to a malicious webpage where a zip file is downloaded. The zip file contains PyLocky ransomware, which has been built using the PyInstaller tool, which allows Python applications to be converted into standalone executable files.

If run, PyLocky ransomware will encrypt around 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files kept on all logical drives will be encrypted and the original files will be overwritten. A ransom note is then placed on the desktop which has been copied from the note used by the threat actors responsible for Locky, although the two cryptoransomware threats are not linked. Ransom notes are presented in French, English, Korean, and Italian, so it is probable that the hacking campaigns will become more widespread going forward.

While Python is not normally used to develop ransomware, PyLocky is not the only Python-based ransomware variant to have been noticed. Pyl33t was used in many attacks in 2017, and CryPy was first seen in 2016. This most recent ransomware variant differs in that it has anti-machine learning capabilities, which help to stop analysis using standard static analysis methods.

The ransomware uses Windows Management Instrumentation (WMI) to determine the properties of the system on which it is downloaded. If the total visible memory of a system is 4GB or more, the ransomware will execute instantly. If it is less than 4GB, the ransomware will sleep for 11.5 days – an effort to determine whether it is in a sandbox environment.

Stopping attacks can be done using a variety of cybersecurity measures. An advanced spam filtering solution like SpamTitan will help to stop the spam emails being sent to end users’ inboxes. A web filter, such as WebTitan, can be implemented to control the websites that can be accessed by end users and block malicious file downloads. Security awareness training will allow end users to recognize the threat for what it is. Advanced malware detection tools are necessary to spot the threat due to its anti-machine learning capabilities.

At present, there is no free decryptor for PyLocky available.

Hotel WiFi Networks Targeted in Cyberattacks Using NSA Exploit

Security experts have identified a number of cyberattacks on hotel WiFi networks that use a known NSA exploit – EternalBlue – for a flaw that was patched by Microsoft in March.

The same exploit was part of the WannaCry ransomware attacks that took place in May and the NotPetya wiper attacks in June. Even though those malware campaigns impacted hundreds of companies and caused millions (if not billions) of dollars in financial losses, there are still many companies that have not applied the update to address this flaw.

The recent cyberattacks on hotel WiFi networks have impacted venues in the Middle East and Europe. Once access is obtained to hotel networks and databases, the hackers spy on guests via hotel WiFi networks and steal their login details.

Security experts at FireEye discovered the new campaign, which they have attributed to the Russian hacking group APT28, also known as Fancy Bear. Fancy Bear is thought to be sponsored by the Russian government and has completed a large number of high-profile cyberattacks in recent years, including the cyberattack on the World Anti-Doping Agency (WADA). Following that attack, Fancy Bear published athletes’ therapeutic use exemption (TUE) data.

As opposed to the WannaCry and NotPetya attacks, which were conducted remotely without any user involvement, the newest campaign is being conducted using spear phishing. The hacking group sends malicious emails to hotel staff and uses email attachments to install their backdoor – Gamefish. In this case, the attachment looks like a reservation form for a hotel booking. Gamefish is downloaded if hotel employees enable the macros in the document.

Once the backdoor is installed, the hackers use EternalBlue to search the internal and guest WiFi networks and spread to other devices. Once installed on the computers that control the WiFi networks, the hackers can launch attacks on devices that attempt to log onto the hotel WiFi network.

The hackers use the open-source Responder tool to listen for NBT-NS (UDP/137) broadcasts from devices that are trying to connect to WiFi network resources. Instead of reaching the intended resource, the devices connect to Responder, which captures usernames and hashed passwords. That information is then sent to a computer controlled by the hackers. Once the hashed passwords have been cracked, they can be used to attack hotel guests.
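The name-resolution abuse described above can be detected on the defender's side with canary names: clients are configured to periodically query NBT-NS names that do not exist on the network, so any positive answer can only come from a poisoner such as Responder. The following is an added example, not code from the article or from the Responder project. It implements the NetBIOS first-level name encoding and a minimal NBT-NS packet parser, then flags responses that answer canary names. All packets, hostnames and addresses (RFC 5737 range) are constructed for the demo; the canary names are assumptions.

```python
import struct

# Canary names that no real host on the network owns (constructed for the demo).
CANARY_NAMES = {"CANARYFS01", "CANARYWPAD"}


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15 chars space-padded plus a suffix byte; every byte is
    split into two nibbles and each nibble is added to 'A' (0x41), giving 32 bytes.
    A length byte (0x20) precedes them and a zero terminator (no scope) follows."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append((b >> 4) + 0x41)
        enc.append((b & 0x0F) + 0x41)
    return b"\x20" + bytes(enc) + b"\x00"


def decode_netbios_name(data: bytes, pos: int):
    """Return (name, suffix, next_offset). Assumes an uncompressed name (no 0xC0 pointer)."""
    if data[pos] != 0x20:
        raise ValueError("unexpected NetBIOS label length %d" % data[pos])
    enc = data[pos + 1:pos + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    pos += 33
    while data[pos] != 0:                      # skip any scope labels
        pos += 1 + data[pos]
    return raw[:15].decode("ascii").rstrip(" "), raw[15], pos + 1


def parse_nbns(payload: bytes) -> dict:
    """Parse the UDP payload of an NBT-NS datagram: header, questions, answers."""
    tid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    pos = 12
    pkt = {"tid": tid, "is_response": bool(flags & 0x8000), "questions": [], "answers": []}
    for _ in range(qdcount):
        name, suffix, pos = decode_netbios_name(payload, pos)
        pos += 4                                # QTYPE, QCLASS
        pkt["questions"].append((name, suffix))
    for _ in range(ancount):
        name, suffix, pos = decode_netbios_name(payload, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[pos:pos + 10])
        pos += 10
        rdata = payload[pos:pos + rdlen]
        pos += rdlen
        addrs = []
        if rtype == 0x0020:                     # NB record: (NB_FLAGS, IPv4) pairs
            for i in range(0, rdlen, 6):
                addrs.append(".".join(str(b) for b in rdata[i + 2:i + 6]))
        pkt["answers"].append((name, suffix, addrs))
    return pkt


def build_query(tid: int, name: str) -> bytes:
    # flags 0x0110: opcode QUERY, recursion desired, broadcast bit set
    return (struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0)
            + encode_netbios_name(name) + struct.pack("!HH", 0x0020, 0x0001))


def build_positive_response(tid: int, name: str, ip: str) -> bytes:
    # flags 0x8500: response, authoritative answer, recursion desired
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))
    rr = encode_netbios_name(name) + struct.pack("!HHIH", 0x0020, 0x0001, 165, len(rdata)) + rdata
    return struct.pack("!6H", tid, 0x8500, 0, 1, 0, 0) + rr


def find_poisoners(datagrams) -> list:
    """datagrams: iterable of (src_ip, udp_payload). Any response that answers a
    canary name is an alert naming the responding host and the address it claims."""
    alerts = []
    for src_ip, payload in datagrams:
        pkt = parse_nbns(payload)
        if not pkt["is_response"]:
            continue
        for name, _suffix, addrs in pkt["answers"]:
            if name in CANARY_NAMES:
                alerts.append({"responder": src_ip, "name": name, "claimed_ips": addrs})
    return alerts


# Constructed traffic: a legitimate exchange for a real print server, then a canary
# query that a poisoner at 192.0.2.99 answers with its own address.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", build_query(0x1001, "PRINTSRV")),
    ("192.0.2.20", build_positive_response(0x1001, "PRINTSRV", "192.0.2.20")),
    ("192.0.2.10", build_query(0x1002, "CANARYFS01")),
    ("192.0.2.99", build_positive_response(0x1002, "CANARYFS01", "192.0.2.99")),
]

if __name__ == "__main__":
    for alert in find_poisoners(SAMPLE_DATAGRAMS):
        print("NBT-NS poisoning suspected:", alert)
```

The same parser can be fed captures from a UDP/137 listener on a monitoring host; the canary approach is attractive because it produces no false positives from legitimate name servers, since nobody legitimately owns the canary names. Disabling NetBIOS over TCP/IP and LLMNR where they are not needed removes the attack surface altogether.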

The identities of the affected hotels have not been disclosed, although FireEye has revealed that at least one Middle Eastern hotel and seven in Europe have been targeted in these attacks. The hotels were well-respected venues likely to be frequented by high-net-worth guests and business travellers.

Travellers have been told to exercise caution when connecting to hotel WiFi networks, such as avoiding logging into online bank accounts or better still, avoiding logging onto hotel WiFi networks altogether. While the use of a VPN when connecting to hotel WiFi networks is a wise move, in this case the attack can occur before a secure VPN connection is completed.

FireEye says that this sort of attack is difficult to detect and block. The attackers passively gather data and leave virtually no traces. Once login details have been obtained, guests are susceptible and not just while they are staying at the hotel. FireEye believes the credentials are then used to target individuals when they go back home and sign into their home networks.

The best method for hotels to obstruct cyberattacks on hotel WiFi networks such as this is by blocking the phishing and spear phishing attacks that lead to downloading of the malware. Hotels should ensure all employees are given security awareness training and a spam filtering solution such as SpamTitan is configured to stop malicious emails from being sent to employees’ inboxes.

Development of the System Administrator Role

The system administrator is a crucial role in any organization. Without sysadmins to deal with IT issues on a daily basis, the business would cease to function. Sysadmins also play an essential role in ensuring the security of the network by taking proactive steps to keep systems secure as well as reacting to threats before they lead to a data breach. With more cyberattacks taking place, increasingly complex IT systems being implemented, and the fast pace of technological evolution, one thing is certain: the future of the system administrator is likely to continue to demand long hours and hard work.

It is also easy to predict that the future of the system administrator will bring major changes to job descriptions. That has always been the case, and never more so than now. There will be an ongoing need for on-the-job training, and new systems and processes will continue to have to be learned. Being a system administrator is therefore unlikely to be dull.

Recent studies released by the US Bureau of Labor Statistics predict that there is likely to be sustained growth in the profession for the next two years. While the forecast was previously 12% growth, this has now been cut to 6% – similar to other occupations. The increased automation of many sysadmin tasks is partly to blame for this decline in growth, since businesses are likely to need fewer staff as manual processes are cut. That said, the figures suggest that demand for IT workers will remain high. Even with newer, faster technology being adopted, staff are still required to keep everything running smoothly.

XaaS, the Cloud, Virtualization, and VoIP Use to Rise

Sadly, while automation means increased efficiency, it can entail many hidden costs. Firstly, with more automation it can become harder to deduce the source of a problem when something goes wrong. More automation also means the system administrator must become even more savvy. Automation usually involves scripting in various languages, so while you may have been able to get away with knowing Python or Windows PowerShell, you will probably need to become knowledgeable in both, and maybe more.

If you are thinking about becoming a system administrator, now is the time to learn your first scripting language, as it will make it easier to learn others on the job if you understand the fundamentals. It will also help you to get the job in the first place.

Use of the cloud is growing, especially for backup and archiving, which has also led to a drop in the need for server-centered tasks. While there has been a drop in labor-intensive routine data processes, there has been a rise in the need to become proficient in the use of Application Programming Interfaces (APIs).

While many duties are now being outsourced through XaaS, it is still vital to understand those duties. The future of the system administrator is likely to require XaaS to be reviewed and assessed to make sure those services match the IT requirements of the organization. Sales staff will likely say their XaaS meets all business needs. Having an SA that understands the functions, the technology, and the needs of the business will be vital for cutting out the services that are unsuitable.

To cut expenses, many businesses are using VoIP. While this does offer massive cost savings, businesses cannot tolerate less than the 99.999% uptime offered by phone companies. The future of the system administrator is therefore likely to involve a thorough understanding of the dynamics of network load.

Virtualization has also grown, with millions of virtual networks making the SA’s job more complex. That means knowledge of switching and routing will have to grow.

Communication, Collaboration, and Negotiation Skills in Demand

The SA’s job is no longer simply studying manuals and learning new systems. SAs are now required to communicate more effectively, understand the business, and collaborate with others. SAs will require good communication skills, must become excellent collaborators, and must also be proficient negotiators. Luckily, there are many courses out there to help.

New Malware Variant CamuBot Trojan Being Used in Targeted Attacks on Companies

Spam or junk email may be the primary method of delivering banking Trojans; however, there are many other ways of convincing employees to download and install malware on their computers.

With the CamuBot Trojan, the method used is vishing. Vishing is the voice equivalent of phishing – the use of the telephone to trick people, either by convincing them to reveal sensitive information or to take some other action such as downloading malware or making fraudulent bank transfers.

Vishing is regularly used in tech support scams where people are convinced to install fake security software to remove fictitious viruses from their computers. The campaign used to install the CamuBot Trojan, identified by IBM X-Force researchers, applies the same approach to deliver a different type of malware.

The attack begins with some reconnaissance. The hackers identify a business that uses a specific bank. Individuals within that business who are likely to have access to the bank accounts used by the business – payroll staff, for example – are then identified. Those people are then contacted by telephone.

The hackers tell people that they are calling from the bank and are completing a check of security software on the user’s computer. The user is told to visit a webpage where a program will run a scan to find out if they have an up-to-date security module downloaded on their computer.

Once the fake scan finishes, the user is informed that their security module is an out-of-date version. The caller then tells them that they must download the latest version of the security module and install it on their device.

Once the file is installed and executed, it runs just like any standard software installer. The user is told about the minimum system requirements required for the security module to work and the installer includes the bank’s logo and color scheme to make it appear authentic.

The user is taken through the installation process, which first requires them to disable certain processes that are running on their computer. The installer shows the progress of the fake installation, but in the background, the CamuBot Trojan is being downloaded. Once the process is finished, it connects to its C2 server.

The user is then brought to what appears to be the login portal for their bank, where they must enter their login credentials. The portal is a phishing webpage, and the details needed to access the user’s bank account are recorded by the hacker.

Many banks require a second factor for authentication. If such a security measure is in place, the hackers will instruct the user that a further installation is needed for the security module to work. They will be talked through the installation of a driver that enables a hardware-based authentication device to be remotely shared with the hacker. Once that has been installed and approved, the attackers are able to intercept any one-time passwords that are sent from the bank to the user’s device, allowing the attackers to take full control of the bank account and authorize transactions.

The CamuBot Trojan shows that malware does not need to be stealthy to be successful. Social engineering methods can be just as effective at getting staff members to install malware.

The CamuBot Trojan campaign is mainly being carried out in Brazil, but the campaign could be rolled out and used in attacks in other countries. The methods used in this campaign are not new and have been used in several malware campaigns previously.


Spear Phishing Attack Results in $16 Million Anthem Data Breach Settlement

In 2015, Anthem Inc. suffered a massive data breach in which 78.8 million health plan records were illegally obtained. In 2018, the health insurer settled a class action data breach lawsuit for $115 million, and OCR has now agreed to a $16 million Anthem data breach settlement.

The Anthem data breach came as a major surprise back in February 2015 due to the scale of the breach. Healthcare data breaches were common, but the Anthem data breach was on another scale.

Prior to the news being shared, the unenviable record was held by Science Applications International Corporation, a vendor used by healthcare groups, that suffered a 4.9 million record breach in 2011. The Anthem data breach was on a completely different scale.

The hacking group to blame for the Anthem data breach was clearly skilled. Mandiant, the cybersecurity firm that assisted with the investigation, suspected the attack was a nation-state sponsored cyberattack campaign. The hackers managed to obtain access to Anthem’s data warehouse and exfiltrated a huge volume of data unnoticed. The time of the initial attack to discovery was almost 12 months.

While the attack was complex, a foothold in the network was not gained through an elaborate hack or zero-day exploit but through phishing emails.

At least one employee responded to a spear phishing email, sent to one of Anthem’s subsidiaries, which gave the hackers the entry point they needed to launch a further attack and gain access to Anthem’s health plan member database.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) investigates healthcare data breaches that lead to the exposure or theft of 500 or more records. An in-depth review of the Anthem breach was therefore a certainty given its extent. A fine for non-compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules was a very likely result, as HIPAA requires healthcare organizations to safeguard health data. The scale of the breach also made it likely that it would result in the largest ever penalty for a healthcare data breach.

Prior to the Anthem data breach settlement, the largest fine for a healthcare data breach was $5.55 million, which was agreed between OCR and Advocate Health Care Network in 2016. The Anthem data breach settlement was almost three times that amount, which reflected the seriousness of the breach, the number of people affected, and the extent to which HIPAA Rules were alleged to have been violated.

OCR alleged that Anthem Inc. had violated five provisions of HIPAA Rules, and by doing so failed to prevent the breach and limit its severity. The Anthem data breach settlement was, however, agreed with no admission of liability.

The regulatory fine is just a small fraction of the total cost of the Anthem data breach. Along with the Anthem data breach settlement with OCR, Anthem faced multiple lawsuits in the wake of the data breach. The consolidated class action lawsuit was settled by Anthem in January 2018 for $115 million.

The class action settlement document showed that Anthem had already paid out $2.5 million to consultants in the wake of the breach, $31 million was spent mailing notification letters, $115 million went on enhancements to security, and $112 million was paid to provide identity theft protection and credit monitoring services to affected plan subscribers.

Adding the $115 million class action settlement and the $16 million OCR settlement brings the total cost of the Anthem data breach to $391.5 million.


Microsoft ADFS: Two Factor Authentication Flaws Discovered

Two-factor authentication is not perfect. Recently, Reddit stated that it had suffered a data breach even though two-factor authentication had been put in place. Rather than use a token, Reddit used SMS messages to a mobile phone owned by the account holder as the second authentication factor. As Reddit found out, SMS messages can be intercepted. The hacker was able to intercept a 2FA SMS message and obtain access to an employee’s account, through which it was possible to access an old database of user credentials.

Two-factor authentication was also in place at Yahoo in 2013, yet the company still suffered a massive data breach that resulted in all three billion of its users having their information obtained by cyber criminals. Go back a year and there was the massive 167 million record data breach at LinkedIn, which had also put in place two-factor authentication.

A phone call or text message to a phone owned by the account holder does not necessarily stop access to the account from being obtained by a third party. In August 2017, a Bitcoin investor had $150,000 of cryptocurrency stolen from his wallet after it was accessed by a third party. In that case, the investor’s second factor phone number had been re-routed to a device owned by the hacker after the phone company was duped.

Any second factor that uses the phone system or SMS messages supplies an additional layer of protection, but it is not enough to protect against a determined, skilled hacker.

A major two-factor authentication vulnerability was recently noticed by a security researcher at Okta. Okta, like many companies, uses Microsoft’s Active Directory Federation Services (ADFS) to provide multi-factor authentication.

Okta security expert Andrew Lee discovered that the system had a serious vulnerability that was not only simple to exploit, but doing so would render an organization’s multi-factor authentication controls virtually useless.

Lee found that someone with a username, password, and a valid 2-factor token for one account could use the same token to obtain access to any other account in the organization’s AD with only a username and password. Any staff member who was given an account and enrolled their own second factor could use it to access other accounts. Essentially, the token was like a hotel room key card that can open every room in the hotel.

Obtaining another employee’s login details would only require a phishing campaign to be carried out. If an individual responded and disclosed their credentials, their account could be accessed without the need for a second factor.

The flaw in question, which was patched by Microsoft on August 14 in its August Patch Tuesday updates, was present in how ADFS communicates. When a user attempts to log in, an encrypted context is sent by the server which includes the second factor token but not the username. This flaw could be exploited to trick the system into thinking the correct token had been supplied, as no check was performed to determine whether the token supplied belonged to the specific user’s account. Once one valid username, password and 2FA token combination was obtained, the 2FA system could be bypassed.
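The root cause described above is a second-factor assertion that is not bound to the account it was issued for. The following is an added illustration of that bug class and its fix, written for this page; it is not ADFS code and does not reproduce Microsoft's implementation. It models a toy two-step login whose MFA step trusts a MAC-protected "context" identifying the enrolled second-factor secret: the vulnerable variant omits the username from that context, the fixed variant includes it and checks it. The server key, users, passwords, secrets and the toy one-time-code function are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)          # hypothetical server-side MAC key

# Constructed user database: password plus per-user second-factor secret.
USERS = {
    "alice": {"password": "alice-pw", "otp_secret": "alice-otp-secret"},
    "bob":   {"password": "bob-pw",   "otp_secret": "bob-otp-secret"},
}


def _seal(payload: dict) -> str:
    """MAC-protect the context so the client cannot forge or alter it."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def _open(context: str) -> Optional[dict]:
    """Verify the MAC and return the payload, or None if tampered."""
    raw = base64.urlsafe_b64decode(context.encode())
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(SERVER_KEY, body, hashlib.sha256).digest(), tag):
        return None
    return json.loads(body)


def otp_for(secret: str, counter: int) -> str:
    """Toy one-time code derived from the per-user secret (constructed, not RFC 4226 HOTP)."""
    return hmac.new(secret.encode(), str(counter).encode(), hashlib.sha256).hexdigest()[:6]


def issue_context(username: str, bind_user: bool) -> str:
    """Step 1 (password) succeeded; tell the MFA step which secret to verify against.
    bind_user=False reproduces the flaw: the context names the token but not the principal."""
    payload = {"otp_secret": USERS[username]["otp_secret"]}
    if bind_user:
        payload["user"] = username
    return _seal(payload)


def complete_login(username: str, password: str, context: str, otp: str,
                   counter: int, bind_user: bool) -> bool:
    """Step 2: re-check the password, then verify the OTP against the context."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return False
    ctx = _open(context)
    if ctx is None:
        return False
    if bind_user and ctx.get("user") != username:
        return False                               # the fix: context must belong to this account
    return hmac.compare_digest(otp_for(ctx["otp_secret"], counter), otp)


def legitimate_login(bind_user: bool) -> bool:
    """Alice logs in with her own password, context and OTP; must succeed in both variants."""
    ctx = issue_context("alice", bind_user)
    return complete_login("alice", "alice-pw", ctx, otp_for(USERS["alice"]["otp_secret"], 7), 7, bind_user)


def cross_account_scenario(bind_user: bool) -> bool:
    """Regression test for the flaw: Bob holds a valid account with his own second
    factor and knows Alice's password. He presents Alice's credentials with the
    context and OTP issued for HIS token. True means the server accepted the login."""
    bob_ctx = issue_context("bob", bind_user)     # obtained by logging in as himself
    bob_otp = otp_for(USERS["bob"]["otp_secret"], 7)
    return complete_login("alice", "alice-pw", bob_ctx, bob_otp, 7, bind_user)
```

The point of `cross_account_scenario` is as a unit test a defender keeps in the build: whenever an MFA step trusts any state handed back by the client, that state must name the principal it was issued for, and the server must compare that name with the account being logged into.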

These two-factor authentication vulnerabilities show that while 2-factor authentication is an important control to implement, businesses should not rely on it alone to stop unauthorized access to accounts. The two-factor authentication flaws discussed here are unlikely to be the last to be discovered.

2-factor authentication should be just one layer of an organization’s defenses against phishing and hacking, along with spam filters, web filters, firewalls, intrusion detection systems, antivirus solutions, network segmentation, and employee security awareness training. 2FA should not be thought of as a silver bullet to stop unauthorized account access.

Web Filtering Advantages for Businesses

Email spam is the most common attack vector used to deliver malware, and while the threat from exploit kits is much lower than in 2015 and 2016, they still pose a problem for businesses. Exploit kits are web-based applications that are loaded onto websites controlled by cybercriminals – either their own sites or sites that have been hijacked.

Exploit kits contain code that exploits flaws in web browsers, plugins and browser extensions. When a user with a vulnerable browser views a malicious URL containing an exploit kit, the vulnerability is exploited and malware is installed.

With browsers becoming more secure, and Flash being phased out, it has become much more difficult to infect computers with malware via exploit kits, and many threat actors have moved on to other types of attack. However, some exploit kits remain active and still pose a danger.

The exploit kits currently in use – RIG, for instance – contain multiple exploits for known vulnerabilities. Most of the vulnerabilities are old and patches have been available for months or years, although zero-day vulnerabilities are occasionally included. Exploit kits are also updated with recently disclosed proof-of-concept code. Exploit code for two recently discovered flaws, one in Internet Explorer (CVE-2018-8174) and one in Adobe Flash (CVE-2018-4878), has already been added to EKs.

Keeping browsers and plugins up to date and using a top antivirus solution will provide a good level of protection, although companies can further enhance security by using a web filter. Web filtering for businesses ensures that any attempt to access a website known to host an exploit kit will be blocked.

Preventing Phishing Attacks

Phishing is one of the most serious threats faced by businesses. Phishing is a method of obtaining sensitive information by deception, such as impersonating a company in an attempt to obtain login credentials or to fool employees into making wire transfers to bank accounts controlled by hackers.

A spam filter can block most malicious messages from reaching inboxes, although some phishing emails will make it past the perimeter security, especially emails containing links to malicious websites. A web filter provides an extra level of protection against phishing by preventing users from visiting malicious websites sent via email and social media posts. When an attempt is made to view a known malicious website, access will be blocked, and the user will be directed to a block screen.

A web filter can also be employed to enforce safe search on search engines such as Google, Yahoo, and Bing. This will help to prevent improper website content from being accessed through search and image search results.

Reviewing Internet Access and Blocking Improper Websites

Staff can waste an extraordinary amount of time on the Internet. Permitting unfettered access to all website content can result in a serious reduction in productivity. If every employee spends an hour a day on the Internet instead of working, a company with 100 employees would waste 100 hours a day, 500 hours a week, and 26,000 hours a year. A major loss.

A web filter can be used to restrict access to websites such as gambling, gaming, and social media sites – all major drains on productivity. Web filters can also be used to review Internet activity. When staff are advised that the company monitors Internet use, employees will be less likely to spend time surfing the Internet instead of doing their daily duties.

Web filters can also be used to prevent visits to not-suitable-for-work (NSFW) content such as pornography and will limit company liability by blocking illegal online activities at work, such as downloading copyright-protected content via P2P file sharing sites. Web filters can also limit bandwidth-hogging activities such as the streaming of audio and video.

WebTitan Cloud – DNS-Based Web Filtering for Companies

DNS-based web filtering for companies is easy with WebTitan Cloud. WebTitan Cloud will help improve security posture, reduce company liability, and enhance the productivity of the workforce. Being 100% cloud-based, the solution requires no hardware purchases, no software downloads, and can be configured in a few minutes.

The solution sorts websites into 53 pre-defined categories, making it straightforward for businesses to block specific types of content. More than half a billion URLs are categorized in the database, and combined with cloud-based lookup, this delivers highly accurate content filtering without overblocking valuable content. The solution can review all web traffic, including encrypted sites.
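The category-based blocking described here, and the safe-search enforcement mentioned earlier under "Preventing Phishing Attacks", both come down to a decision the resolver makes per DNS question. The following is an added example written for this page, not WebTitan's code: a longest-suffix category lookup so that subdomains inherit their parent's category, per-group policies, a CNAME rewrite that forces SafeSearch, a sinkhole answer for blocked names, and the audit line an administrator would later review. The category database, group policies, domains and log format are constructed for the demo; the SafeSearch target hostnames are the search providers' documented enforcement names.

```python
# Constructed category database: domain -> category. A real product carries
# hundreds of millions of URLs; these few entries are made up for the demo.
CATEGORIES = {
    "example-casino.test": "gambling",
    "social.example": "social-media",
    "malware-host.example": "malware",
    "phish-login.example": "phishing",
    "news.example": "news",
}

# Group policies: the categories each group is denied (constructed).
POLICIES = {
    "default":   {"malware", "phishing", "gambling", "adult", "social-media"},
    "marketing": {"malware", "phishing", "gambling", "adult"},   # needs social media
}

# CNAME rewrites that force SafeSearch at the provider (documented enforcement names).
SAFE_SEARCH = {
    "www.google.com": "forcesafesearch.google.com",
    "www.bing.com": "strict.bing.com",
}

SINKHOLE_IP = "192.0.2.1"           # address of the block page (RFC 5737 range)


def lookup_category(qname: str) -> str:
    """Longest-suffix match: 'ads.cdn.example-casino.test' inherits its parent's category."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"


def filter_query(qname: str, group: str = "default") -> dict:
    """Decide the resolver action for one DNS question from a client in `group`."""
    name = qname.lower().rstrip(".")
    if name in SAFE_SEARCH:                               # enforce SafeSearch via CNAME
        return {"qname": name, "group": group, "action": "cname",
                "target": SAFE_SEARCH[name], "category": "search"}
    category = lookup_category(name)
    denied = POLICIES.get(group, POLICIES["default"])
    if category in denied:                                # answer with the block page
        return {"qname": name, "group": group, "action": "block",
                "target": SINKHOLE_IP, "category": category}
    return {"qname": name, "group": group, "action": "allow",
            "target": None, "category": category}


def audit_log(queries) -> list:
    """queries: iterable of (client_ip, group, qname). Returns the review log lines."""
    lines = []
    for client, group, qname in queries:
        d = filter_query(qname, group)
        line = f"{client} {group} {d['qname']} {d['category']} {d['action'].upper()}"
        if d["target"]:
            line += f" -> {d['target']}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Constructed sample queries from two clients in different groups.
    for entry in audit_log([
        ("192.0.2.50", "default", "ads.cdn.example-casino.test"),
        ("192.0.2.50", "default", "social.example"),
        ("192.0.2.60", "marketing", "social.example"),
        ("192.0.2.60", "marketing", "WWW.GOOGLE.COM."),
        ("192.0.2.50", "default", "news.example"),
    ]):
        print(entry)
```

Because the decision is made at name resolution, a blocked site never receives a connection from the client; the browser is sent to the sinkhole address, where the block page lives. The suffix walk is what lets a single database entry cover every subdomain of a categorized site.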

The solution allows policies to be set up for the entire workforce, groups, or individuals and protects employees both on and off the network. When employees use a number of different devices, the content filtering controls can be applied across the board and will work whether the user is on-site or roaming.

Administrators can use the comprehensive reporting suite, with 55 preconfigured reports and scope for customization, with report scheduling options and the ability to review browsing in real-time.

If you want to strengthen your security posture, improve bandwidth, cut legal liability, prevent NSFW content, and improve productivity, give TitanHQ a call today and find out more about how WebTitan Cloud can benefit your company.

Phishing Criminals Take Advantage of Lack of WhatsApp Anti-Phishing Protections

While most phishing attempts are conducted over email, there has been a noticeable rise in the use of other communications platforms such as messaging services, with WhatsApp phishing scams now increasing in popularity amongst hackers.

WhatsApp phishing attacks are common for two reasons. First is the sheer number of individuals on the platform. In January 2018, the number of monthly users of WhatsApp worldwide reached 1.5 billion, up from 1 billion users six months earlier. Second is the lack of anti-phishing measures to stop malicious messages from being sent.

Many businesses have put in place spam filtering solutions such as SpamTitan, while personal users are benefiting from big improvements to spam filtering on webmail services such as Gmail. Spam filtering solutions are highly effective at spotting phishing emails and other malicious messages and divert them to the spam folder rather than delivering them to inboxes.

Messaging services often do not have spam filtering controls. Therefore, malicious messages have a much greater chance of being delivered. Various tactics are used to entice recipients to click the links in the messages, usually an offer of a free gift, an exceptionally good discount on a product – the new iPhone, for instance – or a money-off voucher or gift card.

The messages include a link that directs the recipient to the phishing website. The link usually includes a preview of the website, so even if a shortlink is used for the URL, the recipient can see some information about the site. A logo may be displayed along with the page title. That makes it much more likely that the link will be visited.

Additionally, the message often comes from a known individual – a person in the user’s WhatsApp contacts. When a known person vouches for the site, the probability of the link being clicked is much higher.

To add further legitimacy to the WhatsApp phishing scams, the websites often use fake comments from social media sites confirming that a gift card has been won or a reward has been handed over. Some of those comments are positive, and some are neutral, as you would expect from a real prize draw in which not everyone is a winner.

The websites used in WhatsApp phishing scams often use HTTPS, which shows a green tick next to the URL to indicate that the site is ‘secure.’ Even though the green tick is no guarantee of the legitimacy of a site, many people believe the green tick means the site is authentic.

Gift cards are often given out for participating in legitimate surveys, so the offer of either a gift card or entry into a free draw is not unusual. In return, the visitor to the site is required to answer some standard questions and provide information that would permit them to be contacted – their name, address, phone number, and email address for instance.

The data gathered through these sites is then used for additional phishing attempts via email, telephone, or snail mail which aim to obtain even more personal data. After completing the questions, the website may claim that the user has won, which requires entry of bank account information or credit card information… in order for prize money to be paid or for confirmation of age.

These WhatsApp phishing scams often have another feature which helps to share the messages much more efficiently to other potential victims. Before any individual can receive their free prize or even submit their details for a prize draw, they must first agree to share the offer with their WhatsApp contacts.

If you are sent an unsolicited link from a contact that offers a free gift or money-off voucher, there is a high probability that it may not be authentic and is a WhatsApp phishing scam.

Coin Mining and Ransomware Functionality Included in New Xbash Malware

Xbash malware is one of many new malware threats discovered in recent weeks that combines the file-encrypting features of ransomware with the coin mining functionality of cryptocurrency mining malware.

In 2018, several cybersecurity and threat intelligence companies have reported that ransomware attacks have fallen. Ransomware campaigns are still profitable, although it is possible to make more money through cryptocurrency mining.

The recent Internet Organized Crime Threat Report issued by Europol notes that cryptojacking is a new cybercrime trend and is now a regular, low-risk revenue generator for hackers, but that “ransomware remains the key malware threat”. Europol has reported that a decline has been seen in random attacks using spam email, with cybercriminals instead focusing on attacking businesses where greater profits lie. Those attacks are highly targeted.

Another emerging trend gives cybercriminals the best of both worlds – the use of versatile malware that has the features of both ransomware and cryptocurrency miners. These highly versatile malware variants provide cybercriminals with the chance to obtain ransom payments as well as the ability to mine for cryptocurrency. If the malware is downloaded on a system that is not well suited to mining cryptocurrency, the ransomware function is enabled, and vice versa.

Xbash malware is one of these threats, albeit with one major caveat. Xbash malware cannot restore files. In that regard it is closer to NotPetya than Cerber. As was the case with NotPetya, Xbash malware just masquerades as ransomware and requests a payment to restore files – currently 0.2 BTC ($127). Payment of the ransom will not lead to keys being given to unlock encrypted files, as currently files are not encrypted. The malware simply erases MySQL, PostgreSQL, and MongoDB databases. This function is switched off if the malware is installed on a Linux system. If it is downloaded on Windows devices, the cryptojacking function is enabled.

Xbash malware can also self-propagate. Once downloaded on a Windows system it will spread throughout the network by exploiting weaknesses in Hadoop, ActiveMQ and Redis services.

Xbash malware has been developed in Python and compiled into a portable executable (PE) format using PyInstaller. The malware will run its file encrypting/deletion process on Linux systems and use JavaScript or VBScript to download and run a coinminer on Windows systems. Palo Alto Networks’ Unit42 has attributed the malware to a threat group referred to as Iron Group, which has previously been linked with ransomware attacks.

At present, infection takes place through the exploitation of unpatched flaws and brute force attacks on systems with weak passwords and unprotected services. Protection against this threat requires the use of strong, unique, non-default passwords, swift patching, and endpoint security solutions. Preventing access to unknown hosts on the Internet will stop communication with its C2 if it is downloaded, and naturally it is important that multiple backups are regularly made to ensure file recovery is possible.

Kaspersky Lab discovered that there has been a doubling of these multi-purpose remote access tools over the past 18 months, and their popularity is likely to continue to rise. This type of versatile malware could well prove to be the prevalent malware for hackers over the next year.

HTTPS Phishing Websites Make Up One Third of Total

There has been a noticeable increase in HTTPS phishing website detections, phishing attacks are growing, and the threat from phishing is greater than ever before.

Phishing is one of the most serious cyber threats that businesses must now deal with. It is the easiest way for hackers to gain access to email accounts for business email compromise scams, steal credentials, and download malware.

The Anti-Phishing Working Group – an international organization of government agencies, law enforcement, trade associations, and security firms – recently published its phishing trends activity report for Q1, 2018. The report indicates that the threat from phishing is greater than ever, with more phishing websites detected in March 2018 than at any point in the past 12 months.

In the first six months of 2017, there was an average of 48,516 phishing websites spotted every month. The figure rose to 79,464 phishing websites detected on average per month in the second half of the year. In the first quarter of 2018, there was an average of 87,568 phishing websites discovered, with detections peaking in March when more than 115,000 phishing sites were identified.

The number of unique phishing reports registered in Q1, 2018 (262,704) was 12.45% higher than in the final quarter of 2017.

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare suppliers, health insurers, healthcare clearinghouses and business associates of HIPAA-covered bodies to report breaches of protected health information within 60 days of the discovery of the breach. The chief enforcer of HIPAA compliance, the Department of Health and Human Services’ Office for Civil Rights (OCR), publishes summaries of those breach reports. Those summaries show just how significant the threat from phishing is.

HIPAA-covered groups and business associates have reported 45 email hacking incidents in 2018 – 21.68% of all breaches reported.

PhishLabs, an anti-phishing vendor that supplies a security awareness training and phishing simulation platform, has been monitoring HTTPS phishing websites. The company has recently published figures showing there has been a sharp increase in HTTPS phishing websites in the past few months with HTTPS and SSL certificates now popular with phishers.

As companies make the move to HTTPS, the phishers have followed suit. In the final quarter of 2015, a little over 1% of all phishing websites were hosted on HTTPS. By the final quarter of 2016, the percentage had grown to a shade under 5%. By the end of the final quarter of 2017, 31% of phishing sites used HTTPS. The Q1, 2018 figures show HTTPS phishing websites now account for 33.3% of all phishing websites.

HTTPS websites ensure the link between the browser and the website is encrypted. This offers greater security for website visitors as information entered on the site – such as credit card numbers – is protected from eavesdropping in transit. However, if the site is controlled by a cybercriminal, HTTPS offers no protection at all: the data is simply encrypted on its way to the attacker.

Securing against phishing attacks and malware installations via HTTPS websites requires the use of a web filtering solution that performs SSL inspection. If a standard web filtering solution is used that is unable to review HTTPS websites, it will not protect staff from visiting malicious websites.

It is certainly possible to block users from viewing all HTTPS websites, which sidesteps the need for SSL inspection, but with more websites now using HTTPS, many valuable internet resources and websites vital for business would become inaccessible.

While many companies may be reluctant to put in place SSL filtering due to the strain it can place on CPUs and the potential for slowing internet speed, TitanHQ has a solution. WebTitan incorporates HTTPS content filtering as standard to ensure businesses are safe from HTTPS phishing websites and other online threats while ensuring internet speeds are not adversely impacted.

You can discover more about how you can secure your business from phishing websites by contacting the TitanHQ sales team and asking about WebTitan services.

Payment Card Skimmer Used to Attack 7,339 Magento Stores in MagentoCore Malware Campaign

A huge MagentoCore malware campaign has been discovered that has seen thousands of Magento stores compromised and injected with a payment card scraper. As visitors pay for their purchases on the checkout pages of compromised websites, their payment card information is sent to the hacker in real time.

Once access is obtained to a website, the source code is changed to include the MagentoCore malware, which is hidden among legitimate-looking files on the magentocore.net domain.

The hacking campaign was discovered by Dutch security researcher Willem de Groot. Over the past six months, the hacker to blame for the campaign has loaded MagentoCore malware on at least 7,339 Magento stores. The number of impacted websites is believed to be increasing at a rate of around 50 or 60 new stores per day.

Site owners have been notified of the MagentoCore malware infections, although currently over 5,170 Magento stores still have the script on their site.

The campaign was noticed when de Groot started scanning Magento stores for malware infections and malicious scripts. He says that around 4.2% of Magento stores have been impacted and contain malware or a malicious script.

While a high number of small websites have been successfully attacked, according to de Groot, the script has also been installed onto the websites of multi-million-dollar publicly traded companies, suggesting the hacker responsible for the attack has been able to steal tens, or most likely, hundreds of thousands of payment cards.

With a complete set of payment card data selling for between $5 and $30 per card on darknet marketplaces, the individual(s) or hacking group to blame for the campaign has likely made a substantial profit.

Additional data on the threat actor(s) responsible for the attacks has come from RiskIQ, which reports that the MagentoCore malware campaign is part of a much larger payment card scraping campaign called MageCart. RiskIQ reports that MageCart has been operating since at least 2015 and says the campaign is being run by three groups. One of the groups was to blame for the TicketMaster breach reported in June that affected 5% of its customers.

All three groups are deploying the same tactics as part of a single campaign. It is likely the MagentoCore malware campaign is being operated by the same individuals responsible for MageCart.

Access to the sites is obtained through a simple but time-consuming process – carrying out a brute force attack to guess the password for the administrator account on the website. De Groot said it can take months before the password is guessed. Other tactics known to be implemented are the use of malware such as keyloggers to obtain the login credentials and the exploitation of vulnerabilities in unpatched content management systems.

Stopping website compromises requires the use of very strong passwords and swift patching to ensure all vulnerabilities are tackled. The CMS itself should also be updated as soon as a new version is made available.

It is also vital for site owners to complete regular scans of website CMSs to search for malicious scripts or code alterations, and to use a security solution that warns the webmaster when a code change is detected on a website.

Sadly, finding out that a site has been compromised and deleting the malicious code will not be enough. A painstaking check of the codebase is required as multiple backdoors are often added to compromised websites to ensure access can still be obtained should the malicious code be discovered and deleted.
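The two checks recommended above (alerting on code changes, and re-checking the codebase for anything foreign after a clean-up) can be approximated with a file-integrity baseline plus a scan for third-party script tags on the checkout page. The code below is an added example, not part of the article or of any vendor product; the directory layout, the `.invalid` hostnames and the allowlist are constructed for the demo.

```python
"""File-integrity baseline and foreign <script src> scan for a store's web root.

Constructed example: paths, hostnames and the allowlist below are made up.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# Matches the src attribute of <script ... src="..."> tags.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[rel] = digest.hexdigest()
    return baseline


def diff_baseline(old, new):
    """Compare two hash maps and report added, removed and modified paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def foreign_script_hosts(html, allowed_hosts):
    """Return script hosts not in allowed_hosts (relative srcs are same-origin)."""
    foreign = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            foreign.append(host)
    return foreign


def run_demo():
    """Constructed scenario: baseline a tiny web root, then simulate a skimmer
    tag injected into the checkout template plus one unexpected new file."""
    with tempfile.TemporaryDirectory() as root:
        template = os.path.join(root, "app", "design", "checkout.phtml")
        os.makedirs(os.path.dirname(template))
        with open(template, "w") as fh:
            fh.write('<script src="/js/checkout.js"></script>\n')
        before = hash_tree(root)

        # Simulated compromise: an extra script tag loading from an unknown host
        # and one new file that was never part of the deployment.
        with open(template, "a") as fh:
            fh.write('<script src="https://skimmer.invalid/mage.js"></script>\n')
        with open(os.path.join(root, "app", "unexpected.php"), "w") as fh:
            fh.write("<?php // constructed placeholder for an unexpected file ?>\n")

        changes = diff_baseline(before, hash_tree(root))
        with open(template) as fh:
            foreign = foreign_script_hosts(fh.read(), {"cdn.example-store.invalid"})
    return {"changes": changes, "foreign_script_hosts": foreign}


if __name__ == "__main__":
    print(run_demo())
```

In practice the baseline would be stored off the web server and the comparison scheduled, so that an alert fires on the first unexplained change rather than months later.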

New AdvisorsBot Malware Threat Spread Using Spam Email

Hotels, restaurants, and telecommunications companies are being targeted by a new spam email campaign that distributes a new form of malware called AdvisorsBot. AdvisorsBot is a malware downloader which, like many strains of malware, is being shared using spam emails containing Microsoft Word attachments with malicious macros.

Clicking on an infected email attachment and allowing macros on the document will see AdvisorsBot installed. AdvisorsBot’s main role is to fingerprint an infected device. Information gathered on the infected device is communicated to the threat actors’ command and control servers, and additional instructions are issued to the malware based on the information gathered on the system. The malware records system data, details of programs installed on the device, Office account details, and other data. It is also able to take screenshots on an infected device.

AdvisorsBot malware is so labelled because the early samples of the malware that were first discovered in May 2018 contacted command and control servers that included the word advisors.

The spam email campaign is mainly aimed at targets in the United States, although infections have been detected worldwide. Several thousand devices have been infected with the malware since May, according to the security experts at Proofpoint who discovered the new malware threat. The threat actors thought to be behind the attacks are an APT group known as TA555.

Various email lures are being implemented in this malware campaign to get the recipients to open the infected attachment and allow macros. The emails shared to hotels appear to be from individuals who have been charged twice for their stay. The campaign on restaurants shares emails which claim that the sender has suffered food poisoning after eating in a particular location, while the attacks on telecommunications firms use email attachments that seem to be resumes from job applicants.

AdvisorsBot is developed in C, but a second form of the malware has also been discovered that is written in .NET and PowerShell. The second variant has been given the title PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that installs a PowerShell script which executes shellcode that runs the malware in the memory without writing it to the disk.

These malware threats are still under development and are typical of many recent malware threats, which have a wide variety of capabilities and the versatility to be used for many different types of attack such as information stealing, ransomware delivery, and cryptocurrency mining. The malicious actions carried out are determined based on the system on which the malware has been downloaded. If that system is ideally suited for mining cryptocurrency, the relevant code will be downloaded. If the business is of particular interest, it will be earmarked for a more thorough compromise.

The best method of security against this campaign is the use of an advanced spam filtering solution to stop the emails from being delivered and security awareness training for employees to train them how to respond when such a threat arrives in their inbox.

Email Archiving and its Importance for Businesses

It is evident that email archiving has become vital in today’s business environment, but what is email archiving and what is its importance to businesses?

What Email Archiving is

An email archive is a store for old emails which are not needed on a day to day basis but may need to be accessed from time to time. An email archive saves all email conversations securely in a searchable format that allows companies to satisfy various state, federal, and industry requirements.

Saving Storage Space with Email Archiving

Although emails could be left in personal mailboxes, the number of emails received on a daily basis means the storage space required for each mailbox would be considerable. This is especially the case considering the requirement in many industries to store emails for several years. If this approach was used, employees would have to exercise strict control over their inboxes and mailbox folders and diligently delete spam and non-official emails. Even then, storage space would still likely become an issue in a short space of time.

Emails are Easily Searchable in Archives

Another common solution to preserve emails is a mailbox backup. Email backups can be used to recover emails that have been accidentally deleted and can even allow an entire mailbox to be restored in the event of a disaster.

However, as is the case with any store, knowing that an item is in storage does not mean it is necessarily easy to find. While you may need to invest a little time to find a particular item in your work storeroom, it can take an awfully long time to find a single email in an email backup containing thousands or even tens of thousands of messages. The reason: backups are not searchable.

An email archive differs from a backup as messages can be searched due to them being indexed. Finding a message in a backup file can take hours, even days. However, locating a message in an archive takes a matter of seconds, a minute or two at most. An email archive allows emails to be quickly found if it is ever required to produce them.

Usually, IT staff have much more important things to be working on than recovering accidentally deleted emails. An archive means an email can be easily searched and accessed by employees without any involvement from the IT department. What’s more, emails can be accessed from any location and emails found even when the mail server is down, if a cloud-based archive is used.

Of course, there are also situations when more formal searches are required, such as when issues are identified with an employee and HR needs further information on the matter. Legal requests such as eDiscovery require large quantities of emails to be resurfaced and provided to attorneys, and customer disputes require email conversations to be found quickly. Having an archive within the business significantly reduces the time taken for these tasks to be performed. A company-wide search of emails typically takes 80% less time when an archive is used.

Importance of Email Archives for GDPR Compliance

Since the General Data Protection Regulation has come into effect in May of 2018, email archives are even more critical. As soon as a request is received from an individual who wants to exercise their right to be forgotten, all data must be erased. This, of course, includes data contained in email accounts. An email archive can make this process much more efficient by allowing emails to easily be found and deleted.

The email archive ensures that regardless of what may happen, all emails can be located. Emails in the archive are also court admissible and tamper-evident which makes email archives important for compliance with state, federal, and industry regulations.

Email Archive: Time and Money Saver for Companies

Improvement in mail service efficiency, reduction in server management costs, minimised storage costs; these are results of using an email archiving system in your business. Companies can save up to 75% on storage space when an archive is used. Additionally, it is a much quicker process to migrate emails to a new server when the majority of emails have been placed in an archive.

Overall, an email archiving system’s importance to businesses cannot be underestimated. It ensures emails are never lost or deleted, provides a failsafe in the event of disaster, maintains an audit trail and ensures emails can be found quickly and efficiently. An email archive can save companies time and money, along with helping compliance with state, federal, and industry regulations.

ArcTitan: An Efficient, Low Cost Solution to Email Archiving for Businesses

For businesses who have not yet started using an email archiving solution, TitanHQ has an optimal solution. ArcTitan is a fast, efficient, scalable, and low-cost archiving solution for SMBs and enterprises.

A cloud-based email archiving solution that integrates seamlessly with Outlook, ArcTitan allows emails to be quickly archived and retrieved on demand with ease via super-fast, user-friendly search screens.

Storage space is reduced through the de-duplication and compression of all emails and all messages and attachments are stored securely in IL5 certified datacenters.

If you are searching for an easy-to-use email archiving solution that can be implemented in minutes, get in touch with the TitanHQ team today for further information.

WhatsApp Users Targeted as Hackers Focus on Lack of Anti-Phishing Protections

Most phishing attempts are carried out using email. However, recently there has been a significant surge in the use of other messaging services with WhatsApp phishing scams now rising in popularity amongst phishers.

WhatsApp phishing attacks are increasing for two main reasons. The first is the massive size of the platform’s user base: in January 2018, the number of monthly WhatsApp users worldwide topped 1.5 billion, up from 1 billion users in mid-2017. The second is the absence of anti-phishing measures to prevent malicious messages from being sent.

Many businesses have put in place spam filtering solutions, while personal users are happy due to the spam filtering on webmail services such as Gmail. Spam filtering solutions are highly effective at spotting phishing emails and other malicious messages and send them to the spam folder rather than sending them to inboxes.

Messaging services often do not have spam filtering controls, so malicious messages have a much greater chance of being delivered. Many tactics are used to entice recipients to click the links in the messages, usually the offer of a free gift, a very good special offer on a product – the new iPhone for instance – or a money-off voucher or gift card.

The messages include a link that sends the recipient to the phishing website. The link usually includes a preview of the website, so even if a shortlink is used for the URL, the recipient can see some details about the site. A logo may be displayed beside the page title. That makes it much more likely that the link will be visited.

Additionally, the message often comes from a known person – a contact in the user’s WhatsApp friends. When a known individual vouches for the site, the chance of the link being clicked is much higher.

To add further authenticity to the WhatsApp phishing scams, the websites often use fake comments from social media sites stating that a gift card has been won or a reward has been received. Some of those comments are positive, and some are neutral, as you would expect from a real prize draw where not everyone is successful.

The websites used in WhatsApp phishing scams often use HTTPS, which shows a green padlock next to the URL to indicate that the connection is ‘secure.’ Even though the padlock is no guarantee of the legitimacy of a site, many people believe it means the site is genuine.

Gift cards are often handed out for participating in legitimate surveys, so the offer of either a gift card or entry into a free draw is not unusual. In return, the visitor to the site is required to answer some standard questions and provide information that would permit them to be contacted – their name, address, phone number, and email address for instance.

The data gathered through these sites is then used for additional phishing attempts via email, telephone, or snail mail which aim to obtain even more personal data. After answering the questions, the website may claim that the user has won, which requires entry of bank account information or credit card details so that the prize money can be paid.

These new WhatsApp phishing scams often have an additional component which assists in spreading the messages much more efficiently to other potential victims. Before any person can claim their free prize or even send their details for a prize draw, they must first agree to share the message with some of their WhatsApp contacts.

Should you receive an unsolicited link from a contact that offers a free gift or money-off voucher, there is a very good chance it may not be authentic and is a WhatsApp phishing scam.

MyFitnessPal Data Breach Phishing Attacks Expected

Under Armour has been hit by a huge MyFitnessPal data breach that has resulted in the personal data of 150 million users being accessed and stolen by a cybercriminal.

The data impacted relates to users of the mobile MyFitnessPal app and the web version of the fitness and health tracking software. The types of data obtained in the MyFitnessPal data breach include hashed usernames, passwords and email details.

While payment card data is stored by Under Armour, the information is processed and saved separately and was not breached. Other highly sensitive information normally used for identity theft and fraud such as Social Security numbers was not obtained by the hacker.

The MyFitnessPal data breach is significant due to the sheer volume of data obtained and is the largest data breach to be noticed this year; however, the theft of hashed data would not usually pose an immediate danger to users. That is certainly the case for the passwords, which were hashed using bcrypt – a very strong, deliberately slow hashing algorithm. However, usernames and email addresses were only hashed using the SHA-1 hashing function, which does not provide the same level of security. SHA-1 is fast and the hashes were not salted, so hashes of predictable data such as email addresses can feasibly be matched against candidate lists, which means the data could potentially be recovered by the hacker.
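Why the two hash types carry such different risk, as an added example that is not part of the article: unsalted SHA-1 hashes of predictable values can be matched against a single precomputed table, while a salted, slow password hash cannot. bcrypt is not in Python's standard library, so `hashlib.pbkdf2_hmac` with a per-record random salt stands in for it here; the properties that matter (per-record salt, tunable cost) are the same. All addresses, passwords and salts are constructed for the demo.

```python
"""Unsalted fast hash vs salted slow hash, illustrated on constructed data.

pbkdf2_hmac is used as a stand-in for bcrypt (not in the standard library).
"""
import hashlib
import os
import secrets


def sha1_hex(value):
    """Plain, unsalted SHA-1 of a string, as applied to the leaked emails."""
    return hashlib.sha1(value.encode()).hexdigest()


def build_lookup(candidates):
    """Precompute {sha1(candidate): candidate} once; with no salt, this single
    table can be checked against every record in a leaked database."""
    return {sha1_hex(c): c for c in candidates}


def recover_unsalted(leaked_hashes, lookup):
    """Return {hash: original_value} for every leaked hash found in the table."""
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


def slow_hash(password, salt, rounds):
    """Salted, iterated hash: the salt makes a shared lookup table useless and
    the round count makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_record(password, rounds):
    """Store (salt, digest) with a fresh 16-byte random salt per record."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt, rounds)


def verify(password, record, rounds):
    """Constant-time comparison of a candidate against a stored record."""
    salt, digest = record
    return secrets.compare_digest(slow_hash(password, salt, rounds), digest)


def demo(rounds=50_000):
    """Constructed scenario: three leaked SHA-1 email hashes, a candidate list
    that happens to contain two of them, and two salted records of one password."""
    users = ["alice@example.invalid", "bob@example.invalid", "carol@example.invalid"]
    leaked_email_hashes = [sha1_hex(u) for u in users]

    # Any list of known addresses works as a candidate list (constructed here).
    candidates = ["alice@example.invalid", "bob@example.invalid", "dave@example.invalid"]
    recovered = recover_unsalted(leaked_email_hashes, build_lookup(candidates))

    # Same password, two records: different salts give different digests, so
    # no table built for one record says anything about the other.
    rec1 = make_record("hunter2", rounds)
    rec2 = make_record("hunter2", rounds)

    return {
        "recovered": sorted(recovered.values()),
        "same_password_same_digest": rec1[1] == rec2[1],
        "verify_ok": verify("hunter2", rec1, rounds),
        "verify_wrong": verify("Hunter2", rec1, rounds),
    }


if __name__ == "__main__":
    print(demo())
```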

Further, the hacker has had the data for a long time. Under Armour became aware of the breach on March 25, 2018, but the attack took place more than a month before it was discovered – some six weeks before the announcement about the data breach was made.

Given the method used to safeguard the usernames and email addresses, the data can be thought of as accessible and it is almost certain the person or persons to blame for the attack will attempt to monetize the data. If the attacker cannot personally recover the hashed values, it is almost certain that the data will be sold to someone who can.

While it is possible that the bcrypt-hashed passwords could be cracked, it is unlikely that this will be attempted. To do so would take a considerable amount of time and effort. Further, Under Armour is notifying affected users and is encouraging them to change their passwords as a precaution to ensure accounts cannot be accessed.

While MyFitnessPal accounts may remain safe, that does not mean that users of MyFitnessPal will be unaffected by the breach. The hacker – or current holders of the data – will no doubt use the 150 million email addresses and usernames for phishing attacks.

Under Armour started contacting affected users four days following the MyFitnessPal data breach. Any affected user should log in and change their password as a precaution to stop their account from being accessed. Users also need to be alert to the risk from phishing.

Phishing campaigns linked to the MyFitnessPal data breach can be expected although the hackers will likely develop a variety of phishing emails to attack breach victims.

An incident of the scale of the MyFitnessPal data breach also presents a danger to businesses. If an employee was to respond to a phishing campaign, it is possible that they could install malware onto their work device – an action that could lead to the business network being infiltrated.

Attacks on this scale are happening more often, and with huge volumes of email addresses now being used for phishing campaigns, advanced spam filtering solutions for companies are now a necessity.

If you have yet to put in place a spam filter, or are unhappy with your current supplier and its detection/false positive rate, contact TitanHQ to find out about SpamTitan – the leading anti-spam software for enterprises and SMBs.

New Rakhni Ransomware Variant Discovered

Rakhni ransomware, a malware variant first discovered in 2013, has led to a huge number of variants over the past three years and is still a dangerous threat. Rakhni ransomware encrypts files on an infected device to stop the user from accessing their data. A ransom demand is sent and if payment is completed, the hackers will supply the keys to unlock the encryption. If the ransom is not paid the files will stay encrypted. In such cases, the only option for file recovery is to restore files from backups.

Now the creators of Rakhni ransomware have added new functionality. Checks are carried out on an infected device to determine whether it has enough processing power to be used as a cryptocurrency mining slave. If so, cryptocurrency mining malware will be installed. If not, ransomware will be activated.

This new development should not come as a major shock. The huge increase in the value of many cryptocurrencies has made mining cryptocurrencies far more profitable for hackers than ransomware. When ransomware is downloaded, many victims decide not to pay and instead recover files from backups. Infection is no guarantee that a payment will be received. If a cryptocurrency miner can be downloaded, it gets straight to work generating money for the hackers. Ransomware attacks are still a massive threat, although many hackers have switched their operations to mining cryptocurrencies. In fact, cryptocurrency mining malware attacks are now seen far more often than ransomware attacks.

However, not all computers have enough CPU processing power to make cryptocurrency mining advantageous, so the method used by the threat actors behind Rakhni ransomware helps them maximize their returns.

The new Rakhni ransomware campaign was discovered by experts at Kaspersky Lab. The malware used is Delphi-based and is being shared in phishing emails containing a Microsoft Word file attachment.

The user is prompted to save the document and enable editing. The document includes a PDF file icon which, if clicked, launches a fake error message suggesting the DLL file required to open the PDF file cannot be found. The user needs to click OK to close the error message.

When the error box is closed, the malware carries out a series of checks on the machine: it enumerates the processes running on the device and assesses them to determine whether it is running in a sandbox environment and how likely it is to be able to run undetected. After these checks have been completed, the system is assessed to determine its capabilities.

If the machine has more than two processors and does not have a Bitcoin folder included in the AppData folder, a cryptocurrency miner will be downloaded. The cryptocurrency miner uses fake root certificates which show the program has been released by Microsoft Corporation to help disguise the miner as a trusted application.

If a Bitcoin folder is present, certain processes will be terminated, and Rakhni ransomware will be installed and run. If there is no Bitcoin folder and only one processor, the malware will deploy its worm component and will attempt to spread to other devices on the network, where the process starts again.

Advanced anti-virus software can supply protection against this attack, while spam filtering solutions can stop the phishing emails from being sent to end users. Companies should also ensure that their workers are made aware of the risk of these types of attacks through security awareness training. Workers should be told never to open attachments in emails from unknown senders and trained regarding the warning signs of a potential attack that is running. Naturally, good data backup practices are vital to ensure that if all other security measures fail, files can be rescued without paying a ransom.

Cryptocurrency Mining PowerGhost Malware on the Rise

A huge cryptocurrency mining campaign has been discovered by security researchers at Kaspersky Lab – a campaign that has led to the growth of a vast network of devices infected with PowerGhost malware.

PowerGhost malware is being downloaded on all types of devices including servers, endpoints, and POS devices. Once infected, each device creates a small amount of a cryptocurrency each day by using the device’s processing power to solve complex computational problems.

While a single device can be used to mine a few dollars of cryptocurrency every day, the returns are major when the hackers are able to infect server farms and add hundreds of thousands of endpoints to their army of cryptocurrency mining devices.

Once a device has been infected, the cryptocurrency mining tool is installed and gets to work. A part of an infected device’s processing power is then focused on mining cryptocurrency until the infection is identified and the malware is deleted. PowerGhost malware also spreads laterally to all other vulnerable networked devices.

What makes PowerGhost such a difficult threat to identify is the fact that it doesn’t write any files to disk; instead it mines cryptocurrency from memory. PowerGhost is an obfuscated PowerShell script that includes a number of add-on modules, including the cryptocurrency mining component, mimikatz, and the DLLs needed for the operation of the miner. Various fileless techniques are used to infect devices, ensure persistence, and prevent detection by anti-virus solutions. The malware also includes shellcode for the EternalBlue exploit to permit it to spread across a network to other vulnerable devices. Attacks are taking place through the exploitation of unpatched flaws and through remote administration tools.

PowerGhost malware is mainly being used in attacks on businesses in Latin America, although it is far from confined to this geographical region with India and Turkey also heavily targeted and infections seen in Europe and North America.

Companies are being targeted. If a foothold can be obtained in a corporate network, hundreds, thousands or tens of thousands of devices can be infiltrated and used for cryptocurrency mining. The potential rewards for a successful attack on a medium to large enterprise are massive.

Along with cryptocurrency mining, Kaspersky Lab researchers said that one version of the PowerGhost malware can be used for DDoS attacks, offering another source of income for the cybercriminal gang responsible for the campaign.
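From a detection standpoint, the traits described above (obfuscated or encoded PowerShell, in-memory execution, mimikatz, EternalBlue-style spreading) all surface in PowerShell script-block logging (Windows event 4104). The following triage routine is an added example, not code from the original article or from Kaspersky Lab's research; the log entries and the indicator weights are constructed assumptions, not published signatures.

```python
"""Score PowerShell script-block log entries (event 4104) for fileless-miner traits.
Added example; sample entries and indicator weights are constructed assumptions."""
import re

# Each indicator: compiled pattern and a weight. Weights are assumptions for illustration.
INDICATORS = {
    "encoded_command":   (re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I), 3),
    "hidden_window":     (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), 1),
    "base64_decode":     (re.compile(r"FromBase64String", re.I), 2),
    "invoke_expression": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    "reflective_load":   (re.compile(r"\[Reflection\.Assembly\]::Load\(", re.I), 3),
    "mimikatz":          (re.compile(r"mimikatz|sekurlsa", re.I), 5),
    "smb_exploit":       (re.compile(r"EternalBlue|MS17-010", re.I), 5),
    "miner_pool":        (re.compile(r"stratum\+tcp://", re.I), 4),  # mining pool URL scheme
}

def score_script_block(script):
    """Return (score, sorted list of matched indicator names) for one script block."""
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(script)]
    score = sum(INDICATORS[name][1] for name in hits)
    return score, sorted(hits)

def triage(entries, threshold=4):
    """Return [(host, score, hits)] for 4104 entries whose score reaches the threshold."""
    flagged = []
    for entry in entries:
        if entry.get("event_id") != 4104:   # only script-block logging events
            continue
        score, hits = score_script_block(entry["script"])
        if score >= threshold:
            flagged.append((entry["host"], score, hits))
    return flagged

# Constructed sample entries (not real telemetry).
SAMPLE_ENTRIES = [
    {"event_id": 4104, "host": "fileserver01", "script":
        "Get-Service | Where-Object {$_.Status -eq 'Running'} | Export-Csv C:\\reports\\svc.csv"},
    {"event_id": 4104, "host": "pos-terminal07", "script":
        "powershell -nop -w hidden -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"event_id": 4104, "host": "pos-terminal07", "script":
        "$d=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)); IEX $d; Invoke-Mimikatz -DumpCreds"},
    {"event_id": 4104, "host": "workstation22", "script":
        "foreach ($h in $targets) { Start-Job -ScriptBlock $spread -ArgumentList $h } # MS17-010 (EternalBlue) stage"},
    {"event_id": 4103, "host": "workstation22", "script": "Invoke-Expression (Get-Content .\\build.ps1)"},
]

if __name__ == "__main__":
    for host, score, hits in triage(SAMPLE_ENTRIES):
        print(f"{host}: score={score} indicators={', '.join(hits)}")
```

The benign administrative script scores zero, while the encoded loader, the in-memory mimikatz stage and the SMB-spread job each cross the threshold; the event 4103 entry is ignored because only script-block events are considered.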

Coinminer Malware Being Delivered with New Underminer Exploit Kit

Exploit kit activity may not be as widespread as it once was, but the threat has not completely disappeared. Rig exploit kit activity has increased steadily in 2018 and now a new exploit kit has been discovered.

The exploit kit has been named Underminer by Trend Micro security experts, who noticed it in July 2018. The Underminer exploit kit is being used to deliver bootkits which in turn deliver coinminer malware. The EK is primarily being used in attacks in Japan, although other East Asian countries have also seen attacks, with activity now spreading beyond this region.

The Underminer exploit kit was also noticed by Malwarebytes researchers, who note that the exploitation framework was first spotted by the Chinese cybersecurity firm Qihoo360 in late 2017, when it was being used to deliver adware. Now the exploit kit is being used to deliver Hidden Bee (Hidden Mellifera) cryptocurrency mining malware. Trend Micro notes that evidence has been found that strongly suggests the exploit kit was developed by the developers of the Hidden Mellifera coinminer malware.

The exploit kit deploys complex methods to deliver the payload with different methods used for a range of different exploits. The developers have also included several controls to hide malicious activity including the obfuscation of exploits and landing pages and the use of encryption to package exploits on-the-fly.

The EK profiles each visitor via the browser's user-agent string to determine whether the visitor is of interest. If not, the visitor is directed to an HTTP 404 error page. If a visitor is of interest, a browser cookie is set to identify that visitor and make sure that the payload is only delivered once, preventing reinfection and hampering attempts by researchers to reproduce an attack. URLs used in the attacks are also randomized to prevent detection by standard AV solutions. The coinminer is delivered using a bootkit which is downloaded through encrypted TCP tunnels.

The Underminer exploit kit contains a limited number of exploits: the Adobe Flash Player exploit CVE-2018-4878, the use-after-free Adobe Flash Player vulnerability CVE-2015-5119, and the Internet Explorer memory corruption vulnerability CVE-2016-0189. Patches for all of these vulnerabilities were made available in February 2018, July 2015, and May 2016 respectively.

The best defense against exploit kit attacks is swift patching. All systems and applications should be kept 100% up to date, with virtual patching deployed on legacy systems and networks. Since there will always be a delay between the identification of a vulnerability and a patch being shared, patching alone may not be sufficient to prevent all attacks, although EK developers tend to use old flaws rather than zero days.

Along with prompt patching, cybersecurity solutions should be deployed to further reduce risk, such as a web filtering solution (WebTitan) to block users from visiting malicious websites and redirects through malvertising. In this instance, one of the main ways that users are directed to the exploit kit is through adult-themed malvertising on legitimate adult websites. Using the web filter to block access to adult sites will reduce exposure.

Cybersecurity solutions should also be deployed to scan for malware installations and monitor for unusual activity, and standard cybersecurity best practices should also be followed: the principle of least privilege and the removal of unused or unnecessary applications, plugins, and browser extensions.

The fact that a new exploit kit has been developed, and that it was recently updated with a new exploit, shows that the threat of web-based attacks has not disappeared. EK activity may be at a fraction of the level of 2016, but businesses should not assume that attacks will not take place and should implement appropriate defenses to address the threat.

Python-Based PyLocky Ransomware Shared in Spam Email Attacks in Europe

A new Python-based form of ransomware has been discovered that disguises itself as Locky, one of the most widespread ransomware variants of 2016. The new ransomware variant has been named PyLocky ransomware by security experts at Trend Micro, who have seen it being used in attacks in Europe, particularly France, throughout July and August.

The spam email campaigns were, at first, sent in relatively small batches, although over time the volume of emails sharing PyLocky ransomware has increased significantly.

Various social engineering tactics are being used by the hackers to get the ransomware downloaded, including fake invoices. The emails intercepted by Trend Micro have included an embedded hyperlink which sends users to a malicious webpage where a zip file is downloaded. The zip file contains PyLocky ransomware, which has been packaged using the PyInstaller tool, which allows Python applications to be converted to standalone executable files.

If run, PyLocky ransomware will encrypt around 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files saved on all logical drives are encrypted and the original copies overwritten. A ransom note is then placed on the desktop; the note has been copied from the one used by the threat actors behind Locky, although the two cryptoransomware threats are not linked. Ransom notes are written in French, English, Korean, and Italian, so it is likely that the attacks will become more widespread over the coming weeks.

While Python is not usually used to create ransomware, PyLocky is not the only Python-based ransomware variant to have been developed. Pyl33t was used in many attacks in 2017, and CryPy emerged in 2016. What makes the most recent ransomware variant stand out is its anti-machine learning capabilities, which hamper analysis using standard static analysis methods.

The ransomware uses Windows Management Instrumentation (WMI) to determine the properties of the system on which it is running. If the total visible memory of the system is 4GB or greater, the ransomware executes immediately. If it is lower than 4GB, the ransomware sleeps for 11.5 days – an attempt to determine whether it is running in a sandbox environment.

Stopping attacks requires a variety of cybersecurity measures. An advanced spam filtering solution like SpamTitan will help to stop the spam emails from reaching end users' inboxes. A web filter, such as WebTitan, can be set up to control the websites that can be accessed by end users and block malicious file downloads. Security awareness training will help to make sure that end users recognize the threat for what it is. Advanced malware detection tools are required to spot the threat because of its anti-machine learning capabilities.


DNS Filtering Explained

If you browse the web you will be faced with a wide variety of threats, some of which could lead to your bank account being emptied, while others could result in sensitive information being exposed and your accounts being infiltrated. Then there is ransomware, which could be used to stop you from accessing your data (unless you have backups or pay the ransom).

More malicious websites are now being set up than legitimate sites, so how can you remain safe online? One solution used by companies and ISPs is the use of a web filter. A web filter can be set up to restrict access to certain specific categories of Internet content and block most malicious websites.

While it is possible for companies or ISPs to purchase appliances that sit between end users and the Internet, DNS filters allow Internet content to be filtered without having to purchase any hardware or install any software. So how does DNS filtering operate?

How Does DNS Filtering Operate?

DNS filtering – or Domain Name System filtering, to give it its proper title – is a method of blocking access to specific websites, webpages, or IP addresses. DNS is what allows easy-to-remember domain names – like Wikipedia.com – to be used rather than hard-to-remember IP addresses – like 198.35.26.96. DNS maps domain names to IP addresses.

When a domain is bought from a domain registrar and that domain is hosted, it is given a unique IP address that allows the site to be located. When you try to access a website, a DNS query is performed. Your DNS server looks up the IP address of the domain/webpage, which allows a connection to be established between the browser and the server where the website is hosted. The webpage is then loaded.

With DNS filtering in place, rather than the DNS server simply returning the IP address of an active website, the request is first subjected to certain controls. If a particular webpage or IP address is known to be malicious, the request to access the site is denied. Instead of connecting to the website, the user is sent to a local IP address that displays a block page stating that the site cannot be accessed.

This control could be implemented at the router level, via your ISP, or via a third party – a web filtering service provider. In the latter case, the user – a business, for example – would point their DNS to the service provider. That service provider maintains a blacklist of malicious webpages/IP addresses, and if a requested site is on that list, access to it is prevented.

Since the service provider also categorizes webpages, the DNS filter can also be used to prevent access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites, for instance. Once a business creates an acceptable usage policy (AUP) and sets that policy with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there will be next to no delay in accessing safe websites that do not breach an organization's acceptable Internet usage policies.

Sadly, no DNS filtering solution will block all malicious websites, as in order to do so, a web page must first be labelled as malicious. If a hacker sets up a brand-new phishing webpage, there will be a delay between the page being set up and it being reviewed and added to a blocklist. However, a DNS web filter will block the majority of malicious websites.

Can DNS Filtering Be Bypassed?

The quick answer is yes. Proxy servers and anonymizer sites could be used to hide traffic and bypass the DNS filter unless the chosen solution also prevents access to these anonymizer sites. An end user could also manually change their local DNS settings unless those settings have been locked down. Determined users may be able to find a way to bypass DNS filtering, but for most end users, a DNS filter will block any attempt to access forbidden or harmful website content.
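The resolution flow described in the two sections above, as an added example that is not part of the original article or of any TitanHQ product: a minimal DNS filtering decision engine that returns a block-page address for listed or policy-blocked domains, including the anonymizer-category check that closes the proxy bypass route. The upstream answers, malicious list and category map are constructed stand-ins (a real filter forwards queries to an upstream resolver), and 192.0.2.10 is a placeholder block-page address from the TEST-NET-1 range.

```python
"""Minimal DNS filtering decision engine. Added example; all data below is constructed."""
from dataclasses import dataclass, field

BLOCK_PAGE_IP = "192.0.2.10"   # placeholder: local address serving the "site blocked" page

# Constructed stand-in for upstream DNS answers.
UPSTREAM = {
    "wikipedia.com": "198.35.26.96",          # the article's own example
    "cdn.games.example": "203.0.113.8",
    "proxy.anonymizer.example": "203.0.113.9",
    "www.login-bank-verify.example": "203.0.113.7",
}
# Provider-maintained threat list and category database (constructed).
MALICIOUS = {"login-bank-verify.example"}
CATEGORIES = {"games.example": "gaming", "anonymizer.example": "anonymizer"}

@dataclass
class Policy:
    """An organization's acceptable usage policy as applied by the filter."""
    blocked_categories: set = field(default_factory=set)
    block_anonymizers: bool = True

def _parents(name):
    """Yield the name and each parent domain, so a listing of example.test also
    covers www.example.test."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def categorize(name):
    for candidate in _parents(name):
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return None

def resolve(name, policy):
    """Return (answer_ip, verdict). Blocked queries get the block-page address instead
    of the real one; verdict is 'allowed', 'nxdomain' or the block reason."""
    if any(candidate in MALICIOUS for candidate in _parents(name)):
        return BLOCK_PAGE_IP, "malicious"
    category = categorize(name)
    if category == "anonymizer" and policy.block_anonymizers:
        return BLOCK_PAGE_IP, "anonymizer"   # closes the proxy/anonymizer bypass route
    if category in policy.blocked_categories:
        return BLOCK_PAGE_IP, f"category:{category}"
    ip = UPSTREAM.get(name.lower().rstrip("."))
    return (ip, "allowed") if ip else (None, "nxdomain")

if __name__ == "__main__":
    office = Policy(blocked_categories={"gaming", "gambling"})
    for q in ("wikipedia.com", "www.login-bank-verify.example",
              "cdn.games.example", "proxy.anonymizer.example"):
        print(q, "->", resolve(q, office))
```

The other bypass the article mentions, a user changing their local DNS settings, is outside this engine's reach and is handled by locking client DNS configuration or restricting outbound DNS to the filtering resolver.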

No single cybersecurity solution will prevent access to 100% of malicious websites or all NSFW websites, but DNS filtering should certainly be an element of your cybersecurity defences as it will allow the majority of malicious sites and malware to be blocked.

If you have yet to put in place a web filtering solution, are unhappy with your current supplier, or you have questions about web filtering in the workplace, get in touch with the TitanHQ team today and ask about WebTitan Cloud.

Business Web Filtering

Email spam is the most commonly seen attack method used to deliver malware, and while the threat from exploit kits is nowhere near the level seen in 2015 and 2016, they still pose a problem for companies. Exploit kits are web-based applications installed on websites controlled by hackers – either their own sites or sites that have been hijacked.

Exploit kits contain code that exploits flaws in web browsers, plugins and browser extensions. When a user with a vulnerable browser clicks on a malicious URL containing an exploit kit, the vulnerability is exploited and malware is installed.

With browsers becoming more secure, and Flash becoming a thing of the past, it has become much harder to infect computers with malware via exploit kits and many threat actors have switched to other methods of attack. However, some exploit kits remain live and still pose a real danger.

The exploit kits presently in use – RIG for instance – include multiple exploits for known flaws. Most of the flaws are old and patches have been available for months or years, although zero-day vulnerabilities are occasionally included. Exploit kits are also updated with recently released proof-of-concept code. Exploit code for two recently discovered flaws, one in Internet Explorer (CVE-2018-8174) and one in Adobe Flash (CVE-2018-4878), has been added to EKs.

Keeping browsers and plugins up to date and using a top antivirus solution will provide a good level of protection, although companies can further enhance security by using a web filter. Web filtering for companies ensures that any attempt to access a website known to host an exploit kit will be blocked.

Phishing is one of the largest threats faced by companies. Phishing is a method of obtaining sensitive data by deception, such as impersonating a company in an attempt to obtain login credentials or to trick employees into making wire transfers to bank accounts controlled by hackers.

A spam filter can stop most malicious messages from reaching inboxes, although some phishing emails will make it past the perimeter defenses, especially emails containing links to malicious websites. A web filter provides an extra tier of protection against phishing by preventing users from visiting malicious websites linked in emails and social media posts. When an attempt is made to visit a known malicious website, access is blocked and the user is sent to a block screen.

A web filter can also be used to ensure safe search on search engines such as Google, Yahoo, and Bing. This will help to stop inappropriate website content from being accessed through search and image search results.

Workers can waste an extraordinary amount of time on the Internet. Permitting unfettered access to all website content can result in a serious reduction in productivity. If every worker wastes an hour a day on the Internet instead of working, a company with 100 employees would lose 100 hours a day, 500 hours a week, and 26,000 hours a year. A considerable loss.

A web filter can be used to restrict access to websites such as gambling, gaming, and social media sites – all major drains on productivity. Web filters can also be used to review Internet activity. When workers are told that the company monitors Internet use, employees will be less likely to spend time surfing the Internet rather than working.

Web filters can also be used to restrict not-suitable-for-work (NSFW) content such as pornography and will reduce company liability by blocking illegal online activities at work, such as the downloading of copyright-protected content via P2P file sharing sites. Web filters can also restrict bandwidth-hogging activities such as the streaming of audio and video.

DNS-based web filtering for businesses is simple with WebTitan Cloud. WebTitan Cloud will help enhance security posture, reduce company liability, and improve the productivity of the workforce. Being 100% cloud-based, the solution requires no hardware purchases, no software installations, and can be implemented in a few minutes.

The solution filters websites into 53 pre-defined categories, making it easy for companies to restrict specific types of content. More than half a billion URLs are categorized in the database and combined with cloud-based lookup, it is possible to ensure highly accurate content filtering without overblocking important content. The solution can review all web traffic, including encrypted sites.

The solution allows policies to be set for the entire workforce, for groups, or for individuals, and protects workers both on and off the network. When workers use multiple devices, the content filtering controls can be applied across the board and will work whether the user is on-site or roaming.

Administrators have their roles made easier with a comprehensive reporting suite, with 55 preconfigured reports and scope for customization, with report scheduling options and the power to view browsing in real-time.

If you want to enhance your security posture, save bandwidth, reduce legal liability, block NSFW content, and strengthen productivity, give TitanHQ a call today and find out more about how WebTitan Cloud can benefit your company.

Datto’s Network Security Solutions adds WebTitan

TitanHQ has announced that, as part of its partnership with networking and security solution supplier Datto, WebTitan Cloud and WebTitan Cloud for Wi-Fi have been included in the Datto networking range and are available to MSPs as of now.

Datto is the leading supplier of enterprise-level technology to small to medium sized businesses through its MSP partners. Datto provides data backup and disaster recovery solutions, cloud-to-cloud data protection tools, managed networking services, professional services automation, and remote monitoring and management utilities.

This means that MSP partners can now provide their clients with another layer of security to safeguard them from malware and ransomware downloads and phishing campaigns.

WebTitan is a completely cloud-based DNS web filtering tool developed with MSPs in mind. In addition to allowing businesses to carefully manage the types of websites their employees can access through corporate wired and wireless networks, the solution provides high-level protection against phishing attacks and web-based threats.

With phishing now the main threat faced by SMBs and a rise in ransomware attacks, businesses are asking their MSPs to provide security solutions to counter the threat. Companies that put in place the solution are given real-time protection against malicious URLs and IPs, and employees are stopped from accessing malicious websites through general web browsing and via malicious URLs included in phishing emails.

TitanHQ CEO Ronan Kavanagh said: “We are delighted that Datto has chosen TitanHQ as a partner in web security. By integrating TitanHQ’s secure content and web filtering service, we are well positioned to offer Datto MSPs a best of breed solution for their small to mid-size customers.” “We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed,” said John Tippett, VP, Datto Networking. “With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership.”

MSPs will be able to see WebTitan in action at the TitanHQ-sponsored DattoCon 2018 conference in Austin, TX – the largest MSP event in the United States. TitanHQ’s full team will be present.

Gmail and Office 365 Cloud Email Accounts Encrypt in Ransomcloud Attack

A new sort of ransomware attack could be on the horizon. The attack method, called ransomcloud, was developed by a white hat hacker to show just how easy it is to launch an attack that leads to cloud-based emails being encrypted.

A successful attack will see the hacker obtain full control of a cloud-based email account, allowing them to deploy a ransomware payload that encrypts all emails in the account. This method could also be used to obtain complete control of the account to use for spamming and other malicious purposes.

The attack works on any cloud-based email account that allows third-party applications to access the account via OAuth, which includes Gmail and Office 365 accounts.

The ransomcloud attack begins with a phishing email. In this example, the message appears to have been sent by Microsoft, offering the user the chance to sign up for a new email spam filtering service called AntiSpamPro. The email includes the Microsoft logo and appears to advertise a new Microsoft service that provides the user with better spam protection.

In order to use this service, the user is required to click a hyperlink in the email to give permission for the new service to be installed. Visiting the link will result in a popup window appearing that requires the user to authorize the app to access their email account.

Such a request seems perfectly reasonable, as an app that offers protection against spam would naturally require access to the email account: emails would have to be read in order for the app to determine whether messages are genuine or spam. Clicking ‘accept’, however, gives the hacker full control of the email account via an OAuth token. Once access is given, the user loses control of their email account.

In this scenario, ransomware is downloaded which encrypts the body text of all emails in the account. An email then lands in the inbox containing the ransom note. The user must pay a ransom to regain access to their emails.

Along with this, the hacker could claim the email account as their own and lock the user out, send phishing emails to all the user’s contacts, access sensitive data in emails, and use the information in those emails to learn about the individual for use in future attacks, such as spear phishing campaigns to gain access to their computer.

The ransomcloud attack method is very easy to pull off and could be adopted by cybercriminals as a new way of stealing money and gaining access to sensitive data.
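The consent prompt is the point at which this attack can be stopped: a spam filter only needs to read mail, yet the lure asks for rights to rewrite and send it. The following consent check is an added example, not code from the original article or from the ransomcloud demonstration; the scope strings are the published Gmail API and Microsoft Graph permission names, while the app records and the approved-publisher list are constructed assumptions.

```python
"""Consent check for third-party mail apps. Added example; app records and the
approved-publisher list are constructed assumptions."""

# Scopes that let an app read, rewrite or send mail: exactly the capabilities the
# attack described above needs to encrypt message bodies and mail the ransom note.
FULL_MAILBOX_SCOPES = {
    "https://mail.google.com/",                         # Gmail: full mailbox access
    "https://www.googleapis.com/auth/gmail.modify",     # Gmail: read and modify
    "Mail.ReadWrite",                                   # Microsoft Graph
    "Mail.ReadWrite.Shared",
}
SEND_SCOPES = {"https://www.googleapis.com/auth/gmail.send", "Mail.Send"}
READ_ONLY_SCOPES = {"https://www.googleapis.com/auth/gmail.readonly", "Mail.Read"}

APPROVED_PUBLISHERS = {"Contoso Security Ltd"}   # constructed allowlist

def assess_consent(app):
    """app: {'name', 'publisher', 'publisher_verified', 'scopes'}.
    Returns (decision, reasons) with decision 'allow', 'review' or 'deny'."""
    scopes = set(app["scopes"])
    reasons = []
    wants_write = bool(scopes & FULL_MAILBOX_SCOPES)
    wants_send = bool(scopes & SEND_SCOPES)
    unknown = scopes - FULL_MAILBOX_SCOPES - SEND_SCOPES - READ_ONLY_SCOPES
    if wants_write:
        reasons.append("requests read/write access to the whole mailbox")
    if wants_send:
        reasons.append("requests permission to send mail as the user")
    if unknown:
        reasons.append("requests scopes outside the mail set: " + ", ".join(sorted(unknown)))
    if not app.get("publisher_verified", False):
        reasons.append("publisher identity is not verified")
    trusted = app["publisher"] in APPROVED_PUBLISHERS
    if not trusted:
        reasons.append("publisher is not on the approved list")
    # Write or send rights granted to an unapproved publisher are the ransomcloud
    # precondition, so refuse outright rather than leaving the decision to the user.
    if (wants_write or wants_send) and not trusted:
        return "deny", reasons
    return ("review" if reasons else "allow"), reasons

# Constructed lookalike of the AntiSpamPro lure described in the article.
ANTISPAMPRO_LURE = {
    "name": "AntiSpamPro",
    "publisher": "AntiSpamPro Inc",
    "publisher_verified": False,
    "scopes": ["Mail.ReadWrite", "Mail.Send", "User.Read"],
}

if __name__ == "__main__":
    decision, reasons = assess_consent(ANTISPAMPRO_LURE)
    print(decision, "-", "; ".join(reasons))
```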