Office 365 Credentials Stolen Using Sneaky Tactics

Over the last few months, organizations using Office 365 have been targeted by a sneaky phishing campaign that uses a variety of tactics to trick both recipients and email security measures.

The focus of this campaign is to get recipients to unwittingly share Office 365 credentials that can be used to commit further email fraud. 

The campaign begins with phishing emails sent from addresses that appear to be authentic. This is accomplished by spoofing the display name so that the sender looks genuine. The campaign concentrates on specific groups and uses believable usernames and domains for the sender display names linked to the target; the messages also incorporate authentic logos of the targeted company and Microsoft branding.

Additionally, the messages feature believable Microsoft SharePoint lures to fool recipients into clicking an embedded hyperlink that takes them to the phishing URL. Recipients are told that a co-worker has shared a file-share request that they may have missed, along with a link that takes them to a web portal hosting a fake Microsoft Office 365 login form.

To get recipients to click on the URL, the emails say that the shared file contains information about bonuses, staff reports, or price books. The phishing emails incorporate two different URLs with malformed HTTP headers. The main phishing URL points to a Google storage resource, which in turn points to an AppSpot domain. If the user completes the sign-in process, they are brought to a Google User Content domain hosting an Office 365 phishing page. The second URL is embedded in the notification settings and brings users to a compromised SharePoint site, which again requires the user to sign in before reaching the final page.

To trick email security solutions, the messages employ extensive obfuscation and encryption for file types often associated with malicious messages, such as JavaScript, along with multi-layer obfuscation in HTML. The threat actors have used old and unusual encoding tricks, including Morse code, to mask segments of the HTML deployed in the attack. Many of the code segments used in the attacks are hosted in open directories and are called by encoded scripts. Microsoft cybersecurity specialists found and tracked the campaign and compared it to a jigsaw puzzle, where all the pieces look harmless on their own and only become dangerous when they are correctly pieced together.
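To show what the Morse-code layer looks like from the analyst's side, the following added example (not code from the original article, Microsoft or TitanHQ) scans an HTML/JavaScript blob for string literals made only of dots and dashes, decodes them with the standard ITU Morse table, and reports a confidence score. The sample page is constructed here; it assumes the script uses the standard alphabet, so a campaign with its own mapping would need the table swapped for the one recovered from its decoding routine.

```python
import re

# Standard ITU Morse table (assumption: the analysed script uses the standard alphabet;
# a campaign may use its own mapping, in which case replace this table with the one
# recovered from the script's decoding function).
MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9", ".-.-.-": ".", "--..--": ",", "-..-.": "/",
    "---...": ":", "..--.-": "_", "-....-": "-", ".--.-.": "@",
}

# A quoted string literal made only of dots, dashes, whitespace and '/' word separators.
STRING_LITERAL = re.compile(r"""(["'])([.\-\s/]{8,})\1""")


def decode_morse(seq: str, table: dict = MORSE_TO_CHAR) -> str:
    """Decode a Morse sequence: letters are space-separated, words by '/' or a double space."""
    words = re.split(r"\s*/\s*|\s{2,}", seq.strip())
    decoded_words = []
    for word in words:
        decoded_words.append("".join(table.get(tok, "?") for tok in word.split()))
    return " ".join(decoded_words)


def find_morse_segments(html: str, min_tokens: int = 4) -> list:
    """Return every Morse-looking string literal in an HTML/JS blob with its decoding."""
    findings = []
    for m in STRING_LITERAL.finditer(html):
        seq = m.group(2)
        tokens = re.findall(r"[.\-]+", seq)
        if len(tokens) < min_tokens:      # skip short runs such as "........" or "---"
            continue
        decoded = decode_morse(seq)
        letters = decoded.replace(" ", "")
        # share of tokens that mapped to a known symbol; low values suggest a custom table
        confidence = 1 - letters.count("?") / max(1, len(letters))
        findings.append({"offset": m.start(), "raw": seq,
                         "decoded": decoded, "confidence": round(confidence, 2)})
    return findings


# Constructed sample page: strings are hidden as Morse and decoded by the script at runtime.
SAMPLE_HTML = """<html><body>
<script>
var p = "... .... .- .-. . .--. --- .. -. -";
var u = ".-.. --- --. .. -. / .--. .- --. .";
var x = "........";
</script>
</body></html>"""

if __name__ == "__main__":
    for f in find_morse_segments(SAMPLE_HTML):
        print(f"offset {f['offset']}: {f['raw']!r} -> {f['decoded']!r} (confidence {f['confidence']})")
```

Run against a saved attachment or page source, the decoded strings give an analyst the plain-text pieces (file names, lure text, element names) that the obfuscation was meant to hide, which is usually enough to write a detection signature for the template.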

This campaign is very dangerous, with the threat actor having gone to great trouble to mask their true intentions in order to get end users to hand over their credentials. 

If you are concerned about your cybersecurity measures and want to tackle attacks like this, contact the TitanHQ team now to find out more about security solutions that can be easily put in place to prevent phishing and other email threats and enhance your security suite.



MSP Cybersecurity Selling Tactics

While a lot of companies are unable to invest a large amount of money in cybersecurity solutions, many do opt to avail of the services provided by Managed Service Providers (MSPs).

Due to this it is important for MSPs to make smaller companies aware of the crucial service that they can provide for them. The lack of a good cybersecurity service can lead to data breaches and, in some cases, regulatory fines and legal issues. 

It is no surprise that cash-strapped small businesses have not invested thousands of dollars in cybersecurity measures, so it is the role of their MSP to make them aware of the importance of having an adequate cybersecurity structure in place to prevent hacking attacks. The onus is on the MSP to ensure that their clients are fully aware of the level of risk they are facing. As the needs of all businesses differ, each faces a different level of threat. An audit of the risk the client is facing will give them the knowledge to make a smart decision about investment in cybersecurity. This is much more useful for a small company, as they will not find themselves investing in a package with many features that are of no use to them.

Small companies will appreciate the level of risk that they are facing, rather than being bewildered with the technical aspects of each solution that they are being provided with. While this technical information should certainly be provided, it is not going to be the thing that pushes most small companies into making an investment decision. 

Monitoring is equally important for the prevention of cybersecurity attacks. Once installed, cybersecurity solutions must be maintained. This means it is important for MSPs to see to it that there is an adequate amount of staff working to spot all potential cyberattacks and work swiftly to mitigate them. In order for the client to know what they are investing in they need to be made aware of the difference between IT and cybersecurity support. A lot of clients will think that these two solutions are the same thing when this is really not the case. 

It is important for MSPs to be able to educate and add value for the stakeholders at their client companies so that the value of the investment is appreciated and trust builds up. This is one area where MSP clients can be assisted by TitanHQ.

Through the provision of competitively priced, robust and proven cybersecurity solutions that address the typical hacking attack vectors, in addition to a solution for backing up and archiving business-critical data, TitanHQ enhances security measures everywhere.

If you would like additional details about the cybersecurity solutions for MSPs provided by TitanHQ, contact them now to find out more about TitanHQ email security, DNS filtering, and email archiving, and the TitanShield Partner Program.

Once up and running with the TitanShield Program, MSPs will gain strong tools, marketing assistance, and training support to help them sell cybersecurity solutions to their clients.


Some Credit Unions Still Lacking Strong Email Security

It is well known that financial institutions are an ideal target for cybercriminals. Despite this, credit unions still lag behind when it comes to configuring adequate cybersecurity for their email systems. This shortcoming leaves these bodies wide open to hackers who aim to gain access to banking systems and financial data.

With a strong email security system in place, internal employees and the financial institution’s customers are safeguarded from possible infiltration. It can prevent a phishing email from tricking an account holder into believing that they have received a genuine email from the credit union. A spoofed message is designed so that only a closer look will reveal that it is not genuine. Skilled cybercriminals use email servers that don’t have any spam flags in place so that they can bypass basic security measures and land in a prospective victim’s inbox. Additionally, there is a chance that the account holders use an email provider with poor spam detection, which means that the malicious message will not be quarantined.

However, if the account holder has good email filters, the malicious message will be marked as spam. As this is not typically the case, cybercriminals know that their phishing messages will reach a good number of the intended recipients, potentially earning them thousands of dollars.

Credit unions require a minimum of Domain-based Message Authentication, Reporting & Conformance (DMARC) in order to tackle phishing messages. In order for this to be as successful as possible, both the recipient email system and the domain owner (the credit union) must configure DMARC.

There are two parts to a DMARC system: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). SPF is a list of the IP addresses that are permitted to send email for the domain. The SPF entry is published as a DNS record on the domain owner’s name server, and from there it is used to prevent email spoofing. When an email message is sent from an unauthorized IP address, it is marked with a “failed” DMARC status and is not delivered to the intended recipient. There is, however, an onus on the recipient’s email service to check the status and quarantine or delete the incoming message.

DKIM is a signature system that makes sure that cybercriminals have not altered a message. A cryptographic signature covering the message headers and body is added to the message, and the sending domain’s public key is published as a DNS entry at the domain. The recipient’s mail server can then verify the message by recomputing the hash of the received headers and body and checking it against the signature using that public key. The values will only match if no content within the message has been changed.
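The following added example (written for this article, not TitanHQ code or any DMARC library) works through the SPF and DKIM paragraphs above: it evaluates a sending IP against an SPF record, parses a DMARC record, checks whether the SPF and DKIM domains align with the From: domain under relaxed or strict mode, and returns the disposition the receiving server should apply. The domains and DNS records are constructed; `check_spf` handles only `ip4`/`ip6`/`all` mechanisms, and `org_domain` uses a last-two-labels simplification where real validators consult the Public Suffix List.

```python
import ipaddress

# Constructed DNS zone data standing in for real TXT lookups (hypothetical domains).
DNS_TXT = {
    "example-cu.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example-cu.test": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-cu.test",
    "_dmarc.lax.test": "v=DMARC1; p=none",   # monitoring only: failing mail is still delivered
}


def check_spf(sending_ip: str, spf_record: str) -> str:
    """Minimal SPF check: handles ip4/ip6 and 'all' only (no include/a/mx/redirect)."""
    ip = ipaddress.ip_address(sending_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False):
                return results[qualifier]
        elif mech == "all":
            return results[qualifier]
    return "neutral"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; ...' into a dict and apply the defaults the spec implies."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + record)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the domain policy
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real validators consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def lookup_policy(from_domain: str, dns: dict):
    """Return (tags, effective policy) for the From: domain, falling back to the org domain's sp."""
    exact = dns.get("_dmarc." + from_domain.lower())
    if exact:
        tags = parse_dmarc(exact)
        return tags, tags["p"]
    org = org_domain(from_domain)
    if org != from_domain.lower() and ("_dmarc." + org) in dns:
        tags = parse_dmarc(dns["_dmarc." + org])
        return tags, tags["sp"]
    return None


def evaluate_dmarc(from_domain: str, spf: tuple, dkim: tuple, dns: dict = DNS_TXT) -> dict:
    """spf and dkim are (result, authenticated domain) pairs: the MAIL FROM domain for SPF,
    the d= tag for DKIM. DMARC passes when either check passes AND its domain aligns."""
    found = lookup_policy(from_domain, dns)
    if found is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record published"}
    tags, effective_policy = found
    spf_ok = spf[0] == "pass" and is_aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = dkim[0] == "pass" and is_aligned(dkim[1], from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": "none" if passed else effective_policy}


if __name__ == "__main__":
    # Legitimate mail from the credit union's relay, then a spoof from attacker infrastructure.
    legit = check_spf("203.0.113.10", DNS_TXT["example-cu.test"])
    print(evaluate_dmarc("example-cu.test", (legit, "example-cu.test"), ("pass", "example-cu.test")))
    spoof = check_spf("198.51.100.7", DNS_TXT["example-cu.test"])
    print(evaluate_dmarc("example-cu.test", (spoof, "example-cu.test"), ("fail", "example-cu.test")))
    print(evaluate_dmarc("lax.test", ("fail", "lax.test"), ("fail", "lax.test")))
```

The two DMARC records show the difference that matters for a credit union: with `p=reject` a spoofed message that fails both checks is rejected by any receiver that honours DMARC, while with `p=none` the same failing message is still delivered and only reported. The alignment step is what stops an attacker from passing SPF with their own envelope domain while putting the credit union in the visible From: header.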

It is often, incorrectly, believed that small businesses are not a valued target of phishers. However, credit unions are small financial institutions that make perfect targets as they are known for not having a strong cybersecurity suite in place. DMARC rules will address the threat posed to these bodies.

Phishing can be conducted at a low cost by hackers, so it is crucial for organizations to focus their efforts on fighting it. Using DMARC will safeguard internal staff members and account holders who are being sent emails.



Case Study: Home Depot Data Breach Cost $179 Million

When pondering how much to spend on cybersecurity defenses, be sure to consider the cost of a retail data breach. Ill-advised security practices and a lack of proper cybersecurity defenses can cost a company dearly. That was certainly the case for Home Depot.

A data breach of the scale of that which impacted Home Depot in 2014 can cost hundreds of millions of dollars to address. The Home Depot data breach was huge. It was the largest retail data breach involving a point of sale system ever to be reported. Malware had been downloaded that allowed cyber criminals to obtain over 50 million credit card numbers from Home Depot customers and around 53 million email addresses.

The Home Depot cyberattack was conducted using credentials that had been stolen from one of the retailer’s vendors. Those credentials were used to gain access to the network; the attackers then elevated privileges and moved laterally undetected until they found what they were looking for: the POS system. Malware was downloaded that recorded credit card details as payments were made, and the information was silently exfiltrated to the attackers’ servers. The malware infection went unnoticed for five months, between April 2014 and September 2014.


Last year, Home Depot agreed to pay out $19.5 million in damages to customers that had been impacted by the breach. The payout included the costs of providing credit monitoring services to those affected by the breach. Home Depot has also paid out a minimum of $134.5 million to credit card companies and banks. The latest settlement amount will permit banks and credit card companies to submit claims for $2 per compromised credit card without having to show proof of losses suffered. If banks can show losses, they will have up to 60% of their losses compensated.

The total cost of the retail data breach is approximately $179 million, although that figure does not incorporate all legal fees that Home Depot must pay, and neither does it include undisclosed settlements. The final cost of the retail data breach will be much bigger and is likely to pass the $200 million mark.

Then there is the reputation damage suffered as a result of the data breach. Following any data breach, customers often take their business elsewhere and many consumers that were affected by the Home Depot breach said they would not shop there again. A number of studies have been carried out on the fallout from a data breach, with one HiTrust study suggesting companies may lose up to 51% of their customers following a breach of sensitive data.


MSP Cybersecurity Selling Tips

Managed Service Providers (MSPs) are often used by smaller organizations that do not have their own IT department to meet their technology and cybersecurity requirements.

The challenge in this scenario is that MSPs need to be able to convey to small companies, which are trying to make their budgets stretch as far as possible, the importance of investing in the strongest possible cybersecurity measures.

It is crucial that small businesses are fully aware of the dangers that they are facing unless they introduce a strong cybersecurity suite. Any data breach could lead to regulatory fines and costly litigation. There are a number of different ways that MSPs can get this message across to their clients and we have detailed them below. 

Focus on Enhancing Cybersecurity

There is a good business opportunity for MSPs to increase their revenue by selling cybersecurity services to small companies that currently have no structure in place. The easiest way to do this is to show clients the risks they are taking by not having strong cybersecurity measures implemented. As all companies have different needs, it is up to the MSP to identify where the company’s cybersecurity need lies and concentrate on it.

This is easier following an audit of the company’s current cybersecurity strategy, or lack thereof. Companies will appreciate a bespoke level of cybersecurity measure, matched to their specific needs, rather than being sold a package that includes a range of measures that they have no need for. Providing the company with the audit will assist in the sales process also as these companies may not have the resources to complete this themselves.

With the audit a step-by-step process for addressing each vulnerability can be included to allow the company to see how their worries will be alleviated. As configuring and investing in cybersecurity solutions is a massive step for small companies with a limited budget it is crucial that the decision makers for potential clients are able to quantify the benefits that they are gaining from any possible investment. 

Importance of Cybersecurity Support Being Provided by an MSP

In order to be effective, cybersecurity solutions have to be properly set up and managed. MSPs must do their utmost to ensure that clients also invest in cybersecurity support so that the product they are selling is set up correctly.

By conveying to the client the importance of this aspect, and the difference between IT support and cybersecurity support, clients will be more likely to invest in this service. After communicating with the client there should be no confusion between the two, and the need for the latter should be obvious to the purchaser. Doing this successfully will make the business relationship easier going forward, as there will be fewer issues and a stronger level of service provided.


TitanHQ can be an excellent solution for MSP clients to avail of as it is competitively priced, strong and configured to tackle the most common attack vectors, along with a solution for backing up and archiving business critical data.

Contact TitanHQ now to find out more about TitanHQ email security, DNS filtering, and email archiving for MSPs, and the TitanShield Partner Program. MSPs that are members of the TitanShield Program will be given in-depth and strong tools, marketing advice, and training support.


Should You Block File Sharing Websites in the Workplace to Stop Malware Infecting Your Network?

There are valid reasons why you should block file sharing websites in the workplace. These websites are mainly used to share pirated software, music, films, and TV shows. It is improbable that a copyright owner would take action against an employer for failing to stop the illegal sharing of copyrighted material, but it is an unnecessary legal danger, and there is currently a crackdown on illegal file sharing.

The main risk from using these websites comes in the form of malware. There is limited data on malware downloads from pirated software, although data from a 2013 study highlights how common it is. In the study, conducted by IDC on 533 websites and peer-to-peer file sharing networks, downloading pirated software led to spyware and tracking cookies being installed on users’ computers 78% of the time. More concerning is the fact that Trojans were downloaded with pirated software 36% of the time.

A survey of IT managers and CIOs at the time showed that malware was downloaded with the software 15% of the time. IDC found that overall there was a 33.3% chance of infecting a machine with malware by using pirated software.

Even browsing torrent sites can be harmful. Malwarebytes has reported that users of the popular torrent site The Pirate Bay were shown malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site hosting the Magnitude exploit kit, which was used to install Cerber ransomware on users’ devices.

A study completed by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal reviews files against the databases of 68 different anti-virus services. The research team found that 50% of pirated files were infected with malware.

Dealing with malware from pirated software was found to take around 1.5 billion hours per year. For companies the cost can be considerable. IDC estimated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was calculated at around $350 billion.

New malware variants are often discovered in pirated software and fake software available through P2P file sharing websites. In 2021, NordLocker identified a previously unknown malware variant that was being distributed in pirated video games and software such as Adobe Photoshop. The malware was not detected for 2 years, during which time it had infected more than 3.2 million computers.

Businesses can monitor devices and check for unauthorized software downloads on individual devices; however, by the time a software installation has been identified, malware is likely to already have been downloaded. A recent report by Verizon indicates that on average, hackers are able to extract data within 28 minutes of obtaining access to a system.

One of the simplest ways to manage risk is to block file sharing websites including P2P and torrent sites. A web filter can be easily set up to block file sharing websites and stop them from being accessed. Many web filters can also be set up to block specific file types from being installed, including keygens and other executables.

If organizations block file sharing websites in the workplace, they ensure that copyright-violating activities are stopped, the risk of malware downloads is effectively mitigated, and users are prevented from visiting websites hosting phishing kits.

Choosing not to block file sharing websites in the workplace could turn out to be expensive for a company. It is far better to block possibly dangerous websites and online activities than to have to cover the cost of removing malware infections and remediating data breaches.

Remote Working on Public Wi-Fi Concerns

The problems associated with working via public Wi-Fi are well known, especially now as workers globally shift to a remote working or hybrid model of office use. 

Even though a large number of companies have recognized the advantages linked to remote working and having staff members work from home, many other organizations are putting in place the hybrid working routine that permits employees to be based away from the office for part of their working week at least. 

However, there are many things to be wary of when accessing the Internet via public Wi-Fi networks, one of the most significant being that the Wi-Fi access point people log on to is not the Wi-Fi network of the individual’s employer. On previous occasions cybercriminals have created Wi-Fi networks designed to look like authentic Wi-Fi access points. This type of connection has been labelled an ‘evil twin’.

Hackers are known to set up malicious proxies, view network activity, and create user redirects to take Wi-Fi users to websites that are loaded with malware. If Bluetooth and NFC are enabled, a hacker could locate nearby devices and download information that could allow them to locate and focus on a specific individual.

There are a range of tactics that should be implemented to prevent remote workers from being tricked into sharing their details in a phishing attack, or otherwise compromising their device or their organization’s databases. The most straightforward of these is to restrict or forbid the use of public Wi-Fi networks. However, doing so may greatly impact the productivity of remote workers.

If there is no other option available, logging on to a public Wi-Fi network should only be done where encryption and strong authentication are in place to ensure a high level of security. It is also wise to make sure that a password is required to access the Wi-Fi hotspot.

It is advisable for organizations to implement a variety of different security measures such as setting up a company policy that bans the use of public Wi-Fi networks or uploading any sensitive data on websites that do not begin with ‘HTTPS’. Creating a Virtual Private Network (VPN) for employees with enough capacity to permit everyone to log on at the same time is a smart move as it extends the scope of web filters to remote workers’ devices. This will stop access to web pages known to be malicious and stop malware downloads.

Options like WebTitan are simple to configure so as to secure remote workers’ devices, and filtering controls will then be managed in the same manner as if the employee was sitting at a workstation in the corporate headquarters.

It is also important that cybersecurity best practices are followed, such as applying all patches and software updates as soon as they are available. Multi-factor authentication should be enabled and anti-malware software installed. Anti-spam services, like SpamTitan, should also be configured to stop email attacks, and firewalls should be switched on to stop unauthorized inbound and outbound connections.



2020 Witnessed Massive Surge in Healthcare Data Breaches

According to figures from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), 2020 saw record numbers of healthcare data breaches reported – more than in any other year since healthcare data breaches started to be tracked. An article published on HIPAA Journal in January, 2021 included an analysis of healthcare data breaches in 2020 with the following findings:

  • Over 29 million healthcare records were breached from January 1 to December 31, 2020
  • There was a rate of 1.76 healthcare data breaches reported per day
  • Healthcare data breaches grew by 25% year-over-year
  • During 2020, 642 healthcare data breaches of 500 or more records were discovered

In addition to this:

  • The total number of healthcare data breaches has doubled since 2014 and tripled since 2010
  • Over 3,700 breaches of 500 or more records have been reported since October 2009
  • Since 2009, more than 268 million healthcare records have been breached

How Data Breaches Occur

There are many different causes of healthcare data breaches, the most common of which are:

  • Hacking of servers and email accounts
  • Portable devices being stolen or lost
  • Unauthorized disclosures of personal healthcare information

The size of some of the data breaches is staggering. One of the largest breaches of the year was reported by the Dental Care Alliance (DCA) and was discovered on October 11, 2020. The payment card numbers of more than 1 million patients were compromised in the attack. The hackers initially obtained access to DCA systems on September 18, and access remained possible until October 13. Along with payment card data, those responsible may have taken patient names and contact information as well as medical and insurance information. Patients were notified of the attack in early December, and approximately 10% of them later reported misuse of their data.

There are many factors that have led to the huge spike in attacks over the last 12 months. Ultimately, the increase is due to cybercriminals targeting the healthcare sector to gain access to sensitive data. Patient records are extremely valuable as they can be used for multiple types of fraud. While credit card information will only garner a few dollars on its own, patient data can be sold for up to $150 per record. For healthcare providers, the cost of mitigating data breaches is considerable. The IBM Security Cost of a Data Breach Report shows that the cost of a healthcare data breach has risen by 16% and now averages $499 per record.

Healthcare organizations have a responsibility to secure patient data and prevent attackers from accessing the systems that contain it. TitanHQ can assist healthcare organizations by providing solutions that block the most common attack vectors. Get in touch with TitanHQ now to discover how our award-winning solutions can stop hackers from gaining access to patient data.

Businesses Face Massive Challenges as Phishing Attacks Surge

Since the beginning of 2020 there has been a noticeable spike in the number of ransomware attacks recorded. Less noticeable, however, is that phishing attacks are also extremely widespread nowadays.

Phishing attacks aim to steal passwords and other login credentials that will unlock access to databases and, potentially, much more valuable private data. Particularly attractive for phishers are email credentials. For instance, a healthcare worker’s email account will often hold valuable healthcare data, health insurance details, and Social Security information. This range of information can be deployed to carry out identity theft or other fraudulent activity. 

Most phishing attacks start with a phishing email sent to trick the recipient into handing over access details for a database. Many research studies have indicated that phishing is one of the main threats facing organizations. In the UK and the US, two recent surveys revealed that 75% of companies had suffered a data breach in the last year, while another study showed that more than 50% of IT managers have witnessed a surge in phishing attacks in the past year.

Employee training courses are crucial to increase awareness of the phishing threat. The current trend towards remote working has made providing this training much trickier. Refresher classes must be conducted on an ongoing basis or vulnerabilities can resurface. Phishers often change their tactics, and new trends must be made known to employees so that they know what to look out for. As phishing emails evolve and continue to look more and more realistic, the challenge of spotting these attacks only grows.

Two of the best technical approaches to combating phishing attacks are spam filters and web filters. When used in tandem they can provide a strong forcefield to bolster cybersecurity measures and block all attempts to infiltrate your databases.

A spam filter must have specific features configured to tackle complex phishing threats. By using blacklists, emails from known malicious IP addresses will be blocked. However, IP addresses can often be changed, so machine learning approaches are required to tackle brand new phishing tactics and threats from IP addresses not yet regarded as malicious. Using multiple AV engines, malware threats can be handled, while sandboxing can be used to identify new malware strains. DMARC is also vital to counter email impersonation attacks, while outbound scanning is important for quickly discovering compromised inboxes. All of these features are used by SpamTitan, which is why the solution registers a high block rate (over 99.97%) and a low false positive rate.

Web filters are mainly used to limit access to potentially dangerous websites, whether they are sites with pornographic content or malicious sites employed for phishing and malware transmission. Web filters, especially DNS-based filters, greatly enhance security in the face of threats. They also prevent access to known malicious websites and block malware installations. WebTitan provides all of this and can easily be set up to safeguard remote workers.

With phishing attacks on the rise, it is crucial for companies to configure solutions to address this threat. For more details on SpamTitan and WebTitan, and how they can make your company safer, contact TitanHQ now.



Public Wi-Fi Issues for Remote Working

The issues caused by using public Wi-Fi are widely known and should be even more widely recognized given the global shift towards remote working. Since the beginning of the COVID-19 pandemic, a large number of companies have had little choice but to permit staff members to work from a remote location.

While a lot of companies have witnessed the benefits to remote working and having staff members work from home, many other businesses are beginning to operate with a hybrid working model that allows staff to work remotely for a portion of the week as a minimum. 

There are a range of dangers to be addressed when using the Internet on public Wi-Fi networks, one of the most serious being that the Wi-Fi access point people log on to is not really the Wi-Fi network of the company the employees work for. In many cases hackers create Wi-Fi networks that appear to be genuine Wi-Fi access points. On these connections, often referred to as evil twins, traffic is inspected and no transmitted data is safe.

Cybercriminals often create malicious proxies, monitor network traffic, and deploy user redirects to bring Wi-Fi users to malware-laden web portals. If Bluetooth and NFC are turned on, a hacker could search for nearby devices and steal information that could allow them to identify and target a specific person.

There are many different measures that should be put in place to ensure that remote workers are not tricked into sharing their details in a phishing attack, or otherwise compromising their device and, in turn, the network of their company. The simplest of these measures is to stop the use of public Wi-Fi networks, although that is not always possible for travelling workers.

If there is no other option available, a connection should only be made to a Wi-Fi hotspot with encryption and strong authentication, as security will be strongest there. Where a password is required to access the Wi-Fi hotspot, there is less chance of any transmitted data being intercepted.

Companies need to put a range of precautions in place. These can include creating a company policy that forbids the use of public Wi-Fi networks or sharing any sensitive data on websites that do not begin with HTTPS. Providing a Virtual Private Network (VPN) for staff, with adequate capacity to allow all workers to connect, is a smart move as it extends the reach of web filters to remote workers’ devices. This will prevent access to known dangerous web pages and prevent malware installations.

Solutions such as WebTitan are easy to set up in order to secure remote workers’ devices, and filtering controls will then be placed as though the user is situated in the corporate headquarters.

Standard cybersecurity best practices should also be adhered to, such as seeing to it that patches and software updates are applied quickly. Multi-factor authentication should be turned on and anti-malware software configured. Anti-spam services should also be used to prevent email attacks, and firewalls and DNS filtering should be turned on to prevent unauthorized inbound and outbound connections.

It is also advisable to turn off Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) on Windows laptops, to configure Web Proxy Auto-Discovery Protocol (WPAD) so that only corporate proxy servers are used, and to disable file and printer sharing on public networks.
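The laptop hardening steps above, as an added PowerShell example that is not part of the original article: it disables LLMNR and NBT-NS through the registry, pins WinHTTP to a fixed proxy instead of WPAD auto-detection, disables File and Printer Sharing rules on the Public firewall profile, and reads the settings back so the result can be verified. The proxy address is a placeholder, and the `AutoDetect` value under Internet Settings is an assumption to verify on your Windows build; run elevated on a test machine first.

```powershell
# Added example (not from the original article): audit and harden the
# Windows laptop settings recommended for use on public networks.
# The proxy host below is a placeholder, not a real corporate value.
$CorporateProxy = 'proxy.corp.example:8080'   # placeholder

function Set-RegistryDword {
    # Create the key if needed and write a DWORD value
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Disable-Llmnr {
    # Same value the "Turn off multicast name resolution" Group Policy sets
    Set-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0
}

function Disable-NetBiosNameService {
    # NetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    # Applied to every network interface so a new adapter does not re-enable it.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { Set-RegistryDword $_.PSPath 'NetbiosOptions' 2 }
}

function Set-CorporateProxyOnly {
    # Pin WinHTTP to the corporate proxy (bypassing it only for local names) and
    # turn off WPAD auto-detection for the current user.
    # Assumption: the AutoDetect DWORD under Internet Settings; verify on your build.
    netsh winhttp set proxy proxy-server="$CorporateProxy" bypass-list="<local>" | Out-Null
    Set-RegistryDword 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'AutoDetect' 0
}

function Disable-PublicFileSharing {
    # Disable every File and Printer Sharing rule that applies to the Public
    # profile (DisplayGroup name is the English-locale one).
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
        Where-Object { "$($_.Profile)" -match 'Public|Any' } |
        Disable-NetFirewallRule
}

function Get-HardeningState {
    # Read the settings back so the change can be verified or reported
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    [pscustomobject]@{
        LlmnrDisabled = ((Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                          -ErrorAction SilentlyContinue).EnableMulticast -eq 0)
        NbtnsDisabledOnAllInterfaces = -not ($ifaces |
            Where-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions -ne 2 })
        WinHttpProxy = (netsh winhttp show proxy | Out-String).Trim()
        PublicSharingRulesStillEnabled = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True |
            Where-Object { "$($_.Profile)" -match 'Public|Any' }).Count
    }
}

Disable-Llmnr
Disable-NetBiosNameService
Set-CorporateProxyOnly
Disable-PublicFileSharing
Get-HardeningState | Format-List
```

In a managed estate the same values would normally be delivered by Group Policy or an MDM profile; the script is useful for verifying that the policy actually landed on a given laptop.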


Haron & BlackMatter: Two New Ransomware-as-a-Service Operations in Action

July has witnessed the emergence of two new ransomware-as-a-service (RaaS) groups, Haron and BlackMatter. Cybersecurity experts have been closely examining the attacks that these groups are believed to be responsible for and have discovered links to some well-known RaaS operations that have recently gone quiet: Avaddon, REvil, and DarkSide.

There is still no solid proof of a connection aside from a range of similarities which suggest that either the Avaddon, REvil, and DarkSide RaaS operations have reorganized their attacks or that those who worked on these attacks have begun their own group. 

Even though advertising RaaS operations is forbidden on some cybercrime forums, the BlackMatter RaaS has been advertising for affiliates on Russian-speaking cybercrime forums, without stating outright that it is an RaaS operation. A user referred to as “BlackMatter” created an account on July 19 on both the XSS and Exploit criminal forums seeking assistance to gain access to the networks of U.S., UK, Australian, or Canadian businesses with more than $100 million in annual revenue. They also made it clear that they were not seeking access to state institutions or any targets in the healthcare sector. This was not long after REvil and Avaddon revealed that they would also cease these types of attacks following the Colonial Pipeline attack.

An escrow account, to be used to settle disputes over payments, was set up by the BlackMatter operator with a $120,000 deposit. A reward of between $3K and $100K is being offered by the group, along with a share of any ransoms earned, in exchange for access. The BlackMatter operators boast that their group uses the strongest features of DarkSide, REvil, and LockBit, all three of which are believed to have operated from inside Russia.

Similarities between BlackMatter and both REvil and DarkSide were identified by several cybersecurity groups, with Recorded Future labelling BlackMatter the heir to DarkSide and REvil, although proof remains circumstantial at this point in time. For example, BlackMatter is very similar to BlackLivesMatter, which was the label for the Windows registry key used by REvil. Mandiant reports that it has found some proof indicating at least one member of the DarkSide operation is working with BlackMatter, although that individual may just be an affiliate that has moved their partnership.

S2W Lab has found similarities between Haron ransomware and Avaddon, notably a largely copy-and-pasted ransom note, similar appearance and wording on the ransom negotiation sites, the same structure on the data leak sites, and identical sections of JavaScript code for chat. However, while the Avaddon gang created its own ransomware, Haron was created using the Thanos ransomware.

There may be nothing in the similarities, or the code was just stolen by the BlackMatter creator to save time, as there are some significant differences between the two. As has been previously stated here, no clear proof has been found to indicate that Avaddon and Haron are one and the same.

Cybersecurity experts have ongoing investigations into the new groups, but regardless of who is managing the operations, their aims look quite similar. Both are focusing on large businesses with a lot of revenue, and if the RaaS operations that have gone quiet remain out of action, there will be many affiliates looking for a new RaaS operation to join.



Attacks on Windows and Linux Systems Using LemonDuck Malware Increasing

Those managing the LemonDuck malware campaigns have increased their activity, whilst introducing new attack features, in the last few weeks.

While this strain of malware is chiefly known for the power of its botnet and its cryptocurrency mining, there have been moves to concentrate on other aspects of the operators’ hacking attempts. Even though the bot and cryptocurrency mining activities continue, the malware can now disable security measures on infiltrated devices, move laterally inside networks quickly, drop a range of tools onto infected devices, and steal credentials.

Those operating the attacks have crafted campaigns featuring emails related to recent news and events for their phishing attempts, launched via Microsoft Office attachments. There are also attempts to infect devices using new exploits and some older vulnerabilities. During 2020 this group was spreading malware through phishing emails using COVID-19 themed lures, and while phishing emails are still being used to broadcast the malware, the threat actor has also been targeting recently addressed vulnerabilities in Microsoft Exchange to gain access to systems, according to a recent security warning from Microsoft.

LemonDuck malware is slightly unusual in that, unlike most malware strains, it is deployed against both Windows and Linux systems. The malware operators prefer to have complete control of infected devices so they can erase competing malware if it is present. To make sure no other malware variants can be downloaded after a device has been accessed, the vulnerability LemonDuck exploited to gain access to the system is patched.

If the malware is downloaded on a device with Microsoft Outlook installed, a script is activated that uses saved credentials to obtain access to the mailbox and copies of itself are then sent in phishing emails to all contacts in the mailbox, using a preset message and a malware downloader as an attached file.

The malware was first discovered during May 2019, with the previous forms of LemonDuck malware deployed in attacks within China, but the malware is now being shared on a larger scale. It has now been spotted in attacks launched in the United States, United Kingdom, Russia, France, India, Germany, Korea, Canada, and Vietnam.

To date, Microsoft has discovered two different operating structures that both use LemonDuck malware, which could suggest that the malware is being used by multiple groups with different aims. The ‘LemonCat’ infrastructure was put into action in a campaign focused on Microsoft Exchange Server vulnerabilities to install backdoors, exfiltrate credentials and data, and deliver other malware variants, including Ramnit.

Preventing infiltration attempts using this malware requires a range of tactics. A robust spam filter like SpamTitan should be implemented to tackle the phishing emails used to broadcast the malware. SpamTitan also reviews outbound messages to stop malware strains with emailing capabilities from being shared with contacts. Since vulnerabilities are targeted to obtain access to networks, it is important to have a rigorous patch management policy and to apply patches quickly after they are made available. Antivirus software should be configured and set to update automatically, and a web filter is recommended to block malware installs over the Internet.

For additional details on enhancing your cybersecurity measures against LemonDuck malware and other malware attacks, call TitanHQ now.


Phishing Campaign Using ZLoader Banking Trojan Disables Office Macro Warnings

It is very common for malware to be broadcast via phishing emails that seek some level of user interaction like visiting a URL to download a Microsoft Office file. Malicious payloads are often sent using Word and Excel files via macros.

You should always be wary of macros as they can be used to infiltrate your systems with malicious code. In most cases they are not enabled and will only be allowed to run if they are manually enabled by the end user. When an Office file containing a macro is opened, an alert will pop up to state that there is a macro and that it is potentially malicious. If the macro is not manually activated by the end user, the malware cannot infect your systems.

A phishing attack has recently been discovered that follows the usual pattern for spreading malware: the first attack point is a phishing email with Office files attached that contain macros to install the malware payload, in this case ZLoader. However, a new method is used to spread the dangerous Office files by turning off the usual macro warnings and security mechanisms.

In this attack, the payload consists of malicious DLLs (the ZLoader malware), but the first phishing email does not have the malicious code attached. The phishing email carries a Microsoft Word file which, when the file is opened and macros are turned on, leads to the download of a password-protected Excel spreadsheet from the hacker’s remote server.

The attack depends on Microsoft Word Visual Basic for Applications (VBA) and the Dynamic Data Exchange (DDE) fields of Microsoft Excel, and is effective on systems that support the legacy .xls file format.

Once the encrypted Excel file is downloaded, Word VBA-based instructions in the file read the cell contents from the specially designed XLS file. Word VBA then writes the cell contents into XLS VBA to set up a new macro for the XLS file. When the macros are prepared, Excel macro defenses are turned off by the Word document by setting the policy in the registry to Disable Excel Macro Warning. The Excel VBA is then run and downloads the malicious DLL files, which are run using rundll32.exe.

While the malicious files will be silently installed and executed, this attack still needs the recipient to turn on the macros in the first Word document. Victims are fooled into doing this by a message shown when they open the Word file: “This document was created in an earlier version of Microsoft Office Word. To access or amend this document, please click the ‘Enable editing’ button on the top bar, and then click ‘Enable content’.” That one click will initiate the entire infection chain.
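The chain above leaves a trace in the per-user Office Trust Center registry values: the Excel macro warning is switched off and Word VBA must be allowed to write into an Excel VBA project. The following is an added PowerShell audit example, not code from the original article, that reads those values for each installed Office version and flags the two weakened states; the value names `VBAWarnings` and `AccessVBOM` are Microsoft's documented Trust Center settings, while the list of Office versions checked is an assumption to adjust for your estate.

```powershell
# Added example (not from the original article): audit per-user Office macro
# security settings that the described Word-to-Excel macro chain tampers with.
# VBAWarnings: 1 = enable all macros (no warning), 2 = disable with notification
#              (the default), 3 = digitally signed only, 4 = disable all silently.
# AccessVBOM:  1 = "Trust access to the VBA project object model", which is what
#              lets macro code in one document write new macros into another.
# Assumption: the Office versions listed below; adjust for your installations.
$OfficeVersions = @('14.0', '15.0', '16.0')
$Apps = @('Word', 'Excel')

function Get-OfficeMacroSecurity {
    # Returns one record per app/version for both the normal Trust Center key
    # and the Policies key (policy values take precedence when both exist).
    foreach ($ver in $OfficeVersions) {
        foreach ($app in $Apps) {
            $keys = @("HKCU:\Software\Microsoft\Office\$ver\$app\Security",
                      "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security")
            foreach ($key in $keys) {
                if (-not (Test-Path $key)) { continue }
                $p = Get-ItemProperty -Path $key
                [pscustomobject]@{
                    App         = $app
                    Version     = $ver
                    Key         = $key
                    VBAWarnings = $p.VBAWarnings   # $null when not set (default behaviour)
                    AccessVBOM  = $p.AccessVBOM    # $null when not set (access denied)
                }
            }
        }
    }
}

function Test-MacroSecurityRecord {
    # Emits one finding string for each weakened state found in a record
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        if ($Record.VBAWarnings -eq 1) {
            "$($Record.App) $($Record.Version): all macros enabled without warning ($($Record.Key))"
        }
        if ($Record.AccessVBOM -eq 1) {
            "$($Record.App) $($Record.Version): VBA project object model trusted ($($Record.Key))"
        }
    }
}

function Repair-MacroSecurity {
    # Restore the default warning behaviour and deny VBA project access through
    # the Policies key, which overrides the ordinary Trust Center value.
    param([string]$App, [string]$Version)
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    New-ItemProperty -Path $policy -Name 'VBAWarnings' -Value 2 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $policy -Name 'AccessVBOM'  -Value 0 -PropertyType DWord -Force | Out-Null
}

$findings = @(Get-OfficeMacroSecurity | Test-MacroSecurityRecord)
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No weakened macro settings found in the audited keys.'
}
# To enforce the safe values for one application, for example:
# Repair-MacroSecurity -App 'Excel' -Version '16.0'
```

In production the repair would be delivered centrally through Group Policy rather than run per machine; the audit function is still useful as a detection check for endpoints where a user has clicked through the lure.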

ZLoader is a strain of the Zeus banking Trojan, which first reared its head during 2006. The malware is also referred to as ZBot and Silent Night and is used by a range of different attack groups. The malware was deployed in large-scale attacks during 2020 using COVID-19 themed lures, such as COVID-19 prevention tips, along with more standard lures such as job applications.

Once downloaded, the malware uses webinjects to capture passwords, login details and browser cookies. 

If you wish to prevent this from impacting your business, contact the TitanHQ team now to find out more about SpamTitan Email Security and WebTitan Web Security. A 14-day free trial is available with no obligation, so you can see for yourself how easy they are to use and how effective they are at blocking malware attacks.


Education Sector Targeted by Pysa Ransomware Group

During 2020, the healthcare sector has been a constant focus of ransomware gangs, but the education sector is also dealing with a rise in attacks, with the Pysa (Mespinoza) ransomware gang now extensively targeting the education sector.

Pysa ransomware is another strain of Mespinoza ransomware that was first seen in ransomware campaigns during October 2019. The threat group responsible for the attacks, like many other ransomware gangs, uses double extortion tactics. Files are encrypted and a ransom demand is issued that must be paid to obtain the keys to decrypt files, but to improve the chances of the ransom being paid, data is stolen before file encryption. The gang threatens to sell the stolen data on the dark web if the ransom is not paid. Many targeted healthcare organizations have been forced to pay the ransom demand even when they have backups, solely to prevent the sale of their data.

Since October 2019, the Pysa ransomware gang has focused on large companies, the healthcare sector, and local government bodies, but there has been a recent rise in attacks on the education sector. Attacks have been carried out on K12 schools, higher education institutions, and colleges, with attacks being reported in 12 U.S. states and in the United Kingdom. The rise in attacks led the FBI to issue a Flash Alert in March 2020 warning the education sector about the heightened risk of Pysa ransomware attacks.

Reviews of attacks revealed that the gang carries out network reconnaissance using open-source tools like Advanced Port Scanner and Advanced IP Scanner. Tools including PowerShell Empire, Koadic, and Mimikatz are employed to obtain credentials, elevate privileges, and move laterally inside networks. The gang looks for sensitive data that can be easily monetized and exfiltrates the data before delivering the ransomware payload.

Discovering a Pysa ransomware attack in progress is tricky, so it is crucial for defenses to be hardened to prevent attackers from gaining access to networks. In attacks on French firms and government agencies, brute force tactics were used against management consoles and exposed Active Directory accounts. Some attacks have included exploitation of Remote Desktop Protocol flaws, with the gang also known to use spam and phishing emails to obtain credentials to gain a foothold in education networks.

As a range of methods are used for obtaining access, there is no single option that can be implemented to block attacks. Educational institutions need to use a combination of security solutions and cybersecurity best practices to improve their security posture and block attacks. Antivirus/antimalware solutions are vital, as is ensuring they are kept updated. Since many attacks begin with a phishing email, an advanced email security gateway is also crucial. Picking a solution such as SpamTitan that uses dual AV engines and sandboxing will increase the probability of detecting and blocking the malware that ransomware gangs use for persistent access to networks. SpamTitan also blocks phishing emails containing links to websites where credentials are harvested. SpamTitan uses machine learning methods to identify new types of email attacks.

Patches and security updates should be implemented quickly after they have been released to stop software and operating system vulnerabilities from being exploited. You should apply the principle of least privilege for accounts, limit the use of administrative accounts as far as you can, and segment networks to hamper efforts to move laterally once access has been gained. You should also be scanning your network for suspicious activity and investigating alerts to ensure infiltrations are quickly discovered. All redundant RDP ports should be closed, and a VPN used for remote access.

It is crucial for backups to be created of all critical data to ensure that file recovery can take place without paying the ransom. Multiple backups of data should be created, those backups should be tested to make sure file recovery is possible, and at least one copy should be stored on an air-gapped device.

Malware Being Shared Using Fake Windows 11 Installers

Microsoft announced, on June 24 2021, that the release of Windows 11 will be happening soon. It represents a significant upgrade of the Windows NT operating system and is the successor to Windows 10.

The last time an update of this scale was completed was when Windows 10 was released during 2015. Hence this has caused quite a stir as everyone is eager to see what will be included. The specifics of the launch date remain unknown but it will be before the end of the current calendar year. However, some users are being offered the chance to obtain a free copy before the official launch date. 

The first Insider Preview of Windows 11 was announced by Microsoft on June 28. Installing the upgrade to Windows 11 is quite easy. A small number of users are being offered a simple upgrade that only requires them to register for the Dev channel of the Windows Insider Program. Despite the obvious dangers of downloading software updates from unknown or unofficial sources, many people have been trying to locate a copy elsewhere.

It is no surprise that unofficial ISOs are claiming to provide Windows 11 even though they are in no position to do so. Their true aim is to install and share malware. Hackers have been sharing these fake Windows 11 download tools to deliver a wide variety of malicious payloads. There is a strong chance that these fake Windows 11 installers will place adware or unwanted programs on your devices; even worse, they may install malware of varying degrees of severity, such as Remote Access Trojans and backdoors that give the attackers full access to the victims’ devices, information stealers such as keyloggers that obtain passwords and other sensitive data, cryptocurrency miners, and ransomware.

Cybersecurity experts working at Kaspersky Lab have discovered many fake Windows 11 installers being shared around the world, including one seemingly genuine downloader titled 86307_windows 11 build 21996.1 x64 + activator.exe. Despite the title and 1.76GB file size, it was not what it appeared to be. If the user executed the file and agreed to the terms and conditions, the installer would drop a different executable that places a range of malicious software onto the user’s device.

As the publicity around the official Windows 11 release date ramps up, we can expect many other fake installers to be deployed. Hackers are fond of a long-awaited software release, as it’s easy to get users to double-click on executable files. Malicious adverts, websites, and emails offering free copies of Windows 11 will increase, so be careful.

It is wise to make sure that you have an advanced and effective spam filtering solution configured, such as SpamTitan. This will safeguard you in the face of malicious emails. A web filter like WebTitan will protect you from malicious file downloads and see to it that you only download software or applications from authentic sources.


Cybersecurity in Education: Five Key Components You Must Have

K-12 educational sector cybersecurity legal requirements are a constant area of concern for Information Technology managers in that sector. 

The K-12 Cybersecurity Resource Center reported that there were as many as three times the amount of cyber incidents registered during 2019 in United States school districts than during 2018.

With this in mind, and with the thought in mind that school districts need to spend more time bolstering their cybersecurity efforts we have put together a list of five key elements that should be a part of any K12 security strategy. They are: 

  1. Never Allocate Local Admin Rights: When students are assigned local admin privileges, bad things can happen quite easily. If a user installs malware or other types of malicious code, it obtains the rights and privileges of that user. Hackers aim for younger people to try and trick them into downloading games and other applications that hide malicious payloads. Once local admin rights are allocated, it is much easier for cybercriminals to spread malware and viruses.
  2. Advanced Internet Filtering: The educational sector has changed considerably and a lot of online classes are held these days. Due to this, an internet filtering solution is a must, and any school system that receives E-Rate funding is legally obliged to have a content filtering solution configured. But content filtering alone is not adequate for Internet filtering. Schools require an advanced DNS security and DNS content filtering system like WebTitan. WebTitan’s DNS security system prevents students from accessing malicious websites and internet-based malware portals. It audits and lists malicious threats in real time and strips malware and malicious code from internet traffic, thus preserving the safety of the online learning process.
  3. Removing Legacy Technology: Removing legacy technology is important because devices that are no longer supported with updates and patches, such as Windows 7 machines, can cause havoc by allowing malware variants to infiltrate the databases they are linked to.
  4. Apply Updates and Patches Quickly: A lot of the time, updates and patching are delayed so as not to impact learning time in schools. This can result in hundreds or thousands of computers with unpatched vulnerabilities and security gaps. Patches must be applied as a priority as soon as they become available. Internal IT must have some way to manage the update process using a device management system such as Group Policy or an MDM solution.
  5. Configure an Email Security System: Email will remain the primary delivery system for malware and virus attacks as long as it remains the most common messaging solution globally. An education enterprise-grade email security solution should be able to tackle spam, viruses, ransomware and embedded links to malicious web pages, and should also incorporate data leak prevention policies, as schools host a great deal of highly personal data related to the student body and staff members. SpamTitan is perfect for this as it uses double antivirus protection as well as protection from zero-day attacks.


Incorporating these five key components into a K-12 security strategy will go a long way toward ensuring that K-12 institutions remain safe in the face of cyberattacks. Get in touch with a TitanHQ Security Expert today to see how they can help protect your school’s students and teachers.


5 Crucial Elements of a Robust Education Cybersecurity Solution

Recent updates from the K-12 Cybersecurity Resource Center have revealed that the number of cyberattacks targeting US schools tripled during 2019, before the sector accounted for 61% of all malware attacks during 2020, according to Microsoft research. Now is the time for all educational bodies to enhance their cybersecurity measures. There is absolutely no doubt that school districts need to focus on cybersecurity efforts. Here we have listed five key characteristics of robust K-12 compliance security solutions.

  1. Apply Patches & Updates ASAP: Any disruption to the annual school cycle is unwelcome, even more so after the intermittent lockdowns caused by the COVID-19 pandemic. However, updates should not be postponed to try and avoid downtime. If software patches and updates are not applied as quickly as possible, then bodies are running the risk of having known vulnerabilities targeted. IT staff need to create a process to conduct the update process using a device management system such as Group Policy or an MDM solution.
  2. Removing Legacy Technology: Schools have a habit, in order to make resources stretch as far as possible, to delay removing legacy tech from their network. While it is natural for teachers and administrators to distribute as many computing devices into the hands of students as they can, it can result in devices that are no longer supported (and therefore vulnerable) creating a vulnerability on the network. These devices should be removed no matter what.
  3. A Strong Security System: An education enterprise-grade email security solution should include measures to tackle spam, viruses, ransomware and embedded links to malicious websites while also preventing data leaks from educational bodies. SpamTitan can do this as it features double antivirus email protection as well as protection from zero-day attacks.
  4. Avoid Allocating Local Admin Rights: When students are assigned local admin privileges, it creates a major vulnerability on the network in question. When a user downloads malware or other types of malicious code, it obtains the rights and privileges of that user. Children could be tempted to install software and download games without thinking. While allotting local admin rights to all standard users makes it more straightforward for internal IT to deploy machines, it also makes it easier for hackers to distribute malware and viruses.
  5. Advanced Internet Filtering: All schools that are given E-Rate funding must have some form of content filtering solution in place. As content filtering alone is no longer sufficient when it comes to Internet filtering, there is also a requirement for an advanced DNS security and DNS content filtering system such as WebTitan. The DNS security system of WebTitan prevents students from viewing malicious web pages and internet-based malware repositories. It checks for, and spots, malicious threats in real time and removes malware and malicious code from internet traffic, in doing so maintaining the safety of the online learning process.


It is crucial that all educational institutions see to it that they are kept safe from the ever-increasing threat posed by cybercriminals. Adding the above five elements to a K-12 security strategy will greatly assist in making this happen. To keep your K-12 body safe using a multi-layer security solution, contact the TitanHQ Security team now to find out how you can safeguard your group.


Fake Kaseya Update Used in MSP Cobalt Phishing Campaign

It is believed that, on July 2, the managed service provider (MSP) customers of Kaseya were impacted in a ransomware attack.

Leveraging the Kaseya Virtual System Administrator (VSA) platform, cybercriminals were able to deliver ransomware in what Kaspersky Lab believes were approximately 5,000 infection attempts in roughly 22 countries. These attacks are believed to have taken place during the first three days after the initial breach. While it is as yet unknown how many of the attempts bore fruit, Kaseya estimates that 1,500 of its direct customers and downstream businesses were impacted during the attack.

The attack took advantage of VSA platform vulnerabilities reported in April by the Dutch Institute for Vulnerability Disclosure (DIVD). Following this discovery, Kaseya released patches to address four of the seven reported vulnerabilities during April and May and was working on patches to fix the remaining three flaws. However, the REvil ransomware gang targeted a credential-leaking flaw, tracked as CVE-2021-30116, before the patch was made available.

Once the breach was spotted by Kaseya they took action and created mitigations to restrict the potential reach of the attacks. These mitigations shut down all additional attempts to infiltrate the system but Kaseya users remain in danger from Kaseya phishing attacks.

Now hackers have created Cobalt Strike phishing attacks aimed at Kaseya customers, pushing spoofed Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing and threat emulation solution. Sadly, hackers are known to use it to obtain remote access to corporate databases.

The Malwarebytes Threat intelligence team were first to discover the attacks, using emails that carried a file titled SecurityUpdates.exe. There is also a URL that claims to host a Microsoft update to address the Kaseya vulnerability targeted by the ransomware group.

Users are directed to click on the included file or browse to an update page where they can download the Kaseya VSA to keep them safe from ransomware campaigns. Unfortunately completing this action will only result in Cobalt Strike beacons being delivered and allowing the hackers access to protected databases.

This is quite an intelligent attack, as users will be expecting a security update to address the known flaw in Kaseya VSA. Due to this, Kaseya has broadcast a warning to all users advising them not to open any files or click links in emails that appear to carry updates for the Kaseya VSA. Kaseya said any email it sends in relation to this will never have hyperlinks or attachments included.

Always treat inbound emails that claim to carry security updates or related files as potential ransomware attacks. Never visit a link in an email like this or download attached files. Instead, go to the official company website to see if there are any security updates available.


Huge Rise in Crypto Phishing Campaigns

The Federal Trade Commission has recently revealed that crypto phishing scams have grown by over 1,000% since last October according to a report from CBS News.

It has been calculated that 2020 bore witness to some 400,000 cryptocurrency scams. Hackers have been focused on the new monetary currency for some time and are estimated to have stolen some $80m in the USA alone. These attacks typically involve investment scams, digital wallet thefts and phishing attacks. The FBI has stated that crypto-related BEC scams have risen significantly in the past 24 months, with businesses having around $10m stolen during 2020.

The factors behind the massive spike in these types of attack are quite varied. They include:

  • As this is a very new type of currency, most people remain unfamiliar with the intricacies of the technology. Blockchain is a neoteric frontier and the average layperson does not completely understand how it works. The knowledge gap creates a potential attack point for cybercriminals.
  • The large number of currencies also assists cybercriminals with their campaigns. Currently there are more than 5,000 cryptocurrencies in existence globally. Additionally, new cryptocurrencies are being created almost every day, so hackers can move from one to the other as they try to find a susceptible target.
  • Third-party identification documents are a major attraction for hackers in data exfiltration attacks. The seized personal information can be used to access cryptocurrency wallets.
  • The associated anonymity is also an attractive element for hackers. While the supporting blockchains provide a record of the actual financial transaction, most of them do not share personal data related to transactions. All of this makes it difficult for authorities to ascertain any sort of financial pattern that can aid their investigations. Crypto, as it turns out, is a payment paradise for cyberattack managers.

The majority of BEC attacks are expertly managed, as the hackers have often thoroughly researched their targets. In a lot of cases a compromised company email system might have been initially infiltrated months before the actual attack takes place. This gives them time to learn the protocols and culture of the organization. Following this period, the attack is normally conducted by impersonating a key executive such as the CEO or CFO. The aim is to get a lower-level employee who has privileges on the company’s payment system to send funds for a stated reason such as a large business deal or company transaction. The employee is asked to complete a bank transfer to an account belonging to the hacking group. Once the funds hit the account, the bank automatically converts the money into cryptocurrency.

FBI Guideline

Along with releasing an annual update, the FBI has also made public a list of specific measures that companies and individuals should adopt in order to avoid becoming the target of a BEC cryptocurrency scam. These include:

  • Individuals are urged to constantly review bank accounts to see if there is any evidence of indiscretions and unrecognized transactions.
  • Use a multi-factor authentication (MFA) solution to augment your authentication processes. One of the best ways is to have a PIN sent through text or email for authentication.
  • Use robust anti-phishing protection like SpamTitan that features double antivirus, data leak prevention, real-time blacklists (RBLs), email content filtering as well as inbuilt Bayesian auto-learning heuristics.
  • IT managers should make sure that their corporate email applications are set up to permit users to see the full email extensions of received emails.



87% growth in HMRC Phishing Attacks in Past Year

In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) – the UK government department responsible for tax collection – is often impersonated in order to conduct cyberattacks.

Phishing campaigns using this mode of attack have surged in the past year. Official figures obtained by Lanop Outsourcing under a Freedom of Information request show an 87% growth in HMRC impersonation attacks, with the number of attacks jumping from 572,029 in 2019/2020 to 1,069,522 in 2020/2021.

Email scams are the most common phishing vector, and the most frequently used lures are fake notifications about tax rebates and refunds. These grew by 90% in the last year, and the number of HMRC phishing attacks sent by email grew by 109% to 630,193. Growth was also seen in text-based phishing (smishing) campaigns, which jumped by 52% year-over-year, while voice phishing (vishing) attacks were up by 66%.

Another public body impersonated in scams was the Driver and Vehicle Licensing Agency (DVLA). There was a massive 661% increase in reports of phishing scams impersonating the DVLA during the past 12 months.

While these attacks are mainly focused on individuals, they are also a serious concern for businesses because they aim to steal sensitive data such as passwords. If attackers get hold of these, there is a strong possibility that they will be used in attacks on companies. Phishing campaigns also attempt to spread malware to business networks. If this succeeds, hackers can access databases before moving laterally and causing damage across an entire corporate network.

In order to defend your company from attacks like this it is vital to implement a thorough set of measures. Staff training is crucial so that those using the systems and software on your network know how to spot and report an incoming cyberattack. As a minimum, all staff should know what to do if a suspicious email lands in their inbox. This is even more important when staff are working remotely, as is more common than ever these days.

As we all know, staff training will not completely eliminate mistakes. Individuals will either fail to pay sufficient attention, due to burnout or lack of interest, or take a shortcut to get their work done more quickly, which is not best practice for cybersecurity. This means that you need a robust cybersecurity suite to back up the staff training and keep your organization safe.

A robust cybersecurity suite will always include an advanced spam filtering solution that will spot and block phishing attacks. Remember that not all spam filters are created equal, though. Some are proficient only at tackling phishing emails from known malicious IP addresses. Stronger solutions like SpamTitan are able to spot previously unseen phishing scams thanks to artificial intelligence and predictive technologies that address the danger posed by zero-day attacks. Additionally, sandboxing fights malware that has not yet been added to antivirus engines, and DMARC mitigates the dangers presented by email impersonation attacks.

In order to safeguard your group from these types of attack contact TitanHQ now to discover more in relation to enhancing your cybersecurity suite.


Webinar: June 30, 2021: How to Deal with Phishing and Ransomware Threats

Businesses that permitted their employees to work from home during the pandemic faced challenges giving their workers access to internal networks remotely while maintaining security. Cybercriminals took advantage of the vulnerabilities that were introduced and readily exploited weaknesses. Attacks on businesses increased, and remote employees were the natural target. Throughout the pandemic, phishing and ransomware attacks were rife, with many businesses falling victim to attacks.

Now that restrictions have been eased, businesses have been able to open their offices once again, but many have now adopted a hybrid working model where employees continue to work from home at least some of the week. Businesses that have adopted this model need to now focus on cybersecurity strategies to combat phishing and ransomware attacks targeting their home workers.

A recent Osterman Research/TitanHQ survey of cybersecurity professionals revealed the challenges they faced during the pandemic and the extent to which their businesses were attacked. 85% of the 130 security professionals surveyed said they had experienced at least 1 security incident in the past 12 months, with phishing and ransomware perceived to be the biggest threats.

Even though IT professionals are well aware of the seriousness of the threat from phishing and ransomware attacks, only 37% of organizations surveyed rated their defenses as highly effective at combatting these threats. Security budgets had increased by an average of 28% from 2020 to 2021, yet defenses were still not up to the job.

When asked about the biggest threats their organization faced, the top three threats were email related. The biggest threat was business email compromise (BEC) attacks that trick low-level employees into divulging sensitive information, followed by phishing messages that result in malware infections and phishing emails that result in an account compromise.

Phishing emails are commonly used to deliver ransomware, either via the theft of credentials that give the attackers a foothold in the network or via the delivery of malware such as TrickBot, which is subsequently used to deliver ransomware.

The survey revealed many businesses are struggling to deal with phishing and ransomware threats, despite increases in security budgets. To help businesses improve their defenses against phishing and ransomware attacks, TitanHQ and Osterman Research will be hosting a webinar. During the webinar, attendees will learn about the advanced security threats uncovered by the in-depth survey, learn about the most effective mitigations against phishing and ransomware attacks, and will receive actionable information and best practices to reduce the risk of attacks succeeding.

Webinar Details:

How to Reduce the Risk of Phishing and Ransomware Attacks

Wednesday, June 30, 2021

7:00 p.m. to 8:00 p.m. BST / 2:00 p.m. to 3:00 p.m. EST / 11:00 a.m. to 12:00 p.m. PST

The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research and Sean Morris, Chief Technology Officer at TitanHQ.

Register Your Place Here

Why SpamTitan is the Best MSP Defense Against Email Threats?

At present the main way that hacking groups are accessing business networks is via phishing campaigns.

The single best way of tackling phishing campaigns is using an email spam filter. This type of cybersecurity solution audits all incoming email traffic to check for spam signatures, phishing characteristics and any indication of malware.

Award-winning anti-spam software, SpamTitan boasts the best possible tools to safeguard your group from phishing and other email-based campaigns. At present more than 1,500 organizations use SpamTitan globally.

While you may see a multitude of spam filtering solutions available which claim to adequately safeguard your group from the smartest phishing tactics, one has become the chosen solution of managed service providers (MSPs) – TitanHQ. Here we examine the reasons for this choice.

  1. Advanced email blocking: SpamTitan supports uploaded block and permit lists per policy, advanced reporting, recipient verification and outbound email reviewing. There is also a capability for whitelisting/blacklisting at all hierarchical levels of permissions within your network.
  2. Excellent malware protection: There are dual antivirus engines from two leading AV providers and sandboxing that leverages machine learning and behavioral analysis to tackle any file which appears to be dangerous.
  3. Protection against zero-day attacks: Machine learning predictive technology tackles zero-day attacks, and AI-driven threat intelligence blocks zero-minute attacks head on.
  4. Office 365 environment security measures: There are a range of protection measures that provide defense in depth against email threats. These can be simply added to Office 365 environments to greatly enhance security in the face of phishing and email-based malware campaigns.
  5. Easy integration: There is a straightforward configuration process for adding this to your existing service stack through TitanHQ APIs, and MSPs benefit from streamlined management with RMM integrations.
  6. Data leak prevention: Strong data leak prevention rules that are easy to create and allow for tagging of data to spot and block internal data loss.
  7. Intuitive multi-tenant dashboard: The MSP-client hierarchy means that you can keep clients segregated and decide whether to manage client settings in bulk or on an individual basis. This is a set-and-forget solution, meaning only a low level of IT service intervention is required.
  8. White labelling: Can be supplied as a white label version to reinforce an MSP’s brand.
  9. Industry-leading customer support: TitanHQ customer service is the industry leader in the field, with world class pre-sales, sales and technical support and guidance. MSPs are allocated a dedicated account manager, assigned sales engineer support, access to the Global Partner Program Hotline, and 24/7 priority technical support.
  10. Competitive pricing and monthly billing: MSPs benefit from a transparent pricing policy, competitive pricing, excellent margins, and monthly billing. The sales cycle is just 14 days.

If you would like to begin providing SpamTitan for your clients, contact the TitanHQ channel team at once and begin your free trial.

Common Cybersecurity Errors that Leave you Vulnerable

There has been a surge in the amount of profit-generating cyberattacks in the last year, particularly within the healthcare sector in the USA.

In tandem with this, the amount of money demanded by hackers to release encrypted data has gone through the roof. Even in cases where the ransom is handed over, the recovery process can be very tricky, and in a lot of cases the data is never handed back by the cybercriminals at all.

This is a situation that no group wants to find themselves in so it is important to be sure you have addressed all possible weaknesses in relation to your cybersecurity measures. Here we have listed the areas which, if unaddressed, are likely to allow hackers to disrupt your organization’s ability to operate. 

Security Mistakes That Must Be Addressed

  1. Multi-Factor Authentication: When login details are stolen there is huge potential for hackers to access your databases. However, if you have multi-factor authentication configured then this risk is mitigated, as there is a second stage of verification that must be completed in order for access to be granted.
  2. Email Security: Phishing presents a huge danger to all networks. Hackers send emails trying to get staff to either reply or click on a link that will lead to the installation of malware or adware on your servers. Ideally cybercriminals are seeking the login credentials of a high-level executive who has permission to access all parts of the network. Configuring an advanced AI-based spam filter that uses sandboxing and greylisting will prevent this from happening 99% of the time.
  3. Security Awareness Training: As a lot of attacks, like the email attacks mentioned above, rely on interaction with employees, it is vital that you train these people to spot potential attacks. Regular refresher training courses are also important to keep everything fresh in the mind and to educate staff about new threats that have appeared since the last training session.
  4. Web Security: It is important to add security to police Internet activity on your networks. It would be very easy for an employee to unknowingly browse to a site that is loaded with adware and malware. Using web filtering software will cut off access to malicious websites.
  5. Applying Patches & Software Updates: Hackers are swift to take advantage of software, firmware, and operating system flaws. Because of this it is vital that your organization applies patches and runs updates as soon as they become available. If this is not done then it is bound to be just a matter of time before someone gains access to your network and servers.
  6. Password Management Software: Creating weak passwords leaves you vulnerable to brute force attacks. Staff should be given the tools to set up and save strong, secure passwords.
  7. Creating an Incident Response Plan & Backups: ‘Fail to prepare, prepare to fail’ as the saying goes. Companies that have not planned for what to do in the event that they are infiltrated by a cyberattack could have irreparable damage inflicted upon them. Regular backups must be created and tested. It is also wise to store one copy of the backup off site.

Colonial Pipeline Ransomware Attack Started with a Compromised Password

During April 2021, cybercriminals were able to log onto the databases of Colonial Pipeline and install ransomware that led to the shutdown of a fuel pipeline system that serves the entire Eastern Seaboard of the USA.

This resulted in a lot of panic buying of fuel by Americans on the East Coast as fuel supplies were threatened. The knock-on effect was local fuel shortages and a surge in the price of gasoline to its highest level since 2015. There was a 4.6 million barrel drop in the level of gasoline stockpiles on the East Coast.

The DarkSide ransomware-as-a-service operation was blamed for the attack and has now been taken down. Before it was shut down, Colonial Pipeline handed over a $4.4 million ransom to remove the encryption from their files. They took the decision to pay the ransom due to the danger facing fuel supplies: Colonial Pipeline provided almost half (45%) of the East Coast’s fuel. Though handing over the ransom was a difficult move to make, it had to be done due to the threat to fuel supplies. Another consideration was the length of time that it might take to recover the files without the attacker-supplied decryption keys.

This attack should never have been able to gain access to such critical infrastructure. The subsequent review of the cyberattack showed that all it took for the attack to succeed was one compromised password used to remotely access the database. The account that was compromised was not secured using multi-factor authentication.

According to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation, the compromised password was for a virtual private network account. The account may have been dormant but it was still possible to use the login credentials to gain access to Colonial Pipeline’s network.

As yet it remains unknown how the cybercriminals came to be in possession of this password. The password has since been located in a database of breached passwords that was made available via the dark web. There is a chance that an individual had created a password for the account and also used it on a separate account that was breached. It is typical for passwords from data breaches to be used in brute force attacks, as password reuse is commonplace. Phishing campaigns are also used to obtain passwords.

Mandiant searched for anything to suggest how the password was stolen by the cybercriminals. The cybersecurity experts found no evidence of hacker activity prior to April 29, 2021, nor any evidence of phishing attempts. At this point it appears that how the password was obtained and the username determined may never be known.

It is quite obvious that this hack could have been stopped using cybersecurity best practices, including carrying out audits of accounts and closing down dormant accounts, setting unique and complex passwords for every account, configuring multi-factor authentication to prevent compromised passwords from being used for access, and installing a robust anti-spam solution.

GitHub Repository Weaknesses Create Attack Points

Created in 2008, GitHub has recorded massive growth amongst developers and companies for its code hosting and sharing capabilities. These are available for both open source and proprietary code, making it very popular, with more than 100 million code repositories currently on the platform.

Sadly, this also means that GitHub is a very attractive target for cybercriminals, who have used the platform’s popularity as a basis for several attack types, including ransomware, backdoor attacks and code injection campaigns. GitHub Actions is a feature of GitHub that provides a CI/CD workflow pipeline for software delivery into production. It is one of the main pieces of GitHub infrastructure that automates software workflows. Recently, experts at Google Project Zero discovered a design vulnerability in GitHub Actions. This vulnerability could give a hacker write access to a repository, meaning that they could reveal encrypted secrets. One of the experts, Felix Wilhelm, was able to demonstrate the vulnerability using Microsoft’s Visual Studio Code GitHub repository, where he could inject code which was then run by the project’s new issue workflow.

The flaws in Actions give cybercriminals ways to exploit GitHub’s infrastructure. Recently, code injection flaws and vulnerabilities in GitHub Actions allowed criminals to run crypto-mining malware. The attacks have been recorded since late last year. The attack targets repositories using Actions, the automatic software workflow execution feature, to place malicious code into a software workflow. The process used by the hackers is slick: the malicious GitHub Actions code is first forked from the original workflows, and then a Pull Request merges the code back, together with the crypto miner code. The key to the attack is using GitHub’s infrastructure to distribute malware and mine cryptocurrency on GitHub’s servers. The flaw in Actions means that the attack does not need the repository owner to approve the Pull Request. The crypto-miner code, misnamed npm.exe, is hosted on GitHub. The whole attack is expertly devised, using a mechanism that has, so far, made a mockery of GitHub’s critical infrastructure.

The worry about this recent crypto mining attack on GitHub repositories is that the hackers are, yet again, leveraging the inherent infrastructure of a network. Any weakness in the corporate structure can be targeted. Bolstering the security of these infrastructure entry points is crucial to stopping cyberattacks. Source code is a critical system and GitHub is critical infrastructure. Firms and vendors using GitHub should ensure they follow security best practices. Even groups not using GitHub as a source code repository may well be receiving source code hosted on GitHub. To address this, cybersecurity best practices must be implemented. People, processes, and technology are among the usual cyber best practices, but adding awareness of possible infrastructure hacks is vital to keeping your business protected.

Some of the steps that you need to implement include:

  • Stopping employees from visiting dangerous URLs or installing malicious software/files
  • Preventing staff from accessing infected web portals
  • Implementing GitHub security best steps when using the infrastructure to host source code
  • Training staff to ensure they are conscious of security tricks and tactics

Preventing these attacks is possible with WebTitan Cloud DNS filter. It will tackle malware, phishing, viruses, ransomware & malicious sites.

How to Improve Your Defenses Against Business Email Compromise Attacks

A recent survey of IT security professionals, conducted by TitanHQ along with Osterman Research, has indicated that businesses most commonly witness security incidents involving business email compromise (BEC) attacks.

This type of attack is when a hacker pretends to be a genuine contact or company to fool someone into completing a fraudulent financial transfer or sharing protected information, or to encrypt servers in order to demand a ransom for the encryption to be removed.

These attacks can impersonate a known company or else use a contact’s email account that has already been compromised in a hacking attack. Another route of attack is as simple as altering the display name to make the recipient believe the email has been sent by a real contact, often the CEO, CFO, or a supplier.

Lookalike or similar domains are also deployed in BEC attacks. This is where the cybercriminal copies the spoofed company’s email template or layout so that it seems perfectly real to the recipient.

BEC emails are, most of the time, expertly composed, and aim to take advantage of an individual within an organization or a person in a specific position, more often than not in the finance section of the organization. However, attacks have also been known to target the HR department, marketing department, IT department, and management.

In a lot of cases the hackers use the fact that the emails are quite realistic to engage an employee in a stream of emails before asking for a money transfer or data transfer to be completed. Even though this style of attack is not as common as phishing attacks, the money stolen using it is much greater year on year.

There are a number of important steps to take to defend against these attacks:

  • Raise awareness of the threat by conducting staff training sessions that teach individuals how to spot a BEC attack.
  • Create policies and processes requiring that all email requests to change bank account details, payment methods, or direct deposit information for payroll be verified by calling the known contact directly on the telephone number that you have on file.
  • Implement a solid email security system.

A solid email security system mitigates the chance of human error leaving you vulnerable to BEC attacks. It will block the efforts hackers make to steal email credentials. If it includes machine learning techniques then you will be protected from zero-day attacks, and DMARC and Sender Policy Framework (SPF) will identify emails from senders not permitted to send messages from a particular domain.
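The display-name and lookalike-domain checks described above, as an added example in Python that is not SpamTitan or TitanHQ code; the executives, trusted domains and confusable-character table are constructed assumptions for the example.

```python
"""Flag two BEC indicators in an email's From header: a trusted executive's
display name on an address from another domain, and a sender domain that
imitates one we trust. Added example; not SpamTitan or TitanHQ code."""
import re

# Constructed data (assumptions for this example): our own domain, executives
# whose names attackers like to borrow, and partner domains we expect mail from.
OWN_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
TRUSTED_DOMAINS = {OWN_DOMAIN, "supplier.example"}

# Characters attackers swap for visually similar ones in lookalike domains.
CONFUSABLE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# 'Name <addr>' or bare 'addr'. A small regex is used instead of the stdlib
# parser so results for odd headers (an address inside the display name) do not
# depend on the Python version.
FROM_RE = re.compile(r'^\s*(?:"?(.*?)"?\s*)?<([^<>]+)>\s*$')


def split_from(header):
    """Split a From header into (display name, address)."""
    m = FROM_RE.match(header)
    if m:
        return (m.group(1) or "").strip(), m.group(2).strip()
    return "", header.strip()


def normalize(domain):
    """Lower-case a domain and undo common visual substitutions (1->l, rn->m)."""
    return domain.lower().translate(CONFUSABLE_DIGITS).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance; a small value against a trusted domain means a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is
    trusted itself or not close to anything we trust."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(normalize(domain), normalize(trusted)) <= 2:
            return trusted
    return None


def analyse_from(from_header):
    """Return a list of (indicator, detail) tuples; an empty list means nothing suspicious."""
    name, addr = split_from(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. A known executive's name on an address that is not theirs (display-name spoofing).
    key = " ".join(name.lower().split())
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(("display_name_impersonation",
                         f"{name!r} should be {EXECUTIVES[key]}, actual sender {addr}"))

    # 2. An email address placed in the display name to mask the real sender.
    if "@" in name and name.lower() != addr:
        findings.append(("address_in_display_name",
                         f"display name {name!r} hides actual sender {addr}"))

    # 3. A sender domain that imitates one we trust (typo-squat or confusable characters).
    target = lookalike_of(domain)
    if target:
        findings.append(("lookalike_domain", f"{domain} resembles {target}"))
    return findings


if __name__ == "__main__":
    for header in ("Jane Doe <jane.doe@example.com>",
                   "Jane Doe <jane.doe.ceo@gmail.com>",
                   "Accounts <billing@supp1ier.example>",
                   "jane.doe@example.com <drop@evil.example>"):
        print(header, "->", analyse_from(header) or "clean")
```

In a real gateway these checks sit alongside SPF and DMARC results, which cover the separate case of an exact-domain spoof that this header inspection cannot catch on its own.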

Ideally you should use an email security system like SpamTitan. This solution uses all of the aforementioned methods of securing your organization from BEC attacks. When it is used along with the correct staff training and administrative measures, your group will be properly equipped to address the threat posed by BEC attacks.

If you would like to learn more about how SpamTitan secures your company, call the TitanHQ team as soon as you can.



PDF File Phishing Trends

There has been a surge in phishing since the beginning of the COVID-19 pandemic in early 2020, and there is no sign, or likelihood, that this will ease off, given the massive profits that cybercriminals are making from these attacks. Hackers continue to devise new and more believable strategies to stay ahead as individuals and groups become aware of their attack methods and cybersecurity measures are enhanced to tackle them. Recently, a sharp focus by hackers on the use of PDF files for phishing has been noticed.

The use of files like this permits rich content such as URLs, pictures, GIFs, and internal scripts linked to the file. In the most recent string of attacks, phishing campaigns incorporate PDF attachments that use a range of tactics to bring users to a malicious site in order to harvest data. Here are five styles of PDF phishing attack to be aware of at present:

  1. File Sharing and Phishing: The majority of web users have either a Google Drive account or a Microsoft OneDrive account. Access to one of these would give hackers plenty of private data. Cybercriminals use PDF files to make viewers hand over the private login details which will allow them to infiltrate the targeted victim’s accounts. The image in the PDF shows a prompt to access a file within the user’s cloud drive, which the user instinctively clicks. However, a phishing page appears when the user clicks the URL. This phishing page is identical to the OneDrive or Google Drive landing page, so users who do not check the actual domain name in their browser window will just hand over their username and password. Once they do this the hacker receives the credentials and can access the cloud drive account.
  2. Fake CAPTCHA Redirects: A CAPTCHA is a recognized symbol for Internet users and is therefore a straightforward way to fool users into visiting a URL. In this attack the hacker places an image of the familiar Google CAPTCHA interface within the sent email. Users recognize the image, choose “Continue” and expect to see the website that they are attempting to access. When the link is visited, the user is taken to a cybercriminal-controlled site where they must hand over their private information.
  3. Ecommerce Site Scams: The most recent PDF phishing attacks feature popular ecommerce logos to trick users into thinking that links are genuine. Ecommerce portals often require private information and credit card data, so attackers can obtain goods using the targeted victim’s data. In some cases the PDF file might include the official Amazon logo and ask users to visit the link to buy products. Rather than opening Amazon in the user’s browser, a cybercriminal-controlled website pretending to be the legitimate portal asks users to authenticate. When users hand over their credentials, the cybercriminal gains the login information for their ecommerce account.
  4. Play Buttons on Static Images: If there is a play button on a picture it will, typically, be clicked on in order to play a video. A recent scam, targeting cryptocurrency traders and investors, gets PDF readers to open the file in the hope that they will click the link on the fake video image. Rather than playing a video, users are taken to a phishing website that asks them to hand over their credit card information for a dating portal.
  5. Using Popular Logos for Malicious Redirects: It is not difficult to prompt users to click links using recognizable logos. When hackers use a logo from a well-known brand, they can fool users into clicking the logo. In this attack, an image of a well-known brand is placed within the PDF file with the offer of a discount. It looks the same as a normal brand sale, so it fools users into clicking on the image. After the user does so, a browser opens and loads a redirect site. The redirect site then serves an attacker-controlled phishing page to the user. Just like with the CAPTCHA scam, users who do not realize that the redirect is not what it seems may hand over private data or login credentials to access the platform.
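An added example (not SpamTitan code) of the attachment inspection these five lures call for: pulling link targets out of a PDF's /URI actions, flagging a brand name that points at a domain the brand does not own or a plain-HTTP link, and noting embedded JavaScript. The sample PDF and the brand-to-domain table are constructed for the example.

```python
"""Inspect a PDF attachment for the phishing lures described above: link
annotations whose target is not the brand it pretends to be, plain-HTTP links,
and embedded JavaScript. Added example, not SpamTitan code.

Only uncompressed objects are matched; a real filter would first decode
FlateDecode streams and object streams before running these checks."""
import re
from urllib.parse import urlparse

# Constructed assumption: brand keywords and the domain each one legitimately uses.
BRANDS = {
    "onedrive": "onedrive.live.com",
    "drive.google": "drive.google.com",
    "amazon": "amazon.com",
}

# /URI actions carry the link target as a PDF literal string in parentheses.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
JS_RE = re.compile(rb"/S\s*/JavaScript\b")


def extract_uris(pdf_bytes):
    """Return every link target found in /URI actions, as text."""
    return [raw.decode("latin-1") for raw in URI_RE.findall(pdf_bytes)]


def host_belongs_to(host, legit_domain):
    """True if host is the brand's domain or a subdomain of it."""
    return host == legit_domain or host.endswith("." + legit_domain)


def assess_links(pdf_bytes):
    """Return [(uri, [reasons])]; an empty reason list means the link looked benign."""
    results = []
    for uri in extract_uris(pdf_bytes):
        parts = urlparse(uri)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme != "https":
            reasons.append("not https")
        for keyword, legit in BRANDS.items():
            # Brand name used anywhere in the link while the host is not the brand's domain.
            if keyword in uri.lower() and not host_belongs_to(host, legit):
                reasons.append(f"{keyword} lure on {host}")
        results.append((uri, reasons))
    return results


def has_javascript(pdf_bytes):
    """True if the file carries a JavaScript action (used for automatic redirects)."""
    return JS_RE.search(pdf_bytes) is not None


# Constructed minimal PDF: one genuine OneDrive link, one lookalike, one JS action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://onedrive.live.com/share/report) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://onedrive-login.example/verify) >> >> endobj
6 0 obj << /S /JavaScript /JS (app.alert('captcha')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for uri, reasons in assess_links(SAMPLE_PDF):
        print(uri, "->", ", ".join(reasons) or "ok")
    print("embedded JavaScript:", has_javascript(SAMPLE_PDF))
```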


Using email filters to stop these attacks means that malicious attachments are recognized and prevented from reaching the intended recipient’s inbox. The SpamTitan email filter blocks spam, viruses, malware, phishing attempts and other email threats targeting companies, MSPs and educational bodies worldwide.

Employees Returning to Offices Targeted in New COVID-19 Phishing Campaign

As workers begin to return to offices following the COVID-19 vaccine rollout, hackers are launching new campaigns to take advantage of this turn of events.

This follows previous attacks that sought to take advantage of interest in the COVID-19 virus at the height of the pandemic. Workers going back to their usual place of work has created an opportunity for scammers, who have launched a new phishing campaign targeting workers returning to offices.

The new attacks claim to be sent from the organization’s Chief Information Officer to advise staff of new protocols and processes devised to help returning workers avoid any possibility of infection. They appear to have been sent only internally within the organization, and even include the organization’s logo and what looks like the CIO’s signature. A URL is included that directs recipients to a Microsoft SharePoint page to view or download two documents: a COVID-19 information sheet and an implementation letter listing the steps the company has implemented as a result of guidance from the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), and local health bodies.

While the majority of phishing attacks send email recipients straight to a phishing form to collect Office 365 credentials, this campaign goes one step further: the phishing only begins once the link is clicked. When this is done, a fake Microsoft login prompt pops up and credentials must be entered in order to access the files. Once the details are handed over, a message appears informing the staff member that their account or password is incorrect and they must enter it again, before they are finally brought to a genuine Microsoft page and given access to the documents on OneDrive. This means that there is no clear indication that credentials have been phished.

This COVID-19 phishing campaign, like many others launched during the pandemic, feature. In this case, the emails have been excellently composed and written for individually targeted groups, making them appear authentic and likely to trick lots of people. It remains unknown what the cybercriminals intend to do with the stolen credentials once they have been collected. They could be used to harvest the protected data held within Office 365 email accounts, could allow the cybercriminals to establish a foothold in the corporate network for a more extensive compromise, or could be sold for a profit to other cybercriminal groups.

The best tactic for dealing with this level of threat is to use an advanced spam filtering solution like SpamTitan. With SpamTitan implemented, phishing attacks like this are spotted and dealt with at the gateway, so that employees are not relied on to prevent the network being infiltrated.

Contact the TitanHQ team now in order to enhance your security posture and tackle the dangers of cybercriminal attacks for your organization.

Safari Scareware Targets Porn Viewers

A flaw in the mobile Safari browser has been targeted by cybercriminals and used to extort money from people who have previously used their mobile device to access pornography or other illegal content. The Safari scareware stops the user from logging on to the Internet on their device by loading a series of pop-up messages.

A popup is shown that states Safari cannot open the requested page. Clicking on OK to shut the message triggers another popup warning. Safari is then locked in an endless loop of popup ads that cannot be removed.

A message is shown in the background stating the device has been locked because the user has been identified as having viewed illegal web content. Some users have reported messages including Interpol banners, which are intended to make the user believe the lock has been put on their phone by law enforcement. The only way of regaining access to the device, according to the popups, is to pay a fine.

One of the domains used by the hackers is; however, few users would likely be tricked into thinking the browser lock was put in place by a police department as the fine had to be paid in the form of an iTunes gift card.

Other messages tell the user that police action will be taken if the payment is not made. The hackers claim they will send the user’s browsing history and installed files to the Metropolitan Police if the ransom is not paid.

This sort of Safari scareware is nothing new. In this example, the hackers loaded code onto a number of websites which targeted a flaw in the way the Safari browser handles JavaScript pop-up windows. The code targeted iOS versions 10.2 and earlier.

The Safari scareware campaign was discovered by Lookout, which passed details of the exploit on to Apple; Apple addressed the flaw in iOS version 10.3 to block the attacks. Scareware attacks such as these are common.

Scareware is not the same as ransomware, although both are used to extort money. In the case of ransomware, access to a device is obtained by the hacker and malicious file-encrypting malware is installed. That malware then locks users’ files with powerful encryption. If a backup of the encrypted files is not maintained, the user faces loss of data if they do not pay the hackers for the key to decrypt their locked files.

Scareware may incorporate malware, although more commonly – as was the case with this Safari scareware campaign – it involves inserting malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The thinking behind scareware is to scare the end user into paying the ransom demand to unlock their computer. In contrast to ransomware, which cannot be unlocked without the necessary decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowledge. In this instance, control of the phone could be regained by clearing the Safari cache of all cookies and data.

Infected Devices Turned into Cryptocurrency Miners with Digimine Malware

Digimine malware was first spotted in a campaign targeting users in South Korea; however, the attacks have now gone global. Digimine is a cryptocurrency mining malware that is installed and used to hijack the CPU and GPU on an infected device and use it to mine the cryptocurrency Monero.

The increase in popularity of cryptocurrency, and its meteoric rise in value, means mining cryptocurrency can be highly profitable. Mining cryptocurrency is the verification of cryptocurrency transactions for digital exchanges, which involves using computers to complete complex numerical problems. For verifying transactions, cryptocurrency miners are rewarded with coins, but cryptocurrency mining requires a lot of processing power. To make it profitable, it must be carried out on an industrial scale and hackers have realized the best way to do this is to use other people’s computers and servers. The processing power of hundreds of thousands of devices would result in the operation becoming highly profitable for cybercriminals, a fact that has certainly not been missed by the creators of Digimine malware.

Infection with Digimine malware will see the victim’s device slowed, as its processing power is used to mine Monero. However, that is not the only problem. The campaign spreading this malware variant works via Facebook Messenger, and infection can see the victim’s contacts targeted, and could possibly lead to the victim’s Facebook account being hijacked.

The Digimine malware campaign is being conducted through the Desktop version of Facebook Messenger, via Google Chrome instead of the mobile app. Once a victim is infected, if their Facebook account is set to login automatically, the malware will send links to all individuals in the victim’s contact list. Visiting those links will result in the installation of the malware, the generation of more messages to contacts and more infections, building up an army of hijacked devices for mining Monero.

Infections were first seen in South Korea; however, they have now spread throughout east and south-east Asia, and beyond to Vietnam, Thailand, Philippines, Azerbaijan, Ukraine, and Venezuela, according to Trend Micro.

A similar campaign has also been seen by FortiGuard Labs. That campaign is being carried out by the actors behind the ransomware VenusLocker, who have similarly changed to Monero mining malware. That campaign also began in South Korea and is spreading quickly. Instead of using Facebook Messenger, the VenusLocker gang is using phishing emails.

Phishing emails for this campaign include infected email attachments that install the miner. One of the emails claims the victim’s details have been accidentally exposed in a data breach, with the attachment supposedly containing details of the attack and instructions to follow to mitigate risk.

Rise in Phishing Threatens Patient Data Privacy

Cybercriminals will always focus a lot of their efforts on stealing healthcare records due to the high return they can make from getting hold of information such as addresses, Social Security details and financial data. Hackers can make these available for a high price on darknet markets or use them to commit identity theft.

So far in 2021, millions of records holding valuable private information have been illegally obtained by cybercriminals using phishing tactics. Once a breach is discovered, the healthcare organization has a legal responsibility to notify impacted patients, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Department of Health and Human Services (HHS) publishes a web portal through which HIPAA breach incidents can be reported. The portal can also be accessed by the public, who can view the details of confirmed HIPAA breaches.

Phishing campaigns can be targeted at individuals with high-privilege accounts, or they can be randomized, with millions of users receiving the same email. Untargeted attacks focus on quantity over quality: the attacker hopes that just a small percentage of recipients will fall for the phishing message, and even that small percentage can generate thousands in revenue from a single campaign.

Spear-phishing campaigns are much more targeted and effective. Fewer email messages are sent to targeted users, but the campaign can be much more potent. With a high-privileged account or successful ransomware installation, an attacker could make millions from their efforts. Ransomware targeting businesses asks for thousands in return for private keys to decrypt data, or an attacker could use stolen credentials to exfiltrate data from corporate servers.

Both types of phishing campaign damage corporate reputation and patient data privacy, which is why healthcare providers and other organizations should take several steps to protect users from being phishing targets. Most users lack the training needed to identify phishing campaigns, and even IT administrators fall victim to these attacks. The best way to protect users is to stop malicious messages from reaching targeted recipients’ inboxes, which can be done using email filters.

The best way to prevent phishing attacks on your email servers is to configure a robust and constantly updated cybersecurity solution. Email filters using artificial intelligence (AI) are the best way to discover dangerous emails, which can be quarantined before they land in the intended recipient’s inbox. Quarantined emails can still be reviewed by system administrators and, should they find that a message has been incorrectly quarantined, forwarded to the intended recipients.

Additionally, attachments and files are often leveraged to fool email recipients into downloading ransomware onto the network. Ransomware is another dangerous attack style that targets data privacy and integrity, and threat actors often use it against healthcare providers knowing that it can bring business workflows and productivity to a standstill. Cybersecurity systems can track and review attachments to see if they hold macros used to install ransomware on corporate systems.

Your organization should be aiming to put in place a multi-layered cybersecurity approach to safeguard its databases. If you do not have

Without a layered cybersecurity approach, healthcare providers could become part of the next large data breach. Implementing a strong email filter and the correct type of web content filter will allow your organization to mitigate the dangers posed by human mistakes. Email filters will spot malicious emails, quarantine them, and allow administrators to double check messages.

Content Filtering Crucial for K12 School Chromebooks

The widespread use of Chromebooks in educational institutions worldwide has seen the devices adopted by up to 40 million users in this sector.

While these devices help close the equity, technology and homework gaps that many school districts need to address, there is also the issue of cybersecurity. A Chromebook, in the end, is only a tool that should be used in the proper manner. The main reason these devices are supplied in an educational setting is to provide access to something online, usually an educational application or a game app.

Enforcing boundaries is crucial for young users, as they prevent students from remaining connected to game sites and searching for malicious content. Along with this there is the issue of CIPA compliance for K12 institutions that depend on E-rate funding. CIPA requires school districts to implement an internet safety policy that blocks and filters images and content classified as harmful to minors. Secure boundaries are a requirement for school districts that implement Chromebooks on any scale.

Chromebooks require the same security as other computing devices, as they are susceptible to malicious code. Even though traditional .exe files cannot run on a Chromebook, Android malware and other dangers are an active threat. The main attack vector for malware and other malicious campaigns is the internet. Next-generation DNS blocking is an important part of any multi-level cybersecurity strategy and should be used in all educational filtering solutions.

WebTitan on-the-go for Chromebooks gives administrators the same level of control that Windows admins use to deliver user- and device-level web filtering for their Windows 10 devices, tailored for Chromebooks. The WebTitan Cloud management interface is very easy to use and has an intuitive web-based design.

WebTitan is designed for the “Anywhere Workforce” as well as “Anywhere Learning.”  Whether your students are using their devices on campus within a traditional classroom or at a remote place, they and their devices are secured by the same granular internet filtering policies. The cloud based solution gives internal IT the ability to fully manage your web filtering system from anywhere globally.

This gives admins the same tools and interface regardless of where they are based. For onboarding, rather than relying on on-premises hardware or client software, WebTitan simply redirects the DNS traffic of all of your devices to the cloud. Because there is no inline device, you don’t have to worry about intranet traffic or non-HTTP/HTTPS traffic being blocked.

When it comes down to it, there is probably no institution more difficult to configure web filters for than K12. WebTitan on-the-go for Chromebooks was created to work in the most complex of environments using a simple 3-step process.

  • Set up your desired groups
  • Configure granular filtering policies to block various content categories
  • Assign those policies to your groups

You can also override your policies with manually created exceptions.

The reporting feature of WebTitan allows for querying relevant information about a student’s internet history and summarizing it in a simple-to-read report. Administrators and IT personnel can also identify broad behavior patterns in student internet usage at the system and group level.

Another reassuring feature is WebTitan’s malicious URL detection service, which searches for threats in real time with the assistance of AI-powered protection that can combat emerging phishing URLs and even zero-minute attacks.


How Your Business can Fight Ransomware Attacks

The first quarter of 2021 has seen the surge in ransomware attacks on companies continue, with most of the victims targeted when they had insufficient security measures in place to fight the attacks, leaving both their databases and valuable data vulnerable.

In most cases the use of a range of recommended measures would have prevented an attack from being successful. Here we have listed the standard measures that will bolster your cybersecurity suite.

Measures that can Fight Ransomware Attacks on your Business

There are several ransomware mitigations that can be implemented to reduce the risk of ransomware attacks and limit the severity of an attack should a network be compromised.

  1. Limit access to network resources: Use the principle of least privilege and strictly restrict administrative access and the ability to download and run software.
  2. Configure a strong spam filter: The use of a strong spam filter will prevent phishing attacks and malware delivered via email from infiltrating your databases.
  3. Use a web filter to review network traffic: Configuring a web filter will allow your systems to spot access attempts to malicious websites and recognise malicious IP addresses.
  4. Set up multi-factor authentication: Stolen login details, taken during phishing attacks, allow ransomware actors to invade networks. Multi-factor authentication will stop this and act as an additional safeguard if a login credential is stolen.
  5. Limit or obstruct Remote Desktop Protocol (RDP): Consider if RDP is necessary and disable it wherever possible. Double check originating sources are restricted and implement multi-factor authentication as mentioned previously.
  6. Provide end-user security awareness training: This is to make sure employees know how to spot phishing emails, are conscious of cybersecurity best practices, and avoid participating in dangerous online activity.
  7. Invest in the best available AV software: Using an advanced anti-virus solution that conducts regular scans of all IT assets for malware will keep your network safe.
  8. Apply patches promptly and update software regularly: This is crucial in order to fight the exploitation of vulnerabilities. The majority of vulnerabilities exploited in attacks are months old, yet patches were not applied.
  9. Turn off macro scripts in Office files: Turn off Office macros on all devices unless there is a business need for allowing them. Open Office files shared via email using Office Viewer software rather than the full Office application.
  10. Do not allow inbound connections from Cobalt Strike servers: Do this and restrict the use of other post-exploitation tools where possible.
  11. Add application allowlisting: Only allow applications and systems to run programs as permitted by your security policy. Prevent the execution of programs from popular ransomware locations such as temporary folders and the LocalAppData folder.
  12. Put in place network segmentation: This will limit the harm that can be caused to different parts of your databases should an attack infiltrate your network.
  13. Prevent inbound connections from anonymization services: Turn off access from Tor and other anonymization services to IP addresses and ports where external connections are not standard or required.
  14. Create a robust backup policy: See to it that backups of critical data are completed on a regular basis and tested to ensure file recovery can take place. Keep a copy of the backup in a secure offline location.


Arrests made in UK after Smishing Attack

Arrests have been made in the United Kingdom after a group of hackers was discovered to be sending large volumes of text messages to try to trick recipients into sharing their login details.

The Birmingham-based cybercriminals published their own website and used online advertising to reach more potential victims. When these activities were discovered, police issued a warrant for the arrest of those responsible.

The group, referred to as ‘SMS Bandits’, advertised across several mediums and sent text messages which included a link to a malicious website that requested visitors to share their login credentials and other sensitive data. SMS Bandits pledged to attack a large number of phone numbers with smishing messages for just $40 to $125 per week using the service they called ‘OTP Agency’.

Along with offering to conduct smishing attacks, the SMS Bandits offered “bulletproof hosting,” meaning the attack site could not be taken down by standard legal efforts. In most cases, these attacks fail when the site is reported and hosting is disabled by the host. The smishing attacks could be bespoke, allowing the specific targeting of small businesses, large businesses, and individuals.

It is important for organizations to be conscious of the threat posed by smishing and take steps to train staff in relation to it. Hackers aim to use smishing to begin an attack and steal intellectual property or private corporate information that could be damaging to an organization’s reputation.

Email filters are excellent at preventing messages from spoofed senders and blocking malicious message content, but text messages do not normally have a feature like this. The best tactic to prevent smishing is to educate staff members on spotting these messages. The content is typically similar to a phishing attack, with offers of discounts or money in exchange for clicking a link and entering private data. If this data happens to be corporate data, then it is disclosed to the cybercriminals.

One of the main characteristics of a smishing attack is the use of short links, denying readers full visibility of the site behind the URL. Short links should be the first warning sign of smishing, the second being the promise of money or discounts. Seeing both together is a sure sign that the message is malicious and should be deleted.
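The two warning signs above, a shortened link and a money or discount lure, can be turned into a simple triage rule for messages reported by staff. The Python below is an added example written for this article; it is not code from TitanHQ or from the original post. The shortener host list, the lure vocabulary and the sample messages are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed set of well-known URL-shortener hosts. This is an assumption for
# the example, not a list from the article or from TitanHQ.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}

# Lure vocabulary matching the article's description (offers of discounts or money).
LURE_WORDS = {"discount", "refund", "prize", "reward", "cash", "bonus", "won", "free", "voucher", "claim"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Pull URLs out of an SMS body, normalising bare www. links so urlparse sees a host."""
    urls = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;:!?)")
        if not raw.lower().startswith("http"):
            raw = "http://" + raw
        urls.append(raw)
    return urls


def uses_short_link(url):
    """True for a known shortener, or for a very short host with an opaque token path."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    token = parsed.path.strip("/")
    if host in SHORTENER_HOSTS:
        return True
    return len(host) <= 6 and re.fullmatch(r"[A-Za-z0-9]{4,10}", token) is not None


def has_money_lure(text):
    """True when the message dangles money, a discount or a prize."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return bool(words & LURE_WORDS)


def assess_sms(text):
    """Combine the two warning signs from the article into a verdict."""
    urls = extract_urls(text)
    short = any(uses_short_link(u) for u in urls)
    lure = has_money_lure(text)
    if short and lure:
        verdict = "malicious"      # both signs together: delete the message
    elif short or lure:
        verdict = "suspicious"     # one sign alone: warrants a closer look
    else:
        verdict = "clean"
    return {"urls": urls, "short_link": short, "money_lure": lure, "verdict": verdict}


# Constructed sample messages; none of these are real campaign texts.
SAMPLE_MESSAGES = [
    "Congratulations! You have won a $500 voucher. Claim here: https://bit.ly/3xAbCd",
    "Your parcel is waiting. Reschedule delivery at https://t.co/9QzLmP",
    "Reminder: your dental appointment is tomorrow at 10:30. Reply C to confirm.",
    "Staff discount of 20% this week only at www.example-shop.test/offers/spring",
]


def triage(messages):
    """Return (verdict, message) pairs for a batch of SMS bodies."""
    return [(assess_sms(m)["verdict"], m) for m in messages]


if __name__ == "__main__":
    for verdict, message in triage(SAMPLE_MESSAGES):
        print(f"{verdict:<10} {message}")
```

A message with only one of the two signs is marked suspicious rather than malicious, which matches the article's point that it is the combination that is decisive; a parcel notice with a short link still deserves a second look, but a legitimate staff discount mail with a full URL should not be auto-deleted.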

Companies need to train staff members so they can spot these signs and characteristics of smishing attacks. The importance of never handing over credentials to any third party, or filling out a form that requests them on a linked website, needs to be emphasised.

Using a solution like that offered by multi-award winning TitanHQ would add a security suite renowned for advanced email security, DNS filtering and safe email archiving. Make the first move and get in touch with the team at TitanHQ today.

WebTitan OTG (on-the-go) for Chromebooks Launched in WebTitan Cloud 4.16

TitanHQ has released WebTitan Cloud 4.16 which adds new functionality to the DNS-based web filtering solution to make management even easier. The latest release also includes a new school web filtering solution.

WebTitan Cloud 4.16 includes DNS Proxy 2.06, which allows filtering of users in Azure Active Directory, as well as on-premise AD and directory integration for Active Directory to make the management of filtering controls for users, groups of users, and organization-wide controls even easier. The latest version includes several fixes and enhanced security to better protect users from web-based threats.

TitanHQ is pleased to announce the release of WebTitan OTG (on-the-go) for Chromebooks with the latest version of WebTitan Cloud. This new service has been specifically developed for the education sector to ensure students can access the Internet safely and securely.

The use of Chromebooks has been growing, with the devices popular in schools as they are a cost-effective way of giving students Internet access. While the Internet offers many learning opportunities, it is important to protect students from threats and web content that could cause them harm.

Schools should implement controls to restrict access to inappropriate content as well as block threats such as phishing, malware, and ransomware.  WebTitan OTG for Chromebooks makes that a very quick and simple process.

WebTitan OTG (on-the-go) for Chromebooks allows IT professionals in the education sector to apply web filtering controls for individuals, school years, all students, and separate controls for staff members. From start to finish, set up takes just a few minutes.

Administrators have precision control over the content that can be accessed, allowing them to easily comply with state and federal laws, including the Children’s Internet Protection Act (CIPA).

WebTitan OTG for Chromebooks is a DNS-based web filter that filters the Internet before any content is downloaded. As such, there is no latency, regardless of where the Internet is accessed – in the classroom, at home, or elsewhere.

No hardware is required, there are no proxies or VPNs, and administrators have full visibility into Internet access, including locations, web pages visited, and attempts made to visit restricted content.

Key Features of WebTitan OTG for Chromebooks

  • Cost effective web filtering for schools.
  • Easy to install and manage remotely.
  • Full reporting across Chromebook users and locations.
  • User level policies.
  • No additional on-premises hardware required.
  • No slow & expensive VPNs or Proxies required.
  • Chromebooks can be locked down to avoid circumvention.
  • Fast, customizable & accurate DNS filtering.

Using WebTitan OTG for Chromebooks provides an effective way to apply filtering policies to your Chromebooks from the cloud.

“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

Babuk Ransomware Among new Cyberattack Threats in 2021

2021 has, so far, seen a massive rise in the introduction of new strains of ransomware being used to infiltrate the networks of enterprise organizations.

This represents a shift in the tactics of cybercriminals, who spent most of 2020 trying to take advantage of workers who were forced into unsecured home-working environments by the COVID-19 pandemic. In the opening months of 2021 there has been a clear surge in the number of attacks concentrating on employees who are slowly returning to large office settings.

One such strain of ransomware is called Babuk. Individuals whose data has been encrypted receive a demand for a $60k-$85k ransom to be transferred in order for the private keys that remove the encryption to be handed over. Babuk, while similar to regular ransomware campaigns, includes a number of characteristics designed specifically with companies as the target.

Babuk disables many of the backup features available in Windows. The first feature to be made redundant is the Volume Shadow Copy Service (VSS), used to take backups of files in use. With this feature disabled, users cannot retrieve their current active files. It also disables the file locking mechanisms used on open and active files. For businesses using backup features in Microsoft Office, Babuk also turns off those features.
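Disabling VSS and other recovery features leaves traces in process-creation telemetry, and that is where a defender can catch this stage before encryption starts. The Python below is an added example, not code from the article or from TitanHQ: it runs a handful of generic backup-tampering indicators over constructed process-creation records and also notes when the parent process was launched from a user-writable location (the temporary and LocalAppData folders named in the ransomware mitigation list later on this page). The command-line patterns are common ransomware indicators seen across many families; the article only states that Babuk disables VSS, so treating these as the relevant signatures is an assumption of the example, not a description of Babuk's own commands. The log format and all records are constructed.

```python
import re
from dataclasses import dataclass

# Command-line indicators of tampering with Windows backup and recovery features.
# Assumption for this example: these general ransomware indicators are the
# right signatures for the behaviour the article describes; they are not
# taken from any analysis of Babuk itself.
INDICATORS = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vss_service_stop", re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\s+vss\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
]

# A parent image launched from a user-writable location is an independent second signal.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\temp\\", "\\downloads\\")


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    indicator: str
    suspicious_parent: bool
    command_line: str


def parse_line(line):
    """Constructed pipe-separated format: timestamp|host|user|parent_image|command_line."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "host", "user", "parent", "command_line"), parts))


def match_indicators(command_line):
    """Names of every indicator whose pattern matches the command line."""
    return [name for name, rx in INDICATORS if rx.search(command_line)]


def parent_is_user_writable(parent_image):
    lowered = parent_image.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def scan(lines):
    """Emit one Alert per (record, indicator) pair; benign lines produce nothing."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name in match_indicators(rec["command_line"]):
            alerts.append(Alert(rec["timestamp"], rec["host"], rec["user"], name,
                                parent_is_user_writable(rec["parent"]), rec["command_line"]))
    return alerts


def hosts_with_burst(alerts, distinct_indicators=2):
    """Hosts showing several different tampering indicators: a far stronger signal
    than one command in isolation, which an administrator might run legitimately."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.indicator)
    return sorted(h for h, inds in seen.items() if len(inds) >= distinct_indicators)


# Constructed process-creation records, not real telemetry. The SRV-BK01 line is a
# legitimate backup-server query and must not alert.
SAMPLE_LOG = r"""
2021-03-02T09:14:03Z|WS-042|CORP\jdoe|C:\Windows\explorer.exe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\jdoe\Documents\budget.docx"
2021-03-02T09:16:41Z|WS-042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\update.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
2021-03-02T09:16:42Z|WS-042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\update.exe|cmd.exe /c bcdedit /set {default} recoveryenabled no
2021-03-02T09:16:43Z|WS-042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\update.exe|net stop vss /y
2021-03-02T09:20:10Z|SRV-BK01|CORP\svc_backup|C:\Windows\System32\svchost.exe|vssadmin.exe list shadows
2021-03-02T09:31:55Z|WS-017|CORP\asmith|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|wmic shadowcopy delete
""".strip().splitlines()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        flag = "user-writable parent" if a.suspicious_parent else ""
        print(f"{a.timestamp} {a.host} {a.user} {a.indicator} {flag}")
    print("hosts with a tampering burst:", hosts_with_burst(found))
```

The burst check is what separates an incident from noise: a single shadow-copy deletion on a backup server may be routine housekeeping, whereas three different recovery features being disabled within seconds on one workstation, by a binary running out of a Temp folder, is the pattern this section describes.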

Babuk then moves on to encrypting the database. This is completed by double-encrypting files that are smaller than 41MB; files larger than this are split prior to encryption. The encryption cipher being used is ChaCha8, which is generated from a SHA-256 hash – a cryptographically secure hashing algorithm. Unlike normal ransomware, Babuk only uses one private key, as it is focused on infiltrating enterprise users.

There are a couple of ways that you can prepare for Babuk trying to attack and encrypt your databases. You will mitigate some of the danger by placing your own encryption on particularly important files, which will prevent Babuk from doing the same. Additionally, using a cloud backup will mean that there are backups available for you to restore your information without handing over a ransom.

Monitoring software will weed out suspicious traffic on the network and, in doing so, prevent malware from encrypting files or exfiltrating data. System administrators will then be made aware of this and review the activity in question to gauge the threat level. Another strong security measure is using email filters with artificial intelligence (AI) that will allow you to spot potentially dangerous messages and attachments. They can then be quarantined and reviewed by an administrator. This method cuts out the possibility of human error leading to a malicious file being downloaded and initiating an encryption process.

Training and user education will also assist in preventing human error by providing staff with the knowledge required to spot threats. They will also be able to warn administrators about potential attacks and avoid running attachments on their local devices.

SpamTitan Email Security is a strong cybersecurity solution that will assist greatly in bringing the risk of network infiltration down to an acceptable and manageable level. Contact SpamTitan now to enquire about a free trial and witness the strength and value of the solution for yourself.

Teachers the Focus of New Phishing Attacks

A recently discovered phishing attack is attempting to insert itself into messages sent between students and teachers. In the campaign, an email is spoofed to look like it was sent from the parent of a student; however, it includes an attachment with a malicious macro. The message informs the teacher that an earlier message with a student assignment did not successfully reach their inbox.

It appears that the phishers came into possession of a directory of teacher email addresses via faculty contact lists available on a school website. The message looks extremely authentic as it includes the teacher’s name. Once the malicious file is opened, the macro downloads the ransomware executable files.

Some new tactics seen in this campaign include an SMS alerting the phisher once a recipient downloads the file, and the use of the Go programming language to create the malicious file. Files encrypted by the ransomware are listed in a text file named “About_Your_Files.txt” stored on the user’s desktop.

Schools are an attractive target for phishers as they typically do not have large funds to invest in cybersecurity. However, there are a number of measures that schools should introduce, as a minimum, to prevent attacks like this from infiltrating their databases.

Email filters will block ransomware attachments before they reach targeted user inboxes. They spot malicious messages and files and place them in a quarantine folder, where they can be reviewed by a system administrator to see if they are a false positive. If so, the mail can be sent on to the intended recipient.

Backups come into play once a database has been encrypted. They allow schools and other organizations to restore data without handing over any requested ransom. Best practice in this regard is to store backups off-site. Cloud backups are primarily used in the disaster recovery strategies required after a ransomware attack. Training and user education is another security measure. Cybersecurity training will help teaching staff identify the telltale signs of a phishing email and cut off the attack as soon as it begins.

The vast majority of schools have begun to implement digital means of communicating and working with students and parents. This is a very efficient way of corresponding and has allowed education to continue during the COVID-19 enforced lockdowns. However, it also brings new challenges for educational bodies. Cybersecurity may have been a minimal concern ten years ago, but now it needs to be tackled head on to avoid students and staff becoming the victims of hackers.

One very useful tool is WebTitan on-the-go (OTG) for Chromebooks. This allows your organization to safeguard all of your Chromebook users from the dangers associated with online usage. This security solution has been specifically created with the education sector in mind. Along with supporting CIPA compliance, it is an inexpensive security filtering solution for Chromebooks.

Schools implementing the WebTitan Chromebook client can simply apply policies to all of their Chromebook users by group.

Hackers Infiltrate Passwordstate Notification Letters to Spread Malware

A cybercriminal group has managed to leverage email alerts, sent to notify users of an available update, in order to infect databases with malware.

The software update feature of the Passwordstate password manager was compromised to attack enterprise users of the solution. The supply chain attack also targeted account holders with malware known as Moserpass at different points from April 20 to April 22.

Anyone who sought to avail of an update using the In-Pass Upgrade mechanism was potentially in receipt of the malicious file downloaded titled file.

If the file was installed, it kicked off a chain of events allowing Moserpass to become active and gather valuable information on any linked device or network, along with password data from the Passwordstate app. The malware also had a loader feature which may allow the download of other malware strains onto victims’ devices. Because passwords may have been stolen, impacted users have been warned to change all of their passwords.

While the cyberattack was mitigated in less than 30 hours, users were issued a request from Click Studios, the developer of the password app, to apply a hotfix to remove the malware from their systems. Sadly, having discovered the request being shared via social media platforms, the hackers sent a near-identical email as a phishing campaign, providing a link to a website that they controlled. Instead of a fix to remove the Moserpass malware, an updated version of Moserpass was delivered to anyone unfortunate enough to fall for the scam.

The emails were, naturally enough, extremely realistic, and recipients who followed the instructions would likely think they were removing malware when they were actually downloading it. The fake versions of the emails do not include a domain suffix used by Click Studios, request that the hotfix is installed from a subdomain, and claim an ‘urgent’ update is necessary to fix a bug, but it is easy to see how these messages could trick end users.
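The three tells just listed (a sender domain that is not the vendor's, a download link on an unexpected host, and urgency language) can be checked mechanically before anyone clicks, which is useful when a vendor's real notification is circulating alongside a forgery. The Python below is an added example and is not code from TitanHQ, Click Studios or the article. The article does not give Click Studios' actual sending domain or download hosts, so `vendor.example` and the allowlisted download hosts are placeholders for an organisation's own record of a vendor's known-good domains; both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Placeholders standing in for an organisation's own allowlist of a vendor's
# known-good domains. These are constructed values, not Click Studios' real domains.
EXPECTED_SENDER_DOMAIN = "vendor.example"
EXPECTED_DOWNLOAD_HOSTS = {"vendor.example", "www.vendor.example"}
URGENCY_CUES = ("urgent", "immediately", "within 24 hours", "asap")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(msg):
    """Domain part of the From address; the display name is ignored on purpose."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_notification(raw_message):
    """Return a list of findings; an empty list means the message passed every check."""
    msg = message_from_string(raw_message)
    findings = []

    domain = sender_domain(msg)
    if domain != EXPECTED_SENDER_DOMAIN:
        findings.append(f"sender domain {domain!r} is not the vendor's {EXPECTED_SENDER_DOMAIN!r}")

    text = body_text(msg)
    for url in URL_RE.findall(text):
        host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
        if host in EXPECTED_DOWNLOAD_HOSTS:
            continue
        # A host that merely contains the vendor's name is not the vendor's host;
        # only a true suffix match counts as one of its subdomains.
        if host.endswith("." + EXPECTED_SENDER_DOMAIN):
            findings.append(f"download link on unexpected vendor subdomain {host!r}")
        else:
            findings.append(f"download link on external host {host!r}")

    lowered = text.lower()
    for cue in URGENCY_CUES:
        if cue in lowered:
            findings.append(f"urgency cue {cue!r} in body")
            break
    return findings


# Constructed messages for the example; neither is a real Click Studios notification.
GENUINE_NOTICE = """\
From: Vendor Support <support@vendor.example>
To: admin@customer.example
Subject: Hotfix available for your installation
Content-Type: text/plain; charset="utf-8"

A hotfix is available for the issue reported last week.
Download it from https://www.vendor.example/downloads/hotfix.zip and apply it
during your next maintenance window.
"""

LOOKALIKE_NOTICE = """\
From: Vendor Support <support@vendor-support.example>
To: admin@customer.example
Subject: URGENT: apply hotfix now
Content-Type: text/plain; charset="utf-8"

Urgent: a bug has been found in your installation. Install the hotfix immediately
from https://hotfix.vendor.example.updates-cdn.example/fix.zip to stay protected.
"""


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_NOTICE), ("lookalike", LOOKALIKE_NOTICE)):
        print(label, "->", check_notification(raw) or ["no findings"])
```

The lookalike deliberately embeds the vendor's name inside a longer hostname; `endswith("." + EXPECTED_SENDER_DOMAIN)` is what stops that from passing as a vendor subdomain, and it is the same check a reader should make by eye on the rightmost labels of a link.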

Click Studios provided password management services for approximately 29,000 companies and the solution has hundreds of thousands of users, many of whom will have heard of the breach and be worried about a malware infection. Click Studios said only a very small number of its customers were affected and had the malware installed – those who downloaded the update in the 28-hour period between April 20 and April 22 – but anyone receiving the fake email could well have been convinced that the email was genuine and implemented the download as directed.

It is a common tactic of cybercriminals to attempt to leverage fake security warnings to conduct attacks, and data breach notifications are perfect for use in phishing attacks. This Passwordstate breach notification phishing campaign shows how crucial it is to double check every message for any indication of phishing, even if the email content appears to be authentic and includes what look like the proper logos, and it also shows the dangers of posting copies of genuine breach notification letters on social media networks.

Many phishing attacks are complex by their nature, and it can be tricky for email recipients to spot what is genuine and what is malicious. This is why your organization requires an advanced spam and phishing security solution. If you want the best defenses against phishing, contact TitanHQ now and see how SpamTitan Email Security can enhance your security and keep your organization safe from phishing and other email-based attacks.

Malware Campaigns Being Shared Using Telegram Messaging Platform

The popularity of the Telegram messaging platform has grown a lot in recent years, with a massive migration of WhatsApp users jumping ship following amendments to that service’s privacy and data management policies.

In particular, Telegram has been widely used by hackers to conduct malware campaigns. Recently, a campaign has been discovered that distributes a new malware strain called ToxicEye. ToxicEye is a Remote Access Trojan (RAT) that gives hackers complete control of an infected device. The malware is used to exfiltrate sensitive data and download other malware strains.

The malware uses Telegram for its command and control communications. Through the hacker’s Telegram account, an infected device can be controlled using ToxicEye to steal data and deliver further malicious payloads.

Telegram is a popular messaging service with over 63 million downloads and approximately 500 million active users globally. In particular, there has been massive growth since the beginning of the COVID-19 pandemic, with the app being adopted by many businesses that use it to allow their remote workers to communicate and collaborate. The app supports secure, private messaging, and most companies allow Telegram to be used and do not block or audit communications.

Creating a Telegram account is simple and hackers can hide their identity. All that is needed to create an account is a mobile phone number, and the communication infrastructure permits hackers to easily steal data and send files to malware-infected devices unnoticed.

Telegram is also being used to distribute malware. Hackers can set up an account, use a Telegram bot to interact with other users and send files, and it is also possible to share files with non-Telegram users via phishing emails with malicious attachments. It is phishing emails that are being used to distribute ToxicEye malware. Emails are sent with a .exe file attachment, with one campaign using a file titled “paypal checker by saint.exe” to download the malware.

If the attachment is opened and executed, a connection is made to Telegram, which allows malware to be downloaded via the hacker’s Telegram bot. The attackers can carry out a variety of malicious activities once the malware is in place, with the main goals of the cybercriminals being gathering information about the infected device, locating and exfiltrating passwords, and exfiltrating cookies and browser histories.

ToxicEye malware can disable active processes and take control of Task Manager, capture audio and video, remove clipboard contents, and launch other malware strains – including keyloggers and ransomware.

TitanHQ has two solutions available that can safeguard your network and devices from ToxicEye and other Telegram-based phishing and malware campaigns. SpamTitan is a strong email security solution that will block malicious emails carrying the executable files that download the ToxicEye RAT and other malware. For even more security, SpamTitan should be combined with WebTitan web security. WebTitan is a DNS-based web filtering service that can be set up to prevent access to Telegram if it is not in use and to review traffic in real time to detect potentially dangerous messages.

To find out more about these solutions, how much it costs, and to register for a free trial, get in touch with TitanHQ now.

Phishing and Malware Distribution Campaigns focus on Discord

Cybercriminals have long targeted cloud-based instant messaging services that provide easy communication between users. One of these services recently leveraged by hackers is Discord. The platform is now being extensively used to spread phishing and malware.

Discord offers VoIP, instant messaging and digital distribution and, due to this, it was used by the gaming community before gaining popularity among a wider variety of users. 150 million users worldwide were registered during 2019 and the surge in membership has continued since then. Additionally, the service has for some time been used by cybercriminals, via the platform’s live chat feature, for selling and trading stolen data, for anonymous communications, and as C2 servers for communicating with malware-infected devices.

Throughout 2021, the service has been widely abused for sharing malware variants including information stealers, cryptocurrency miners, Remote Access Trojans, and ransomware.

Similar to other collaboration apps, Discord uses content delivery networks (CDNs) for storing files shared within channels. Hackers can place malicious files on Discord and create a public link for sharing, and that link can be shared with anyone, not just Discord users. The URL generated for sharing begins with Discord’s own domain, so anyone who is sent the link will see that it is for a legitimate site. While there are controls to stop malicious files from being uploaded, in a lot of cases hackers can bypass those protections and get their malicious files hosted, and alerts are not always shown to users about the risk of clicking on files from Discord. Since the malicious payloads are sent over encrypted HTTPS, the downloads can be masked from security solutions.

Additionally, once uploaded, the malware can be removed from a thread but it remains accessible via the public URL. Users are often fooled into installing these malicious files under the guise of pirated software or games. Gamers have been targeted as their PCs typically have a high specification for gaming, which makes them perfect for cryptocurrency mining.

This style of malware campaign means that malware developers and distributors can simply share their malicious payloads with a high degree of anonymity. A review by Zscaler discovered over 100 unique malware samples from Discord in the Zscaler cloud in just a two-month period. Another review of Discord CDN results discovered approximately 20,000 results on VirusTotal.

The Discord app is also easy to configure to carry out malicious actions. Malicious JavaScript code can simply be added to the legitimate Discord client files and can be set up to run every time the client is started or when specially crafted URLs are opened by the client.

Discord is not the sole communication and collaboration solution to be leveraged by hackers. Slack and Telegram are also being abused in phishing campaigns and for malware campaigns.

If you would like to enhance email security get in touch with TitanHQ now to discover more about these award-winning cybersecurity solutions.

DriveSure Clients Exposed Publicly as 3.2 Million Data Records Breached

Despite the fact that the vast majority of companies invest in training for their workforce and implement security measures to protect their networks and data from cybercriminals, security breaches still happen that expose huge amounts of sensitive data.

Recently, cybercriminals illegally obtained more than 3.2 million data records from DriveSure, a training site used to help car dealerships sell and retain customers. This data had been stored in the company’s MySQL database, and the credentials for that and other data points had been publicly exposed on the Internet.

DriveSure has millions of customers that subscribe for access to its training and course material. Those customers provided names, addresses, phone numbers, emails, vehicle VIN numbers, service records, and damage claims among many other pieces of information. The breach resulted in data from large corporate accounts being exposed and military addresses being compromised.

Earlier in 2021, experts discovered this information had been published on a number of hacking forums. While the majority of cybercriminals sell data like this for a profit, in this case the hackers did not seem interested in making money. Instead, the hacker made the entire database of stolen data available for free and did not request any payment. The attacker’s motives remain unclear, but actions like this are often a way for hackers to make a name for themselves and gain respect within the hacking community.

Whatever the motive, the data was made available free of charge on many hacking forums and was available to anyone who wanted to download the files. As more people downloaded the files, the data started to appear in other locations as other hackers started sharing the data. Any user who subscribed to DriveSure needs to make sure their passwords are changed.

Apart from the private sensitive data leaked online, the individual responsible for the DriveSure breach made over 93,000 bcrypt hashed passwords available for download. In a secure application, the developer stores a password as a hashed value with a salt to make it more difficult to recover. The bcrypt function is a standard for hashing passwords, so DriveSure used a cryptographically secure way to store passwords. Even so, downloaded password hashes can be brute forced offline, as the attacker can keep guessing for as long as they like with no restriction on the number of attempts.

The problem with having hashed passwords available is that a hacker can spend days running scripts against all of them. Any weak passwords can be brute forced, and many users employ the same password across multiple sites. Since email addresses are also available, an attacker can use scripts to take over accounts across multiple sites using the same passwords stolen from the DriveSure site. Further, while the company encrypted data according to compliance standards, much of the data was stored in plaintext.

With such a large amount of data available, it is certain to be used in phishing and email spoofing attacks. Cybercriminals will be able to create convincing phishing campaigns using information in the data set, so businesses need to be alert to the risk and should implement measures to block attacks. An email security solution such as SpamTitan can ensure the leaked database cannot be used in a phishing or email spoofing attack on the business, by ensuring those messages are blocked and not delivered to inboxes. Additionally, it is recommended to provide security awareness training to the workforce, teaching employees cybersecurity best practices such as not reusing passwords on multiple accounts and how to identify phishing attacks.

Phishing Emails & Hijacked Web Forms Used to Boost IcedID Malware Campaigns

Cybercriminals are constantly coming up with new ways to infiltrate databases in order to maximise the return on the investment they make in these attacks.

Even so, campaigns involving the use of spam and phishing emails remain the most commonly observed attack vectors for delivering malware. However, a new method has been identified recently in a campaign conducted by the threat group behind the IcedID banking Trojan and malware downloader. This new method involves hijacking contact forms on company web pages. Contact forms are a feature of the vast majority of websites and are used to gather information on website visitors for follow-up contacts. More often than not these forms have CAPTCHA security measures to safeguard the form from malicious campaigns.

Despite this, those responsible for the IcedID banking Trojan have discovered a workaround to avoid the CAPTCHA security measures and, due to this, have been able to use contact forms to deliver malicious emails. The emails the contact forms transmit are normally sent to inboxes that have whitelisted the form’s sender address. This means that they avoid email security gateways.

In the IcedID campaign, the contact forms are being used to send messages claiming the recipient is going to be subjected to legal action in relation to a copyright violation. The messages submitted claim the company has incorporated images on its web page without the image owner’s explicit authorization. The recipient is informed that legal action will commence if the images are not immediately removed from the website. The message also provides a hyperlink to a Google Site that lists details of the copyrighted images and proof that they are the intellectual property of the sender of the message.

If the hyperlink is visited to review the supplied evidence, the browser will download a zip file containing an obfuscated .js downloader that fetches the IcedID payload. Once IcedID is installed, it will deliver secondary payloads such as TrickBot, Qakbot, and Ryuk ransomware.

IcedID distribution has been on the rise recently, not only via this attack vector but also in phishing campaigns. A large-scale phishing drive has been discovered that employs a range of business-themed lures in phishing campaigns with Excel attachments that have Excel 4 macros that transmit the banking Trojan.

The surge in IcedID malware distribution is thought to be just one element of a campaign to infect large numbers of devices to build a botnet that can be rented out to other cybercriminal collectives under the malware-as-a-service model. Now that the Emotet botnet has been deactivated there is a gap in the market for something like this, and IcedID seems to be trying to take advantage of it.

If you would like to discover how you can safeguard your company from IcedID and other malware attacks at a reasonable price, contact TitanHQ as soon as you can to see why TitanHQ email and web security solutions are given 5-star recommendations by users for security, cost, simplicity, and customer service and support.

How Can You Prevent Email Impersonation Attacks on Your Businesses?

In 2020, ransomware attacks soared and phishing and email impersonation attacks were witnessed at worryingly high levels.

Cybersecurity specialists have calculated that the global cost to businesses of ransomware in 2020 came in at around $20bn. It has also been predicted that ransomware will remain the main attack vector of hackers for years to come, as it is a proven way of earning money for these groups.

The main focus of these attacks has always been large companies, due to the huge amounts of personal data they manage and the potential for using this in identity theft campaigns. Smaller companies are a less attractive target. However, they also manage considerable amounts of customer data, and attacks can still return a lot of money for hackers. While large enterprises are a lucrative target, they can be tricky to infiltrate as they invest so much in cybersecurity measures. As smaller enterprises do not have a large budget to invest in cybersecurity, they can have a number of weaknesses that make them much easier for hackers to infiltrate.

This is why small to medium enterprises are often targeted with phishing campaigns. Should a phishing email make it to an employee inbox, there is a good possibility that the message will be opened and important details will be compromised or malware will be downloaded.

The 2018 KnowBe4 Phishing Industry Benchmarking Report shows that, on average, the probability of an employee clicking on a malicious hyperlink or complying with another fraudulent request is 27%. That means roughly one in four employees will click a link in a phishing email or obey a fraudulent request.

In these phishing emails the sender of the message is spoofed so the email looks like it was sent from a known individual or company. The email will feature an authentic-looking email address on a known business domain. Without proper security measures configured, that message will land in inboxes and many staff members are likely to be tricked into sharing their credentials or opening an infected file which downloads malware. More often than not, they will not realize they have been tricked.

One way of blocking these phishing messages from landing in staff inboxes is to apply Domain-based Message Authentication, Reporting and Conformance (DMARC) rules. Simply put, DMARC builds on two technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

SPF is a DNS-based filtering security measure that helps to detect spoofed messages. SPF publishes the authorized sender IP addresses for a domain in its DNS records. Recipient servers carry out lookups on the SPF records to make sure that the sender IP is one of the authorized senders listed in the organization’s DNS records. If there is a match, the message is delivered to the requested inbox. If the check does not match, the message is rejected or quarantined.

DKIM involves the use of a cryptographic signature to prove who the sender is. That signature is created using the organization’s public key and is decrypted using the private key available to the email server. DMARC rules are then applied to either reject or quarantine messages that do not meet the authentication requirements. Quarantining messages is useful as it means network managers can review them to check that genuine emails have not been flagged by mistake.

Reports can be made available to monitor email activity, and network managers can see the number of messages that are being rejected or dropped. A sudden rise in the number of rejected messages indicates an attack is underway.

DMARC might appear complicated. However, if it is set up properly it will prove an invaluable security tool that defends against phishing and dangerous email content.
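As an added illustration of the receiver-side checks described above (example code written for this article, not a TitanHQ or SpamTitan implementation), the Python below evaluates a constructed SPF record against a sending IP and then applies the From: domain's DMARC policy. The domains, IP addresses and DNS records are made up, only the ip4/ip6 and all mechanisms of SPF are handled, and the DKIM verification result is taken as an input rather than computed.

```python
import ipaddress

# Constructed sample DNS TXT records for the hypothetical domains used here.
# A real receiver would fetch these with live DNS lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    # The attacker controls attacker.test and has published a valid SPF
    # record for it; this is what makes SPF alone insufficient.
    "attacker.test": "v=spf1 ip4:192.0.2.0/24 -all",
}

# SPF qualifier prefix -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain):
    """Evaluate the ip4/ip6 and 'all' mechanisms of the domain's SPF record
    against the connecting IP. Returns 'pass', 'fail', 'softfail', 'neutral'
    or 'none' when the domain publishes no SPF record. The include:, a: and
    mx: mechanisms are deliberately left out of this simplified checker."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def parse_dmarc(domain):
    """Return the tag=value pairs of _dmarc.<domain>, or {} if none."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def org_domain(domain):
    """Reduce a domain to its last two labels for relaxed alignment.
    This is a deliberate simplification; real receivers consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_disposition(from_domain, spf_result, envelope_domain,
                      dkim_result, dkim_domain):
    """Apply the DMARC policy published by the From: header domain.
    The message passes DMARC if SPF or DKIM passed AND the domain that
    passed is aligned with the From: domain. Otherwise the p= tag decides
    between 'quarantine' and 'reject'; p=none or no record means 'deliver'.
    The DKIM result is taken as an input here rather than verified."""
    policy = parse_dmarc(from_domain)
    if not policy:
        return "deliver"
    spf_ok = spf_result == "pass" and org_domain(envelope_domain) == org_domain(from_domain)
    dkim_ok = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    if spf_ok or dkim_ok:
        return "deliver"
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy.get("p"), "deliver")


def main():
    # Three constructed scenarios for a message whose From: header says example.com.
    cases = [
        ("legitimate server", "203.0.113.45", "example.com", "fail", ""),
        ("spoofed From, attacker's own SPF", "192.0.2.10", "attacker.test", "fail", ""),
        ("forwarded, SPF lost but DKIM intact", "192.0.2.10", "forwarder.test", "pass", "example.com"),
    ]
    for label, ip, envelope, dkim, dkim_dom in cases:
        spf = check_spf(ip, envelope)
        verdict = dmarc_disposition("example.com", spf, envelope, dkim, dkim_dom)
        print(f"{label:40} SPF={spf:8} DKIM={dkim:5} -> {verdict}")


if __name__ == "__main__":
    main()
```

The second scenario is the one the article warns about: the attacker's mail passes SPF for their own domain, and only the DMARC alignment check against the spoofed From: domain sends it to quarantine.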

TitanHQ’s anti-phishing and anti-spam service uses DMARC to prevent email impersonation attacks, in addition to advanced anti-malware features such as a Bitdefender-powered sandbox. For more details about tackling email impersonation in your organization, contact TitanHQ now.

Multiple Malware Variants Delivered with Gootloader Malware via SEO Poisoning

Recently, there has been rapid growth in the use of a JavaScript-based infection framework known as Gootloader, which is being used to deliver several different malware payloads. Gootloader has been used for distributing the Gootkit banking Trojan, REvil ransomware, Cobalt Strike, and the Kronos Trojan via compromised WordPress websites.

Those responsible for Gootloader target susceptible WordPress websites and generate hundreds of pages of fake content, often totally unconnected to the theme of the website. A wide variety of websites have been impacted across many industry sectors, including retail, education, healthcare, travel, music, and many more, with the common denominator that they all leverage the WordPress CMS.

It is not yet known how the WordPress sites have been infected. It is possible that the sites have not been updated to the most recent WordPress version or had vulnerable plugins that were targeted. Legitimate admin accounts could have been hacked using brute force tactics, or other methods may have been employed.

The content placed on the compromised sites takes the format of forum posts and fake message boards, providing answers to specific questions. The questions are mostly linked to certain types of legal agreements and other documents. A review of the campaign by eSentire researchers found the majority of the posts on the compromised websites included the word “agreement”. The posts feature a question, such as “Do I need a party wall agreement to sell my house?”, with a post added below using the exact same search term that users can click to download a template agreement.

These pages have very specific questions for which there are minimal search engine results, so when search engines crawl the websites, the content ranks highly in the SERPs for that specific search term. There may be relatively few people searching for these particular terms, but most of those that do are looking for a sample agreement and will download it and unwittingly install malware.

The malicious file downloaded by users is a JavaScript file hidden inside a Zip file. If that file is executed, the rest of the infection process takes place in memory, beyond the reach of traditional antimalware solutions. An autorun entry is established that loads a PowerShell script for persistence, which will ultimately be used to deliver whatever payload the threat actor wishes to put in place.

The content placed on the websites contains malicious code that displays the malicious forum posts only to visitors from certain locations, with an underlying blog post that at first appears authentic but is mostly gibberish. The blog post will be displayed to all visitors who are not being actively targeted. The campaign uses black hat SEO techniques to get the content listed in the SERPs, which will eventually be removed by the likes of Google; however, that process may take some time and new questions and answers are constantly being created to ensure Gootloader survives.

Preventing these attacks requires a range of security solutions and end user training. Downloading any document or file from the Internet comes with a risk of malware infection. That risk can be minimized by using a web filtering solution. Web filters will prevent access to websites that have been labelled as malicious and will perform a content review on new content. You can also configure a web filter to block downloads of certain file types, such as JavaScript files and Zip files.

Endpoints should be configured to show known file extensions, as this is not set by default in Windows. This will make sure that the file extension – .js – is displayed. End users should be advised not to open these files but, ideally, endpoints should be configured to prevent JavaScript and Visual Basic scripts from downloading and running files.

New Saint Bot Malware Dropper Shared using Phishing Emails

A new malware variant being referred to as Saint Bot malware is being distributed using phishing emails that feature a Bitcoin-themed lure. As Bitcoin values continue to surge upwards, it is thought that the lure will be more effective than ever and will fool many into opening the attached files to use the Bitcoin wallet.

The phishing emails inform the recipient that a Bitcoin wallet is in the included Zip file. The Zip file contains a text file with instructions and a LNK file that has an embedded PowerShell script. The PowerShell downloader installs an obfuscated .NET dropper and downloader, which then loads a BAT script that disables Windows Defender, along with the Saint Bot malware binary. If someone follows the instructions, it sets off a process that results in the Saint Bot malware being installed on the device.

A feature of the Saint Bot malware dropper is that it can deliver secondary payloads including information stealers, although it can be used to drop any strain of malware. This new strain was initially discovered by researchers at Malwarebytes. They found that there are no novel techniques at play with this malware; however, it appears that the malware is being continually developed. Currently, detections have been comparatively low, but Saint Bot malware could grow into a serious threat for email users.

Once installed, the malware checks whether it is running in a controlled environment and will remove itself if that is the case. Otherwise, the malware will communicate with its hard-coded command and control servers, send information collected from the infected system, and install secondary payloads on the infected device using Discord.

The malware is not characteristic of a particular threat group and could well be shared to multiple actors using darknet hacking forums, but it could well become a significant threat and be used in widespread campaigns to take advantage of the opportunity in the malware-as-a-service (MaaS) market created by the takedown of the Emotet Trojan.

Safeguarding your database from malware downloaders such as Saint Bot malware requires a defense in depth approach. The simplest method of preventing infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that spread the malware. Antivirus software should also be configured on all endpoints and set to update automatically, and communication with the C2 servers should be tackled using firewall rules.

Along with technical security, it is crucial to provide security awareness training to the workforce to help staff spot malicious emails and show them how to react when a possible threat is discovered.

IRS Phishing Scam Promising Tax Refunds targets Universities

The chance for cybercriminals to make massive profits by filing fake tax returns is significant, many times leading to refunds of thousands of dollars being processed by the U.S. Internal Revenue Service (IRS). Every year tax workers are sent a range of IRS phishing messages that seek to steal sensitive data that can be leveraged by the cybercriminals to steal identities and submit fraudulent tax returns using their victims’ details.

In 2021 many tax season phishing scams have been uncovered with subject lines such as “Tax Refund Payment” and “Recalculation of your tax refund payment” that try to trick recipients into opening the emails. The emails feature the authentic IRS logo and tell recipients that they qualify for an additional tax refund, but in order to receive the payment they must click a link and fill out a form. The form in question looks like a real form, with the page an exact replica of the IRS website, although the website on which the form is displayed is not an official IRS portal.

The form seeks a wide range of private personal information so that the refund can be processed. It requests the individual’s name, date of birth, Social Security information, driver’s license number, current address, and electronic filing PIN. For extra realism, the phishing portal also shows a popup notification saying “This US Government System is for Authorized Use Only”, which is the same warning message that is displayed on the genuine IRS website.

The cybercriminals appear to be focusing on universities and other educational bodies, both public and private, profit and nonprofit, with many of the reported phishing emails coming from staff and students with .edu email addresses.

Educational institutions should employ measures to mitigate the chance of their staff and students being tricked by these scams. Alerting all .edu account holders to the campaign is crucial, particularly as these messages are getting around Office 365 anti-phishing measures and are landing in inboxes.

Any educational entity that depends on Microsoft Exchange Online Protection (EOP) for preventing spam and phishing emails – EOP is the default protection provided free with Office 365 licenses – should strongly think about enhancing anti-phishing security with a third-party spam filter.

SpamTitan has been created to supply better protection for Office 365 environments. The solution is used alongside Office 365 and integrates easily with Office 365 email while greatly improving spam and phishing email security, and its dual antivirus engines and sandboxing provide excellent protection from malware.

To find out more about SpamTitan anti-phishing security for higher education institutions, get in touch with the SpamTitan team. You can avail of a free trial to allow you to assess the solution prior to deciding to buy it.

Extensive Amount of Personal Information Sought in new PayPal Phishing Scam

A new PayPal phishing scam has been discovered that tries to steal an extensive amount of personal data from victims by pretending to be a PayPal security warning.

Fake PayPal Email Alerts

The emails seem to have been issued from PayPal’s Notifications Center and inform users that their account has been temporarily closed due to an attempt to log into their account from a previously unknown browser or device.

The emails feature a hyperlink that users are advised to click to log in to PayPal to verify their identity. The email includes a “Secure and update my account now !” button that users are told to click. The hyperlink is a shortened address that brings the victim to a spoofed PayPal page on a hacker-controlled domain using a redirect mechanism.

If the link is visited, the user is shown a spoofed PayPal login. After entering PayPal account details, the victim is asked to enter a range of sensitive data to prove their identity as part of a “PayPal Security check”. The information must be provided to unlock the account, with the list of steps shown on the page along with the progress that has been made toward regaining access to the account.

At first the hackers ask for the user’s full name, billing address, and phone number. Then the user must share their credit/debit card details in full. The next page asks for the user’s date of birth, Social Security number, and ATM or debit card PIN, and finally the user is required to upload a proof of identity document, which must be a scan of a credit card, passport, driver’s license, or government-issued photo identification card.

Request for Excessive Data

This PayPal phishing campaign seeks an extensive amount of data, which should serve as an alert that all is not what it appears, especially the request to enter highly sensitive data including a Social Security number and PIN.

There are also indicators in the email that the request is not what it appears. The email is not sent from a domain linked with PayPal, the message begins with “Good Morning Customer” rather than the account holder’s name, and the notice at the bottom of the email advising the user to whitelist the sender if the email landed in the spam folder is poorly composed. However, the email has been written to get the recipient to act quickly to prevent financial loss. As with other PayPal phishing campaigns, many users are likely to be tricked into sharing at least some of their personal data.

Consumers need to always be extremely cautious and should never reply instantly to any email that warns of a security breach. Instead, they should stop and consider their next move before doing anything and carefully check the sender of the email and its text. To check whether there is a genuine issue with the account, the PayPal website should be visited by typing the proper URL into the address bar of the browser. URLs in emails should never be clicked.

To discover more about current phishing campaigns and some of the key security measures you can put in place to enhance your protection from these campaigns, get in touch with the SpamTitan team now.

Employees Password Sharing Policies

How many times have you received a phone call or an email from a manager in your organization requesting the password of an employee to allow them to log onto that employee’s email account?

This request is typically issued when an employee is on annual leave and a call is received from a client or co-worker wishing to know if they have completed a request sent before they left. More often than not a client has sent an email to their account manager before he or she went on vacation, but it was accidentally neglected.

Access to the email account is crucial to prevent embarrassment or to ensure that a sales opportunity is not missed. Maybe the specific employee has failed to configure their Out of Office reply and clients are not aware that they need to get in touch with a different person to get their questions addressed.

In years previously, managers used to maintain a log of all users’ passwords in a file on their computer. Should an emergency occur, they could discover the password and access any user account. However, this is dangerous. Nowadays this is not an acceptable thing to do. It also compromises the privacy of employees. If a password is known by any other person, there is nothing to prevent that person from using those login details any time they like. Since passwords are often used for personal accounts as well as work accounts, sharing that password could compromise the individual’s personal accounts also.

Keeping lists of passwords also makes it more difficult to take action over inappropriate internet and email usage. If a password has been shared, there is no way of establishing whether an individual has broken the law or breached company policy; it could have been someone else using that person's login credentials.

IT workers are therefore not allowed to share passwords. Instead they must reset the user's password, create a temporary one, and the user will need to reset it when they return to work. Many managers will be ill at ease with these procedures and will still want to maintain their lists. Workers will also be unhappy, as they often use their work email accounts to send personal emails. Resetting a password and granting a manager access could be perceived as a major invasion of privacy.

However, there is an easy solution that preserves the privacy of individuals while allowing forgotten Out of Office auto-responders to be created. Crucial emails will not go unnoticed either. To achieve this you can establish shared mailboxes, although these are not always popular.

If this is done in Outlook, a manager may need to set it up in their Outlook program. They will also need to show staff members how to use the shared mailboxes, and policies might need to be devised. They may have to permanently keep the mailboxes of multiple teams open in Outlook.

There is a different option, and that is to share permissions. This control is more difficult to set up as it requires an MS Exchange Administrator to grant Delegate Access. Delegate Access makes it possible for a person with the appropriate authorizations to send an email on behalf of another staff member. This means mailboxes do not have to be open all the time; they can be opened only when an email must be sent. This may be ideal, but it will not allow a manager to set up a forgotten Out-of-Office auto-responder.

That would mean a member of the IT department, such as a domain administrator, would have to create it. A ticket would need to be filed requesting that the action be completed. This may not be popular with managers, but it is the only way for the task to be completed without sharing the user's login credentials or creating a temporary password, which would breach their privacy.
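An added example (not from the original post) of how an Exchange administrator can handle the vacation case above without ever touching the user's password: it sets the forgotten Out of Office reply, grants Delegate Access so a colleague can send on behalf of the absent user, and lists the granted permissions so they can be revoked on the user's return. It assumes Exchange Online with the ExchangeOnlineManagement module; the admin, user and colleague addresses are placeholders.

```powershell
# Added example, not the page's own procedure. Assumes Exchange Online,
# the ExchangeOnlineManagement module, and an Exchange Administrator role.
# alice@example.com (on leave) and bob@example.com (covering) are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

$Away   = 'alice@example.com'
$Cover  = 'bob@example.com'
$Return = (Get-Date).AddDays(14)
$Notice = "I am out of the office until $($Return.ToShortDateString()). Please contact $Cover."

# 1. Set the missed Out of Office reply on the user's behalf.
#    The Scheduled state switches it off automatically on the return date.
Set-MailboxAutoReplyConfiguration -Identity $Away `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date) -EndTime $Return `
    -InternalMessage $Notice -ExternalMessage $Notice `
    -ExternalAudience All

# 2. Delegate Access: the covering colleague may send "on behalf of" the
#    absent user. Recipients see both names, so accountability is preserved.
Set-Mailbox -Identity $Away -GrantSendOnBehalfTo @{Add = $Cover}

# 3. Optional read access for the cover period only. AutoMapping $false stops
#    Outlook from permanently adding the mailbox to the colleague's profile.
Add-MailboxPermission -Identity $Away -User $Cover `
    -AccessRights FullAccess -AutoMapping $false

# 4. Review: every explicit (non-inherited, non-self) grant on the mailbox,
#    so delegated access is visible and can be revoked later.
Get-MailboxPermission -Identity $Away |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights

# 5. Revoke when the employee returns (run these two lines at that time).
# Remove-MailboxPermission -Identity $Away -User $Cover -AccessRights FullAccess -Confirm:$false
# Set-Mailbox -Identity $Away -GrantSendOnBehalfTo @{Remove = $Cover}
```

Because nothing here changes the user's password, the delegate's actions remain attributable to the delegate in the mailbox audit trail rather than to the absent employee.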

Organizations must tackle an ever-growing threat from hackers. In 2019 and 2020, we witnessed many high-profile data breaches, leading to significant financial repercussions and damaged brand reputations. Password sharing at work carries a huge risk for organizations: 81% of breaches begin with stolen or weak passwords. Once cybercriminals gain entry to your database, shared passwords make it easier for them to access other sections of your network.

Multi-Factor Authentication to Prevent Password Sharing

When MFA is configured, access is only granted after the user completes two authentication factors. For instance, they first enter their password and then must complete a second authentication request, such as a code sent to a device. Multi-factor authentication, like any security process, works best when employed alongside other security strategies.

If a complete ban on password sharing is not in place in your organization, it should be set up as soon as possible. To discover more about password security and some of the key protections you can implement to enhance your resilience against attacks, contact the SpamTitan team now.

Three Expert Insights 2021 Best-Of Awards for TitanHQ

TitanHQ has been recognized for its email security, web security, and email archiving solutions, receiving three awards from Expert Insights.

Expert Insights was created in 2018 to help companies identify cybersecurity solutions to safeguard their networks and devices from an ever-increasing number of cyber threats. Identifying cybersecurity solutions can be a long process, and the insights and information made available by Expert Insights considerably shorten it. Unlike many resources listing the best software solutions, Expert Insights carries ratings from verified users of the products, giving readers valuable insight into how simple the products are to use and how effective they are at preventing threats. Expert Insights has helped more than 100,000 businesses choose cybersecurity solutions, and the website is used by over 40,000 people every month.

Once a year, Expert Insights recognizes the best and most innovative cybersecurity solutions available in its "Best-Of" Awards. The editorial team at Expert Insights reviews vendors and their products against a variety of criteria, such as technical features, ease of use, market presence, and reviews by verified users of the solutions. Every product is reviewed by technology experts to decide the winners in a broad range of categories, including cloud, email, endpoint, web, identity, and backup cybersecurity.

Craig MacAlpine, CEO and Founder, Expert Insights said: "2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime. Expert Insights' Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime."

Three TitanHQ cybersecurity products were named winners in Expert Insights' 2021 "Best-Of" Awards, in the Email Security Gateway, Web Security, and Email Archiving categories. SpamTitan took the title for Best Email Security Gateway, WebTitan won the Web Security award, and ArcTitan was picked as the winner in the Email Archiving category. SpamTitan and WebTitan were acknowledged for the level of security they provide while being among the simplest to use and most cost-effective solutions in their respective categories.

All three products are consistently identified as best in class for the level of protection they provide and are a big hit with enterprises, SMBs, and MSPs. The solutions have received many 5-star reviews from real users on the Expert Insights site and many other review portals, including Capterra, GetApp, Software Advice, Google Reviews, and G2 Crowd. The cybersecurity solutions are now deployed by more than 8,500 companies and over 2,500 MSPs.

Ronan Kavanagh, CEO, TitanHQ said: “The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy. We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”

Caution Advised as All Devices on the Network Can Be Automatically Infected by Ryuk Ransomware

One of the most dangerous ransomware groups has modified the ransomware it uses, adding worm-like capabilities that allow it to self-propagate and spread to other devices on the local network.

Ryuk ransomware first appeared in the summer of 2018 and has evolved into one of the most serious ransomware strains. The attacks are thought to be conducted by an Eastern European threat group known as Wizard Spider, aka UNC1878.

In 2020, Ryuk ransomware was used in attacks on large organizations and companies. While some ransomware gangs opted to leave frontline healthcare organizations out of their attacks, that was not the case with Ryuk. In fact, the threat group launched a major campaign specifically targeting the healthcare sector in the United States. In October 2020, the gang targeted 6 U.S. hospitals in a single day. Had security experts not discovered a plan by the gang to attack around 400 hospitals, the campaign would have been far more successful.

The ransomware remediation company Coveware reported that Ryuk was the third most prolific ransomware strain in 2020 and was deployed in 9% of all ransomware attacks. A review of the Bitcoin wallets linked to the gang suggests more than $150 million in ransoms has been transferred to the group.

Ryuk ransomware is constantly being updated. The Ryuk gang was one of the first ransomware operators to adopt the double-extortion tactics first used by the operators of Sodinokibi and Maze ransomware, which involve stealing data before encryption and threatening to publish or sell the stolen data if the ransom is not paid.

Ryuk ransomware was also modified to allow it to attack and encrypt the drives of remote computers. The ransomware reads the ARP table on a compromised device to obtain a list of IP addresses and MAC addresses, and a Wake-on-LAN packet is sent to those devices to power them on so that they can be encrypted.

The most recent update was first seen by the French national cybersecurity agency ANSSI during an incident response engagement it handled in January. ANSSI discovered that the latest strain has worm-like capabilities that allow it to propagate automatically and infect all devices within the Windows domain. Every reachable device on which Windows RPC access is possible can be attacked and encrypted.

Ryuk is a human-operated ransomware strain, but the new update greatly reduces the manual tasks that need to be completed. This will allow the group to carry out a greater number of attacks and will cut the time from infection to encryption, giving security teams even less time to identify and respond to an attack in progress.

While various methods are used for initial access, Ryuk ransomware is usually delivered by a malware dropper such as Emotet, TrickBot, Zloader, Qakbot, Buer Loader, or Bazar Loader. These droppers are distributed via phishing and spear phishing emails. Approximately 80% of Ryuk ransomware attacks use phishing emails as the initial attack vector.

Once a device has been compromised it is often too late to spot and stop the attack before data theft and file encryption, especially since the attacks normally take place overnight and at weekends when IT teams are thinly staffed. The best defense is to block the initial attack vector: the phishing emails that deliver the malware droppers.

Having an advanced spam filtering solution in place is crucial for preventing Ryuk ransomware attacks. By spotting and quarantining the phishing emails and blocking them from reaching inboxes, the malware droppers that deliver Ryuk never get installed.

To prevent these attacks, think about augmenting your email security tactics with SpamTitan. SpamTitan is an award-winning email security solution that will prevent phishing emails that deliver malware downloaders.

To discover more, call the SpamTitan team or start a free trial of the solution now.