titanadmin - Page 10
by titanadmin | Dec 15, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam News, Spam Software |
Antivirus software vendor Symantec has detected a massive spam email campaign that is spreading Adwind RAT variants. While the Adwind RAT may sound like relatively harmless adware, that could not be further from the truth.
The latest Adwind RAT variants have a wide range of malicious functions, and serve as keyloggers that can record login credentials and monitor user activity, take screenshots, hijack the microphone and webcam to record audio and video, and as if that was not enough, the Adwind RAT allows the attacker to download further malicious files.
As is now the norm, the emails spreading Adwind RAT variants are convincing and appear to be genuine communications from legitimate firms. At a time when parcels are likely to arrive in the mail, the attackers have chosen a particularly relevant ploy to maximize the chance of emails being opened. Notifications about parcels that could not be delivered.
Businesses are also being targeted with malicious attachments claiming to be account statements, invoices, purchase orders, and payment receipts. The emails are well written and appear to have been sent from legitimate firms.
The spam emails include two malicious email attachments, a JAR file and what appears to be a PDF file. In the case of the latter, it has a double file extension, which will appear as a PDF file if file extensions are not displayed. In reality, it is another JAR file. The files contain layers of obfuscation in an attempt to bypass antivirus controls.
If the JAR files are executed, they drop a further JAR file and run VBS scripts which launch legitimate Windows tools to investigate the environment, identify the firewall in use, and other security products installed on the device. They then set about disabling monitoring controls.
The timing of this Adwind RAT campaign is ideal to catch out as many people as possible. The festive period is a busy time, and the rush to find bargains and purchase presents online sees many Internet users let their guard down. Further, as many businesses close over the festive period it gives the attackers more time to explore networks.
Infection with the Adwind RAT can see sensitive data stolen, and login credentials obtained, email accounts to be pilfered and abused and access to be gained to corporate bank accounts. A single successful installation of the Adwind RAT can be devastating.
The AdWind RAT is one of 360,000 New Daily Threats
Of course, the Adwind RAT spam email campaign is just one example of a malicious actor spreading malware. One example from tens of thousands, each spreading different malware and ransomware variants.
Each day new campaigns are launched. Figures from Kaspersky Lab indicate 2017 has seen an astonishing 360,000 new malicious files detected each day.
While consumers must be alert to the threat from spam email, the threat to businesses is far greater. The threat is multiplied by the number of employees who have a work email account.
A single computer infected with malware is serious, although once a foothold has been gained, the infection can spread rapidly. Recent research by SafeBreach, published in the Hacker’s Playbook Findings Report, suggests that 70% of the time, hackers are able to navigate the network and move laterally once access has been gained. A single malware attack can turn into an organization-wide nightmare infection.
The recent ransomware attacks in the United States are a good example. A ransomware attack on the Mecklenburg County government in South Carolina resulted in 48 servers being taken out of action, and that attack was identified rapidly. The Texas Department of Agriculture experienced a similar attack that impacted 39 schools via its network connections.
It is now essential to implement a host of defenses to prevent malware attacks. One of the most effective defenses is to upgrade your spam filter to an advanced solution such as SpamTitan.
SpamTitan blocks more than 99.9% of spam emails and detects and blocks malware using dual anti-virus engines. SpamTitan not only scans messages for the presence of malware and malware downloaders, but also message content for the common signatures of spam and malicious links. When threats are detected, the emails are quarantined before they can do any harm.
If you have a spam filter, yet have still experienced an email-based malware or ransomware attack, now is the ideal time to switch providers and discover the difference SpamTitan can make. If you have yet to install a third-party spam filter, there is no time to lose. Take advantage of the free trial and start protecting your organization from email spam and malware attacks.
Call the TitanHQ team today for further information on SpamTitan, details of pricing, and for further details on how you can sign up for the no-obligation free trial. The knowledgeable sales team will be able to answer any questions you have.
by titanadmin | Dec 13, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
A particularly nasty new threat has emerged: Spider ransomware. The new crypto-ransomware variant was discovered by security researchers at Netskope on December 10, and the campaign is ongoing.
While many ransomware variants give victims a week to make contact and pay the ransom, the actors behind Spider ransomware are far less patient. If the ransom payment is not made within 96 hours of infection, the key to unlock files will be blocked and files will be permanently encrypted. Further, victims are warned “do not try anything stupid, the program has several security measures to delete all your files and cause damage to your PC.”
Naturally, that something stupid is not attempting to recover files from backups. If viable backups exist, victims will be able to recover their files without paying the ransom, but the warning may put off some victims from trying.
Such a short window for payment does not give victims much time. Many ransomware attacks occur on a Friday, and are only discovered when employees return to work on a Monday. Discovering a Spider ransomware attack in this scenario means businesses will have to act particularly quickly in order to avoid file loss.
While the threat is severe, the attackers have made it as easy as possible for victims to pay by providing a detailed help section. Payment must be made in Bitcoin via the Tor browser and detailed instructions are provided. The attackers say in the ransom note, “This all may seem complicated to you, actually it’s really easy.” They even provide a video tutorial showing victims how to pay the ransom and unlock their files. They also point out that the process of unlocking files is similarly easy. Pasting the encryption key and clicking on a button to start the decryption process is all that is required.
As with the majority of crypto-ransomware variants, Spider ransomware is being distributed by spam email. The emails use the hook of ‘Debt Collection’ to encourage recipients of the email to open the attachment. That attachment is a Microsoft Office document containing an obfuscated macro. If allowed to run, the macro will trigger the download of the malicious payload via a PowerShell script.
The latest Spider ransomware campaign is being used to attack organizations in Croatia and Bosnia and Herzegovina, with the ransom note and instructions written in Croatian and English. It is possible that attacks will spread to other geographical areas.
There is currently no free decryptor for spider ransomware. Protecting against this latest ransomware threat requires technological solutions to block the attack vector. If spam emails are not delivered to end user’s inboxes, the threat is mitigated.
Using an advanced cloud-based anti-spam service such as SpamTitan is strongly advisable. SpamTitan blocks more than 99.9% of spam emails ensuring malicious email messages are not delivered.
As an additional protection against ransomware and malware threats such as this, organizations should disable macros to prevent them from running automatically if a malicious attachment is opened. IT teams should also enable the ‘view known file extensions’ option on Windows PCs to prevent attacks using double file extensions.
End users should also receive security awareness training to teach them not to engage in risky behaviors. They should be taught never to enable macros on emailed documents, told how to recognize a phishing or ransomware emails, and instructed to forward messages on to the security team if they are received. This will allow spam filter rules to be updated and the threat to be mitigated.
It is also essential for regular backups to be performed, with multiple copies stored on at least two different media, with one copy kept on an air-gapped device. Backups are the only way of recovering from most ransomware attacks without paying the ransom.
by titanadmin | Dec 11, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam News, Spam Software |
A large-scale North Carolina ransomware attack has encrypted data on 48 servers used by the Mecklenburg County government, causing considerable disruption to the county government’s activities – disruption that is likely to continue for several days while the ransomware is removed and the servers are rebuilt.
This North Carolina ransomware attack is one of the most serious ransomware attacks to have been reported this year. The attack is believed to have been conducted by individuals operating out of Ukraine or Iran and the attack is understood to have involved a ransomware variant called LockCrypt.
The attack started when a county employee opened an email attachment containing a ransomware downloader. As is now common, the email appeared to have been sent from another employee’s email account. It is unclear whether that email account was compromised, or if the attacker simply spoofed the email address.
Opening the email and malicious attachment resulted in the installation of ransomware. The infection then spread to 48 of the 500 servers used by the county. A ransom demand of $23,000 was issued by the attackers, the payment of which would see keys supplied to unlock the encryption.
While many businesses pay the ransom demands to allow them to recover files quickly and limit disruption, Mecklenburg County refused to give in to the extortionist’s demands.
After the deadline for paying the ransom passed, the individuals behind the attack attempted another email-based attack on county employees although those attempts failed.
Recovery from the attack is possible without data loss as the county has backup files that were not encrypted in the attack; however, restoring data on all the affected servers will be a slow and laborious task and the county will continue to experience severe disruption to its services.
A similarly large-scale ransomware attack hit Texas school districts in October. The attack occurred at the Texas Department of Agriculture. The Texas Department of Agriculture overseas breakfast and lunch programs at Texas Schools and has access to computer networks used by Texas school districts.
Similarly, the attack involved a single employee being fooled into downloading ransomware by a phishing email. The ransomware spread across the network affecting 39 independent Texas schools, and potentially resulting in the exposure of hundreds of student records.
Such extensive ransomware attacks are becoming much more common. Rather than simply infecting one device, ransomware is now capable of scanning networks for other vulnerable devices and rapidly spreading laterally to affect multiple computers. In the case of the Texas Department of Agriculture ransomware attack, it was rapidly identified, but not in time to prevent it spreading across the network.
As these incidents show, all it takes is for a single employee to open a malicious email attachment for an entire network of computers and servers to be taken out of action. Even if the ransom demand is paid, recovery can be a slow and costly process.
Ransomware attacks are increasing, as is the sophistication of both the ransomware and the scams that fool employees into downloading the malicious software. Fortunately, it is possible to implement defenses against these attacks.
Both of these attacks could have easily been prevented with basic security measures – An advanced and effective spam filter to prevent malicious emails from being delivered to employees and an effective security awareness training program to raise awareness of the threat from ransomware and phishing emails.
Security awareness training and phishing email simulations can reduce susceptibility to email-based cyberattacks by up to 95% according to several anti-phishing training firms, while a spam filter such as SpamTitan can ensure that employees are not tested. SpamTitan blocks more than 99.9% of spam emails, ensuring ransomware and other malware-laced emails are quarantined so they can cause no harm.
To find out more about SpamTitan and how you can secure your organization and mount an impressive defense against email and web-based threats, call the TitanHQ team today.
by titanadmin | Nov 30, 2017 | Email Scams, Phishing & Email Spam, Spam Advice, Spam News, Spam Software, Website Filtering |
Black Friday deals and Cyber Monday discounts see consumers head online in droves looking for bargain Christmas presents, but each year many thousands of consumers are fooled by holiday season email scams. This year will be no different. Scammers are already hard at work developing new ruses to fool unwary online shoppers into parting with their credentials or installing malware.
In the rush to purchase at discounted rates, security awareness often goes out the window and cybercriminals are waiting to take advantage. Hidden among the countless emails sent by retailers to advise past customers of the latest special offers and deals are a great many holiday season email scams. To an untrained eye, these scam emails appear to be no different from those sent by legitimate retailers. Then there are the phishing websites that capture credentials and credit card numbers and websites hosting exploit kits that silently download malware. It is a dangerous time to be online.
Fortunately, if you take care, you can avoid holiday season email scams, phishing websites, and malware this holiday period. To help you stay safe, we have compiled some tips to avoid holiday season email scams, phishing websites and malware this festive period.
Tips to Keep You Safe This Holiday Season
In the run up to Christmas there will be scams aplenty. To stay safe online, consider the following:
Always carefully check the URL of websites before parting with your card details
Spoofed websites often look exactly like the genuine sites that they mimic. They use the same layouts, the same imagery, and the same branding as retail sites. The only thing different is the URL. Before entering your card details or parting with any sensitive information, double check the URL of the site and make sure you are not on a scam website.
Never allow retailers to store your card details for future purchases
It is a service that makes for quick purchases. Sure, it is a pain to have to enter your card details each time you want to make a purchase, but by taking an extra minute to enter your card details each time you will reduce the risk of your account being emptied by scammers. Cyberattacks on retailers are rife, and SQL injection attacks can give attackers access to retailer’s websites – and a treasure trove of stored card numbers.
Holiday season email scams are rife – Be extra vigilant during holiday season
While holiday season email scams used to be easy to detect, phishers and scammers have become a lot better at crafting highly convincing emails. It is now difficult to distinguish between a genuine offer and a scam email. Emails contain images and company branding, are free from spelling and grammatical errors, and the email requests are highly convincing. Be wary of unsolicited emails, never open email attachments from unknown senders, and check the destination URL of any links before clicking.
If a deal sounds too good to be true, it probably is
What better time than holiday season to discover you have won a PlayStation 4 or the latest iPhone in a prize draw. While it is possible that you may have won a prize, it is very unlikely if you haven’t actually entered a prize draw. Similarly, if you are offered a 50% discount on a purchase via email, there is a high chance it is a scam. Scammers take advantage of the fact that everyone loves a bargain, and never more so than during holiday season.
If you buy online, use your credit card
Avoid the holiday season crowds and buy presents online, but use your credit card for purchases rather than a debit card. If you have been fooled by a holiday season scam or your debit card details are stolen from a retailer, it is highly unlikely that you be able to recover stolen funds. With a credit card, you have better protections and getting a refund is much more likely.
Avoid HTTP sites
Websites secured by the SSL protocol are safer. If a website starts with HTTPS it means the connection between your browser and the website is encrypted. It makes it much harder for sensitive information to be intercepted. Never give out your credit card details on a website that does not start with HTTPS.
Beware of order and delivery confirmations
If you order online, you will no doubt want to check the status of your order and find out when your purchases will be delivered. If you recent an email with tracking information or a delivery confirmation, treat the email as potentially malicious. Always visit the delivery company’s website by entering in the URL into your browser, rather than clicking links sent via email. Fake delivery confirmations and parcel tracking links are common. The links can direct you to phishing websites and sites that download malware, while email attachments often contain malware and ransomware downloaders.
Holiday season is a busy, but take your time online
One of the main reason that holiday season email scams are successful is because people are in a rush and fail to take the time to read emails carefully and check attachments and links are genuine. Scammers take advantage of busy people. Check the destination URL of any email link before you click. Take time to think before you take any action online or respond to an email request.
Don’t use the same password on multiple websites
You may choose to buy all of your Christmas gifts on Amazon, but if you need to register on multiple sites, never reuse your password. Password reuse is one of the easiest ways that hackers can gain access to your social media networks and bank accounts. If there is a data breach at one retailer and your password is stolen, hackers will attempt to use that password on other websites.
Holiday season is a time for giving, but take care online and when responding to emails to make sure your hard-earned cash is not given to scammers.
by titanadmin | Nov 30, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam News |
A spam email campaign has been detected that is distributing a form of Cobalt malware. The attackers use the Cobalt Strike penetration testing tool to take full control of an infected device. The attack uses an exploit for a recently patched Microsoft Office vulnerability.
The spam emails appear to have been sent by Visa, informing the recipient about recent changes to its payWave service. The emails contain a compressed file attachment that is password-protected. The password required to extract the contents of the zip file is contained in the body of the email.
This is an apparent attempt to make email recipients believe Visa had included security controls to prevent unauthorized individuals from viewing the information in the email – a reasonable security measure for a financial communication. Also contained in the email is a RTF file that is not password protected. Opening that file will launch a PowerShell script that will download a Cobalt Strike client that will ultimately give the attackers full control of the infected device.
The attackers leverage a vulnerability in Microsoft Office – CVE-2017-11882 – which was patched by Microsoft earlier this month. The attackers use legitimate Windows tools to execute a wide range of commands and spread laterally across a network.
The campaign was detected by researchers at Fortinet, who report that by exploiting the Office flaw, the attackers download a Cobalt Strike client and multiple stages of scripts which are then used to download the main malware payload.
The flaw has existed in Office products for 17 years, although it was only recently detected by Microsoft. Within a few days of the vulnerability being detected, Microsoft issued a patch to correct the flaw. Within a few days of the patch being released, threat actors started leveraging the vulnerability. Any device that has a vulnerable version of Office installed is vulnerable to attack.
This campaign shows just how important it is for patches to be applied promptly. As soon as a vulnerability is disclosed, malicious actors will use the vulnerability in attacks. When patches are released, malicious actors get straight to work and reverse engineer the patch, allowing them to identify and exploit vulnerabilities. As these attacks show, it may only take a few hours or days before vulnerabilities are exploited.
The recent WannaCry and NotPetya malware attacks showed just how easy it is for vulnerable systems to be exploited. Both of those attacks leveraged a vulnerability in Windows Server Message Block to gain access to systems. A patch had been released to address the vulnerability two months before the WannaCry ransomware attacks occurred. Had patches been applied promptly, it would not have been possible to install the ransomware.
Protecting against this Cobalt malware campaign is straightforward. Users simply need to apply the Microsoft patch to prevent the vulnerability from being exploited. Using a spam filter such as SpamTitan is also recommended, to prevent malicious emails from reaching end users’ inboxes.
by titanadmin | Nov 29, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam News |
Millions of spam emails containing Scarab ransomware have been detected over the past few days. The massive spam campaign is being conducted using the Necurs botnet – one of the largest botnets currently in use.
The Necurs botnet has been active for at least five years and now contains more than 6 million zombie computers that are used to send masses of spam emails. Necurs has previously been used to send banking Trojans and many other forms of malware, although recently, the operators of the botnet have turned to spreading ransomware, including Locky.
The latest campaign saw the Necurs botnet send out spam emails to more than 12.5 million email accounts in the space of just 6 hours, with individuals in the United States, France, Germany, Australia, and the UK targeted.
The emails were typical of other phishing campaigns conducted in recent months. The emails appear to have been sent from well known, trusted brands to increase the likelihood of the malicious attachments being opened. This campaign spoofs printer manufacturers such as HP, Canon, Lexmark and Epson.
The emails contain a 7zip file attachment which claims to be a scanned document, with the subject line “Scanned from [Printer company]. The zip file contains a VBScript which, if run, will download Scarab ransomware.
Scarab ransomware is a relatively new ransomware variant, first detected over the summer. While most ransomware variants have a fixed price for obtaining the key to unlock the encryption, the authors of Scarab ransomware do not ask for a specific amount. Instead, the ransom payment depends on how quickly the victim responds.
As with the NotPetya wiper, users are required to make contact with the attackers via email. This method of communication has caused problems for victims in the past, as if the domain is taken down, victims have no method of contacting the attackers. In this case, an alternative contact method is provided – victims can also contact the attackers via BitMessage.
Even though Scarab ransomware is unsophisticated, it is effective. There is no free decryptor available to recover files encrypted by Scarab ransomware. Recovery without paying the ransom is only possible if backups of the encrypted files exist, and if the backup has not also been encrypted.
Scarab ransomware is believed to be the work of relatively small players in the ransomware arena. However, the scale of the campaign and the speed at which the spam emails are being sent shows that even small players can conduct massive, global ransomware campaigns by teaming up with the operators of botnets.
By using ransomware-as-a-service, anyone can conduct a ransomware campaign. Ransomware can be hired on darknet forums for next to nothing and used to extort money from businesses. More players mean more ransomware attacks, and the ease of conducting campaigns and the fact that many victims pay up, mean ransomware is still highly profitable.
Security experts are predicting that 2018 will see even more ransomware attacks. AV firm McAfee has predicted that next year will see cybercriminal gangs step up their attacks and target high-net worth individuals and small businesses, while the campaigns will become more sophisticated.
With the threat likely to increase, businesses need to ensure that they have solutions in place to prevent ransomware from being delivered to end users. By implementing an advanced spam filtering solution, businesses can ensure that phishing and spam emails do not get delivered to end users, mitigating the threat from ransomware. Fail to block malicious emails, and it will only be a matter of time before an employee responds, opens an infected email attachment, and installs ransomware on the network.
If you are looking for the best spam filter for business use, contact the TitanHQ team today for further information on SpamTitan.
by titanadmin | Nov 20, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam Software |
All organizations should take steps to mitigate the risk of phishing, and one of those steps should be training employees how to spot a phishing email. Employees will frequently have their phishing email identification skills put to the test.
Since all it takes is for one employee to fall for a phishing scam to compromise a network, not only is it essential that all employees are trained how to spot a phishing email, their skills should assessed post-training, otherwise organizations will not know how effective the training has been.
How Common are Phishing Attacks?
Phishing is now the number one security threat faced by businesses in all sectors. Research conducted by the security awareness training company PhishMe suggests that more than 90% of cyberattacks start with a phishing or spear phishing email. While all industry sectors have to deal with the threat from phishing, the education and healthcare industries are particularly at risk. They are commonly targeted by scammers and spammers, and all too often those phishing attacks are successful.
The Intermedia 2017 Data Vulnerability Report showed just how common phishing attacks succeed. Workers were quizzed on security awareness training and successful phishing attacks at their organizations. 34% of high level execs admitted falling for a phishing scam, as did 25% of IT professionals – Individuals who should, in theory, be the best in an organization at identifying phishing scams. The same study revealed 30% of office workers do not receive regular security awareness training. 11% said they were given no training whatsoever and have not been taught how to spot a phishing email.
Overconfidence in Phishing Detection Capabilities Results in Data Breaches
Studies on data breaches and cybersecurity defenses often reveal that many organizations are confident in their phishing defenses. However, many of those companies still suffer data breaches and fall for phishing attacks. Overconfidence in phishing detection and prevention leaves many companies at risk. This was recently highlighted by a study conducted by H.R. Rao at the University of Texas at San Antonio. Rao explained that many people believe they are smarter than phishers and scammers, which plays into the scammers’ hands.
Training Should be Put to The Test
You can train employees how to spot a phishing email, but how can you tell how effective your training has been? If you do not conduct phishing simulation exercises, you cannot be sure that your training has been effective. There will always be some employees that require more training than others and employees that do not pay attention during training. You need to find these weak links. The best way to do that is with phishing simulation exercises.
Conduct dummy phishing exercises and see whether your employees are routinely putting their training into action. If an employee fails a phishing test, you can single them out to receive further training. Each failed simulation can be taken as a training opportunity. With practice, phishing email identification skills will improve.
How to Spot a Phishing Email
Most employees receive phishing emails on a daily basis. Some are easy to identify, others less so. Fortunately spam filters catch most of these emails, but not all of them. It is therefore essential to train employees how to spot a phishing email and to conduct regular training sessions. One training session a year is no longer sufficient. Scammers are constantly changing tactics. It is important to ensure employees are kept up to speed on the latest threats.
During your regular training sessions, show your employees how to spot a phishing email and what to do when they receive suspicious messages. In particular, warn them about the following tactics:
Spoofed Display Names
The 2017 Spear Phishing Report from GreatHorn indicates 91% of spear phishing attacks spoof display names. This tactic makes the recipient believe the email has been sent from a trusted colleague, friend, family member or company. This is one of the most important ways to spot a phishing email.
Mitigation: Train employees to hover their mouse arrow over the sender to display the true email address. Train employees to forward emails rather than reply. The true email address will be displayed.
Email Account Compromises
This year, business email compromise (BEC) scams have soared. These scams were extensively used to obtain W-2 Form tax information during tax season. This attack method involves the use of real email accounts – typically those of the CEO or senior executives – to send requests to employees to make bank transfers and send sensitive data.
Mitigation: Implement policies that require any email requests for sensitive information to be verified over the phone, and for all new bank transfer requests and account changes to be verified.
Hyperlinks to Phishing Websites
The Proofpoint Quarterly Threat Report for Q3 showed there was a 600% increase in the use of malicious URLs in phishing emails quarter over quarter, and a 2,200% increase from this time last year. These URLs usually direct users to sites where they are asked to login using their email credentials. Oftentimes they link to sites where malware is silently downloaded.
Mitigation: Train employees to hover their mouse arrow over the URL to display the true URL. Encourage employees to visit websites by entering the URL manually, rather than using embedded links.
Security Alerts and Other Urgent Situations
Scammers want email recipients to take action quickly. The faster the response the better. If employees stop and think about the request, or check the email carefully, there is a high chance the scam will be detected. Phishing emails often include some urgent request or immediate need for action. “Your account will be closed,” “You will lose your credit,” “Your parcel will not be delivered,” “Your computer is at risk,” Etc.
Mitigation: Train employees to stop and think. An email request may seem urgent and contain a threat, but this tactic is commonly used to get people to take quick action without engaging their brains.
Look for Spelling Mistakes and Grammatical Errors
Many phishing scams come from African countries, Eastern Europe and Russia – Places where English is not the main language. While phishing scams are becoming more sophisticated, and more care is taken crafting emails, spelling mistakes and poor grammar are still common and are a key indicator that emails are not genuine.
Mitigation: Train employees to look for spelling mistakes and grammatical errors. Companies check their emails carefully before sending them.
Why a Spam Filter is Now Essential
Training employees how to spot a phishing email should be included in your cybersecurity strategy, but training alone will not prevent all phishing-related data breaches. There may be a security culture at your organizations, and employees skilled phish detectors, but every employee can have an off day from time to time. It is therefore important to make sure as few phishing emails as possible reach employees’ inboxes, and for that to happen, you need an advanced spam filtering solution.
SpamTitan blocks more than 99.9% of spam email and includes dual anti-virus engines to ensure malicious messages are blocked. The low false positive rate also ensures genuine emails do not trigger the spam filter and are delivered.
If you want to improve your security defenses, train employees how to spot a phishing email and implement SpamTitan to stop phishing emails from reaching inboxes. With technological and human solutions you will be better protected.
Handy Infographic to Help Train Staff How to Spot a Phishing Email
We have compiled a useful infographic to highlight how important it is to train staff how to spot a phishing email and some of the common identifiers that an email is not genuine:
by titanadmin | Nov 17, 2017 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News |
The Ponemon Institute has published the findings of a new report on endpoint security risk, which shows that ransomware attacks have occurred at most companies, the risk of fileless malware attacks has increased significantly, and successful cyberattacks are resulting in average losses of more than $5 million.
For the Barkly-sponsored endpoint security risk study, the Ponemon Institute surveyed 665 IT security professionals that were responsible for the management of their organization’s security risk.
7 out of ten respondents claimed endpoint security risk was significantly higher this year than in 2016, and one of the biggest threats was now fileless malware. Companies are still using traditional anti-virus and anti-malware solutions, although they are not effective at preventing fileless malware attacks.
Fileless malware is not detected by most anti-virus solutions since no files are written to the hard drive. Instead, fileless malware remains in the memory, oftentimes leveraging legitimate system tools to gain persistence and spread to other devices on the network.
These fileless malware attacks are occurring far more frequently, with respondents estimating a 20% rise in attacks in 2017. 29% of all cyberattacks in 2017 involved fileless malware, and the threat is expected to continue to increase, and will account for more than a third of all attacks in 2018.
The switch from file-based malware to fileless malware is understandable. The attacks are often successful. 54% of companies surveyed said they had experienced at least one cyberattack that resulted in data being compromised, and 77% of those attacks involved exploits or fileless malware. 42% of respondents said they had experienced a fileless malware attack that resulted in systems or data being compromised in 2017.
Fileless malware attacks are increasing, but so are ransomware attacks. Over half of companies that took part in the endpoint security risk study said they had experienced at least one ransomware attack in 2017, while four out of ten firms experienced multiple ransomware attacks. Even though most companies backup their files, 65% of respondents said they had paid a ransom to recover their data, with the average amount being $3,675. The primary method of ransomware delivery is email.
While the ransom payments may be relatively low, that represents only a small proportion of the costs of such attacks. For the endpoint security risk study, firms were asked to estimate the total cost of cyberattacks – On average, each successful attack on endpoints cost an average of $5,010,600 to resolve – $301 per employee.
Protect Against Malware Attacks by Blocking the Primary Delivery Vector
Email is the primary method for distributing malware. Implementing a spam filtering solution, preferably a gateway solution, can keep an organization protected from malicious emails and will prevent malicious messages from being delivered to end users, and is important for helping organizations manage endpoint security risk.
Many companies opt for an email gateway filtering appliance – an appliance located between the firewall and email server. These solutions are powerful, but they come at a cost since the appliance must be purchased. These appliance-based solutions also lack scalability.
If you want the power of an appliance, but want to keep costs to a minimum, consider a solution such as SpamTitan. SpamTitan offers the same power as a dedicated appliance, without the need to purchase any additional hardware. SpamTitan can be deployed as a virtual appliance on existing hardware, offering the same level of protection as an email gateway filtering appliance at a fraction of the cost.
Don’t Forget to Train Your Employees to be More Security Conscious
A recent InfoBlox survey on healthcare organizations in the United States and United Kingdom revealed that companies in this sector are realizing the benefits of training employees to be more security aware, although only 35% of firms currently provide training to employees.
No matter what email filtering solution you use, there will be times when spammers succeed, and messages are delivered. It is therefore important that staff are trained how to identify and respond to suspicious emails. If end users are not aware of the threats, and do not know how to recognize potential phishing emails, there is a higher chance of them engaging in risky behavior and compromising their device and the network.
by titanadmin | Nov 17, 2017 | Industry News, Network Security, Phishing & Email Spam, Spam Advice, Spam News |
A serious MS Office remote code execution vulnerability has been patched by Microsoft – One that would allow malware to be installed remotely with no user interaction required. The flaw has been present in MS Office for the past 17 years.
The flaw, which was discovered by researchers at Embedi, is being tracked as CVE-2017-11882. The vulnerability is in the Microsoft Equation Editor, a part of MS Office that is used for inserting and editing equations – OLE objects – in documents: Specifically, the vulnerability is in the executable file EQNEDT32.exe.
The memory corruption vulnerability allows remote code execution on a targeted computer, and would allow an attacker to take full control of the system, if used with Windows Kernel privilege exploits. The flaw can be exploited on all Windows operating systems, including unpatched systems with the Windows 10 Creators Update.
Microsoft addressed the vulnerability in its November round of security updates. Any unpatched system is vulnerable to attack, so it is strongly advisable to apply the patch promptly. While the vulnerability could potentially have been exploited at any point in the past 17 years, attacks exploiting this MS Office remote code execution vulnerability are much more likely now that a patch has been released.
The flaw does not require the use of macros, only for the victim to open a specially crafted malicious Office document. Malicious documents designed to exploit the vulnerability would likely arrive via spam email, highlighting the importance of implementing a spam filtering solution such as SpamTitan to block the threat.
End users who are fooled into opening a malicious document can prevent infection by closing the document without enabling macros. In this case, malware would be installed simply by opening the document.
Microsoft has rated the vulnerability as important, rather than critical, although researchers at Embedi say this flaw is “extremely dangerous.” Embedi has developed a proof of concept attack that allowed them to successfully exploit the vulnerability. The researchers said, “By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g. to download an arbitrary file from the Internet and execute it),”
EQNEDT32.exe is run outside of the Microsoft Office environment, so it is therefore not subject to Office and many Windows 10 protections. In addition to applying the patch, security researchers at Embedi recommend disabling EQNEDT32.EXE in the registry, as even with the patch applied, the executable still has a number of other vulnerabilities. Disabling the executable will not impact users since this is a feature of Office that is never needed by most users.
by titanadmin | Nov 15, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam News |
Ordinypt malware is currently being used in targeted attacks on companies in Germany. While Ordinypt malware appears to victims to be ransomware, the malware is actually a wiper.
Infection sees files made inaccessible, and as with ransomware, a ransom demand is issued. The attackers ask for 0.12 Bitcoin – around $836 – to restore files.
Ordinypt malware does not encrypt files – it simply deletes the original file name and replaces it with a random string of letters and numbers. The contents of files are also replaced with random letters and numbers.
Even if the ransom demand is paid, the attackers do not have a mechanism to allow victims to recover their original files. The only sure-fire way to recover files is to restore them from a backup. In contrast to many ransomware variants that make it difficult to recover files by deleting Windows Shadow Volume copies, those are left intact, so it may be possible for users to recover some of their files.
Ordinypt malware – or HSDFSDCrypt as it was originally known – was discovered by Michael Gillespie. A sample of the malware was obtained and analyzed by German security researcher Karsten Hahn from G Data Security. G Data Security renamed the malware Ordinypt.
Hahn notes that Ordinypt malware is poorly written with a bad coding style, indicating this is not the work of a skilled hacker. Hahn said, this is “A stupid malware that destroy information of enterprises and innocent people and try steal money.”
The attackers are using a common technique to maximize the number of infections. The malware is disguised as PDF files which are distributed via spam email. The messages claim to be applications in reply to job adverts. Two files are included in a zip file attachment, which appear to be a resume and a CV.
While the files appear to be PDFs, and are displayed as such, they actually have a double extension. If the user’s computer has file extensions hidden, all that will be displayed is filename.pdf, when in actual fact the file is filename.pdf.exe. Clicking on either of the files will run the executable and launch Ordinypt malware.
In recent months there have been several wiper malware variants detected that pretend to be ransomware. The attackers are taking advantage of the publicity surrounding ransomware attacks, and are fooling end users into paying a ransom, when there is no way of recovering files. It is not clear whether the reason for the attacks is to make money. It is possible that these attacks are simply intended to cause disruption to businesses, as was the case with the NotPetya wiper attacks.
Regardless of how poorly written this malware is, it is still effective and can cause significant disruption to businesses. Protecting against this, and other email-based malware threats, requires a combination of end user training and technology.
End users should be informed of the risks of opening attachments from unknown senders and should assume that all such emails could be malicious. In this case, the malware is poorly written but the emails are not. They use perfect German and are highly believable. HR employees could be easily fooled by a ruse such as this.
The best protection against threats such as these is an advanced spam filter such as SpamTitan. Preventing these emails from reaching inboxes is the best defense.
By configuring the spam filter to block executable files, the messages will be rerouted to a quarantine folder rather than being delivered, mitigating the threat.
For further information on how a spam filter can help to block email-based threats and to register for a free trial of SpamTitan for your business, contact the TitanHQ team today.
by titanadmin | Nov 14, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News |
A new variant of the Ursnif banking Trojan has been detected and the actors behind the latest campaign have adopted a new tactic to spread the malware more rapidly.
Ransomware attacks may make the headlines, but banking Trojans can cause considerably more damage. The $60 million heist from a Taiwanese bank last month shows just how serious infection with banking Trojans can be. The Dridex Trojan raked in more than $40 million in 2015.
The Ursnif banking Trojan is one of the most commonly used Trojans. As with other banking Trojans, the purpose of the Ursnif Trojan is to steal credentials such as logins to banking websites, corporate bank details, and credit card numbers. The stolen credentials are then used for financial transactions. It is not uncommon for accounts to be emptied before the transactions are discovered, by which time the funds have cleared, have been withdrawn, and the criminal’s account has been closed. Recovering the stolen funds can be impossible.
Infection will see the malware record a wide range of sensitive data, capturing credentials as they are entered through the browser. The Ursnif banking Trojan also takes screenshots of the infected device and logs keystrokes. All of that information is silently transmitted to the attacker’s C2 server.
Banking Trojans can be installed in a number of ways. They are often loaded onto websites where they are downloaded in drive-by attacks. Traffic is generated to the malicious websites via malvertising campaigns or spam emails contacting hyperlinks. Legitimate websites are compromised using brute force tactics, and kits loaded to the sites that prey on individuals who have failed to keep their software up to date. Oftentimes, downloads are sent via spam email, hidden in attachments.
Spam email has previously been used to spread the Ursnif banking Trojan, and the latest campaign is no different in that respect. However, the latest campaign uses a new tactic to maximize the chance of infection and spread infections more rapidly and widely. Financial institutions have been the primary target of this banking Trojan, but with this latest attack method they are far more widespread.
Infection will see the user’s contact list abused and spear phishing emails sent to each of the user’s contacts. Since the spear phishing emails arrive from a trusted email account, the likelihood of the emails being opened is significantly increased. Simply opening the email will not result in infection. For that to occur, the recipient must open the email attachment. Again, since it has come from a trusted sender, that is more likely.
The actors behind this latest Ursnif banking Trojan campaign have another trick to increase trust and ensure their payload is delivered. The spear phishing emails contain message threads from past conversations. The email appears to be a response to a previous email, and include details of past conversations.
A short line of text is included as a prompt to get the recipient to open the email attachment – A Word document containing a malicious macro. That macro needs to be authorized to run – if macros have not been set to run automatically, but it will not until the Word document is closed. When the macro runs, it launches PowerShell commands that download the Ursnif Trojan, which then starts logging activity on the infected device and sends further spear phishing emails to the new victim’s contact list.
This is not a brand-new tactic, but it is new to Ursnif – and it is likely to see infections spread much more quickly. Further, the malware incorporates a number of additional tactics to hamper detection, allowing information to be stolen and bank accounts emptied before infection is detected – the Trojan even deletes itself once it has run.
Malware is constantly evolving, and new tactics are constantly developed to increase the likelihood of infection. The latest campaign shows just how important it is to block email threats before they reach end users’ inboxes.
With an advanced spam filter such as SpamTitan in place, malicious emails can be blocked to stop them from reaching end user’s inboxes, greatly reducing the risk of malware infections.
by titanadmin | Nov 2, 2017 | Email Scams, Industry News, Phishing & Email Spam, Spam News |
A new wave of cyberattacks on financial institutions using malware called the Silence Trojan has been detected. In contrast to many attacks on banks that target the bank customers, this attack targets the bank itself. The attack method bears a number of similarities to the attacks conducted by the Eastern European hacking group, Carbanak.
The Silence Trojan is being used to target banks and other financial institutions in several countries, although so far, the majority of victims are in Russia. The similarity of the Silence Trojan attacks to Carbanak suggests these attacks could be conducted by Carbanak, or a spinoff of that group, although that has yet to be established.
The attacks start with the malicious actors behind the campaign gaining access to banks’ networks using spear phishing campaigns. Spear phishing emails are sent to bank employees requesting they open an account. The emails are well written, and the premise is believable, especially since in many cases the emails are sent from within using email addresses that have previously been compromised in other attacks. When emails are sent from within, the requests seem perfectly credible.
Some of these emails were intercepted by Kaspersky Lab. Researchers report that the emails contain a Microsoft Compiled HTML Help file with the extension .chm.
These files contain JavaScript, which is run when the attachments are opened, triggering the download of a malicious payload from a hardcoded URL. That initial payload is a VBS script, which in turn downloads the dropper – a Win32 executable binary, which enables contact to be established between the infected machine and the attacker’s C2 server. Further malicious files, including the Silence Trojan, are then downloaded.
The attackers gain persistent access to an infected computer and spend a considerable amount of time gathering data. Screen activity is recorded and transmitted to the C2, with the bitmaps combined to form a stream of activity from the infected device, allowing the attackers to monitor day to day activities on the bank network.
This is not a quick smash and grab raid, but one that takes place over an extended period. The aim of the attack is to gather as much information as possible to maximize the opportunity to steal money from the bank.
Since the attackers are using legitimate administration tools to gather intelligence, detecting the attacks in progress is complicated. Implementing solutions to detect and block phishing attacks can help to keep banks protected.
Since security vulnerabilities are often exploited, organizations should ensure that all vulnerabilities are identified and corrected. Kaspersky Lab recommends conducting penetration tests to identify vulnerabilities before they are exploited by hackers.
Kaspersky Lab notes that when an organization has already been compromised, the use of .chm attachments in combination with spear phishing emails from within the organization has proved to be a highly effective attack method for conducting cyberattacks on financial institutions.
by titanadmin | Oct 30, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software, Website Filtering |
2017 has seen a major rise in malicious spam email volume. As the year has progressed, the volume of malicious messages sent each month has grown. A new report from Proofpoint shows malicious spam email volume rose by 85% in Q3, 2017.
A deeper dive into the content of those messages shows cybercriminals’ tactics have changed. In 2017, there has been a notable rise in the use of malicious URLs sent via email compared to malicious attachments containing malware. URL links to sites hosting malware have jumped by an astonishing 600% in Q3, which represents a 2,200% increase since this time last year. This level of malicious URLs has not been seen since 2014.
The links direct users to malicious websites that have been registered by cybercriminals, and legitimate sites that have been hijacked and loaded hacking toolkits. In many cases, simply clicking on the links is all that is required to infect the user’s computer with malware.
While there is a myriad of malware types now in use, the biggest threat category in Q3 was ransomware, which accounted for 64% of all email-based malware attacks. There are many ransomware variants in use, but the undisputed king in Q3 was Locky, accounting for 55% of total message volume and 86% of all ransomware attacks. There was also a rising trend in destructive ransomware – ransomware that encrypts files but does not include the option of letting victims’ recover their files.
The second biggest malware threat category was banking Trojans, which accounted for 24% of malicious spam email volume. Dridex has long been a major threat, although in Q3 it was a Trojan called The Trick that become the top banking Trojan threat. The Trick Trojan was used in 70% of all banking Trojan attacks.
Unsurprisingly, with such as substantial rise in malicious spam email volume, email fraud has also risen, up 12% quarter over quarter and up 32% from this time last year.
Cybercriminals are constantly changing tactics and frequently switch malware variants and attack methods, but for the time being at least, exploit kits are still not favored. Exploit kit attacks are at just 10% of the level of last year’s high, with spam email now the main method of malware delivery.
With malicious spam email volume having increased once again, and a plethora of new threats and highly damaging malware attacks posing a very real risk, it is essential that businesses double down on their defenses. The best way to defend against email threats is to improve spam defenses. An advanced spam filtering solution is essential for blocking email threats. The more malicious emails that are captured and prevented from being delivered, the lower the chance of end users clicking on malicious links and downloading malware.
SpamTitan blocks more than 99.9% of spam emails and is one of the most advanced and best spam filters for business use. SpamTitan helps keep inboxes free from malware threats. No single solution can block all email threats, so a spam filtering solution should be accompanied with endpoint security solutions, web filters to block malicious links from being visited, antimalware and antivirus solutions, and email authentication technology.
While it is easy to concentrate on technology to protect against email threats, it is important not to forget to train employees to be more security aware. Regular training sessions, cybersecurity newsletters and bulletins about the latest threats, and phishing simulation exercises can help employees improve their threat detection skills and raise cybersecurity awareness.
by titanadmin | Oct 26, 2017 | Industry News, Internet Security, Network Security, Phishing & Email Spam |
A global data breach study by Gemalto provides valuable insights into data breaches reported over the first six months of 2017, showing there has been a significant increase in data breaches and the number of records exposed.
Barely a day has gone by without a report of a data breach in the media, so it will probably not come as a surprise to hear that data breaches have risen again in 2017. What is surprising is the scale of the increase. Compared to the first six months of 2016 – which saw huge numbers of data breaches reported – 2017 saw a 13% increase in incidents. However, it is the scale of those breaches that is shocking. 2017 saw 164% more records exposed than in 2016.
During the first six months of 2017, a staggering 918 data breaches were confirmed, resulting in 1.9 billion records and email credentials being exposed or stolen. Further, that figure is a conservative. According to Gemalto’s global data breach study, it is unknown how many records were compromised in 59.3% of data breaches between January and June 2017.
What is clear is the data breaches are increasing in size. Between January and the end of June, there were 22 breaches reported that each impacted more than 1 million individuals.
To put the global data breach study figures into perspective, more than 10.5 million records were exposed each day in the first half of 2017 – or 122 records per second.
What is the Biggest Cause of Data Breaches in the First Half of 2017?
While malicious insiders pose a significant threat, and caused 8% of breaches, accidental loss of devices or records accounted for 18% of incidents. But the biggest cause of data breaches was malicious outsiders, who caused 74% of all tracked data breaches.
However, in terms of the severity of breaches, it is accidental loss that tops the list. There many have only been 166/918 breaches due to accidental loss according to the global data breach study, but those incidents accounted for 86% of all records – That’s 1.6 billion.
Malicious outsiders may have caused the most breaches – 679/918 – but those breaches involved just 13% of the total number of records – 254 million. In the first half of 2016, malicious outsiders were the leading breach cause and data breaches and accounted for 76% of breached records.
It is worth noting that while malicious insiders were responsible for just 8% of incidents, those incidents saw 20 million records exposed. Compared to 2016, that’s a 4114% increase.
Which Regions Had the Most Data Breaches in the First Half of 2017?
While North America was the hardest hit, accounting for 88% of all reported breaches, that does not necessarily mean that most breaches are occurring in the United States. In the U.S. there are far stricter reporting requirements, and companies are forced to disclose data breaches.
In Europe, many companies choose not to announce data breaches. It will therefore be interesting to see how the figures change next year. From May 2018, there will be far stricter reporting requirements due to the introduction of the General Data Protection Regulation (GDPR). For this report, there were 49 reported breaches in Europe – 5% of the total. 40% of those breaches were in the United Kingdom. There were 47 breaches in the Asia Pacific region – 5% of the total – with 15 in India and the same percentage in Australia.
Which Industries Suffer the Most Data Breaches?
The worst affected industry was healthcare, accounting for 25% of all breaches. However, bear in mind that HIPAA requires healthcare organizations to report all breaches in the United States. The financial services industry was in second place with 14% of the total, followed by education with 13% of breaches. The retail industry recorded 12% of breaches, followed by the government on 10% and technology on 7%.
In terms of the number of records breached, it is ‘other industries’ that were the worst hit. Even though that group accounted for just 6% of breaches they resulted in the exposure of 71% of records. Government breaches accounted for 21% of the total, followed by technology (3%), education (2%), healthcare (2%) and social media firms (1%).
How Can These Breaches be Stopped?
In the most part, these data breaches occurred due to poor cybersecurity protections, basic security failures, poor internal security practices, and the failure to use data encryption. Previous research by PhishMe has shown that 91% of data breaches start with a phishing email. Anti-spam defenses are therefore critical in preventing data breaches. If phishing emails are prevented from being delivered, a large percentage of external attacks can be stopped.
Organizations that have yet to use two factor authentication should ensure that this basic security control is employed. Employees should receive cybersecurity awareness training, and training programs should be ongoing. In particular, employees should be trained how to identify phishing emails and the actions they should take when a suspicious email is encountered.
Accidental loss of data from lost and stolen devices can be prevented with the use of encryption, although most accidental losses were due to poorly configured databases. Organizations should pay particular attention to their databases and cloud instances, to make sure they are appropriately secured and cannot be accessed by unauthorized individuals.
by titanadmin | Oct 25, 2017 | Industry News, Internet Security, Network Security, Website Filtering |
Bad Rabbit ransomware attacks have been reported throughout Russia, Ukraine, and Eastern Europe. While new ransomware variants are constantly being developed, Bad Rabbit ransomware stands out due to the speed at which attacks are occurring, the ransomware’s ability to spread within a network, and its similarity to the NotPetya attacks in June 2017.
Bad Rabbit Ransomware Spreads via Fake Flash Player Updates
While Bad Rabbit ransomware has been likened to NotPetya, the method of attack differs. Rather than exploit the Windows Server Message Block vulnerability, the latest attacks involve drive-by downloads that are triggered when users respond to a warning about an urgent Flash Player update. The Flash Player update warnings have been displayed on prominent news and media websites.
The malicious payload packed in an executable file called install_flash_player.exe. That executable drops and executes the file C:\Windows\infpub.dat, which starts the encryption process. The ransomware uses the open source encryption software DiskCryptor to encrypt files with AES, with the keys then encrypted with a RSA-2048 public key. There is no change to the file extension of encrypted files, but every encrypted file has the .encrypted extension tacked on.
Once installed, it spreads laterally via SMB. Researchers at ESET do not believe bad rabbit is using the ETERNALBLUE exploit that was incorporated into WannaCry and NotPetya. Instead, the ransomware uses a hardcoded list of commonly used login credentials for network shares, in addition to extracting credentials from a compromised device using the Mimikatz tool.
Similar to NotPetya, Bad Rabbit replaces the Master Boot Record (MBR). Once the MBR has been replaced, a reboot is triggered, and the ransom note is then displayed.
Victims are asked to pay a ransom payment of 0.5 Bitcoin ($280) via the TOR network. The failure to pay the ransom demand within 40 hours of infection will see the ransom payment increase. It is currently unclear whether payment of the ransom will result in a valid key being provided.
So far confirmed victims include the Russian news agencies Interfax and Fontanka, the Ministry of Infrastructure of Ukraine, the Odessa International Airport, and the Kiev Metro. In total there are believed to have been more than 200 attacks so far in Russia, Ukraine, Turkey, Bulgaria, Japan, and Germany.
How to Block Bad Rabbit Ransomware
To prevent infection, Kaspersky Lab has advised companies to restrict the execution of files with the paths C:\windows\infpub.dat and C:\Windows\cscc.dat.
Alternatively, those files can be created with read, write, and execute permissions removed for all users.
by titanadmin | Oct 23, 2017 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Website Filtering |
On Friday, the U.S. Department of Homeland Security’s (DHS) computer emergency readiness team (US-CERT) issued a new warning about phishing attacks on energy companies and other critical infrastructure sectors.
Advanced persistent threat (APT) actors are conducting widespread attacks on organizations in the energy, aviation, nuclear, water, and critical manufacturing sectors. Those attacks, some of which have been successful, have been occurring with increasing frequency since at least May 2017. The group behind the attack has been called Dragonfly by AV firm Symantec, which reported on the attacks in September.
DHS believes the Dragonfly group is a nation-state sponsored hacking group whose intentions are espionage, open source reconnaissance and cyberattacks designed to disrupt energy systems.
These cyberattacks are not opportunistic like most phishing campaigns. They are targeted attacks on specific firms within the critical infrastructure sectors. While some firms have been attacked directly, in many cases the attacks occur through a ‘staging’ company that has previously been compromised. These staging companies are trusted vendors of the targeted organization. By conducting attacks through those companies, the probability of an attack on the target firm succeeding is increased.
DHS warns that the attackers are using several methods to install malware and obtain login credentials. The phishing attacks on energy companies have included spear phishing emails designed to get end users to reveal their login credentials and malicious attachments that install malware.
In the case of the former, emails direct users to malicious websites where they are required to enter in their credentials to confirm their identity and view content. While some websites have been created by the attackers, watering hole attacks are also occurring on legitimate websites that have been compromised with malicious code. DHS warns that approximately half of the attacks have occurred through sites used by trade publications and informational websites “related to process control, ICS, or critical infrastructure.”
Phishing emails containing malicious attachments are used to directly install malware or the files contain hyperlinks that direct the user to websites where a drive-by malware download occurs. The links are often shortened URLS creating using the bit.ly and tinyurl URL shortening services. The attackers are also using email attachments to leverage Windows functions such as Server Message Block (SMB) protocol to retrieve malicious files. A similar SMB technique is also used to harvest login credentials.
The malicious attachments are often PDF files which claim to be policy documents, invitations, or resumés. Some of the phishing attacks on energy companies have used a PDF file attachment with the name “AGREEMENT & Confidential.” In this case, the PDF file does not include any malicious code, only a hyperlink to a website where the user is prompted to download the malicious payload.
US-CERT has advised companies in the targeted sectors that the attacks are ongoing, and action should be taken to minimize risk. Those actions include implementing standard defenses to prevent web and email-based phishing attacks such as spam filtering solutions and web filters.
Since it is possible that systems may have already been breached, firms should be regularly checking for signs of an intrusion, such as event and application logs, file deletions, file changes, and the creation of new user accounts.
by titanadmin | Oct 23, 2017 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software |
The average enterprise data breach cost has risen to $1.3 million, according to a new report from antivirus firm Kaspersky Lab – An increase of $100,000 year over year. Small to medium size businesses are also having to dig deeper to remediate data breaches. The average data breach cost for SMBs is now $117,000.
For the cost of a data breach study, Kaspersky Lab surveyed more than 5,000 businesses, asking questions about how much firms are spending on data breach resolution and how those costs are split between various aspects of the breach response. Businesses were also asked about future spending and how much their IT security budgets are increasing year over year.
The survey reveals that in North America, the percentage of the budget being spent on IT security is increasing. However, overall budgets are reducing, so the net spend on IT security has decreased year over year. Last year, businesses were allocating 16% of their budgets to IT security, which has risen to 18% this year. However, average enterprise IT security budgets have dropped from $25.5 million last year to just $13.7 million this year.
Breaking Down the Enterprise Data Breach Cost
So how is the enterprise data breach cost broken down? What is the biggest cost of resolving a data breach? The biggest single data breach resolution cost is additional staff wages, which costs an average of $207,000 per breach.
Other major costs were infrastructure improvements and software upgrades ($172,000), hiring external computer forensics experts and cybersecurity firms ($154,000), additional staff training ($153,000), lost business ($148,000), and compensation payments ($147,000).
The average SMB data breach resolution cost was $117,000. The biggest costs were contracting external cybersecurity firms to conduct forensic investigations and the loss of business as a direct result of a breach, both cost an average of $21,000 each. Additional staff wages cost $16,000, increases in insurance premiums and credit rating damage cost an average of $11,000, new security software and infrastructure costs were $11,000, and new staff and brand damage repair cost $10,000 each. Further staff training and compensation payouts cost $9,000 and $8,000 respectively.
The high cost of data breach mitigation shows just how important it is for enterprises and SMBs to invest in data breach prevention and detection technologies. Blocking cyberattacks is essential, but so too is detecting breaches when they do occur. As the IBM/Ponemon Institute 2017 Cost of a Data Breach Study showed, the faster a breach is detected, the lower the enterprise data breach cost will be.
The Importance of an Effective Spam Filter
There are many potential vulnerabilities that can be exploited by hackers, so it is important for businesses of all sizes to conduct regular risk assessments to find holes in their defenses before cybercriminals do. A risk management plan should be devised to address any vulnerabilities uncovered during the risk assessment. Priority should be given to the most serious risks and those that would have the greatest impact if exploited.
While there is no single cybersecurity solution that can be adopted to prevent data breaches, one aspect of data breach prevention that should be given priority is a software solution that can block email threats. Spam email represents the biggest threat to organizations. Research conducted by PhishMe suggests 91% of all data breaches start with a phishing email. Blocking those malicious emails is therefore essential.
TitanHQ has developed a highly effective spam filtering solution for enterprises – and SMBs – that blocks more than 99.9% of spam email, preventing phishing emails, malware, and ransomware from reaching employees’ inboxes.
To find out how SpamTitan can protect your business from email threats, for a product demonstration and to register for a free trial of SpamTitan, contact the TitanHQ team today.
by titanadmin | Oct 20, 2017 | Email Scams, Phishing & Email Spam, Spam News, Spam Software |
The U.S. Department of Homeland Security (DHS) has made the use of email authentication technology mandatory for all federal agencies.
There have been numerous email security incidents affecting government agencies in recent years. Federal agencies are a major target for spammers, scammers, and phishers and the email security defenses of federal agencies are constantly tested.
One of the latest incidents involved the spoofing of an email account used by Jared Kushner, causing considerable embarrassment for White House officials. Homeland Security Adviser Tom Bosser was one of the individuals who was fooled into believing the emails were genuine. In his case, the emails were not part of a phishing campaign but were just ‘a bit of fun’ by a UK prankster. However, there are plenty of individuals and groups that have much more sinister motives.
When those cybercriminals succeed, not only is it a major embarrassment for government agencies, it can pose a major threat to national security. When national security is at stake, it pays to have excellent email defenses. However, in the United States (and elsewhere) they are often found to be lacking.
Action clearly needs to be taken to prevent phishing attacks, reduce the potential for government domains to be spoofed, and to make it much harder for phishing emails to be delivered to federal employees’ inboxes. Agari has reported that 90% of 400 government agencies’ protected domains have been targeted with deceptive emails and 25% of all federal agency emails are fraudulent. Even so, email authentication technology is often not used. That is, until now.
DHS Makes DMARC Mandatory for Federal Agencies
Now the DHS has taken action and has made it mandatory for all federal agencies to adopt DMARC. While some federal agencies have already implemented DMARC – the Social Security Administration and the Federal Trade Commission for example – they number in the few. Only 9% of domains have implemented DMARC and use it to block unauthenticated emails, while 82% of federal domains do not use the DMARC email authentication standard at all. Now all federal agencies have been given just 30 days to submit a plan of action and 90 days to implement DMARC. DHS has also made it mandatory for all federal websites to be switched to a secure connection (HTTPS) and for STARTTLS to be implemented for email.
DMARC is an email authentication technology that can be adopted to help authenticate emails, block spam, and reduce the volume of phishing emails that are delivered to inboxes. DMARC is not infallible, but it does offer an additional layer of protection for email, reducing the volume of email threats by around 77%. DMARC also restricts use of domains to legitimate senders. By adopting DMARC, when consumers receive an email from a federal agency such as the IRS, FEMA, or DHHS, they should be able to trust that email, at least once DMARC is implemented.
Many Businesses Struggle with DMARC
While some large enterprises have already adopted DMARC, two thirds of Fortune 500 companies do not use DMARC at all. Implementing the email authentication control is not without its problems. For small to medium sized businesses, implementing DMARC can be problematic. Part of the problem is many businesses need to secure their own internal email systems, but also cloud-based email, and third-party mailing services such as MailChimp or Salesforce. The task of implementing DMARC is often seen as too complex, and even when DMARC is used, it often fails and rarely are the full benefits gained. Consider that even when DMARC is adopted, 23% of phishing emails still make it past defenses, and it is easy to see why it is often not implemented. That said, email authentication technology is required to keep businesses protected from phishing threats.
SpamTitan Protects Businesses from Email Threats
Office 365 uses DMARC to help filter out phishing emails, but on its own it is not sufficient to block all threats. Businesses that use Office 365 can greatly improve their defenses against malicious emails by also adopting a third-party spam filtering solution such as SpamTitan.
SpamTitan incorporates many of the control mechanisms used by Microsoft, but also adds greylisting to greatly improve spam detection rates. Greylisting involves rejecting all emails and requesting they are resent. Since genuine emails are resent quickly, and spam emails are typically not resent as spam servers are busy conducting huge spamming campaigns, this additional control helps to identify far more malicious and unwanted emails. This additional control, along with the hundreds of checks performed by SpamTitan helps to keep spam detection rates well above 99.9%.
If you want to secure your email and block more phishing threats, contact the TitanHQ team today for more information on how SpamTitan can help to keep your inboxes spam free and your networks protected from malware and ransomware.
by titanadmin | Oct 19, 2017 | Internet Security |
DoubleLocker ransomware is a new Android threat, which as the name suggests, uses two methods to lock the device and prevent victims from accessing their files and using their device.
As with Windows ransomware variants, DoubleLocker encrypts files on the device to prevent them from being accessed. DoubleLocker ransomware uses a powerful AES encryption algorithm to encrypt stored data, changing files extensions to .cryeye
While new ransomware variants sometimes have a poorly developed encryption process with flaws that allow decryptors to be developed, with DoubleLocker ransomware victims are out of luck.
While it is possible for victims to recover their files from backups, first they must contend with the second lock on the device. Rather than combine the encryption with a screen locker, DoubleLocker ransomware changes the PIN on the device. Without the PIN, the device cannot be unlocked.
Researchers at ESET who first detected this new ransomware variant report that the new PIN is a randomly generated number, which is not stored on the device and neither is it transmitted to the attacker’s C&C. The developers allegedly have the ability to remotely delete the PIN lock and supply a valid key to decrypt data.
The ransom demand is much lower than is typical for Windows ransomware variants, which reflects the smaller quantity of data users store on their smartphones. The ransom demand is set at 0.0130 Bitcoin – around $54. The payment must be made within 24 hours of infection, otherwise the attackers claim the device will be permanently locked. The malware is set as the default home app on the infected device, which displays the ransom note. The device will be permanently locked, so the attackers claim, if any attempts are made to block or remove DoubleLocker.
Researchers at ESET have analyzed DoubleLocker ransomware and report that it is based on an existing Android banking Trojan called Android.BankBot.211.origin, although the ransomware variant does not have the functionality to steal banking credentials from the user’s device.
While many Android ransomware variants are installed via bogus or compromised applications, especially those available through unofficial app stores, DoubleLocker is spread via fake Flash updates on compromised websites.
Even though this ransomware variant is particularly advanced, it is possible to recover files if they have been backed up prior to infection. The device can also be recovered by performing a factory reset. If no backup exists, and the ransom is not paid, files will be lost unless the device has been rooted and debugging mode has been switched on prior to infection.
This new threat shows just how important it is to backup files stored on mobile devices, just as it is with those on your PC or Mac and to think before downloading any web content or software update.
by titanadmin | Oct 17, 2017 | Industry News, Network Security, Phishing & Email Spam, Spam Software |
Healthcare organizations are being targeted by hackers and scammers and email is the No1 attack vector. 91% of all cyberattacks start with a phishing email and figures from the Anti-Phishing Working Group indicate end users open 30% of phishing emails that are delivered to their inboxes. Stopping emails from reaching inboxes is therefore essential, as is training healthcare employees to be more security aware.
Since so many healthcare data breaches occur as a result of phishing emails, healthcare organizations must implement robust defenses to prevent attacks. Further, email security is also an important element of HIPAA compliance. Fail to follow HIPAA Rules on email security and a financial penalty could follow a data breach.
Email Security is an Important Element of HIPAA Compliance
HIPAA Rules require healthcare organizations to implement safeguards to secure electronic protected health information to ensure the confidentiality, integrity, and availability of health data.
Email security is an important element of HIPAA compliance. With so many attacks on networks starting with phishing emails, it is essential for healthcare organizations to implement anti-phishing defenses to keep their networks secure.
The Department of Health and Human Services’ Office for Civil Rights has already issued fines to healthcare organizations that have experienced data breaches as a result of employees falling for phishing emails. UW medicine paid OCR $750,000 following a malware-related breach caused when an employee responded to a phishing email. Metro Community Provider Network settled a phishing-related case for $400,000.
One aspect of HIPAA compliance related to email is the risk assessment. The risk assessment should cover all systems, including email. Risk must be assessed and then managed and reduced to an appropriate and acceptable level.
Managing the risk of phishing involves the use of technology and training. All email should be routed through a secure email gateway, and it is essential for employees to receive training to raise awareness of the risk of phishing and the actions to take if a suspicious email is received.
How to Secure Email, Prevent and Identify Phishing Attacks
Email phishing scams today are sophisticated, well written, and highly convincing. It is often hard to differentiate a phishing email from a legitimate communication. However, there are some simple steps that all healthcare organizations can take to improve email security. Simply adopting the measures below can greatly reduce phishing risk and the likelihood of experiencing an email-related breach.
While uninstalling all email services is the only surefire way to prevent email phishing attacks, that is far from a practical solution. Email is essential for communicating with staff members, stakeholders, business associates, and even patients.
Since email is required, two steps that covered entities should take to improve email security are detailed below:
Implement a Third-Party AntiSpam Solution Into Your Email Infrastructure
Securing your email gateway is the single most important step to take to prevent phishing attacks on your organization. Many healthcare organizations will already have added an antispam solution to block spam emails from being delivered to end users’ inboxes, but what about cloud-based email services? Have you secured your Office 365 email gateway with a third-party solution?
You will already be protected by Microsoft’s spam filter, but when all it takes is for one malicious email to reach an inbox, you really need more robust defenses. SpamTitan integrates perfectly with Office 365, offering an extra layer of security that blocks known malware and more than 99.9% of spam email.
Continuously Train Employees and they Will Become Security Assets
End users – the cause of countless data breaches and a constant thorn in the side of IT security staff. They are a weak link and can easily undo the best security defenses, but they can be turned into security assets and an impressive last line of defense. That is unlikely to happen with a single training session, or even a training session given once a year.
End user training is an important element of HIPAA compliance. While HIPAA Rules do not specify how often training should be provide, given the fact that phishing is the number one security threat, training should be a continuous process.
The Department of Health and Human Services’ Office for Civil Rights recently highlighted some email security training best practices in its July cybersecurity newsletter, suggesting “An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.”
The frequency of training should be dictated by the level of risk faced by an organization. Many covered entities have opted for bi-annual training sessions for the workforce, with monthly newsletters and security updates provided via email, including information on the latest threats such as new phishing scams and social engineering techniques.
OCR also reminded HIPAA covered entities that not all employees respond to the same training methods. It is best to mix it up and use a variety of training tools, such as CBT training, classroom sessions, newsletters, posters, email alerts, team discussions, and phishing email simulation exercises.
Simple Steps to Verify Emails and Identify Phishing Scams
Healthcare employees can greatly reduce the risk of falling of a phishing scam by performing these checks. With practice, these become second nature.
- Hovering the mouse over an email hyperlink to check the true domain. Any anchor text –hyperlinked text other than the actual URL – should be treated as suspicious until the true domain is identified. Also check that the destination URL starts with HTTPS.
- Never reply directly to an email – Always click forward. It’s a little slower, but you will get to see the full email address of the person who sent the message. You can then check that domain name against the one used by the company.
- Pay close attention to the email signature – Any legitimate email should contain contact information. This can be faked, or real contact information may be used in a spam email, but phishers often make mistakes in signatures that are easy to identify.
- Never open an email attachment from an unknown sender – If you need to open the attachment, never click on any links in the document, or on any embedded objects, or click to enable content or run macros. Forward the email to your IT department if you are unsure and ask for verification.
- Never make any bank transfers requested by email without verifying the legitimacy of the request.
- Legitimate organizations will not ask for login credentials by email
- If you are asked to take urgent action to secure your account, do not use any links contained in the email. Visit the official website by typing the URL directly into your browser. If you are not 100% of the URL, check on Google.
by titanadmin | Oct 13, 2017 | Email Scams, Internet Security, Phishing & Email Spam |
Microsoft Office documents containing malicious macros are commonly used to spread malware and ransomware. However, security researchers have now identified Microsoft Office attacks without macros, and the technique is harder to block.
Microsoft Office Attacks Without Macros
While it is possible to disable macros so they do not run automatically, and even disable macros entirely, that will not protect you from this new attack method, which leverages a feature of MS Office called Dynamic Data Exchange or DDE, according to researchers at SensePost. This in-built feature of Windows allows two applications to share the same data, for example MS Word and MS Excel. DDE allows a one- time exchange of data between two applications or continuous sharing of data.
Cybercriminals can use this feature of MS Office to get a document to execute an application without the use of macros as part of a multi-stage attack on the victim. In contrast to macros which flash a security warning before being allowed to run, this attack method does not present the user with a security warning as such.
Opening the MS Office file will present the user with a message saying “This document contains links that may refer to other files. Do you want to open this document with the data from the linked files?” Users who regularly use files that use the DDE protocol may automatically click on yes.
A second dialog box is then displayed asking the user to confirm that they wish to execute the file specified in the command, but the researchers explain that it is possible to suppress that warning.
This technique has already been used by at least one group of hackers in spear phishing campaigns, with the emails and documents appearing to have been sent from the Securities and Exchange Commission (SEC). In this case, the hackers were using the technique to infect users with DNSMessenger fileless malware.
Unlike macros, disabling DDE is problematic. While it is possible to monitor for these types of attacks, the best defense is blocking the emails that deliver these malicious messages using a spam filter, and to train staff to be more security aware and to verify the source of the email before opening any attachments.
Locky Ransomware Updated Again (..and again)
If you have rules set to detect ransomware attacks by scanning for specific file extensions, you will need to update your rules with two new extensions to detect two new Locky ransomware variants. The authors of Locky ransomware have updated their code again, marking four new changes now in a little over a month.
In August and September, Locky was using the .lukitus and .diablo extensions. Then the authors switched to the .ykcol extension. In the past week, a further campaign has been detected using the .asasin extension.
The good news regarding the latter file extension, is it is being distributed in a spam email campaign that will not result in infection. An error was made adding the attachment. However, that is likely to be corrected soon.
The ykcol variant is being spread via spam email and uses fake invoices as the lure to get users to open the attachments. The documents contain a macro that launches a JavaScript or PowerShell downloader than installs and runs the Locky binary. The .asasin variant is being spread via emails that spoof RightSignature, and appear to have been sent from the documents[@]rightsignature.com email address. The emails claim the attached file has been completed and contains a digital signature.
The authors of Locky are constantly changing tactics. They use highly varied spam campaigns, a variety of social engineering techniques, and various attachments and malicious URLs to deliver their malicious payload.
For this reason, it is essential to implement a spam filtering solution to prevent these emails from being delivered to end users’ inboxes. You should also ensure you have multiple copies of backups stored in different locations, and be sure to test those backups to make sure file recovery is possible.
To find out more about how you can protect your networks from malicious email messages – those containing macros as well as non-macro attacks – contact the TitanHQ team today.
by titanadmin | Oct 12, 2017 | Network Security, Phishing & Email Spam, Spam News, Spam Software |
Ransomware growth in 2017 has increased by 2,502% according to a new report released this week by Carbon Black. The firm has been monitoring sales of ransomware on the darknet, covering more than 6,300 known websites where malware and ransomware is sold, or hired as ransomware-as-a-service. More than 45,000 products have been tracked by the firm.
The file encrypting code has been embraced by the criminal fraternity as a quick and easy method of extorting money from companies. Ransomware growth in 2017 was fueled by the availability of kits that allow campaigns to be easily conducted.
Ransomware-as-a-service now includes the malicious code, admin consoles that allow the code to be tweaked to suit individual preferences, and instructions and guidelines for conducting campaigns. Now, no coding experience is necessary to conduct ransomware campaigns. It is therefore no surprise to see major ransomware growth in 2017, but the extent of that growth is jaw-dropping.
Ransomware sales now generate $6.2 million a year, having increased from $249,287 in 2016. The speed at which ransomware sales have grown has even surprised security experts. According to the report, the developers of a ransomware variant can make as much as $163,000 a year. Compare that to the amount they would make working for a company and it is not hard to see the attraction. That figure is more than double the average earnings for a legitimate software developer.
Ransomware can now be obtained via these darknet marketplaces for pocket change. The report indicates ransomware kits can be purchased for as little as 50 cents to $1 for screen lockers. Some custom ransomware variants, where the source code is supplied, sell for between $1,000 and $3,000, although the median amount for standard ransomware is $10.50. The developers of the code know full well that they can make a fortune on the back end by taking a cut of the ransomware profits generated by their affiliates.
Ransomware attacks are profitable, so there is no shortage of affiliates willing to conduct attacks. Carbon Black suggests 52% of firms are willing to pay to recover encrypted files. Many businesses would pay up to $50,000 to regain access to their files according to the report. A previous study conducted by IBM in 2016 showed that 70% of businesses attacked with ransomware have paid the ransom to recover their files, half of businesses paid more than $10,000 and 20% paid over $40,000.
Figures released by the FBI suggest ransomware revenues were in excess of $1 billion last year, up from $24 million in 2015. However, since many companies keep infections and details of ransomware payments quiet, it is probable that the losses are far higher.
Since the ransomware problem is unlikely to go away, what businesses must do is to improve their defenses against attacks – That means implementing technology and educating the workforce to prevent attacks, deploy software solutions to detect attacks promptly when they occur to limit the damage caused, and make sure that in the event of an attack, data can be recovered.
Since the primary attack vector for ransomware is email, companies should ensure they use an advanced spam filtering solution to prevent the malicious emails from being delivered to end users. SpamTitan block more than 99.9% of spam email, keeping inboxes ransomware free.
Employee education is critical to prevent risky behavior and ensure employees recognize and report potentially malicious emails. To ensure recovery is possible without paying the ransom, firms should ensure multiple backups are made. Those backups should be tested to make sure data can be recovered. Best practices for backing up data are to ensure three copies exist, stored on at least two different media, with one copy stored off site.
by titanadmin | Oct 11, 2017 | Industry News, Internet Security |
Email may be the primary vector used to conduct cyberattacks on businesses, but there has been a massive rise in cyberattacks on websites in recent months. The second quarter of 2017 saw a 186% increase in cyberattacks on websites, rising from an average of 22 attacks per day in Q1 to 63 attacks per day in Q2, according to a recent report from SiteLock. These sites were typically run by small to mid-sized companies.
WordPress websites were the most commonly attacked – The average number of attacks per day was twice as high for WordPress sites as other content management platforms. That said, security on WordPress sites is typically better than other content management platforms.
Joomla websites were found to contain twice the number of vulnerabilities as WordPress sites, on average. Many users of Joomla were discovered to be running versions of the CMS that are no longer supported. One in five Joomla sites had a CMS that had not been updated in the past 5 years. Typically, users of Joomla do not sign up for automatic updates.
WordPress sites are updated more frequently, either manually or automatically, although that is not the case for plugins used on those sites. While the CMS may be updated to address vulnerabilities, the updates will not prevent attacks that leverage vulnerabilities in third party plugins.
The study revealed 44% of 6 million websites assessed for the study had plugins that were out of date by a year or more. Even when websites were running the latest version of the CMS, they are still being compromised by cybercriminals who exploited out of date plugins. Seven out of 10 compromised WordPress sites were running the latest version of the WordPress.
There is a common misconception than website security is the responsibility of the hosting provider, when that is not the case. 40% of the 20,000 website owners who were surveyed believed it was their hosting company that was responsible for securing their websites.
Most cyberattacks on websites are automated. Bots are used to conduct 85% of cyberattacks on websites. The types of attacks were highly varied, including SQL injection, cross-site scripting attacks, local and remote file inclusion, and cross-site request forgery.
SiteLock noted that in 77% of cases where sites had been compromised with malware, this was not picked up by the search engines and warnings were not being displayed by browsers. Only 23% of sites that were compromised with malware triggered a browser warning or were marked as potentially malicious websites by search engines.
Due to major increase in attacks, it is strongly recommended that SMBs conduct regular scans of their sites for malware, ensure their CMS is updated automatically, and updates are performed on all plugins on the site. Taking proactive steps to secure websites will help SMBs prevent website-related breaches and stop their sites being used to spread malware or be used for phishing.
by titanadmin | Oct 11, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
FormBook malware is being used in targeted attacks on the manufacturing and aerospace sectors according to researchers at FireEye, although attacks are not confined to these industries.
So far, the attacks appear to have been concentrated on organizations in the United States and South Korea, although it is highly likely that attacks will spread to other areas due to the low cost of this malware-as-a-service, the ease of using the malware, and its extensive functionality.
FormBook malware is being sold on underground forms and can be rented cheaply for as little as $29 a month. Executables can be generated using an online control panel, a process that requires next to no skill. This malware-as-a-service is therefore likely to be used by many cybercriminals.
FormBook malware is an information stealer that can log keystrokes, extract data from HTTP sessions and steal clipboard content. Via the connection to its C2 server, the malware can receive and run commands and can download files, including other malware variants. Malware variants discovered to have already been downloaded by FormBook include the NanoCore RAT.
FireEye researchers also point out that the malware can steal passwords and cookies, start and stop Windows processes, and force a reboot of an infected device.
FormBook malware is being spread via spam email campaigns using compressed file attachments (.zip, .rar), .iso and .ace files in South Korea, while the attacks in the United States have mostly involved .doc, .xls and .pdf files. Large scale spam campaigns have been conducted to spread the malware in both countries.
The U.S campaigns detected by FireEye used spam emails related to shipments sent via DHL and FedEx – a common choice for cybercriminals. The shipment labels, which the emails say must be printed in order to collect the packages, are in PDF form. Hidden in the document is a tny.im URL that directs victims to a staging server that downloads the malware. The campaigns using Office documents deliver the malware via malicious macros. The campaigns conducted in South Korea typically include the executables in the attachments.
While the manufacturing industry and aerospace/defense contractors are being targeted, attacks have been conducted on a wide range of industries, including education, services/consulting, energy and utility companies, and the financial services. All organizations, regardless of their sector, should be alert to this threat.
Organizations can protect against this new threat by adopting good cybersecurity best practices such as implementing a spam filtering solution to block malicious messages and stop files such as ISOs and ACE files from being delivered to end users. Organizations should also alert their employees to the threat of attack and provide training to help employees recognize this spam email campaign. Macros should also be disabled on all devices if they are not necessary for general work duties, and at the very least, should be set to be run manually.
by titanadmin | Oct 4, 2017 | Internet Security, Network Security, Phishing & Email Spam |
The 2013 Yahoo data breach was already the largest data breach in U.S. history, now it has been confirmed that it was even larger than first thought.
Verizon has now confirmed that rather than the breach impacting approximately 1 billion email accounts, the 2013 Yahoo data breach involved all of the company’s 3 billion email accounts.
Prior to the disclosure of the 2013 Yahoo data breach, a deal had been agreed with Yahoo to Verizon. The disclosure of a 1-billion record data breach and a previous breach impacting 500 accounts during the final stages of negotiations saw the sale price cut to $4.48 billion – A reduction of around $350 million or 7% of the sale price. It is unclear whether this discovery will prompt Verizon to seek a refund of some of that money.
Verizon reports that while Yahoo’s email business was being integrated into its new Oath service, new intelligence was obtained to suggest all of Yahoo’s 3 billion accounts had been compromised. Third party forensic experts made the discovery. That makes it the largest data breach ever reported by a considerable distance, eclipsing the 360 million record breach at MySpace discovered in 2016 and the 145 million record breach at E-Bay in 2015.
The data breach involved the theft of email addresses and user ID’s along with hashed passwords. No stored clear-text passwords are understood to have been obtained, and neither any financial information. However, since the method used to encrypt the data was outdated, and could potentially be cracked, it is possible that access to the email accounts was gained. Security questions and backup email addresses were also reportedly obtained by the attackers.
The scale of the cyberattack is astonishing, and so is the potential fallout. Already there have been more than 40 class action lawsuits filed by consumers, with the number certain to grow considerably since the announcement that the scale of the breach has tripled.
Verizon has said all of the additional breach victims have been notified by email, but that many of the additional accounts were opened and never used, or had only been used briefly. Even so, this is still the largest data breach ever reported.
The 2013 Yahoo data breach was investigated and has been linked to state-sponsored hackers, four of whom have been charged with the hack and data theft, including two former Russian intelligence officers.One of those individuals is now in custody in the Untied States.
by titanadmin | Oct 2, 2017 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam Software, Website Filtering |
Today is the start of the 14th National Cyber Security Month – A time when U.S. citizens are reminded of the importance of practicing good cyber hygiene, and awareness is raised about the threat from malware, phishing, and social engineering attacks.
The cybersecurity initiative was launched in 2004 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) with the aim of creating resources for all Americans to help them stay safe online.
While protecting consumers has been the main focus of National Cyber Security Month since its creation, during the past 14 years the initiative has been expanded considerably. Now small and medium-sized businesses, corporations, and healthcare and educational institutions are assisted over the 31 days of October, with advice given to help develop policies, procedures, and implement technology to keep networks and data secure.
National Cyber Security Month Themes
2017 National Cyber Security Month focuses on a new theme each week, with resources provided to improve understanding of the main cybersecurity threats and explain the actions that can be taken to mitigate risk.
Week 1: Oct 2-6 – Simple Steps to Online Safety
It’s been 7 years since the STOP. THINK. CONNECT campaign was launched by the NCSA and the Anti-Phishing Workshop. As the name suggests, the campaign encourages users learn good cybersecurity habits – To assume that every email and website may be a scam, and to be cautions online and when opening emails. Week one will see more resources provided to help consumers learn cybersecurity best practices.
Week 2: Oct 9-13 – Cybersecurity in the Workplace
With awareness of cyber threats raised with consumers, the DHS and NCSA turn their attention to businesses. Employees may be the weakest link in the security chain, but that need not be the case. Education programs can be highly effective at improving resilience to cyberattacks. Week 2 will see businesses given help with their cyber education programs to develop a cybersecurity culture and address vulnerabilities. DHS/NCSA will also be promoting the NIST Cybersecurity Framework and explaining how its adoption can greatly improve organizations’ security posture.
Week 3: Oct 16-20 –Predictions for Tomorrow’s Internet
The proliferation of IoT devices has introduced many new risks. The aim of week three is to raise awareness of those risks – both for consumers and businesses – and to provide practical advice on taking advantage of the benefits of smart devices, while ensuring they are deployed in a secure and safe way.
Week 4: Oct 23-27 –Careers in Cybersecurity
There is a crisis looming – A severe lack of cybersecurity professionals and not enough students taking up cybersecurity as a profession. The aim of week 4 is to encourage students to consider taking up cybersecurity as a career, by providing resources for students and guidance for key influencers to help engage the younger generation and encourage them to pursue a career in cybersecurity.
Week 5: Oct 30-31 – Protecting Critical Infrastructure
As we have seen already this year, nation-state sponsored groups have been sabotaging critical infrastructure and cybercriminals have been targeting critical infrastructure to extort money. The last two days of October will see awareness raised of the need for cybersecurity to protect critical infrastructure, which will serve as an introduction to Critical Infrastructure Security and Resilience Month in November.
European Cyber Security Month
While National Cyber Security Month takes place in the United States, across the Atlantic, European Cyber Security Month is running in tandem. In Europe, similar themes will be covered with the aim of raising awareness of cyber threats and explaining the actions EU citizens and businesses can take to stay secure.
This year is the 5th anniversary of European Cyber Security Month – a collaboration between The European Union Agency for Network and Information Security (ENISA), the European Commission DG CONNECT and public and private sector partners.
As in the United States, each week of October has a different theme with new resources and reports released, and events and activities being conducted to educate the public and businesses on cybersecurity.
European Cyber Security Month Themes
This year, the program for European Cyber Security Month is as follows:
Week 1: Oct 2-6 – Cybersecurity in the Workplace
A week dedicated to helping businesses train their employees to be security assets and raise awareness of the risks from phishing, ransomware, and malware. Resources will be provided to help businesses teach their employees about good cyber hygiene.
Week 2: Oct 9-13 – Governance, Privacy & Data Protection
With the GDPR compliance date just around the corner, businesses will receive guidance on compliance with GDPR and the NIS Directive to help businesses get ready for May 2018.
Week 3: Oct 16-20 – Cybersecurity in the Home
As more IoT devices are being used in the home, the risk of cyberattacks has grown. The aim of week 3 is to raise awareness of the threats from IoT devices and to explain how to keep home networks secure. Awareness will also be raised about online fraud and scams targeting consumers.
Week 4: Oct 23-27 – Skills in Cyber Security
The aim in week 4 is to encourage the younger generation to gain the cyber skills they will need to embark upon a career in cybersecurity. Educational resources will be made available to help train the next generation of cybersecurity professionals.
Use October to Improve Your Cybersecurity Defenses and Train Your Workforce to Be Security Titans
This Cyber Security Month, why not take advantage of the additional resources available and use October to improve your cybersecurity awareness and train your employees to be more security conscious.
When the month is over, don’t shelve cybersecurity for another 12 months. The key to remaining secure and creating a security culture in the workplace is to continue training, assessments, and phishing tests throughout the year. October should be taken as a month to develop and implement training programs and to work toward creating a secure work environment and build a cybersecurity culture in your place of work.
by titanadmin | Sep 29, 2017 | Email Scams, Phishing & Email Spam, Spam Advice, Spam News |
A warning has been issued to digital civil liberties activists by the Electronic Frontier Foundation about the risk of targeted spear phishing attacks. The phishing warning comes after spate of phishing attacks on digital civil liberties groups over the summer, at least one of which resulted in the disclosure of login credentials.
The attacks were directed at two NGOs – Free Press and Fight for Future – both of which are advocates of net neutrality. The campaign appears to have been conducted by the same individual and included at least 70 phishing attempts between July and August. The attacks started on July 12, which is Save Net Neutrality Day of Action – a day of protest against the FCC’s proposed rollback of net neutrality protections.
While phishing emails are often sent with the purpose of installing malware, in this case the aim was to obtain login credentials to LinkedIn, Google, and Dropbox accounts.
Spear phishing emails were sent using a variety of themes from standard phishing emails to sophisticated and highly creative scams. While most of the attempts failed, the scammer was able to obtain the credentials of at least one account. The compromised Google account was used to send further spear phishing emails to other individuals in the organization. It is unclear what other goals the attacker had, and what the purpose of gaining access to the accounts was.
The phishing campaign was analysed by Eva Galperin and Cooper Quintin at the Electronic Frontier Foundation. They said some of the phishing emails were simple phishing attempts, where the attacker attempted to direct end users to a fake Google document. Clicking the link would direct the user to a site where they were required to enter their Google account details to view the document. Similar phishing emails were sent in an attempt to obtain LinkedIn credentials, using fake LinkedIn notifications. Others contained links to news stories that appeared to have been shared by contacts.
As the campaign progressed, the attacker got more inventive and the attacker started researching the targets and using personal information in the emails. One email was sent in which the scammer pretended to be the target’s husband, signing the email with his name. Another email was sent masquerading as a hateful comment on a video the target had uploaded to YouTube.
A pornography-related phishing scam was one of the most inventive attempts to gain access to login credentials. Emails were sent to targets masquerading as confirmations from well-known pornographic websites such as Pornhub and RedTube. The emails claimed the recipient had subscribed to the portals.
The initial email was then followed up with a further email containing a sexually explicit subject line. The sender name was spoofed to make it appear that the email was sent from Pornhub. The unsubscribe link on the email directed the user to a Google login page where they were asked for their credentials.
It is not clear whether the two NGOs were the only organizations targeted. Since these attacks may be part of a wider campaign, EFF is alerting all digital civil liberties activists to be aware of the threat. Indicators of compromise have been made available here.
by titanadmin | Sep 29, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam News, Spam Software |
A new malware threat named RedBoot has been discovered that bears some similarities to NotPetya. Like NotPetya, RedBoot malware appears to be a form of ransomware, when in actual fact it is a wiper at least in its current form.
RedBoot malware is capable of encrypting files, rendering them inaccessible. Encrypted and given the .locked extension. Once the encryption process is completed, a ‘ransom’ note is shown to the user, providing an email address to use to find out how to unlock the encrypted files. Like NotPetya, RedBoot malware also makes changes to the master boot record.
RedBoot includes a module that overwrites the current master boot record and it also appears that changes are made to the partition table, but there is currently no mechanism for restoring those changes. There is also no command and control server and even though an email address is provided, no ransom demand appears to be issued. RedBoot is therefore a wiper, not ransomware.
According to Lawrence Abrams at BeepingComputer who has obtained a sample of the malware and performed an analysis, RedBoot is most likely a poorly designed ransomware variant in the early stages of development. Abrams said he has been contacted by the developer of the malware who claimed the version that was studied is a development version of the malware. He was told an updated version will be released in October. How that new version will be spread is unknown at this stage.
Even if it is the intention of the developer to use this malware to extort money from victims, at present the malware causes permanent damage. That may change, although this malware variant may remain a wiper and be used simply to sabotage computers.
It is peculiar that an incomplete version of the malware has been released and advance notice has been issued about a new version that is about to be released, but it does give businesses time to prepare.
The attack vector is not yet known, so it is not possible to give specific instructions on how to prevent RedBoot malware attacks. The protections that should be put in place are therefore the same as for blocking any malware variant.
A spam filtering solution should be implemented to block malicious emails, users should be alerted to the threat of phishing emails and should be training how to identify malicious emails and told never to open attachments or click on hyperlinks sent from unknown individuals.
IT teams should ensure all computers and servers are fully patched and that SMBv1 has been disabled or SMBv1 vulnerabilities have been addressed and antivirus software should be installed on all computers.
It is also essential to back up all systems to ensure that in the event of an attack, systems can be restored and data recovered.
by titanadmin | Sep 27, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
Ransomware developers have leveraged the EternalBlue exploit, now the criminals behind the Retefe banking Trojan have added the NSA exploit to their arsenal.
The EternalBlue exploit was released in April by the hacking group Shadow Brokers and was used in the global WannaCry ransomware attacks. The exploit was also used, along with other attack vectors, to deliver the NotPetya wiper and more recently, has been incorporated into the TrickBot banking Trojan.
The Retefe banking Trojan is distributed via malicious Microsoft Office documents sent via spam email. In order for the Trojan to be installed, the emails and the attachments must be opened and code must be run. The attackers typically use Office documents with embedded objects which run malicious PowerShell code if clicked. Macros have also been used in some campaigns to deliver the malicious payload.
Researchers at Proofpoint have now obtained a sample of the Retefe banking Trojan that includes the EternalBlue SMBv1 exploit. The EternalBlue module downloads a PowerShell script and an executable. The script runs the executable, which installs the Trojan.
The researchers noted the module used in the WannaCry attacks that allowed rapid propagation within networks – Pseb – was lacking in Retefe, although that may be added at a later date. It would appear that the criminals behind the campaign are just starting to experiment with EternalBlue.
Other banking Trojans such as Zeus have been used in widespread attacks, although so far attacks using the Retefe banking Trojan have largely been confined to a limited number of countries – Austria, Sweden, Switzerland, Japan, and the United Kingdom.
Businesses in these countries will be vulnerable to Retefe, although due to the number of malware variants that are now using EternalBlue, all businesses should ensure they mitigate the threat. Other malware variants will almost certainly be upgraded to include EternalBlue.
Mitigating the threat from EternalBlue (CVE-2017-0144) includes applying the MS17-010 patch and also blocking traffic associated with the threat through your IDS system and firewall. Even if systems have been patched, a scan for vulnerable systems should still be conducted to ensure no devices have been missed.
Since the Retefe Trojan is primarily being spread via spam email, a spam filter should be implemented to prevent malicious messages from reaching end users. By implementing SpamTitan, businesses can protect their networks against this and other malware threats delivered via spam email.
by titanadmin | Sep 27, 2017 | Internet Security, Network Security |
While most ransomware attacks occur via phishing emails or exploit kits and require some user interaction, SMBv1 ransomware attacks occur remotely with no user interaction required.
These attacks exploit a vulnerability in Windows Server Message Block protocol (SMB), a communication protocol typically used for sharing printers and other network resources. SMB operates in the application layer and is typically used over TCP/IP Port 445 and 139.
A critical flaw in SMBv1 was identified and addressed by Microsoft in a March 14, 2017 security update – MS17-010. At the time, Microsoft warned that exploitation of the flaw could allow remote code execution on a vulnerable system.
An exploit for the flaw, termed EternalBlue, was reportedly used by the U.S. National Security Agency’s Equation Group for four years prior to the vulnerability being plugged. That exploit, along with several others, was obtained by a hacking group called Shadow Brokers. The EternalBlue exploit was disclosed publicly in April, after attempts to sell the exploit failed. Following its release, it was not long before malware developers incorporated the exploit and used it to remotely attack vulnerable systems.
The exploit was primarily used to attack older operating systems such as Windows 7 and Windows Server 2012, although other systems are also vulnerable, including Windows Server 2016. The security update addresses the flaw in all vulnerable systems. Microsoft also released a patch for the long-retired Windows XP.
The most widely reported SMBv1 ransomware attacks occurred in May and involved WannaCry ransomware. WannaCry exploited the SMBv1 vulnerability and used TCP Port 445 to propagate. These SMBv1 ransomware attacks were conducted around the globe, although fortunately a kill switch was found which was used to disable the ransomware and prevent file encryption.
While that spelled the end of WannaCry, the SMBv1 attacks continued. NotPetya – not a ransomware variant but a wiper – also used the EternalBlue exploit to attack systems, and with the code still publicly available, other malware developers have incorporated the exploit into their arsenal. Any business that has not yet applied the MS17-010 patch will still be vulnerable to SMBv1 ransomware attacks. Other malware developers are now using the exploit to deliver banking Trojans.
While most businesses have now applied the patch, there are some that are still running vulnerable operating systems. There is also a risk that even when patches have been applied, devices may have been missed.
All businesses should therefore make sure their systems have been patched, but should also perform a scan to ensure no devices have slipped through the net and remain vulnerable. All it takes is for one unpatched device to exist on a network for ransomware or malware to be installed.
There are several commercially available tools that can be used to scan for unpatched devices, including this free tool from ESET. It is also recommended to block traffic associated with EternalBlue through your IDS system or firewall.
If you still insist on using Windows XP, you can at least stop the SMB flaw from being exploited with this patch, although an upgrade to a supported OS is long overdue. The MS17-010 patch for all other systems can be found on this link.
Comment arrêter les attaques de ransomware SMBv1 ?
by titanadmin | Sep 21, 2017 | Industry News, Network Security |
The CCleaner hack that saw a backdoor inserted into the CCleaner binary and distributed to at least 2.27 million users was far from the work of a rogue employee. The attack was much more sophisticated and bears the hallmarks of a nation state actor. The number of users infected with the first stage malware may have been be high, but they were not being targeted. The real targets were technology firms and the goal was industrial espionage.
Avast, which acquired Piriform – the developer of Cleaner – in the summer, announced earlier this month that the CCleaner v5.33.6162 build released on August 15 was used as a distribution vehicle for a backdoor. Avast’s analysis suggested this was a multi-stage malware, capable of installing a second-stage payload; however, Avast did not believe the second-stage payload ever executed.
Swift action was taken following the discovery of the CCleaner hack to take down the attacker’s server and a new malware-free version of CCleaner was released. Avast said in a blog post that simply updating to the new version of CCleaner – v5.35 – would be sufficient to remove the backdoor, and that while this appeared to be a multi-stage malware
Further analysis of the CCleaner hack has revealed that was not the case, at least for some users of CCleaner. The second stage malware did execute in some cases.
The second payload differed depending on the operating system of the compromised system. Avast said, “On Windows 7+, the binary is dumped to a file called “C:\Windows\system32\lTSMSISrv.dll” and automatic loading of the library is ensured by autorunning the NT service “SessionEnv” (the RDP service). On XP, the binary is saved as “C:\Windows\system32\spool\prtprocs\w32x86\localspl.dll” and the code uses the “Spooler” service to load.”
Avast determined the malware was an Advanced Persistent Threat that would only deliver the second-stage payload to specific users. Avast was able to determine that 20 machines spread across 8 organizations had the second stage malware delivered, although since logs were only collected for a little over 3 days, the actual total infected with the second stage was undoubtedly higher. Avast estimates the number of devices infected was likely “in the hundreds”.
Avast has since issued an update saying, “At the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany.”
The majority of devices infected with the first backdoor were consumers, since CCleaner is a consumer-oriented product; however, consumers are believed to be of no interest to the attackers and that the CCleaner hack was a watering hole attack. The aim was to gain access to computers used by employees of tech firms. Some of the firms targeted in this CCleaner hack include Google, Microsoft, Samsung, Sony, Intel, HTC, Linksys, D-Link, and Cisco.
The second stage of the attack delivered keylogging and data collection malware. Kaspersky and FireEye researchers have connected the attack to the hacking group APT 17, noting similarities in the infrastructure with the nation state actor. It was APT 17 that was behind the Operation Aurora attack which similarly targeted tech companies in 2009. Cisco Talos researchers noted that one of the configuration files was set to a Chinese time zone, further suggesting this was the work of a nation-state hacking group based in China.
While Avast previously said upgrading to the latest version would be sufficient to remove the backdoor, it would not remove the second-stage malware. Data could still be exfiltrated to the attackers C2 server, which was still active. Avast is currently working with the targeted companies and is providing assistance.
Cisco Talos criticized Avast’s stance on the attack, explaining in a recent blog post, “it’s imperative to take these attacks seriously and not to downplay their severity,” also suggesting users should “restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.”
by titanadmin | Sep 20, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam News, Spam Software |
A new spam email ransomware campaign has been launched that has potential to infect users twice, with both Locky and FakeGlobe ransomware.
The campaign, which was launched earlier this month, sees the attackers alternate the payload between Locky and FakeGlobe ransomware. The researchers that discovered the campaign suggest the payload alternates each hour.
This method of distribution cpould result in victims being infected twice, first having their files encrypted by Locky ransomware, and then re-encrypted by FakeGlobe ransomware or vice versa. In such cases, two ransom payments would have to be paid if files could not be recovered from backups.
While the use of two malware variants for spam email campaigns is not new, it is much more typical for different forms of malware to be used, such as pairing a keylogger with ransomware. In such cases, if the ransom is paid to unlock data, the keylogger would likely remain and allow data to be stolen for use in further attacks.
As with previous attacks involving Locky, this double ransomware campaign involves fake invoices – one of the most effective ways of getting business users to open infected email attachments. In this campaign, the attachment claims to be the latest invoice which takes the form of a zip file. Opening that zip file and clicking to open the extracted file launches a script that downloads the malicious payload.
The emails also contain a hyperlink with the text “View Your Bill Online,” which will download a PDF file containing the same script as the attachment, although it connects to different URLs.
This campaign is widespread, being distributed in more than 70 countries with the large-scale spam campaign involving hundreds of thousands of messages.
Infections with Locky and FakeGlobe ransomware see a wide range of file types encrypted and there is no free decryptor to unlock the infections. Victims must either restore their files from backups or pay the ransom to recover their data.
If businesses are targeted, they can easily see multiple users fall for the campaigns, requiring multiple computers to be decrypted. However, since ransomware can spread across networks, all it takes is for one user to be fooled into downloading the ransomware for entire systems to be taken out of action. If data cannot be recovered from backups, multiple ransom payments will need to be made.
Good backup policies will help protect businesses against file loss and prevent them from having to pay ransoms; although, even if backups exist, organizations can experience considerable downtime while the malware is removed, files are restored, and networks are analyzed for other malware infections and backdoors.
Spam email remains the vector of choice for distributing ransomware. Organizations can reduce the risk of ransomware attacks by implementing an advanced spam filter such as SpamTitan. SpamTitan blocks more than 99.9% of spam emails, preventing malicious emails from reaching end users’ inboxes.
While most organizations are now using spam filtering software to prevent attacks, a recent study conducted by PhishMe suggests 15% of businesses are still not using email gateway filtering, leaving them at a high risk of ransomware attacks. Given the volume of phishing and ransomware emails now being sent, email filtering solutions are a necessity.
by titanadmin | Sep 20, 2017 | Internet Security, Network Security |
CCleaner malware infections continued for a month before the compromised binary was detected and the backdoor was removed.
Avast, which acquired Piriform over the summer, announced that between August 15 and September 15, a rogue version of the application was available on its server and was being downloaded by users. During that time, around 3% of users of the PC cleaning application had been infected according to Piriform.
Cisco Talos, which independently discovered the build of CCleaner had malware included, reported around 5 million users download the program each week, potentially meaning up to 20 million users may have been affected. However, Piriform suggests around 2.27 users had downloaded and installed the backdoor along with the legitimate application. On Monday this week, around 730,000 users had not yet updated to the latest, clean version of the program.
Any individual that downloaded the application on a 32-bit system between August 15 and September 15 was infected with the CCleaner malware, which was capable of gathering information about the users’ system. The malware in question was the Floxif Trojan, which had been incorporated into the build before Avast acquired Piriform.
The CCleaner malware collected details of users’ IP addresses, computer names, details of software installed on their systems and the MAC addresses of network adaptors, which were exfiltrated to the attackers C2 server. The CCleaner malware laced application was only part of the story. Avast says the attack involved a second stage payload, although it would appear the additional malware never executed.
The versions of the software affected were v5.33.6162 and CCleaner Cloud v1.07.3191. The malware reportedly did not execute on 64-bit systems and the Android app was unaffected. The malware was detected on September 13, 2017, although an announcement was not initially made as Avast and Piriform were working with law enforcement and did not want to alert the attackers that the malware had been detected.
The individuals behind the attack used a valid digital signature that was issued to Piriform by Symantec along with a Domain Generation Algorithm to ensure that new domains could be generated to receive exfiltrated data from compromised systems in the event that the main domain was taken down.
Now that the malware has been removed, users can simply download version 5.34 of the application which will remove the backdoor. Users of the Cloud version need do nothing, as the application has been updated to a clean version automatically. While simply updating the software should resolve all issues, users are advised to perform a full virus scan to make sure no additional malware has been introduced onto their system.
At present, it is unclear who was responsible for this supply chain attack or how the Floxif Trojan was introduced. It is possible that external hackers gained access to the development or build environment or that the Trojan was introduced from within.
Attacks such as this have potential to infect many millions of users since downloads from the developers of an application are trusted. In this case, the malware was included in the binary which was hosted on Piriform’s server – not on a third-party site.
A similar supply chain attack saw a software update for the Ukrainian accounting application MeDoc compromised. That attack resulted in the download of the NotPetya wiper, which caused billions of dollars of losses for companies.
by titanadmin | Sep 15, 2017 | Email Scams, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
Consumers should be wary of Equifax phishing scams in the wake of the massive data breach announced earlier this month. The 143 million records potentially stolen in the breach will be monetized, which means many will likely be sold to scammers.
Trend Micro has suggested a batch of data of this scale could easily be sold for $27 million on underground marketplaces and there would be no shortage of individuals happy to pay for the data. The records include the exact types of information that is sought by identity thieves, phishers, and scammers.
However, it is not necessary to have access to the stolen records to pull of scams. Many opportunistic cybercriminals are taking advantage of consumer interest in the breach and are preparing phishing websites to fool the unwary into revealing their sensitive information. Equifax’s response to the breach has also made it easier for phishers to ply their trade.
Equifax has taken the decision not to inform all breach victims by mail. Only the 209,000 individuals whose credit card numbers were exposed will be receiving a breach notification letter in the mail. All the remaining breach victims will have to check the Equifax website to find out if their information was compromised in the breach. With almost half the population affected, and next to no one being directly informed, virtually the entire population of the United States will need to head online to find out if they have been affected by the breach.
Equifax has set up a new domain where information is provided to consumers on the steps they can take to secure their accounts and minimize the risk of financial harm. The official website is equifaxsecurity2017.com. Via this website, U.S consumers can get regular updates and enroll in the free credit monitoring services being offered.
To obtain the free credit monitoring services, consumers will be routed to a website with the domain trustedidpremier.com and will need to enter their name and the last six digits of their social security number to start the process. Cybercriminals have been quick to take advantage and have registered swathes of websites and are using them to phish for sensitive information.
Consumers Should Be Wary of Equifax Phishing Scams
USA Today reports that 194 domains closely resembling the site used by Equifax have already been registered in the past few days. Those domains closely mimic the site used by Equifax, with transposed letters and common typos likely to be made by careless typists. Many of the sites have already been shut down, but more are likely to be registered.
The purpose of these sites is simple. To obtain sensitive information such as names, addresses, Social Security numbers and dates of birth.
The technique is called typosquatting. It is extremely common and very effective. The websites use the same logos and layouts as the genuine sites and they fool many visitors into revealing their sensitive information. Links to the websites are sneaked into malicious adverts displayed via third-party ad networks and are emailed out in large scale phishing campaigns. Consumers should therefore exercise extreme caution and be alert to Equifax phishing scams sent via email and text message.
Consumers should also be careful about revealing sensitive information online and should treat all email attachments and emailed hyperlinks as potentially malicious. Consumers should look for the warning signs of phishing attacks in any email received, especially if it appears to have been sent from Equifax or another credit monitoring bureau, a credit card company, bank or credit union. Email, text messages and telephone scams are likely to be rife following an attack on this scale.
Additionally, all U.S. citizens should closely monitor their credit and bank accounts, Explanation of Benefits Statements, and check their credit reports carefully. Criminals already have access to a large amount of data and will be using that information for identity theft and fraud over the coming days, weeks, months and years.
by titanadmin | Sep 15, 2017 | Industry News, Internet Security, Network Security |
It has been confirmed that poor patch management policies opened the door for hackers and allowed them to gain access to the consumer data stored by the credit monitoring bureau Equifax. The massive Equifax data breach announced earlier this month saw the personal information – including Social Security numbers – of almost half the population of the United States exposed/stolen by hackers.
Poor Patch Management Policies to Blame for Yet Another Major Cyberattack
The vulnerability may have been different to that exploited in the WannaCry ransomware attacks in May, but it was a similar scenario. In the case of WannaCry, a Microsoft Server Message Block vulnerability was exploited, allowing hackers to install WannaCry ransomware.
The vulnerability, tracked as CVE-2017-010, was corrected in March 2017 and a patch was issued to prevent the flaw from being exploited. Two months later, the WannaCry ransomware attacks affected organizations around the world that had not yet applied the patch.
Few details about the Equifax data breach were initially released, with the firm only announcing that access to consumer data was gained via a website application vulnerability. Equifax has now confirmed that access to data was gained by exploiting a vulnerability in Apache Struts, specifically, the Apache Struts vulnerability tracked as CVE-2017-5638.
As with WannaCry, a patch had been released two months before the attack took place. Hackers took advantage of poor patch management policies and exploited the vulnerability to gain access to consumer information.
The Exploited Apache Struts Vulnerability
Apache Struts is used by many Fortune 100 firms and is popular with banks, airlines, governments, and e-commerce stores. Apache Struts is an open-source, MVC framework that allows organizations to create front and back-end Java web applications, such as applications on the public website of Equifax.
The CVE-2017-5638 Apache Struts vulnerability is well known. Details of the vulnerability were published in March 2017 and a patch was issued to correct the flaw. The flaw is relatively easy to exploit, and within three days of the patch being issued, hackers started to exploit the vulnerability and attack web applications that had not been patched.
The remote code execution vulnerability allows an attacker to execute arbitrary code in the context of the affected application. While many organizations acted quickly, for some, applying the patch was not straightforward. The process of upgrading and fixing the flaw can be a difficult and labor-intensive task. Some websites have hundreds of apps that all need to be updated and tested. While it is currently unclear if Equifax was in the process of upgrading the software, two months after the patch had been released, Equifax had still not updated its software. In mid-May, the flaw was exploited by hackers and access was gained to consumer data.
Poor Patch Management Policies Will Lead to Data Breaches
All software contains vulnerabilities that can be exploited. It is just a case of those vulnerabilities being found. Already this year, there have been several vulnerabilities discovered in Apache Struts of varying severity. As soon as new vulnerabilities are discovered, patches are developed to correct the flaws. It is up to organizations to ensure patches are applied promptly to keep their systems and data secure. Had the patch been applied promptly, the breach could have been prevented.
Even though a widely exploited vulnerability was known to exist, Equifax was not only slow to correct the flaw but also failed to detect that a breach had occurred for several weeks. In this case, it would appear that the attackers were throttling down on data exfiltration to avoid detection, although questions will certainly be asked about why it took so long for the Equifax cyberattack to be discovered.
Since zero-day vulnerabilities are often exploited before software developers become aware of flaws and develop patches, organizations – especially those of the size of Equifax – should be using intrusion detection solutions to monitor for abnormal application activity. This will help to ensure any zero-day exploits are rapidly identified and action is taken to limit the severity of any breach.
What Will the Cost of the Equifax Data Breach Be?
The cost of the Equifax data breach will be considerable. State attorneys general are lining up to take action against the credit monitoring bureau for failing prevent the breach. 40 attorneys general have already launched and Massachusetts attorney general Maura Healey has announced the state will be suing Equifax for breaching state laws.
Healey said, the Equifax data breach was “the most egregious data breach we have ever seen. It is as bad as it gets.” New York Attorney General Eric Schneiderman has also spoken out about the breach promising an in-depth investigation to determine whether state laws have been violated. If they have, action will certainly be taken.
U.S. consumers are also extremely angry that their highly sensitive information has been breached, especially since they did not provide their data to Equifax directly. Class-action lawsuits are certain to be launched to recover damages.
As if the breach itself is not bad enough, questions have been raised about the possibility of insider trading. Three Equifax executives allegedly sold $2 million in stock just days after the breach was discovered and before it had been made public.
The final cost of the Equifax data breach will not be known for years to come, although already the firm has lost 35% of its stock value – wiping out around $6 billion. Multiple lawsuits will be filed, there are likely to be heavy fines. The cost of the Equifax breach is therefore certain to be of the order of hundreds of millions. Some experts have suggested a figure of at least 300 million is likely, and possibly considerably more.
by titanadmin | Sep 14, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software |
Cyberattacks on Office 365 users are increasing and Office 365 email security controls are not preventing account compromises at many businesses. If you want to block phishing and malware attacks and prevent costly data breaches, there is no better time than the present to improve Office 365 email security.
Microsoft Office 365 – An Attractive Target for Cybercriminals
Microsoft’s figures suggest there are now more than 70 million active users of Office 365 making it the most widely adopted enterprise cloud service by some distance. 78% of IT decision makers say they have already signed up to Office 365 or plan to do so in 2017 and Microsoft says it is now signing up a further 50,000 small businesses to Office 365 every month. 70% of Fortune 500 companies are already using Office 365 and the number of enterprises transitioning to Office 365 is likely to significantly increase.
Office 365 offers many advantages for businesses but as the number of users grows, the platform becomes and even bigger target for hackers. Hackers are actively seeking flaws in Office 365 and users of the service are increasingly coming under attack. The more users an operating system or service has, the more likely hackers are to concentrate their resources on developing new methods to attack that system.
Cyberattacks on Office 365 are Soaring
Microsoft is well aware of the problem. Its figures show that malware attacks on Office 365 users increased by a staggering 600% last year and a recent survey conducted by Skyhigh Networks showed 71.4% of Office 365 business users have to deal with at least one compromised email account every month. Surveys often overestimate security problems due to having a limited sample size. That is unlikely to be the case here. The survey was conducted on 27 million users of Office 365 and 600 enterprises.
The majority of new malware targets Windows systems simply because there are substantially more users of Windows than Macs. As Apple increases its market share, it becomes more profitable to develop malware to attack MacOS. Consequently, MacOS malware is becoming more common. The same is true for Office 365. More users means successful attacks are much more profitable. If a flaw is found and a new attack method developed, it can be used on millions of users, making searching for flaws and developing exploits well worth the time and effort.
Phishers and hackers are also studying how the security functions of O365 work and are searching for flaws and developing exploits to take advantage. For a few dollars a month, hackers can sign up for accounts to study Office 365. Hackers are also taking advantage of poor password choices to gain access to other users’ accounts to trial their phishing campaigns to ensure they bypass Office 365 email security controls.
Office 365 Email Security Controls are Often Lacking
Given the resources available to Microsoft and its frequent updates, you would expect Office 355 email security to be pretty good. While Office 365 email security is not terrible, for standard users it is not great either. Standard subscriptions include scant security features. To get enhanced security, the enterprise subscription must be purchased or extra email security add-ons must be purchased separately at a not insignificant cost.
Pay for the enterprise subscription and you will get a host of extra security features provided through the Advanced Threat Protection (ATP) security package. This includes message sandboxing, phishing protection, URL tracking and reporting, and link reputation checking. Even when Advanced Threat Protection is used, getting the settings right to maximize protection is not always straightforward.
APT will certainly improve email security, but it is worth bearing in mind that hackers can also sign up for those features and have access to the sandbox. That makes it easier for them to develop campaigns that bypass Office 365 security protections.
Even with both layers of security, the level of protection against malware and phishing is only OK. A 2017 study by SE Labs revealed that even with Microsoft’s Exchange Online Protection and Advanced Threat Protection enabled, email security only achieved a similar score to solutions in the low-middle level of the market. Far lower than the level of protection provided by advanced third party email spam filters such as SpamTitan that work alongside Office 365 to provide even greater protection from malicious email threats.
The Cost of Mitigating an Cybersecurity Incident is Considerable
The cost of mitigating a cyberattack can be considerable, and certainly substantially more than the cost of prevention. The Ponemon Institute/IBM Security 2017 Cost of a Data Breach study shows the average cost of mitigating a cyberattack is $3.62 million.
The recent NotPetya and WannaCry attacks also highlighted the high cost of breach mitigation. The NotPetya attack on Maersk, for example, has been estimated to cost the company up to $300 million, the vast majority of which could have been saved if the patches released by Microsoft in March had been applied promptly.
These large companies can absorb the cost of mitigating cyberattacks to a certain extent, although smaller businesses simply do not have the funds. It is no therefore no surprise that 60% of SMBs end up permanently closing their doors within 6 months of experiencing a cyberattack. Even cash-strapped businesses should be able to afford to improve security to prevent email-based attacks – The most common vector used by cybercriminals to gain access to systems and data.
Increase Office Email 365 Security with a Specialist Email Security Solution
No system can be made totally impervious to hackers and remain usable, but it is possible to improve Office 365 email security and reduce the potential for attacks to an minimal level. To do that, many enterprises are turning to third-party solution providers – specialists in email security – to increase Office 365 email security instead of paying extra for the protection offered by APT.
According to figures from Gartner, an estimated 40% of Microsoft Office 365 deployments will incorporate third-party tools by the end of 2018 with the figure predicted to rise to half of all deployments by 2020.
One of the best ways of improving Office 365 email security is to use an advanced, comprehensive email spam filtering solution developed by a specialist in email security, TitanHQ.
TitanHQ’s SpamTitan offers excellent protection against email-based attacks. The solution has also been developed to perfectly compliment Office 365 to block more attacks and keep inboxes spam and malware free. SpamTitan filters out more than 99.97% of spam and malicious emails, giving businesses the extra level of protection they need. Furthermore, it is also one of the most cost-effective enterprise email security solutions for Office 365 on the market.
SpamTitan Offers Defense In Depth for Office 365 Users
Even with Office 365 Advanced Threat Protection, there are areas where Office 365 does not perform well. According to a study by Osterman Research, Office 365 is capable of blocking all known malware threats. The solution is nowhere near as effective at blocking new malware variants, which are constantly being released. When these new threats are detected and the signatures are added to the database, the threats can be blocked. Until that point, users will be vulnerable. SpamTitan on the other hand is capable of detecting and blocking new malware threats. SpamTitan is able to anticipate new attacks thanks to pattern learning and intelligence. These predictive capabilities ensures protection against the latest malware variants that signature-based email security solutions fail to detect. By using Bayesian analysis, heuristics and machine learning, new types of spear phishing, whaling, and zero day attacks can be detected and blocked that would otherwise be delivered to inboxes.
SpamTitan includes URL reputation analysis to assess all embedded hyperlinks in an email, including shortened URLs. SURBL filtering and URL detection mechanisms offer superior protection against malicious links contained in emails. Heuristics are used to identify phishing emails from message headers and are constantly updated to detect the latest emerging threats. SpamTitan also includes a greylisting option. Greylisting involves the rejection of all messages along with a request for the message to be resent. Most email servers respond and redeliver messages quickly. Email servers used for spamming are usually busy and these requests are ignored. This is included as an optional feature in SpamTitan, and can be used in combination with whitelists to ensure trusted senders’ messages are always delivered without any delay. Spam confidence levels can be set by user, user group or domain and the solution integrates with Active Directory and LDAP for easy synchronization.
These combinations of features provide superior protection against phishing, spear phishing, ransomware, malware, BEC, impersonation, and zero-day attacks via email, ensuring businesses are protected and messages do not reach end users’ inboxes.
To find out more about SpamTitan and how it can improve Microsoft Office 365 email security at your business, contact TitanHQ today.
MSPs Can Profit from Providing Additional Office 365 Email Security
The days when MSPs could offer out of the box email services to clients and make big bucks are sadly gone. MSPs can sell Office 365 subscriptions to their clients, but the margins are small and there is little money to be made. However, there are good opportunities for selling support services for MS products and also for providing enhanced email security for Office 365 users.
SpamTitan can be sold as an add-on service to enhance security for clients subscribing to Office 365, and since the solution is easy to implement and has a very low management overhead, it allows MSPs to easily boost monthly revenues.
SpamTitan can also be provided in white label form; ready to accept MSP branding. The solution can even be hosted within an MSPs infrastructure. On top of that, there are generous margins for MSPs.
With SpamTitan it is easy for MSPs to provide valued added service, enhance Office 365 email services, and improve Microsoft Office 365 email security for all customers.
To find out more about how you can partner with SpamTitan and improve Office 365 email security for your customers, contact the MSP Sales team at TitanHQ today.
Vous pouvez lire cet article sur le site TitanHQ.fr.
by titanadmin | Sep 14, 2017 | Industry News, Internet Security, Network Security, Phishing & Email Spam |
A new attack method – termed Bashware – could allow attackers to install malware on Windows 10 computers without being detected by security software, according to research conducted by Check Point.
The Windows Subsystem for Linux (WSL) was introduced to make it easier for developers to run Linux tools on Windows without having to resort to virtualization; however, the decision to add this feature could open the door to cybercriminals and allow them to install and run malware undetected.
Checkpoint researchers have conducted tests on Bashware attacks against leading antivirus and antimalware security solutions and in all cases, the attacks went undetected. Check Point says no current antivirus or security solutions are capable of detecting Bashware attacks as they have not been configured to search for these threats. Unless cybersecurity solutions are updated to search for the processes of Linux executables on Windows systems, attacks will not be detected.
Microsoft says the Bashware technique has been reviewed and has been determined to be of low risk, since WSL is not turned on by default and several steps would need to be taken before the attack is possible.
For an attack to take place, administrator privileges would need to be gained. As has been demonstrated on numerous occasions, those credentials could easily be gained by conducting phishing or social engineering attacks.
The computer must also have WSL turned on. By default, WSL is turned off, so the attacks would either be limited to computers with WSL turned on or users would have to turn on WSL manually, switching to development mode and rebooting their device. The potential for Bashware attacks to succeed is therefore somewhat limited.
That said, Check Point researchers explained that WSL mode can be switched on by changing a few registry keys. The Bashware attack method automates this process and will install all the necessary components, turn on WSL mode and could even be used to download and extract the Linux file system from Microsoft.
It is also not necessary for Linux malware to be written for use in these attacks. The Bashware technique installs a program called Wine that allows Windows malware to be launched and run undetected.
WSL is now a fully supported feature of Windows. Check Point says around 400 million computers are running Windows 10 are currently exposed to Bashware attacks.
Researchers Gal Elbaz and Dvir Atias at Check Point said in a recent blog post, “Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products.”
Check Point has already updated its solutions to detect these types of attacks, and Kaspersky Lab is making changes to its solutions to prevent these types of attacks. Symantec said its solutions already check for malware created using WSL.
by titanadmin | Sep 13, 2017 | Internet Security, Network Security, Phishing & Email Spam |
Microsoft has corrected 27 critical vulnerabilities this Patch Tuesday, including a Microsoft .Net Framework flaw that is being actively exploited to install Finspy surveillance software on devices running Windows 10.
Microsoft .Net Framework Flaw Exploited by ‘Multiple’ Actors
Finspy is legitimate software developed by the UK-based Gamma Group, which is used by governments around the world for cyber-surveillance. The software has been installed in at least two attacks in the past few months according to FireEye researchers, the latest attack leveraged the Microsoft .Net Framework flaw.
The attack starts with a spam email containing a malicious RTF document. The document uses the CVE-2017-8759 vulnerability to inject arbitrary code, which downloads and executes a VB script containing PowerShell commands, which in turn downloads the malicious payload, which includes Finspy.
FireEye suggests at least one attack was conducted by a nation-state against a Russian target; however, FireEye researchers also believe other actors may also be leveraging the vulnerability to conduct attacks.
According to a blog post on Tuesday, the Microsoft .Net Framework flaw has been detected and neutralized. Microsoft strongly recommends installing the latest update promptly to reduce exposure. Microsoft says the flaw could allow a malicious actor to take full control of an affected system.
BlueBorne Bluetooth Bug Fixed
Several Bluetooth vulnerabilities were discovered and disclosed on Tuesday by security firm Aramis. The vulnerabilities affect billions of Bluetooth-enabled devices around the world. The eight vulnerabilities, termed BlueBorne, could be used to perform man-in-the-middle attacks on devices via Bluetooth, rerouting traffic to the attacker’s computer. The bugs exist in Windows, iOS, Android and Linux.
In order to exploit the vulnerabilities, Bluetooth would need to be enabled on the targeted device, although it would not be necessary for the device to be in discoverable mode. An attacker could use the vulnerabilities to connect to a device – a TV or speaker for example – and initiate a connection to a computer without the user’s knowledge. In order to pull off the attack, it would be necessary to be in relatively close proximity to the targeted device.
In addition to intercepting communications, an attacker could also take full control of a device and steal data, download ransomware or malware, or perform other malicious activities such as adding the device to a botnet. Microsoft corrected one of the Bluetooth driver spoofing bugs – CVE-2017-8628 – in the latest round of updates.
Critical NetBIOS Remote Code Execution Vulnerability Patched
One of the most pressing updates is for a remote code execution vulnerability in NetBIOS (CVE-2017-0161). The vulnerability affects both servers and workstations. While the vulnerability is not believed to be currently exploited in the wild, it is of note as it can be exploited simply by sending specially crafted NetBT Session Service packets.
The Zero Day Initiative (ZDI) said the flaw “is practically wormable within a LAN. This could also impact multiple virtual clients if the guest OSes all connect to the same (virtual) LAN.”
In total, 81 updates have been released by Microsoft this Patch Tuesday. Adobe has corrected eight flaws, including two critical memory corruption bugs (CVE-2017-11281, CVE-2017-11282) in Flash Player, a critical XML parsing vulnerability in ColdFusion (CVE-2017-11286) and two ColdFusion remote code execution vulnerabilities (CVE-2017-11283, CVE-2017-11284) concerning deserialization of untrusted data.
by titanadmin | Sep 13, 2017 | Internet Security, Phishing & Email Spam |
Xafecopy malware is a new Trojan that is being used to steal money from victims via their smartphones. The malware masquerades as useful apps that function exactly as expected, although in addition to the useful functions, the apps have a malicious purpose.
Installing the apps activates Xafecopy malware, which silently subscribes the infected smartphone to a number of online services via websites that use the WAP billing payment method. Rather than require a credit card for purchases, this payment method adds the cost of the service to the user’s mobile phone bill. Consequently, it can take up to a month before the victim realizes they have been defrauded.
Several apps are used to deliver the malware, including BatteryMaster – An app that can kill processes on a smartphone to save battery life. Once installed, Xafecopy malware searches for websites that have the WAP billing feature and subscribes to the services. These websites often use the captcha system to verify that the user is human, although the malware uses JavaScript to bypass this control.
Additional features of Xafecopy malware include the ability to send text messages from the user’s device to premium rate phone numbers. The malware can also delete incoming text messages, such as text messages notifying users about services they have subscribed to and warnings from network operators about potential fraud.
To date, there are more than 4,800 victims spread across 47 countries around the world, although most of the WAP billing attacks have been seen in India, Mexico, Turkey and Russia, with India accounting for 37.5% of the WAP billing attacks. WAP billing attacks are concentrated in countries where WAP billing is most popular.
Kaspersky Lab senior malware analyst Roman Unucheck said, “WAP billing can be particularly vulnerable to so-called ‘clickjacking’ as it has a one-click feature that requires no user authorization. Our research suggests WAP billing attacks are on the rise.”
While most PC users have antivirus software installed, the same is not true for users of Android devices. Many users still do not use a security suite on their mobile devices to protect them from malware, even though they often use their smartphones to sign up and pay for online services or access their bank accounts.
Installing antivirus software can help to prevent Xafecopy malware infections. It is also important not to download apps from unofficial stores and to scan all apps with the Verify Apps utility.
by titanadmin | Sep 8, 2017 | Industry News, Internet Security, Network Security |
Shadow Brokers are offering a new National Security Agency (NSA) hacking tool – UNITEDRAKE malware – making good on their promise to issue monthly releases of NSA exploits. The latest malware variant is one of several that were allegedly stolen from the NSA last year.
Shadow Brokers previously released the ETERNALBLUE exploit which was used in the WannaCry ransomware attacks in May that affected thousands of businesses around the world. There is no reason to suggest that this new hacking tool is not exactly what they claim.
UNITEDRAKE malware is a modular remote access and control tool that can capture microphone and webcam output, log keystrokes, and gain access to external drives. Shadow Brokers claim UNITEDRAKE malware is a ‘fully extensive remote collection system’ that includes a variety of plugins offering a range of functions that allow malicious actors to perform surveillance and gather information for use in further cyberattacks. UNITEDRAKE malware gives attackers the ability to take full control of an infected device.
Plugins include CAPTIVATEDAUDIENCE, which records conversations via an infected computer’s microphone, GUMFISH gives the attackers control of the webcam and allows them to record video and take images. FOGGYBOTTOM steals data such as login credentials, browsing histories and passwords, SALVAGERABBIT can access data on external drives such as flash drives and portable hard drives when they are connected, and GROK is a keylogger plugin. The malware is also able to self-destruct when its tasks have been performed.
The malware works on older Windows versions including Windows XP, Vista, Windows 7 and 8 and Windows Server 2012.
According to documents released by Edward Snowden in 2014, the malware has been used by the NSA to infect millions of computers around the world. The malware will soon be in the hands of any cybercriminal willing to pay the asking price of 500 Zcash – around $124,000. Shadow Brokers have released a manual for the malware explaining how it works and its various functions.
TrendMicro said in a recent blog post there is currently no way of blocking or stopping the malware. When attacks occur, they will be analyzed by security researchers looking for clues as to how the malware works. That should ultimately lead to the development of tools to block attacks.
In the meantime, organizations need to improve their security posture by ensuring all systems are patched and operating systems are upgraded to the latest versions. An incident response plan should also be developed to ensure it can be implemented promptly in the event of an attack.
A further NSA exploit is expected to be released later this month, with the monthly dumps scheduled for at least the next two months.
