
Malicious File Deliveries Increased in 2023

The cyber threat landscape is constantly changing, with cybercriminals and nation-state actors developing new tactics, techniques, and procedures for use in attacks on businesses to steal intellectual property and sensitive customer data, and for extortion. Threat actors gain access to internal networks by exploiting human weaknesses through social engineering and phishing, exploiting vulnerabilities such as unpatched and misconfigured software, and using malware for remote access.

The latter has seen an increase in 2023, with Kaspersky reporting in its end-of-the-year statistics report that malicious file detections have increased by 3% from 2022, with an average of 411,000 malicious files detected each day. The biggest increase was malicious desktop files such as Word documents, Excel spreadsheets, and PDF files, which are used for distributing malware. More than 125 million malicious desktop files were detected in 2023, with documents such as Word files and PDF files seeing the biggest increase, up 53% from 2022.

The company attributed the large increase to the number of email phishing attacks using malicious PDF files. PDF files have become more popular due to the steps Microsoft has taken to block email attacks using Office documents and spreadsheets. In the summer of 2022, Microsoft started blocking Visual Basic for Applications (VBA) macros in Office apps by default to stop malicious actors from using them to deliver malware. Macros are now blocked by default in all Office documents that are delivered via the Internet. Threat actors responded by switching to other file formats for delivering malware such as LNK, ISO, RAR, ZIP, and PDF files, with the latter commonly used to hide links to malicious websites from email security solutions. These links direct users to malicious websites where drive-by malware downloads occur and also to phishing sites that steal credentials. The most common malware types in 2023 were Trojans such as Magniber, WannaCry, and Stop/Djvu, with a notable increase in backdoors, which provide threat actors with remote access to victims’ devices and allow them to steal, alter, and delete sensitive data and download other malware variants such as ransomware.
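A defender-side illustration of the shift described above, added here as an example rather than code from the original post or from TitanHQ: it identifies attachments by their header bytes instead of their declared extension (so a ZIP, RAR, ISO or LNK renamed to .pdf is still caught) and pulls the /URI targets out of PDF link annotations so they can be handed to URL checking. The sample message, addresses and file names are constructed for the demo.

```python
"""Attachment triage by true file type plus PDF link extraction (added example,
not TitanHQ code; standard library only). The message built by build_sample()
is constructed for the demo; the signatures cover ZIP, RAR, ISO, LNK and PDF."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

SIGNATURES = {                                     # (offset, header magic)
    "zip": (0, b"PK\x03\x04"),
    "rar": (0, b"Rar!\x1a\x07"),
    "iso": (0x8001, b"CD001"),                     # ISO 9660 volume descriptor
    "lnk": (0, b"L\x00\x00\x00\x01\x14\x02\x00"),  # shell link header + CLSID
    "pdf": (0, b"%PDF-"),
}
BLOCK_TYPES = {"zip", "rar", "iso", "lnk"}         # never wanted in a mailbox
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")        # /URI (http://...) in link annotations

def detect_type(data: bytes) -> Optional[str]:
    """Identify the format from the bytes, ignoring the declared file name."""
    for name, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return name
    return None

def pdf_links(data: bytes) -> List[str]:
    """/URI targets from uncompressed link annotations; object streams and
    encoded strings would need a real PDF parser, this shows the signal only."""
    return [m.decode("latin-1") for m in URI_RE.findall(data)]

def triage(raw: bytes) -> List[Dict]:
    """Classify every attachment of an RFC 822 message as allow / review / block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = detect_type(data)
        links = pdf_links(data) if kind == "pdf" else []
        if kind in BLOCK_TYPES or (ext in SIGNATURES and kind != ext):
            verdict = "block"    # risky container, or the bytes contradict the name
        elif links:
            verdict = "review"   # hand the URLs to link rewriting / sandboxing
        else:
            verdict = "allow"
        findings.append({"name": name, "type": kind, "verdict": verdict, "links": links})
    return findings

def build_sample() -> bytes:
    """Constructed message: a ZIP disguised as .pdf, a PDF with a link, a text file."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.test", "user@example.test", "Invoice"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (http://example.invalid/download) >> >> endobj\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment("Meeting notes.", filename="notes.txt")
    return bytes(msg)
```

Running `triage(build_sample())` blocks the disguised ZIP, sends the PDF with an embedded link for review, and allows the text file.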

These email-based attacks usually require some user interaction to succeed, such as opening a malicious file or clicking a link. Threat actors are adept at social engineering and trick users into taking the action they need but the availability of artificial intelligence tools has made social engineering even easier. AI has significantly lowered the entry barrier into cybercrime and can be used by anyone to create convincing phishing lures and social engineering tricks. Artificial intelligence tools are also being leveraged to develop new malware variants faster than before, which allows threat actors to defeat signature-based antivirus and antimalware solutions.

With cyberattacks increasing in both number and sophistication, businesses need to ensure they have appropriate defenses in place. To defend against attacks, businesses need to take a defense-in-depth approach to security and implement multiple overlapping layers of protection. Should one single component fail to detect a threat, others will be in place to provide protection. Endpoint detection solutions such as antivirus software are essential. These solutions work after malware has been delivered and can detect and neutralize the threat; however, multiple layers of security should be in place to make sure threats are not delivered, especially due to the increase in zero-day malware threats – novel malware variants that have yet to have their signatures added to the malware definition lists used by these solutions.

TitanHQ offers three layers of protection through SpamTitan Email Security, WebTitan Web Filtering, and SafeTitan Security Awareness Training. SpamTitan is an advanced email security solution that protects against all email threats, including known and zero-day threats. SpamTitan offers protection against malicious links in emails, and features dual antivirus engines and email sandboxing to protect against malware threats, with the latter used to detect previously unseen malware variants. SpamTitan also uses artificial intelligence and machine learning to predict new attacks.

WebTitan is a leading DNS filtering solution that allows businesses to carefully control the web content that can be accessed via wired and wireless networks. The solution blocks access to known malicious websites, and high-risk websites, and can be configured to block the file types that are commonly used for malware delivery, such as executable files. SafeTitan is a comprehensive security awareness training and phishing simulation platform for teaching employees security best practices and improving resilience to the full range of cybersecurity threats. The platform provides training in real-time in response to poor security behaviors, with training sessions triggered immediately when bad behaviors are detected. This ensures that training is delivered when it is likely to have the biggest impact.

To improve protection against the full range of cyber threats, give the TitanHQ team a call today. You can discuss your needs and explain the current security solutions you have, and the TitanHQ team will be more than happy to talk about the TitanHQ solutions that can plug the security gaps. All solutions are competitively priced and are available on a free trial to allow you to test them thoroughly before making a purchase decision.

New Callback Phishing Campaign uses Google Forms for Initial Contact

A new callback phishing campaign has been detected that uses Google Forms to add credibility to the campaign. Callback phishing involves sending an email and tricking the recipient into calling a customer service helpline, where they are convinced to download software that provides the attacker with remote access to their device. Since the emails contain no malicious content, only a phone number, these emails are usually delivered to inboxes.

A typical campaign involves an email about an impending charge for a subscription for software or a service, payment for which is about to be taken shortly. The user is told that they must respond within 24 hours if they have any dispute and that the subscription will auto-renew if no action is taken. Companies typically impersonated in these attacks include Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad.

The impending charge is excessive, typically $50 to $500, and the only way to prevent the payment is to call the customer service number included in the email. Subscriptions for software, streaming platforms, and other services are often set to auto-renew by default, and many people end up paying for another term even if they have discontinued using that service. The lure is therefore plausible, and since the charge is excessive, the recipient is likely to make the call.

The phone number is manned by the threat actor who pretends to be customer support and helps the user block the charge; however, in order to do so, software must be downloaded onto the user’s device. The user is convinced to install the software, the threat actor appears to remove the offending software, and the payment issue is resolved; however, the threat actor has installed malware that provides access to the user’s device.

In late 2020/early 2021, this method was used in BazarCall attacks, so named because they were conducted to deliver BazarLoader malware. The malware is used to download additional malware payloads to the user’s device, such as ransomware. A new version of this campaign has recently been detected that employs Google Forms to add legitimacy to the campaign. Google Forms is free to use and allows forms to be easily created for surveys and quizzes, which can be integrated with websites or shared. In the latest BazarCall campaign, Google Forms is used to create details of a fake transaction, complete with invoice number, payment method, payment date, and information about the product or service.

Google Forms includes a response receipt option in its settings, so when a form is completed, a copy is sent to the email address entered in the form – that of the target. Google sends the completed form from its own servers, which adds legitimacy to the campaign and increases the probability of the form reaching an inbox. Because email security solutions trust the sender (noreply@google.com) and the messages contain no malware or phishing links, the email is guaranteed to be delivered. The form instructs the recipient to call the number within 24 hours if they have any dispute about the charge.
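Because the receipt carries no link or attachment, the detectable signal is the combination of traits described above: a trusted Google sender relaying a form, invoice wording, a dollar amount, a deadline, an impersonated brand and a phone number as the only call to action. The scorer below is an added example, not part of the original post or any TitanHQ product; the trait list, the threshold of 4 and both sample messages are constructed assumptions.

```python
"""Heuristic scoring of callback-phishing lures relayed as Google Forms
receipts (added example, not TitanHQ code). There is no link or attachment to
scan, so the signal is the combination of traits the post describes; the
two messages at the bottom are constructed for the demo."""
import re
from typing import List, Tuple

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
MONEY_RE = re.compile(r"\$\s?\d{2,4}(?:\.\d{2})?")
DEADLINE_RE = re.compile(r"\bwithin\s+(?:24|48)\s*hours?\b", re.I)
INVOICE_WORDS = ("invoice", "auto-renew", "renewal", "subscription", "charged", "payment")
BRANDS = ("netflix", "hulu", "disney+", "masterclass", "mcafee", "norton", "geek squad")

def score(sender: str, subject: str, body: str) -> Tuple[int, List[str]]:
    """Count independent lure traits; each hit is returned as a reason for the analyst."""
    text = f"{subject}\n{body}".lower()
    reasons = []
    if sender.lower().endswith("@google.com") and "google forms" in text:
        reasons.append("form receipt relayed by a trusted Google sender")
    if PHONE_RE.search(text):
        reasons.append("phone number present")
    if MONEY_RE.search(text):
        reasons.append("dollar amount in invoice range")
    if DEADLINE_RE.search(text):
        reasons.append("24/48-hour deadline")
    if any(w in text for w in INVOICE_WORDS):
        reasons.append("invoice / auto-renewal wording")
    if any(b in text for b in BRANDS):
        reasons.append("impersonated subscription brand")
    return len(reasons), reasons

def is_callback_phish(sender: str, subject: str, body: str, threshold: int = 4) -> bool:
    """Threshold of 4 keeps ordinary form receipts (score 1) out of the quarantine."""
    return score(sender, subject, body)[0] >= threshold

# Constructed samples: a receipt-shaped lure and an ordinary form confirmation.
LURE = ("noreply@google.com", "Your invoice INV-20231 has been recorded",
        "Google Forms\nNorton 360 subscription renewal: $349.99 will be charged to your "
        "card on file. To dispute this payment call +1 (800) 555-0199 within 24 hours.")
BENIGN = ("noreply@google.com", "Your response: team lunch survey",
          "Google Forms\nThanks for filling in the team lunch survey. Preferred day: Thursday.")
```

`score(*LURE)` returns 6 with the six reasons, while the ordinary receipt scores 1, so only the lure crosses the quarantine threshold.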

Google is aware of the campaign and is taking steps to improve detection, and said that the campaign has so far reached only a small number of users; however, it is worthwhile updating your security awareness training to include this new method of attack. That is quick and easy to do and roll out with the SafeTitan security awareness training platform. SafeTitan also allows you to easily add this method of phishing to the phishing simulator, to see if your employees are likely to fall for callback phishing scams.

QakBot Malware Returns with Phishing Campaign Targeting Hospitality Sector

In the summer of 2023, a multinational law enforcement operation caused major disruption to the botnet and malware known as QakBot, aka Qbot and Pinkslipbot. Now the malware is back and being used in a campaign targeting the hospitality industry.

QakBot was first detected in 2008 and was primarily a banking Trojan which was used to steal financial information from infected devices; however, the malware has evolved over the years and its capabilities have been significantly enhanced. Check Point researchers have described the malware as “a Swiss army knife” due to its extensive capabilities. QakBot can steal financial information, browser data, and has keylogging capabilities, allowing it to steal credentials and other sensitive information. Infected devices are added to a botnet that can be used for a range of nefarious activities, and the malware also serves as a downloader and can deliver other malicious payloads, including ransomware. QakBot has previously partnered with major ransomware groups including Egregor, REvil, Conti, and ALPHV/BlackCat.

At the time of the takedown, QakBot had been installed on more than 700,000 computers worldwide. According to the U.S. Department of Justice, the August takedown was “the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.” The law enforcement operation resulted in access being gained to the botnet’s encryption keys that were used for malware communication. The botnet was hijacked and a custom Windows DLL was pushed out to all infected devices, which terminated the malware and disabled the botnet. These takedowns are, unfortunately, only temporary. As was the case with the takedown of the Emotet botnet, the threat actors simply rebuild their infrastructure.

QakBot malware is primarily distributed via phishing emails and the first QakBot malware campaign since the takedown was detected on Monday. The latest campaign uses an Internal Revenue Service (IRS) themed lure, where an IRS employee is impersonated. As is common in these campaigns, there is little body text in the emails, apart from the IRS logo and contact information. The emails contain a PDF attachment called GuestListVegas.pdf, and the subject line is “clients information”.

The recipient is told that they cannot preview the PDF file and must download it; however, the file they download is an MSI installer that will launch QakBot in memory. Microsoft confirmed that this version of QakBot has not been seen before. While this appears to only be a relatively small campaign, distribution is expected to be significantly ramped up. In addition to this method of distribution, the QakBot operators have previously used OneNote files, Office files with malicious macros, Windows shortcut files, ISO attachments, and other executables, some of which have been known to exploit unpatched vulnerabilities.

Defending against attacks requires a combination of measures to block the initial access vector, the most important of which are an advanced spam filter – such as SpamTitan – security awareness training, and phishing simulations. A spam filter will block the majority of malicious emails to reduce the number of threats that are delivered to inboxes. By providing ongoing security awareness training to the workforce, employees will learn how to recognize, avoid, and report potential threats. Phishing simulations are an important part of the training process and allow employees to be tested to determine whether they are applying their training. When a phishing simulation is failed it can be turned into a training opportunity. With the SafeTitan platform, training is automated and delivered in real-time in response to failed phishing simulations.

For more information on advanced spam filtering and workforce cybersecurity training, give the TitanHQ team a call.

TitanHQ Wins 4 “Top Solution” Expert Insights Awards

TitanHQ products have received four “Top Solution Awards” from Expert Insights in Q4, 2023 in the Email Security, Web Filtering, Security Awareness Training, and Email Archiving categories.

Expert Insights is a leading business software review website that is used by IT decision-makers for researching the best business software solutions. The platform has more than 1 million readers a year and helps more than 85,000 businesses each month with their software purchase decisions. The website includes honest and impartial technical reviews and helpful guides to allow IT decision-makers to purchase with confidence.

Each quarter, Expert Insights recognizes the world’s best B2B technology solutions through its awards program. The awards are based on Expert Insights’ independent technical analysts and editorial team, customer feedback, and industry recognition. In Q4, 2023, Expert Insights issued awards in over 40 categories, from authentication to zero trust security.

“We are thrilled to unveil our list of the ‘Top Solutions’ for Winter 2023, highlighting the extraordinary innovation in the B2B technology landscape,” said Craig MacAlpine, CEO and Founder of Expert Insights. “These awards celebrate leading solutions across more than 40 product categories, based on our own technical analysis and the engagement of thousands of enterprise tech professionals that use Expert Insights to research solutions each month.”

TitanHQ’s cybersecurity solutions were recognized and were named top solution in four categories:

  • Email Security – SpamTitan
  • Web Filtering – WebTitan
  • Security Awareness Training – SafeTitan
  • Email Archiving – ArcTitan

SpamTitan is a cutting-edge email security solution for blocking spam and protecting against email threats. The solution has artificial intelligence and machine learning capabilities and can block all known malware, zero-day malware threats, and phishing, spear phishing, and business email compromise attacks.

WebTitan is a leading DNS filtering solution that allows businesses to carefully control the web content that can be accessed via wired and wireless networks and allows businesses to restrict access to certain websites to improve productivity, reduce legal risk, and protect against phishing, malware, ransomware, and other online threats.

SafeTitan is a comprehensive security awareness training and phishing simulation platform for teaching employees security best practices and improving resilience against the full range of cybersecurity threats. The platform provides training in real-time in response to poor security behaviors, which are triggered immediately when those behaviors are detected to ensure that training is delivered when it is likely to have the biggest impact.

ArcTitan is an easy-to-implement “set-and-forget” email archiving solution that helps businesses meet their legal responsibilities for data retention and ensures that no email is ever lost, with lightning-fast search and retrieval.

“Our team is truly honored by Expert Insights’ acknowledgment of TitanHQ as the ‘Top Solution’ Provider in their Q4 2023 Awards,” said TitanHQ CEO, Ronan Kavanagh. “This recognition across multiple categories underscores our commitment to empowering our partners and MSPs with cutting-edge technology, enabling them to deliver advanced network security solutions to their clients.”

DarkGate/PikaBot Malware Phishing Campaign the Work of Qakbot Operators?

A malware phishing campaign has been running since September 2023 that is distributing DarkGate malware. Now, the threat actor behind the campaign has switched to PikaBot malware, and the campaign has several similarities to those conducted by the threat actor behind Qakbot.

DarkGate malware was first detected in 2017 but was only offered to other cybercrime groups this summer. Since then, distribution of the malware has increased significantly, with phishing emails and malvertising – malicious adverts – the most common methods of delivery. DarkGate malware is a multi-purpose Windows malware with a range of capabilities, including information stealing, malware loading, and remote access. In September, security researchers at Cofense identified a malware phishing campaign that was spreading DarkGate malware; it has since evolved into one of the most advanced active phishing campaigns, making it clear that it is being conducted by an experienced threat group. Then in October 2023, the threat actor behind the campaign switched to distributing Pikabot malware. Pikabot malware was first detected in early 2023 and functions as a downloader/installer, loader, and backdoor.

Security researchers have analyzed the malware phishing campaign and have identified several similarities to those used to distribute Qakbot (Qbot) malware including the behavior of the malware upon infection, the method of distribution, as well as internal campaign identifiers. Qakbot was one of the most active malware botnets; however, in August this year, an international law enforcement operation headed by the U.S. Department of Justice successfully took down the infrastructure of Qakbot.

The emergence of the DarkGate/Pikabot phishing campaign around a month after the Qakbot takedown, the use of a campaign similar to the one that was used to distribute Qakbot, and no detected Qakbot activity since the takedown have led security researchers to believe the operators of Qakbot have switched to distributing DarkGate/Pikabot. Both of those malware families have similar capabilities to Qakbot, which could indicate the Qakbot operators have switched to newer malware botnets. As was the case with Qakbot, the new malware variants provide the threat actor with initial access to networks, and it is probable that attacks will result in data theft and potentially the use of ransomware. Given the pervasive nature of Qakbot, if the same threat actors are behind the latest DarkGate/Pikabot campaign it poses a significant threat to businesses.

The phishing campaign starts with an email that forwards or replies to a stolen message thread. Since the message thread contains genuine previous conversations, there is a much higher probability of the recipient responding to the message. The emails contain an embedded URL that directs the user to a .ZIP archive that contains a malware dropper, which delivers the final DarkGate or Pikabot payload.

The phishing campaign continues to evolve and it is the work of a very experienced threat actor. One of the best defenses against these attacks is security awareness training. Employees should be warned of the tactics that are being used to distribute the malware and should be instructed to be vigilant, especially with requests received via email that appear to be responses to previous communications and that prompt them to visit a website and download a compressed file. They should be instructed to report any such email to their security teams for analysis.

With SafeTitan, TitanHQ’s security awareness training platform, it is easy to incorporate the latest threat intelligence into training content and push out short training sessions to employees to raise awareness of the latest malware phishing campaigns. SafeTitan also includes a phishing simulator that allows custom simulated phishing emails to be sent out to the workforce, including simulated phishing emails that include the tactics used in the DarkGate/Pikabot campaign. Security teams can use the simulator to determine how employees react and can then take proactive steps to address any knowledge gaps before a real DarkGate/Pikabot phishing email lands in an inbox.

An advanced spam filter should also be implemented that is capable of scanning and following links in emails, along with a web filter for blocking access to malicious websites and restricting file downloads from the Internet, such as TitanHQ’s SpamTitan Plus and WebTitan DNS filter. For more information on the SafeTitan security awareness training and phishing simulation platform, advanced spam filtering with SpamTitan Plus, and web filtering with WebTitan, call TitanHQ today. All TitanHQ solutions are also available on a free trial.