Blog
by titanadmin | May 31, 2024 | Internet Security |
Downloading unofficial and pirated software from the Internet carries a significant risk of malware infections. Malware is often packaged with the installers or with the cracks/key generators that provide the serial keys or codes to activate the software.
Cybercriminals use a variety of methods for driving traffic to their malicious websites, including malicious Google Ads, adverts on other third-party ad networks, SEO poising to get their malicious sites appearing high in the search engine listings, and via torrent and warez sites. A warning has recently been issued about the latter by AhnLab Security Intelligence Center (ASEC).
The campaign identified by the researchers distributes Microsoft Office, Microsoft Windows, and the Hangul Word Processor. The pirated software is available through torrent sites and includes a professional-looking installer. The installer for Microsoft Office allows users to select the Office products they want to install in either the 32-bit or 64-bit version and select the language.
If the installer is run, the user will get the software they are looking for; however, in the background, a malware cocktail will be installed. The threat actor behind this campaign is distributing several different malware payloads, including coinminers, remote access trojans (RATs), downloaders, and anti-AV malware.
When the installer is run, an obfuscated .NET downloader is executed which connects to the attacker’s Telegram/Mastadon channels and obtains a Google Drive or GitHub URL from where Base64 encrypted strings are obtained. Those strings are decrypted on the device and are PowerShell commands. Task Scheduler is used to execute the PowerShell commands, which install the malware. The scheduled tasks also allow the threat actor to consistently install other malware variants on the infected device.
By using Task Scheduler, the threat actor can reinstall malware if it is detected and removed, and since an updater is installed, the PowerShell commands can change. Even if the initial URLs are blocked, others will be added to ensure malware can still be delivered.
Initially, the threat actor was installing the updater together with either the Orcus RAT or the XMRig cryptocurrency miner. Orcus RAT provides the threat actor with remote control of an infected device, and has keylogging capabilities, can take screenshots, access the webcam, and exfiltrate data. XMRig is configured to only run when it is unlikely to be detected and will quit when system resource usage is high.
In the latest campaign, the threat actor also installs 3Proxy, which allows abuse of the infected device as a proxy, PureCrypter for downloading and executing additional malware payloads, and AntiAV malware, which disables antivirus and other security software by modifying the configuration files.
While this campaign appears to be targeting users in South Korea, it clearly shows the risks of downloading pirated software. Due to the inclusion of the updater and the installation of PureCrypter, remediation is difficult. Further, new malware variants are being distributed every week to evade detection.
Employees often download software to make it easier for them to do their jobs, and Torrent sites are a common source of unauthorized software. Businesses should therefore implement policies that prohibit employees from downloading software that has not been authorized by the IT department and should also implement controls to prevent Torrent and other software distribution sites from being accessed.
With TitanHQ’s WebTitan DNS filter, blocking access to malicious and risky websites could not be simpler. Simply install the cloud-based web filter and configure the solution by using the checkboxes in the user interface to block access to these categories of websites. WebTitan is constantly updated with the latest threat intelligence to block access to known malicious websites, and it is also possible to block downloads of executable files from the Internet.
For more information on improving Internet security with a DNS-based web filter, give the TitanHQ team a call. WebTitan, like all other TitanHQ products, is available on a free trial, with product support provided to ensure you get the most out of the solution during the trial.
by titanadmin | May 30, 2024 | Phishing & Email Spam |
Last month, the UK government published the findings of its 2024 cyber security breaches survey. The annual survey was conducted by the Department for Science, Innovation and Technology (DSIT) in partnership with the Home Office between September 2023 and January 2024 on 2,000 UK businesses, 1,004 registered UK charities, and 430 educational institutions. The survey provides insights into the nature of cyberattacks and data breaches experienced in the UK and confirms that attacks are increasing.
In the past year, 50% of surveyed businesses and almost one-third of charities (32%) experienced at least one cybersecurity breach or attack, with medium-sized businesses (70%), large businesses (74%), and high-income charities with £500,000+ annual income (66%) more likely to experience a cybersecurity breach.
It is often reported that cyberattacks are becoming more sophisticated; however, the most common cyber threats are relatively unsophisticated and are often effective. The most common type of cyberattack was phishing, which was reported by 84% of businesses and 83% of charities, with impersonation of organizations – online and via email – reported by more than one-third of businesses (35%) and charities (37%). Malware was used in 17% of attacks on businesses and 14% of attacks on charities. In terms of prevalence, phishing was by far the most common type of cybercrime. 90% of businesses and 94% of charities that were victims of cybercrime experienced at least one phishing attack.
The costliest type of phishing attack is business email compromise (BEC). BEC covers several types of attacks, with the most common involving criminals accessing work email accounts and using them to trick others into transferring funds or sending sensitive data. For example, a threat actor gains access to an email account of a vendor and uses the account to send an email to a customer containing a fake invoice or a request to change bank account information for an upcoming payment.
The losses to BEC attacks can be considerable. Attacks frequently result in fraudulent transfers of tens of thousands of pounds or in some cases hundreds of thousands or millions. With such large sums involved, criminals put considerable effort into these scams. Targets are researched, phishing is used to compromise an employee email account, internal phishing is used to gain access to the right accounts, the contents of accounts are studied to identify information that can be used in the scam, and the legitimate account holder is impersonated in the attack on the targeted organization or individual.
The goal in these attacks is often to gain access to the email account of the CEO or a senior executive, and that account is used to conduct a scam internally or externally. Since the request comes from a trusted authority figure and uses their legitimate account, the request is often not questioned.
BEC attacks can be difficult to identify by employees but also by email security solutions as trusted accounts are used for the scams and the emails usually do not contain any malicious content such as a URL to a phishing website or malware. These attacks use social engineering and target human weaknesses.
Defending against BEC and phishing attacks requires a combination of measures. Since targets are extensively researched, businesses should consider reducing their digital footprint and making it harder for cybercriminals to obtain information that can be used in convincing phishing and BEC campaigns, especially by reducing the amount of information that is available online about senior staff members.
Anti-spam software is a must for blocking the initial phishing attacks that are used to compromise accounts; however, an advanced solution is required to block sophisticated BEC attacks. TitanHQ’s cloud-based anti-spam service – SpamTitan – performs a barrage of spam checks for inbound and outbound emails to identify spam, phishing, and BEC content, including reputation checks of domains and accounts, scans of message content, sandboxing to identify malicious attachments, and AI and machine learning analysis to identify emails that deviate from the standard messages typically received by an organization.
PhishTitan is an anti-phishing solution for Microsoft 365 that enhances Microsoft’s anti-phishing measures and catches the phishing threats that Microsoft misses. The solution adds banners to emails to warn employees about potentially malicious content and allows security teams to quickly remediate phishing attempts across the entire email environment.
Since phishing and BEC attacks target human weaknesses, it is vital to provide training to the workforce. The aim should be to improve awareness and condition employees to always be on the lookout for a scam and to err on the side of caution and report suspicious emails to their IT security team. Phishing simulations are useful for helping staff to recognize phishing emails and identify knowledge gaps. TitanHQ’s SafeTitan training platform has all the content you need to run effective training programs to improve defenses against phishing and BEC attacks.
Contact TitanHQ today about these solutions and other ways you can improve your defenses against phishing, BEC, and other types of cyberattacks.
by titanadmin | May 30, 2024 | Phishing & Email Spam, Security Awareness |
Phishing tactics are constantly changing and while email is still one of the most common ways of getting malicious content in front of end users, other forms of phishing are growing. Smishing (SMS phishing) has increased considerably in recent years, and vishing (voice phishing) is also common, especially for IT support scams.
Another method of malware delivery that has seen an enormous increase recently is the use of instant messaging and VoIP social platform Discord. Discord is a platform that has long been popular with gamers, due to being able to create a server with voice and text for no extra cost, both of which are necessary for teamspeak in gaming. While gamers still account for a majority of users, usage for non-gaming purposes is growing.
The platform is also proving popular with cybercriminals who are using it for phishing campaigns and malware distribution. According to Bitdefender, the antivirus company whose technology powers the SpamTitan email sandboxing feature, more than 50,000 malicious links have been detected on Discord in the past 6 months. Around a year ago, a campaign was detected that used Discord to send links to a malicious site resulting in the delivery of PureCrypter malware – a fully featured malware loader that is used for distributing information stealers and remote access trojans.
Discord responded to the misuse of the platform and implemented changes such as adding a 24-hour expiry for links to internally hosted files, which made it harder for malicious actors to use the platform for hosting malware. While this move has hampered cybercriminals, the platform is still being used for malware distribution. One of the latest malicious Discord campaigns is concerned with obtaining credentials and financial information rather than distributing malware.
The campaign involves sending links that offer users a free Discord Nitro subscription. Discord Nitro provides users with perks that are locked for other users, such as being able to use custom emojis anywhere, set custom video backgrounds, HD video streaming, bigger file uploads, and more. Discord Nitro costs $9.99 a month, so a free account is attractive.
If the user clicks the link in the message, they are directed to a fake Discord website where they are tricked into disclosing credentials and financial information. Other Discord Nitro lures have also been detected along the same theme, offering advice on how to qualify for a free Discord Nitro subscription by linking to other accounts such as Steam. According to Bitdefender, 28% of detected malicious uses are spam threats, 27% are untrusted, around 20% are phishing attempts and a similar percentage involve malware distribution.
Any platform that allows direct communication with users can be used for phishing and other malicious purposes. Security awareness training should cover all of these attack vectors and should get the message across to end users that they always need to be on their guard whether they are on email, SMS, instant messaging services, or the phone. By running training courses continuously throughout the year, businesses can develop a security culture by training their employees to be constantly on the lookout for phishing and malware threats and developing the skills that allow them to identify threats.
Developing, automating, and updating training courses to include information on the latest threats, tactics techniques, and procedures used by threat actors is easy with the SafeTitan security awareness training platform. SafeTitan makes training fun and engaging for end users and the platform has been shown to reduce susceptibility to phishing and malware threats by up to 80%.
If you are not currently running a comprehensive security awareness training program for your workforce or if you are looking to improve your training. Give the TitanHQ team a call and ask about SafeTitan. SafeTitan is one product in a suite of cloud-based security solutions for businesses and managed service providers, which includes an enterprise spam filter, a malicious file sandbox for email, a DNS-based web filter, email encryption, email archiving, and phishing protection for M365.
by titanadmin | May 29, 2024 | Internet Security |
There has been a marked increase in malware distribution campaigns in recent months using fake adverts that direct users to malicious websites where sensitive information such as login credentials or credit card numbers is collected, or malware is distributed. This tactic is called malvertising.
One of the most common types of malvertising is the creation of malicious adverts for software solutions, which are displayed when users search for software in search engines. The reason why software-related malvertising is effective is users are searching for a software solution, which means they will be expecting to download an installer. Software installers are executable files, and malware can be packed into the installers. When the installer is executed, the user will get the software they are expecting but malware will also installed in the background.
There are a variety of defenses against malvertising. Installing an ad blocker will prevent the adverts from being displayed, security awareness training should teach employees to always be wary of adverts and to hover their mouse arrow over the advert to show the destination URL and ensure that the URL matches the software being offered. Another important defense is a web filter, which will block access to the malicious sites that the adverts direct users to. Web filters such as WebTitan can also protect against Internet-based malware distribution that doesn’t use malvertising to drive traffic to malicious websites, and can also block downloads of executable files from the Internet for individuals or user groups.
For example, a campaign has recently been detected that uses booby-trapped websites that generate a fake web browser update warning. The websites have embedded JavaScript code which redirects users to an update page where they can apply important browser security updates. The user proceeds to download what appears to be a zip file that contains the updater; however, the updater is a JavaScript file that will launch PowerShell scripts that will download and execute a malware payload from the threat actor’s remote server. In this campaign, at least two malware payloads are delivered – the BitRAT remote access trojan and the Lumma Stealer information stealer.
Another browser update scam has been identified that involves tricking the user into copying, pasting, and executing a PowerShell command to protect their browser; however, the PowerShell command will deliver and execute malware.
While an ad blocker will block the malicious adverts in these campaigns, it will not block drive-by malware downloads and attacks that use email, SMS, and instant messaging services to distribute malicious links. WebTitan is a more comprehensive web security solution that has multiple curated threat intelligence feeds that block access to a malicious website for all WebTitan users within about 5 minutes of a malicious site being detected anywhere in the world. The solution will also block downloads of executable files and has an easy-to-implement and configure category-based filter, that allows businesses to block access to risky and/or non-work-related websites.
WebTitan adds an extra layer to your security defenses to protect against malware distribution and the web-based component of phishing attacks. Further, being a DNS-based filter there is no latency, and the solution can be used to protect devices on and off the network, with the latter possible by installing a roaming agent on mobile devices.
For further information on malvertising protection, web filtering, and DNS and URL filtering, give the TitanHQ team a call.
by titanadmin | May 28, 2024 | Internet Security |
Phishing and spam emails are commonly used for malware distribution; however, it has become much harder for malware and malicious scripts to evade email filtering solutions, especially advanced email security solutions with sandboxing and AI and machine learning capabilities. Some threat actors have had greater success using Google Ads to drive traffic to sites hosting trojanized installers for popular software.
Google Ads allows advertisers to bid to place adverts at the top of the search engine listings for key search terms, giving the adverts the most prominent position on the page. While Google has controls in place to prevent malicious ads from appearing, a small number of threat actors successfully circumvent those controls. Some of the most effective uses of malicious Google Ads are for software solutions. If threat actors can direct users to a malicious site that resembles a legitimate software provider, the user is likely to download and run the installer and inadvertently infect their device with malware.
One such campaign was recently uncovered by security researchers at Malwarebytes. While they were unable to identify the final malicious payload, they believe the goal was to deliver an information stealer. An information stealer is a type of malware that runs in the background and gathers information about the system. Information stealers often target login information such as usernames and passwords and can capture keystrokes, take screenshots, search histories, cookies, steal from cryptocurrency wallets, and more.
In this campaign, the threat actors targeted search terms related to the Arc browser for Windows, a freeware web browser that was launched in July 2023 for MacOS. The web browser has many features that set it aside from other web browsers and it has received five-star reviews from reviewers and users since its launch in 2023. The highly anticipated Windows version was released on April 30, 2024, and the malvertising campaign was prepared ahead of the launch.
One potential problem with a campaign such as this is malvertisers need to direct traffic to their own website where the malicious installer is hosted. If you are looking to download Adobe Reader, for example, and the advert displays anything other than the Adobe.com domain, you would know not to click. With Google Ads, malvertisers can display the legitimate domain in the Ad and then redirect the user to their own domain when they click the ad.
In this campaign, like many other malvertising campaigns, the threat actor uses lookalike domains that closely resemble the legitimate domain – Arc[.]net, and the page looks exactly like the legitimate site that it spoofs. If the user clicks to download the installer and executes the file, it will install the Arc browser as well as a malicious script that downloads and executes the malware payload. The malware will then run silently in the background and the user will likely be unaware that anything untoward has happened.
Employees often look for software to allow them to work more efficiently and download software from the web. For businesses, malicious Google Ads are a serious threat and can easily lead to a costly malware infection and data breach. To protect against malware infections via the web, many businesses rely on antivirus software that scans for malware when it has been downloaded. The problem is these solutions are often signature-based and can only detect malware variants if they have the signatures in their malware definition lists. New variants are constantly being released that differ sufficiently to evade signature-based detection mechanisms.
In addition to antivirus software, businesses should consider implementing a web filter such as WebTitan. WebTitan is a DNS-based web filter with no latency, so there is no impact on page load and download speeds. The filter is fed threat intelligence from a network of 500 million end users and is constantly updated with the latest intelligence and will block attempts to visit known malicious sites. If a user attempts to visit a known malicious URL, the attempt will be blocked before a connection is made. WebTitan can also be configured to block certain file downloads from the web, such as executable files. This will stop malware from being installed and will also help to curb shadow IT. WebTitan can also be configured to block third-party adverts on websites to combat malvertising.
In addition to these software solutions, businesses should provide security awareness training to the workforce to explain the risks of malware, teach security best practices, and eradicate risky behaviors. This is another area where TitanHQ can help. TitanHQ has a comprehensive security awareness training platform – SafeTitan – which is the only behavior-driven security awareness solution that delivers security training in real-time in response to security errors by employees. SafeTitan is an effective way of modifying user behavior and building a human firewall of users.
To find out more about web filtering with WebTitan and security awareness training with SafeTitan, give the TitanHQ team a call. Both solutions are also available on a free trial to allow you to test them out before making a purchase decision.
