Our network security news section contains a range of articles relating to securing networks and blocking cyberattacks, ransomware and malware downloads. This section also features articles on recent network security breaches, alerting organizations to the latest attack trends being used by cybercriminals.
Layered cybersecurity defenses are essential given the increase in hacking incidents and the explosion in ransomware and malware variants over the past two years. Organizations can tackle the threat by investing in new security defenses such as next generation firewalls, end point protection systems, web filtering solutions and advanced anti-malware and antivirus defenses.
While much investment goes on tried and tested solutions that have been highly effective in the past, many cybersecurity solutions – antivirus software – are not as effective as they once were. In order to maintain pace with hackers and cybercriminals and get ahead of the curve, organizations should consider implementing a wide range of new cybersecurity solutions to block network intrusions, prevent data breaches and improve protection against the latest malware and ransomware threats.
This category contains information and advice on alternative network security solutions that can be adopted to improve network security and ensure networks are not infiltrated by hackers and infected with malicious software.
Ransomware attacks on the education sector in the United Kingdom have increased sharply since February, and the sector was already extensively targeted by threat groups long before then. The education sector is an attractive target for cybercriminals as sizeable amounts of sensitive data are stored within computer systems that can be easily monetized if stolen.
Students’ personally identifiable information is of more value than that of adults, and it can often be used for years before any fraud is detected. Higher education institutions often have intellectual property and research data that is incredibly valuable and can easily be sold on for a huge profit. Ransomware attacks prevent access to essential data, and with the pandemic forcing the education sector to largely switch to online learning, when communication channels and websites are taken out of action learning can grind to a halt.
In the United Kingdom, the reopening of schools and universities has only been possible with COVID-19 testing and contact tracing, which is also disrupted by ransomware attacks. Files are encrypted which prevents access to essential testing and monitoring data, further hampering the ability of schools, colleges, and universities to operate.
As is the case with healthcare, which has also seen a major increase in cyberattacks during the pandemic, services are majorly disrupted without access to computer systems, and there is considerable pressure on both industries to pay the ransom demands to recover from the attacks more quickly. Ransoms are more likely to be paid than in other industry sectors.
What makes the education sector an even more attractive prospect for cybercriminals is poorer security defenses than other industries. The lack of security controls makes attacks much more likely to succeed. On top of that, students often use their own devices to connect to networks so security can be very difficult to police, and many departments make their own IT decisions, which can easily result in vulnerabilities being introduced and remaining unaddressed.
The ease and profitability of attacks has made education a top target for ransomware gangs. Emsisoft reports education was the sector most targeted by ransomware gangs in 2020.
The increase in ransomware attacks on educational institutions in the United Kingdom prompted the UK’s National Cyber Security Center to issue a warning in March to all entities in the education sector about the risk of cyberattacks. NCSC noted in its alert that there was a significant increase in attacks in August and September 2020, and a further rise in attacks since February 2021.
University of Hertfordshire Suffers Major Cyberattack
One of the most damaging university cyberattacks in recent months occurred at the University of Hertfordshire. Late on April 14, cybercriminals struck, with the attack impacting all of the university’s systems. No cloud systems were available, nor MS Teams, Canvas, or Zoom. The attack forced the university to cancel all of its online classes for the following day, although in person teaching was able to continue provided computer access was not necessary.
It has been more than a week since the attack, and while some systems are now back online, disruption is still being experienced with student records, university business services, learning resource centre services, data storage, student services, staff services, and the postgraduate application portal, with the email system also considered to be at risk.
The university has not confirmed the nature of the attack, but it has the hallmarks of a ransomware attack, although the university has issued a statement stating that the attack did not involve data theft.
The University of Hertfordshire is certainly not alone. In March, South and City College of Birmingham was hit with a ransomware attack that took all of its computer systems out of action, with the college forced to switch to online learning for its 13,000 students.
UK Schools also Under Attack
The cyberattacks in the United Kingdom have not been limited to universities. School systems have also suffered more than their fair share of attacks. In March, the Harris Federation, which runs 50 schools in the UK, suffered a ransomware attack that took out communications systems and majorly affecting online learning for 37,000 students.
Also in March, the Nova Education Trust suffered a ransomware attack that took its systems out of action and affected 15 schools, all of which lost access to their communication channels including the phone system, email, and websites. The Castle School Education Trust also suffered a ransomware attack in March that disrupted the online functions of 23 schools.
What Can Be Done to Stop Cyberattacks in Education?
Cybersecurity must become a major focus for schools, colleges, and universities. The attacks are being conducted because they are easy and profitable and, until that changes, the attacks are not likely to slow and, in all likelihood, will continue to increase.
To protect against attacks, the education sector needs to implement multi-layered security defenses and find and address vulnerabilities before they are discovered by ransomware gangs and other cybercriminal operations.
The best place to start is by improving security for the two main attack vectors: email and the Internet. That is an area where TitanHQ can help. To find out more, get in touch with the TitanHQ team today and take the first step towards improving your security posture and better protecting your networks and endpoints from extremely damaging cyberattacks.
A previously unknown malware variant dubbed Saint Bot malware is being distributed in phishing emails using a Bitcoin-themed lure. With the value of Bitcoin setting new records, many individuals may be tempted into opening the attachment to get access to a bitcoin wallet. Doing so will trigger a sequence of events that will result in the delivery of Saint Bot malware.
Saint Bot malware is a malware dropper that is currently being used to deliver secondary payloads such as information stealers, although it can be used to drop any malware variant. The malware was first detected and analyzed by researchers at Malwarebytes who report that while the malware does not use any novel techniques, there is a degree of sophistication to the malware and it appears that the malware is being actively developed. At present, detections have been at a relatively low level but Saint Bot malware could develop into a significant threat.
The phishing emails used to distribute the malware claim to include a Bitcoin wallet in the attached Zip file. The contents of the Zip file include a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader delivers an obfuscated .Net dropper and downloader, which in turn deliver a BAT script that disables Windows Defender and the Saint Bot malware binary.
The malware is capable of detecting if it is in a controlled environment and terminates and deletes itself should that be the case. Otherwise, the malware will communicate with its hardcoded command and control servers, send information gathered from the infected system, and download secondary payloads to the infected device via Discord.
The malware has not been linked with any specific threat group and could well be distributed to multiple actors via darknet hacking forums, but it could well become a major threat and be used in widespread campaigns to take advantage of the gap in the malware-as-a-service (MaaS) market left by the takedown of the Emotet Trojan.
Protecting against malware downloaders such as Saint Bot malware requires a defense in depth approach. The easiest way of blocking infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that deliver the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked via firewall rules.
In addition to technical defenses, it is important to provide security awareness training to the workforce to help employees identify malicious emails and condition them how to respond when a potential threat is detected.
How SpamTitan Can Protect Against Phishing and Malware Attacks
SpamTitan is an award-winning anti-spam and anti-phishing solution that provides protection against the full range of email threats from productivity-draining spam to dangerous phishing and spear phishing emails, malware and ransomware.
SpamTitan has a catch rate in excess of 99.99% with a low false positive rate and uses a variety of methods to detect malicious emails, including dual antivirus engines, email sandboxing for detecting new malware variants, and machine learning techniques to identify zero-day threats.
SpamTitan’s advanced threat protection defenses include inbuilt Bayesian auto learning and heuristics to defend against sophisticated threats and evolving cyberattack techniques, with 6 specialized Real Time Blacklists to block malicious domains and URLs, DMARC to block email impersonation attacks, and outbound email policies for data loss prevention.
SpamTitan is quick and easy to set up and configure and is frequently praised for the level of protection provided and ease of use. SpamTitan is a 5-star rated solution on Spiceworks, Capterra, G2 Crowd and has won no less than 37 consecutive Virus Bulletin Spam awards.
If you want to improve your email defenses at a very reasonable price and benefit from industry-leading customer support, give the TitanHQ team a call today. Product demonstrations can be arranged, and you can trial the solution free of charge, with full support provided during the trial to help you get the most out of SpamTitan.
Threat actors are constantly changing their tactics, techniques, and procedures (TTP) to increase the chances of getting their malicious payloads delivered. Spam and phishing emails are still the most common methods used for delivering malware, with the malicious payloads often downloaded via the web via hyperlinks embedded in emails.
A new tactic that has been adopted by the threat group behind the IcedID banking Trojan cum malware downloader involves hijacking contact forms on company websites. Contact forms are used on most websites to allow individuals to register interest. These contact forms typically have CAPTCHA protections which limit their potential for use in malicious campaigns, as they block bots and require each contact request to be performed manually.
However, the threat actors behind the IcedID banking Trojan have found a way of bypassing CATCHA protections and have been using contact forms to deliver malicious emails. The emails generated by contact forms will usually be delivered to inboxes, as the contact forms are trusted and are often whitelisted, which means email security gateways will not block any malicious messages.
In this campaign, the contact forms are used to send messages threatening legal action over a copyright violation. The messages submitted claim the company has used images on its website that have been added without the image owner’s permission. The message threatens legal action if the images are not immediately removed from the website, and a hyperlink is provided in the message to Google Sites that contains details of the copyrighted images and proof they are the intellectual property of the sender of the message.
Clicking the hyperlink to review the supplied evidence will result in the download of zip file containing an obfuscated .js downloader that will deliver the IcedID payload. Once IcedID is installed, it will deliver secondary payloads such as TrickBot, Qakbot, and Ryuk ransomware.
IcedID distribution has increased in recent weeks, not only via this method but also via phishing emails. A large-scale phishing campaign is underway that uses a variety of business-themed lures in phishing emails with Excel attachments that have Excel 4 macros that deliver the banking Trojan.
The increase in IcedID malware distribution is likely part of a campaign to infect large numbers of devices to create a botnet that can be rented out to other threat groups under the malware-as-a-service model. Now that the Emotet botnet has been taken down, which was used to deliver different malware and ransomware variants, there is a gap in the market and IcedID could be the threat that takes over from Emotet. In many ways the IcedID Trojan is very similar to Emotet and could become the leading malware-as-a-service offering for delivering malware payloads.
To find out how you can protect your business against malware and phishing threats at a reasonable price, give the TitanHQ team a call today and discover for yourself why TitanHQ email and web security solutions consistently get 5-star ratings from users for protection, price, ease of use, and customer service and support.
A phishing attack on an employee of the California State Controller’s Office Unclaimed Property Division highlights how a single response from an employee to a phishing email could easily result in a massive breach. In this case, the phishing attack was detected promptly, with the attacker only having access to an employee’s email account for less than 24 hours from March 18.
In the 24 hours that the attacker had access to the email account, the contents of the account could have been exfiltrated. Emails in the account included unclaimed property holder reports. Those reports included names, dates of birth, addresses, and Social Security numbers – the type of information that could be used to steal identities.
The email that fooled the employee into clicking a link and disclosing login credentials appeared to have been sent from a trusted outside entity, which is why the email was assumed to be legitimate. After stealing the employee’s credentials undetected, the attacker immediately went to work and tried to compromise the email accounts of other state workers.
In the short time that the individual had access to the account, around 9,000 other state workers were sent phishing emails from the compromised account. Fortunately, the attack was detected promptly and all contacts were alerted about the phishing emails and told to delete the messages. That single compromised account could easily have led to a massive email account breach.
Phishing is now the biggest data security threat faced by businesses. The attacks are easy to conduct, require little skill, and can be extremely lucrative. Email accounts often contain a treasure trove of data that can be easily monetized, the accounts can be used to send further phishing emails internally and to external contacts and customers, and a breach of Microsoft 365 credentials could allow a much more extensive attack on a company. Many ransomware attacks start with a single response to a phishing email.
To improve protection against phishing attacks it is important to train the workforce how to identify phishing emails, teach cybersecurity best practices, and condition employees to stop and think before taking any action requested in emails. However, phishing attacks are often highly sophisticated and the emails can be difficult to distinguish from genuine email communications. As this phishing attack demonstrates, emails often come from trusted sources whose accounts have been compromised in previous phishing attacks.
What is needed is an advanced anti-phishing solution that can detect these malicious emails and prevent them from being delivered to employee inboxes. The solution should also include outbound email scanning to identify messages sent from compromised email accounts.
SpamTitan offers protection against these phishing attacks. All incoming emails are subjected to deep analysis using a plethora of detection mechanisms. Machine learning technology is used to identify phishing emails that deviate from typical emails received by employees, and outbound scanning can identify compromised email accounts and block outbound phishing attacks on company employees and contacts.
If you want to improve your defenses against phishing, give the SpamTitan team a call today to find out more. The full product is available on a free trial, and during the trial you will have full access to the product support team who, will help you get the most out of your trial.
Throughout 2020 the healthcare sector has been a major target of ransomware gangs, but the education sector is also facing an increase in attacks, with the Pysa (Mespinoza) ransomware gang now targeting the education sector.
Pysa ransomware is a variant of Mespinoza ransomware that was first observed being used in attacks in October 2019. The threat group behind the attacks, like many other ransomware threat groups, uses double extortion tactics on victims. Files are encrypted and a ransom demand is issued for the keys to decrypt files, but to increase the probability of the ransom being paid, data is exfiltrated prior to file encryption. The gang threatens to monetize the stolen data on the darkweb if the ransom is not paid. Many attacked entities have been forced to pay the ransom demand even when they have backups to prevent the sale of their data.
Since October 2019, the Pysa ransomware gang has targeted large companies, the healthcare sector, and local government agencies, but there has been a recent increase in attacks on the education sector. Attacks have been conducted on K12 schools, higher education institutions, and seminaries, with attacks occurring in 12 U.S. states and the United Kingdom. The rise in attacks prompted the FBI to issue a Flash Alert in March 2020 warning the education sector about the increased risk of attack.
Analyses of attacks revealed the gang conducts network reconnaissance using open source tools such as Advanced Port Scanner and Advanced IP Scanner. Tools such as PowerShell Empire, Koadic, and Mimikatz are used to obtain credentials, escalate privileges, and move laterally within networks. The gang identifies and exfiltrates sensitive data before delivering and executing the ransomware payload. The types of data stolen are those that can be used to pressure victims into paying and can easily be monetized on the darkweb.
Identifying a Pysa ransomware attack in progress is challenging, so it is essential for defenses to be hardened to prevent initial access. Several methods have been used to gain access to networks, although in many cases it is unclear how the attack started. In attacks on French companies and government agencies brute force tactics were used against management consoles and exposed Active Directory accounts. Some attacks have involved exploitation of Remote Desktop Protocol vulnerabilities, with the gang is also known to use spam and phishing emails to obtain credentials to get a foothold in networks.
Since several methods are used for gaining access, there is no single solution that can be implemented to block attacks. Educational institutions need to use a combination of security solutions and cybersecurity best practices to harden their defenses.
Antivirus/antimalware solution is a must, as is ensuring it is kept up to date. Since many attacks start with a phishing email, an advanced email security gateway is also important. Choosing a solution such as SpamTitan that incorporates dual AV engines and email sandboxing will maximize the chance of detecting malicious emails. SpamTitan also incorporates machine learning methods to identify new methods of email attacks.
End user training is also important to teach staff how to identify potentially malicious emails and train them on cybersecurity best practices such as setting strong passwords, not reusing passwords, and the dangers of using public Wi-Fi networks. Also consider disabling hyperlinks in emails, flagging emails that arrive from external sources, and implementing multi-factor authentication on accounts.
Patches and security updates should be implemented promptly after they have been released to prevent vulnerabilities from being exploited. You should use the rule of least privilege for accounts, restrict the use of administrative accounts as far as possible, and segment networks to limit the potential for lateral movement. You should also be scanning your network for suspicious activity and configure alerts to allow any potential infiltration to be rapidly identified. All unused RDP ports should be closed, and a VPN used for remote access.
It is essential for backups to be made of all critical data to ensure that file recovery is possible without paying the ransom. Multiple backups of data should be created, those backups should be tested to make sure file recovery is possible, and at least one copy should be stored securely on an air-gapped device.
TitanHQ has been recognized for its email security, web security, and email archiving solutions, collecting not one, not two, but three prestigious awards from Expert Insights.
Expert Insights was launched in 2018 to help businesses find cybersecurity solutions to protect their networks and devices from an ever-increasing number of cyber threats. Researching cybersecurity solutions can be a time-consuming process, and the insights and information provided by Expert Insights considerably shortens that process. Unlike many resources highlighting the best software solutions, Expert Insights includes ratings from verified users of the products to give users of the resource valuable insights about how easy products are to use and how effective they are at blocking threats. Expert Insights has helped more than 100,000 businesses choose cybersecurity solutions and the website is visited by more than 40,000 individuals a month.
Each year, Expert Insights recognizes the best and most innovative cybersecurity solutions on the market in its “Best-Of” Awards. The editorial team at Expert Insights assesses vendors and their products on a range of criteria, including technical features, ease-of-use, market presence, and reviews by verified users of the solutions. Each product is assessed by technology experts to determine the winners in a broad range of categories, including cloud, email, endpoint, web, identity, and backup security.
“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Craig MacAlpine, CEO and Founder, Expert Insights. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”
Three TitanHQ cybersecurity solutions were selected and named winners in the Expert Insights’ 2021 “Best-Of” Awards in the Email Security Gateway, Web Security, and Email Archiving categories. SpamTitan was named winner in the Email Security Gateway category, WebTitan won in the Web Security category, and ArcTitan was named a winner in the Email Archiving category. SpamTitan and WebTitan were praised for the level of protection provided, while being among the easiest to use and most cost-effective solutions in their respective categories.
All three products are consistently praised for the level of protection provided and are a bit hit with enterprises, SMBs, and MSPs. The solutions attract many 5-star reviews from real users on the Expert Insights site and many other review sites, including Capterra, GetApp, Software Advice, Google Reviews, and G2 Crowd. The cybersecurity solutions are now used by more than 8,500 businesses and over 2,500 MSPs.
“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”
Ransomware attacks in 2020 were conducted at twice the rate of the previous year, with many organizations falling victim and having to pay large ransoms to recover their data or risk sensitive information being published or sold to cybercriminal organizations.
At the start of 2020, data exfiltration prior to the deployment of ransomware was still only being conducted by a small number of ransomware gangs, but that soon changed as the year progressed. By the end of the year, at least 17 cybercriminal gangs were using this double extortion tactic and were stealing sensitive data prior to encrypting files. Faced with the threat of publication of sensitive data, many attacked organizations felt they had little alternative other than to pay the ransom demand.
The extent of ransomware attacks in 2020 has been highlighted by various studies by cybersecurity researchers over the past few weeks. Chainalysis recently released a report that suggests more than $350 million has been paid to cybercriminals in 2020 alone, based on an analysis of the transactions to blockchain addresses known to be used by ransomware threat groups. Of course, that figure is likely to be far lower than the true total, as many companies do not disclose that they have suffered ransomware attacks. To put that figure into perspective, a similar analysis in 2019 estimated the losses to be around $90 million. Those figures are for ransom payments alone, not the cost of resolving attacks, which would be several orders of magnitude higher.
The increase in attacks can be partly attributed to the change in working practices due to the pandemic. Many companies switched from office-based working to a distributed remote workforce to prevent the spread of COVID-19 and keep their employees protected. The rapid change involved hastily implementing remote access solutions to support those workers which introduced vulnerabilities that were readily exploited by ransomware gangs.
Most Ransomware Attacks Now Start with Phishing
Throughout 2020, phishing was commonly used as a way to gain access to corporate networks, accounting for between 25% and 30% of all ransomware attacks, but new data released by the ransomware attack remediation firm Coveware shows the attack methods changed in the last quarter of 2020. As companies and organizations addressed vulnerabilities in remote access solutions and VPNs and improved their defenses, phishing became the most common attack method. Coveware’s analysis shows that in the final quarter of 2020, more than 50% of ransomware attacks started with a phishing email.
Ransomware can be delivered directly through phishing emails, although it is more common to use intermediary malware. The most commonly used malware variants for distributing ransomware are Trojans such as Emotet and TrickBot, both of which are extensively delivered via phishing emails. These malware variants are also capable of self-propagating and spreading to other devices on the network.
Access to compromised devices is then sold to ransomware gangs, who access the devices, steal sensitive data, then deploy their ransomware payload. The Emotet botnet played a large role in ransomware attacks in 2020, and while it has now been disrupted following a joint law enforcement operation, other malware variants are certain to take its place.
The same report also highlighted the nature of businesses attacked with ransomware. Far from the gangs targeting large enterprises with deep pockets, most attacks are on small- to medium-sized businesses with under 250 employees. 30.2% of attacks were on businesses with between 11 and 100 employees, with 35.7% on businesses with 101 to 1,000 employees. Healthcare organizations, professional services firms, and financial services companies have all been targeted and commonly fall victim to attacks, although no sector is immune.
70% of ransomware attacks now involve data theft prior to encryption, so even if backups exist and can be used to restore data, it may not be possible to avoid paying the ransom. There is also a growing trend for data to be permanently deleted, which leaves businesses with no way of recovering data after a ransomware attack.
Steps to Take to Block Ransomware Attacks
What all businesses and organizations need to do is to make it as hard as possible for the attacks to succeed. While there is no single solution for blocking ransomware attacks, there are measures that can be taken that make it much harder for the attacks to succeed.
With most ransomware attacks now starting with a phishing email, an advanced email security solution is a must. By deploying best-of-breed solutions such as SpamTitan to proactively protect the Office365 environment it will be much easier to block threats than simply relying on Office 365 anti-spam protections, which are commonly bypassed to deliver Trojans and ransomware.
A web filtering solution can provide protection against ransomware delivered over the internet, including via links sent in phishing emails. Multi-factor authentication should be implemented for email accounts and cloud apps, employees should be trained how to identify threats, and monitoring systems should be implemented to allow attacks in progress to be detected and mitigated before ransomware is deployed.
To protect their clients from phishing attacks, Managed Service Providers (MSPs) need to provide a comprehensive range of cybersecurity solutions. This post explores the risks from phishing and suggests some easy to implement anti-phishing solutions for MSPs to add to their security offerings.
Phishing is the Number One Cyber Threat Faced by SMBs
Phishing is the number one cyber threat faced by businesses and one of the hardest to defend against. All it takes is for an employee to respond to a single phishing email for a costly data breach to occur. The consequences for the company can be severe.
Email accounts contain a wide range of sensitive information. A phishing attack on a UnityPoint Health hospital in Des Moines, IA, in 2018 saw the protected health information of 1.4 million patients compromised. Also in 2018, a phishing attack on the Boys Town National Research Hospital saw one account compromised that contained the information of more than 105,300 patients. Phishing emails are also used to introduce malware and ransomware. These attacks can be even more damaging and costly to mitigate.
The healthcare industry is extensively targeted by phishers due to the high value of healthcare data, although all industry sectors are at risk. In response to the high number of cyberattacks and the current threat levels, the Trump administration recently launched the “Know the Risk, Raise your Shield” campaign. The campaign aims to raise awareness of the threat from phishing and other attack methods and encourage private businesses to do more to improve their defenses.
Phishing will continue to be a major threat to businesses for the foreseeable future. Attacks will continue because they require relatively little skill to conduct, phishing is highly effective, and attacks can be extremely lucrative.
Easy to Implement Anti-Phishing Solutions for MSPs
There is no single solution that will provide total protection against phishing attacks. Businesses need layered defenses, which provides an opportunity for MSPs. SMBs can struggle to implement effective defenses against phishing on their own and look to MSPs for assistance.
MSPs that can provide a comprehensive anti-phishing package will be able to protect their clients, prevent costly phishing attacks, and generate more business. Effective anti-phishing controls are also an easy sell. Given the cost of mitigating attacks, the package is likely to pay for itself. But what solutions should be included in MSPs anti-phishing offerings?
Listed below are three easy-to-implement anti-phishing solutions for MSPs to offer to their clients, either individually or part of an anti-phishing security package.
Advanced Spam Filtering
Advanced spam filtering solutions are essential. They block phishing emails on the server before they can be delivered to inboxes or employees’ spam folders. An advanced spam filter will block in excess of 99.9% of spam and malicious emails and by itself, is the single most important solution to implement.
SpamTitan is an ideal anti-phishing solution for MSPs. This cloud-based solution supports an unlimited number of domains, all of which can be protected through an easy to use interface. The solution supports per domain administrators, with each able to implement elements of their own email such as searches and the release of messages from the quarantine folder. Reports can be generated per domain and those reports can be scheduled and automatically sent to clients. The solution can be fully rebranded to take an MSP logo and color scheme, and the solution can be hosted in TitanHQ’s private cloud or within your own data center.
Security Awareness Training and Testing
While the majority of malicious emails will be blocked at source, a very small percentage may slip through the net. It is therefore essential for employees to be aware of the risks from phishing and to have the skills to identify potential phishing emails. MSPs can help their clients by providing a staff training program. Many security awareness training companies offer MSP programs to help manage training for clients and a platform to conduct phishing simulation exercises to test security awareness.
DNS-Based Web Filtering
Even with training, some employees may be fooled by phishing emails. This is to be expected, since many phishing campaigns use messages which are highly realistic and virtually indistinguishable from genuine emails. Spam filters will block malicious attachments, but a web filter offers protection from malicious hyperlinks that direct users to phishing websites.
A DNS-based web filter blocks attempts by employees to access phishing websites at the DNS-level, before any content is downloaded. When an employee clicks on a phishing email, they will be directed to a block screen rather than the phishing website. Being DNS-based, web filters are easy to implement and no appliances are required.
WebTitan is an ideal web filtering solution for MSPs. WebTitan can be configured in just a couple of minutes and can protect all clients from web-based phishing attacks, with the solution managed and controlled through a single easy-to-use interface. Reports can be automatically scheduled and sent to clients, and the solution is available in full white-label form ready for MSPs branding. A choice of hosting solutions is also offered, and the solution can connect with deployment, billing and management tools through APIs.
Key Product Features of SpamTitan and WebTitan for MSPs
Easy to manage: There is a low management overhead. SpamTitan and WebTitan are set and forget solution. We handle all the updates and are constantly protecting against new threats globally, in real-time.
Scalability: Regardless of your size you can deploy the solution within minutes. SpamTitan and WebTitan are scalable to thousands of users.
Extensive API: MSPs provided with API integration to provision customers through their own centralized management system; a growth-enabling licensing program, with usage-based pricing and monthly billing.
Hosting Options: SpamTitan and WebTitan can be deployed as a cloud based service hosted in the TitanHQ cloud, as a dedicated private cloud, or in the service provider’s own data center.
Extensive drill down reporting: Integration with Active Directory allows detailed end user reporting. Comprehensive reports can be created on demand or via the scheduled reporting options.
Support: World class support – we are renowned for our focus on supporting customers.
Tried & Tested: TitanHQ solutions are used by over 1500 Managed Service Providers worldwide.
Rebrandable: Rebrand the platform with your corporate logo and corporate colors to reinforce your brand or to resell it as a hosted service.
TitanSHIELD Program for MSPs
To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanShield MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:
TitanSHIELD Benefits
Sales Enablement
Marketing
Partner Support
Private or Public Cloud deployment
Access to the Partner Portal
Dedicated Account Manager
White Label or Co-branding
Co-Branded Evaluation Site
Assigned Sales Engineer Support
API integration
Social Network participation
Access to Global Partner Program Hotline
Free 30-day evaluations
Joint PR
Access to Partner Knowledge Base
Product Discounts
Joint White Papers
Technical Support
Competitive upgrades
Partner Events and Conferences
24/7 Priority Technical Support
Tiered Deal Registration
TitanHQ Newsletter
5 a.m. to 5 p.m. (PST) Technical Support
Renewal Protection
Better Together Webinars
Online Technical Training and FAQs
Advanced Product Information
Partner Certificate – Sales and technical
Access to Partner Technical Knowledge Base
Competitive Information and Research
Sales Campaigns in a box
Not-for-Resale (NFR) Key
Public Relations Program and Customer Testimonials
Product Brochures and Sales Tools
TitanHQ Corporate Style Guide and Logo Usage
Partner Advisory Council Eligibility
TitanHQ Partner Welcome Kit
QTRLY Business Planning and Review
Access to TitanHQ’s MVP Rewards Program
Access to Partner Support
For further information on TitanHQ’s anti-phishing solutions for MSPs, contact the TitanHQ team today and enquire about joining the TitanSHIELD program.
Recently, a new technique has been identified that is being used by hackers to conduct cross-site scripting attacks from within PDF files.
PDF files have long been used by hackers for phishing attacks and malware delivery. Oftentimes, emails are sent with PDF file attachments that contain hyperlinks to malicious websites. By adding these links into the files rather than the body of the email message, it is harder for security solutions to identify those malicious links.
The latest attack method also uses PDF files, but instead of tricking employees into revealing their login credentials or visiting a malicious website where malware is downloaded, the attackers attempt to obtain sensitive information contained in PDF files.
The technique is similar to those used to by hackers in web application attacks. Cross-site scripting attacks – or XXS attacks for short – typically involve injecting malicious scripts into trusted websites and applications. When a user visits a website or a hacked application, the script executes. The scripts give the attackers access to user information such as cookies, session tokens, and sensitive data saved in browsers, such as passwords. Since the website or application is trusted, the web browser will not recognize the script as malicious. These attacks are possible in websites and web applications where user input is used to generate output without properly validating or encoding it.
The same technique has been shown to also work within PDF files and is used to inject code and capture data. This is achieved by taking advantage of escape characters such as parentheses, which are commonly used to accept user input. If the input is not validated correctly, hackers can inject malicious URLs or JavaScript code into the PDF files. Even injecting a malicious URL can be enough to capture data in the document and exfiltrate it to the attacker-controlled website, as was demonstrated at the Black Hat online conference this month.
What sort of data could be captured in such an attack? A substantial amount of sensitive data is contained in PDF files. PDF files are used extensively for reports, statements, logs, e-tickets, receipts, boarding passes, and much more. PDF files may contain passport numbers, driver’s license numbers, bank account information, and a range of other sensitive data. The presenters at the conference explained they found some of the largest libraries of PDF files worldwide were sensitive to XXS attacks.
In the most part, the vulnerabilities in PDF files that allow XXS attacks are not due to the PDF files themselves, but improper coding. If PDF libraries fail to properly parse code of escape characters and allow unprotected formats, they will be vulnerable. Fortunately, Adobe released an update on December 9 which prevents this type of security vulnerability from being exploited, although companies that create PDF files must update their software and apply the update to be protected.
This is just one way that malicious attachments can be used to obtain sensitive information. As previously mentioned, malicious macros are commonly added to office documents, executable files are added as attachments to emails and masquerade as legitimate files, and malicious code can be injected into a range of different file types.
One of the best ways to protect against attacks via email using malicious attachments is to use an advanced email security solution that can detect not just known malware but also never-before-seen malicious code. This is an area where SpamTitan Email Security excels.
SpamTitan incorporates dual anti-virus engines (Bitdefender/ClamAV) to catch known malware threats and email sandboxing to identify malicious code that has been added to email attachments. Files are subjected to in-depth analysis in the security of the sandbox and are checked for any malicious actions.
To find out more about protecting your organization from malicious emails and malware, give the TitanHQ team a call.
The healthcare industry in the United States has long been targeted by cybercriminals seeking access to sensitive patient data. Patient data is a valuable commodity, as it can be used for a multitude of fraudulent purposes including identity theft, tax fraud, insurance fraud, and blackmail and understandably has a high black market value.
Some of the largest healthcare data breaches ever reported have started with a phishing attack, including the 78.8 million-record data breach at the health insurer Anthem Inc. and the cyberattack on Premera Blue Cross, another U.S. health insurer, which affected around 11 million individuals, both of which were reported in 2015.
While healthcare data breaches on the scale of Anthem’s have been avoided since, large phishing-related breaches are still occurring. The latest phishing-related data breach to be reported by a U.S. health insurer resulted in the exposure of the health records of almost 500,000 Aetna health plan members.
The phishing attack saw the attackers gain access to the email system of a business associate of Aetna. EyeMed manages vision benefits services for the health insurer and has several other healthcare clients. The compromised account contained highly sensitive information such as names, addresses, dates of birth, and full or partial Social Security numbers – information that is extremely valuable to phishers and identity thieves. In total, the records of 484,157 Aetna members were potentially compromised, along with the data of 60,000 members of Tufts Health Plan, and around 1,000 members of Blue Cross Blue Shield of Tennessee. While it was not the largest healthcare data breach of 2020, it does rank in the top 10 healthcare data breaches of the year.
Unfortunately, healthcare industry phishing attacks involving the exposure and/or theft of more than 100,000 patient records are far from unusual. There have been more than a dozen such breaches reported by healthcare organizations and their business associates in 2020, and several dozen smaller phishing attacks.
The healthcare industry is extensively targeted and is vulnerable to phishing attacks. Unfortunately, all it takes is for one employee to respond to a phishing email for their account to be compromised. Emails often contain personal and protected health information and can be downloaded by the attackers, and the compromised account can be used to send further phishing emails to other employees in the organization. In addition to gaining access to multiple email accounts, phishing can give attackers the foothold they need for a more extensive compromise, as was the case with the Anthem and Premera data breaches.
According to a report released by the Healthcare Information and Management Systems Society (HIMSS), its survey of healthcare cybersecurity professionals revealed 57% had experienced a successful phishing attack in the past year.
Securing the email system can be a challenge in healthcare and preventing phishing attacks is a constant struggle. Unfortunately, while there are excellent email security solutions available that will ensure the vast majority of phishing emails are blocked, it is not possible to deploy a single solution and prevent all phishing attacks from succeeding. What is required is a layered approach to phishing defenses. With multiple layers of protection, if one layer fails to block a threat, others will help to ensure the threat is blocked.
At the heart of phishing defenses should be an advanced machine-learning/AI-based anti-phishing solution such as SpamTitan. SpamTitan itself provides multiple layers of protection to block known phishing threats, while the machine-learning components identify new phishing threats that have yet to be seen. SpamTitan also incorporates multiple measures to identify and block email impersonation attacks, has a data loss protection feature, and anti-malware capabilities that block both known and zero-day malware threats.
A web filter is an often-overlooked anti-phishing measure. Web filters target the web-based component of phishing attacks and provide time-of-click protection to stop employees from visiting phishing websites via links in malicious emails.
As Microsoft pointed out in a summer blog post this year, multi-factor authentication is a must. Multi-factor authentication kicks in when credentials are obtained in phishing attacks and stops those credentials from being used to access email accounts. MFA can block more than 99.9% of attacks using compromised credentials.
End user training should also not be neglected. Conditioning employees how to recognize phishing emails and respond appropriately is essential, not just for cybersecurity but also HIPAA compliance.
These measures can be the difference between a successfully thwarted attack and a costly data breach, and the cost of implementing these solutions is cheaper than many people think. To find out more, give the TitanHQ team a call.
After a 2-month break, the Emotet botnet is back up and running and has been observed conducting a phishing email campaign that is delivering between 100,000 and 50,0000 messages to inboxes a day.
Emotet first appeared in 2014 and started life as a banking Trojan; however, over the years the malware has evolved. While Emotet remains a banking Trojan, it is now best known as a malware downloader that is used to deliver a range of secondary payloads. The malware payloads it delivers also act as malware downloaders, so infection with Emotet often results in multiple malware infections, with ransomware often delivered as the final payload.
Once Emotet is installed on an endpoint it is added to the Emotet botnet and is used for spam and phishing campaigns. Emotet sends copies of itself via email to the user’s contacts along with other self-propagation mechanisms to infect other computers on the network. Emotet can be difficult to eradicate from the network. Once one computer is cleaned, it is often reinfected by other infected computers on the network.
Emotet often goes dormant for several weeks or even months, but even with long gaps in activity, Emotet is still the biggest malware threat. Emotet went dormant around February 2020, with activity resuming five months later in July. Activity continued until late October when activity stopped once again until Tuesday this week when it returned in time for Christmas. In 2020, Emotet has been observed delivering TrickBot and other payloads such as Qakbot and ZLoader.
During the periods of inactivity, the threat actors behind the malware are not necessarily inactive, they just stop their distribution campaigns. During the breaks they update their malware and returned with a new and improved version that is more effective at evading defenses.
The latest campaign uses similar tactics to past campaigns to maximize the probability of end users opening a malicious Office document. The phishing emails are usually personalized to make them appear more authentic, with Emotet using hijacked message threats with malicious content inserted. Since the emails appear to be responses to past conversations between colleagues and contacts, there is a greater chance that the recipient will open the email attachment or click a malicious hyperlink.
This campaign favors password-protected files, with the password to open the file supplied in the message body of the email. Since email security solutions cannot open these files, it is more likely that they will be delivered to inboxes. The malicious documents delivered in this campaign contain malicious macros. If the macros are enabled – which the user is told is necessary to view the content of the document – Emotet will be downloaded, after which the TrickBot Trojan will be delivered, usually followed by a ransomware variant such as Ryuk.
Previous campaigns have not displayed any additional content when the macros are enabled; however, this campaign displays an error message after the macros have been enabled instructing the user that Word experienced an error opening the file. This is likely to make the user believe the Word document has been corrupted. A variety of themes are used for the emails, with the latest campaign using holiday season and COVID-19 related lures.
An analysis by Cofense identified several changes in the latest campaign, including switching the malware binary from an executable (.exe) file to a Dynamic Link Library (.dll) file, which is executed using rundll32.exe. The command-and-control infrastructure has been changed and now uses binary data rather than plain text, both of which make the malware harder to detect.
Businesses need to be particularly vigilant and should act quickly if infections are detected and should take steps to ensure their networks are protected with anti-virus software, security policies, spam filters, and web filters.
The threat of phishing is ever present, especially for the healthcare industry which is often targeted by phishers due to the high value of healthcare data and compromised email accounts. Phishing attacks are having a major impact on healthcare providers in the United States, which are reporting record numbers of successful phishing attacks. The industry is also plagued by ransomware attacks, with many of the attacks having their roots in a successful phishing attack. One that delivers a ransomware downloader such as the Emotet and TrickBot Trojans, for example.
A recent survey conducted by HIMSS on U.S. healthcare cybersecurity professionals has confirmed the extent to which phishing attacks are succeeding. The survey, which was conducted between March and September 2020, revealed phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, being cited as the cause of 57% of incidents.
One interesting fact to emerge from the survey is the lack of appropriate protections against phishing and other email attacks. While it is reassuring that 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is extremely concerning that 9% appear to have not. Only 89% said they had implemented firewalls to prevent cybersecurity incidents.
Then there is multi-factor authentication. Multifactor authentication will do nothing to stop phishing emails from being delivered, but it is highly effective at preventing stolen credentials from being used to remotely access email accounts. Microsoft suggested in a Summer 2020 blog post that multifactor authentication will stop 99.9% of attempts to use stolen credential to access accounts, yet multifactor authentication had only been implemented by 64% of healthcare organizations.
That does represent a considerable improvement from 2015 when the survey was last conducted, when just 37% had implemented MFA, but it shows there is still considerable for improvement, especially in an industry that suffers more than its fair share of phishing attacks.
In the data breach reports that are required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, which healthcare organizations in the U.S are required to comply with, it is common for breached organizations to state they are implementing MFA after experiencing a breach, when MFA could have prevented that costly breach from occurring in the first place. The HIMSS survey revealed 75% of organizations augment security after suffering a cyberattack.
These cyberattacks not only take up valuable resources and disrupt busines operations, but they can also have a negative impact on patient care. 28% of respondents said cyberattacks disrupted IT operations, 27% said they disrupted business operations, and 20% said they resulted in monetary losses. 61% of respondents said the attacks had an impact on non-emergency clinical care and 28% said the attacks had disrupted emergency care, with 17% saying they had resulted in patient harm. The latter figure could be underestimated, as many organizations do not have the mechanisms in place to determine whether patient safety has been affected.
The volume of phishing attacks that are succeeding cannot be attributed to a single factor, but what is clear is there needs to be greater investment in cybersecurity to prevent these attacks from succeeding. An effective email security solution should be top of the list – One that can block phishing emails and malware attacks. Training on cybersecurity must be provided to employees for HIPAA compliance, but training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also an essential anti-phishing measure.
One area of phishing protection that is often overlooked is a web filter. A web filter blocks the web-based component of phishing attacks, preventing employees from accessing webpages hosting phishing forms. With the sophisticated nature of today’s phishing attacks, and the realistic fake login pages used to capture credentials, this anti-phishing measure is also important.
Many hospitals and physician practices have limited budgets for cybersecurity, so it is important to not only implement effective anti-phishing and anti-malware solutions, but to get effective solutions at a reasonable price. That is an area where TitanHQ excels.
TitanHQ can provide cost-effective cloud-based anti-phishing and anti-malware solutions to protect against the email- and web-based components of cyberattacks and both of these solutions are provided at a very reasonable cost, with flexible payment options.
Further, these solutions have been designed to be easy to use and require no technical skill to set up and maintain. The ease of use, effectiveness, and low price are part of the reason why the solutions are ranked so highly by users, achieving the best rankings on Capterra, GetApp and Software Advice.
If you want to improve your defenses against phishing, prevent costly cyberattacks and data breaches, and the potential regulatory fines that can follow, give the TitanHQ team today and inquire about SpamTitan Email Security and WebTitan Web Security.
Black Friday and Cyber Monday are fast approaching and this year even more shoppers will be heading online to secure their Christmas bargains due to the COVID-19 pandemic. In many countries, such as the UK, lockdowns are in place that have forced retailers to close the doors of their physical shops, meaning Black Friday deals will only be available online. 2020 is likely to see previous records smashed with even more shoppers opting to purchase online due to many shops being closed and to reduce the risk of infection.
Surge in Phishing Attacks in the Run Up to Black Friday
The fact that many consumers have been forced to shop online due to COVID-19 has not been missed by cybercriminals, who have started their holiday season scams early this year. Every year sees a sharp rise in phishing emails and online scams that take advantage of the increase in sales in the run up to Christmas, but this year the data show cybercriminals have stepped up their efforts to spread malware, steal sensitive data, and fool the unwary into making fraudulent purchases.
Recent figures released by Check Point show there has been a 13-fold increase in phishing emails in the past 6 weeks with one in every 826 emails now a phishing attempt. To put that figure into perspective, 1 in 11,000 emails in October 2020 were phishing emails. Check Point reports 80% of the phishing emails were related to online sales, discounts, and special offers, and as Black Friday and Cyber Monday draws ever closer, the emails are likely to increase further.
Local lockdowns have piled pressure on smaller retailers, who are at risk of losing even more busines to the large retailers such as Amazon. In order to get their much-needed share of sales in the run up to Christmas, many have started conducting marketing campaigns via email to showcase their special offers and discounts. Those messages are likely to make it easier for cybercriminals to operate and harder for individuals to distinguish the genuine special offers from the fraudulent messages.
Cybercriminals have also started using a range of different techniques to make it harder for individuals to identify phishing and scam messages. Some campaigns involved the use of CAPTCHAs to fool both security solutions and end users, and the use of legitimate cloud services such as Google Drive and Dropbox for phishing and malware distribution is also rife.
With the scams even harder to spot and the volume of phishing and other scam emails up considerably, it is even more important for businesses to ensure their security measures are up to scratch and scam websites and phishing emails are identified and blocked.
How to Improve your Defenses Against Black Friday Phishing Scams and Other Threats
This is an area where TitanHQ can help. TitanHQ has developed two security solutions that work seamlessly together to provide protection from phishing and malware attacks via email and the Internet, not just protecting against previously seen threats, but also zero-day malware and phishing threats.
The SpamTitan email security and WebTitan web security solutions use a layered approach to threat detection, each incorporating multiple layers of protection to ensure that threats are identified and blocked. Both solutions leverage threat intelligence using a crowd sourced approach, to provide protection against emerging and even zero-minute threats.
SpamTitan uses smart email filtering and scanning, incorporating machine learning and behavioral analysis techniques to detect and isolate suspicious emails, dual antivirus engines, sandboxing to trick cybercriminals into thinking they have reached their target, and SPF, DKIM, and DMARC to detect and block email impersonation attacks.
WebTitan is an AI-powered cloud-based DNS web filtering solution that provides protection from online threats such as malware and ransomware and the web-based component of phishing attacks. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could lead to a malware or ransomware infection or the compromising of employee credentials. The solution is an effective cybersecurity measure for protecting against web-based threats for office-based employees and remote workers alike.
If you want to protect your business this holiday season and beyond and improve your defenses against email and web-based threats, give the TitanHQ team a call. Product demonstrations can be arranged, advice offered on the best deployments, and if the solutions are not suitable for your business, we will tell you so. You can also trial both solutions free of charge to evaluate their performance in your own environment before making a decision on a purchase.
The cybercriminal organization behind Ryuk ransomware – believed to be an eastern European hacking group known as Wizard Spider – has stepped up attacks on hospitals and health systems in the United States. This week has seen a wave of attacks on hospitals from the Californian coast to the eastern seaboard, with 6 Ryuk ransomware attacks on hospitals reported in a single day.
Ryuk ransomware causes widespread file encryption across entire networks, crippling systems and preventing clinicians from accessing patient data. Even when the attacks are detected quickly, systems must be shut down to prevent the spread of the ransomware. While hospitals have disaster protocols for exactly this kind of scenario and patient data can be recorded using pen and paper, the disruption caused is considerable. Non-essential surgeries and appointments often need to be cancelled and, in some cases, hospitals have been forced to divert patients to alternative medical facilities.
It is unclear if any ransomware attacks on U.S. hospitals have resulted in fatalities, but there was recently a fatality in an attack in Germany, where a patient was rerouted to a different hospital and died before lifesaving treatment could be provided. Had the ransomware attack not occurred, treatment could have been provided in time to save the patient’s life. The attacks in the United States also have the potential to result in loss of life, especially in such as large-scale, coordinated campaign.
Earlier in the week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) issued an advisory after credible evidence emerged indicating Ryuk ransomware attacks on U.S. hospitals and healthcare providers were about to increase.
It is unclear why the attacks have increased now and the exact motives behind the current campaign, but recently Microsoft and U.S. Cyber Command, in conjunction with several cybersecurity firms, disrupted the TrickBot botnet – A network of devices infected with the TrickBot Trojan. The TrickBot Trojan is operated by a different cybercriminal group to Ryuk, but it was extensively used to deliver Ryuk ransomware. The botnet is back up and running, with the threat actors switching to alternative infrastructure, but there have been suggestions that this could be a response to the takedown.
The Ryuk ransomware attacks on hospitals come at a time when healthcare providers are battling the coronavirus pandemic. In the United States the number of new cases is higher than at any time since the start of the pandemic. Hospitals cannot afford to have systems taken out of action and patient care disrupted. The timing of the attacks is such that hospitals may feel there is little alternative other than paying the ransom to ensure that disruption is kept to a minimum. Ransomware gangs are known to time their attacks to cause maximum disruption.
Ryuk ransomware attacks on hospitals have been steadily increasing in the United States prior to the latest spike. Figures released by Check Point Research in the past few days show ransomware attacks on hospitals increased 71% from September, with healthcare the most targeted industry sector, not only in October, but also Q3, 2020. Ryuk ransomware attacks account for 75% of all ransomware attacks on hospitals in the United States.
There is concern that the latest attacks will be just the tip of the iceberg. Some security experts suggest the gang is looking to target hundreds of hospitals and health systems in the United States in this campaign. Each attack on a health system could see several hospitals affected. The attack this week on the University of Vermont Health Network impacted 7 hospitals.
Defending against ransomware attacks can be a challenge, as multiple methods are used to gain access to healthcare networks. Ryuk ransomware is commonly delivered by the TrickBot Trojan, which is delivered as a secondary payload by the Emotet Trojan. The Buer loader and BazarLoader are also being used to deliver Ryuk ransomware. These malware downloaders are delivered via phishing emails so a good spam filter is therefore important.
Employees should be made aware of the increased threat of attack and advised to exercise extra caution with emails. Software updates need to be applied promptly and all systems kept fully patched and up to date. Default passwords should be changed, and complex passwords used, with multi-factor authentication implemented where possible. If it is not necessary for systems to be connected to the Internet, they should be disconnected, and RDP should be disabled where possible.
It is also essential for regular backups of critical data to be made and for those backups to be stored securely on non-networked devices to ensure that in the event of an attack hospitals have the option to recover their data without having to pay the ransom.
Further information on indicators of compromise and other mitigations are available in the CISA Ryuk ransomware advisory.
The Emotet Trojan is one of the main malware threats currently used to attack businesses. The Trojan is primarily distributed using spam emails, using a variety of lures to convince users to install the Trojan.
The spam emails are generated by the Emotet botnet – an army of zombie devices infected with the Emotet Trojan. The Trojan hijacks the victim’s email account and uses it to send copies of itself to the victim’s business contacts using the email addresses in victims’ address books.
Emotet emails tend to have a business theme, since it is business users that are targeted by the Emotet actors. Campaigns often use tried and tested phishing lures such as fake invoices, purchase orders, shipping notices, and resumes, with the messages often containing limited text and an email attachments that the recipient is required to open to view further information.
Word documents are often used – although not exclusively – with malicious macros which install the Emotet Trojan on the victim’s device. In order for the macros to run, the user is required to ‘Enable Content’ when they open the email attachment.
Users are instructed in the documents to enable content using a variety of tricks, oftentimes the documents state that the Word document has been created on an IoS or mobile device, and content needs to be enabled to allow the content to be viewed or that the contents of the document have been protected and will not be displayed unless content is enabled.
Earlier this month, a new lure was used by the Emotet actors. Spam emails were sent explaining a Windows update needed to be installed to upgrade apps on the device, which were preventing Microsoft Word from displaying the document contents. Users were instructed to Enable Editing – thus disabling Protected View – and then Enable Content – which allowed the macro to run.
The Emotet Trojan does not simply add devices to a botnet and use them to conduct further phishing attacks. One of the main uses of Emotet is to download other malware variants onto infected devices. The operators of the Emotet botnet are paid by other threat actors to distribute their malware payloads, such as the TrickBot Trojan and QBot malware.
The TrickBot Trojan was initially a banking Trojan that first appeared in 2016, but the modular malware has been regularly updated over the past few year to add a host of new functions. TrickBot still acts as a banking Trojan, but is also a stealthy information stealer and malware downloader, as is QBot malware.
As with Emotet, once the operators of these Trojans have achieved their aims, they deliver a secondary malware payload. TrickBot has been used extensively to deliver Ryuk ransomware, one of the biggest ransomware threats currently in use. QBot has teamed up with another threat group and delivers Conti ransomware. From a single phishing email, a victim could therefore receive Emotet, TrickBot/QBot, and then suffer a ransomware attack.
It is therefore essential for businesses to implement an effective spam filtering solution to block the initial malicious emails at source and prevent them from being delivered to their employee’s inboxes. It is also important to provide security awareness training to employees to help them identify malicious messages such as phishing emails in case a threat is not blocked and reaches employees’ inboxes.
Organizations that rely on the default anti-spam defenses that are provided with Office 365 licenses should consider implementing an additional spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are delivered to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of Office 365 anti-spam protections, users will be better protected.
To find out more about the full features of SpamTitan and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, give the SpamTitan team a call today.
A product demonstration can be arranged, your questions will be answered, and assistance will be provided to help set you up for a free trial to evaluate the solution in your own environment.
Phishing is a cybersecurity threat that businesses of all sizes are likely to face and one that requires multiple phishing protection measures to prevent. Phishing is the term given to fraudulent attempts to obtain sensitive information such as login credentials to email accounts or employee/customer information. Phishing can take place over the telephone (vishing), via text message (SMiShing), or through social media networks and websites, but the most common phishing attacks take place over email.
When phishing occurs over email, an attack usually consists of two elements. A lure – a reason given in the email that encourages the user to take a particular action – and a web-based component, where sensitive information is collected.
For instance, an email is sent telling the recipient that there has been a security breach that requires immediate action. A link is supplied in the email that directs the recipient to a website where they are required to login and verify their identity. The website is spoofed to make it look like the site it is impersonating and when information is entered it is captured by the attacker.
Phishing protection measures should be deployed to block both of these components. First, you need a solution that stops the phishing attack at source and prevents phishing emails from being delivered to inboxes. You should also have security measures in place to prevent information from being handed over to the attackers at the web stage of the attack. As an additional protection, in case both of those measures fail, you need to prevent stolen credentials from being used to gain access to the account.
Four Essential Phishing Protection Measures
Phishing protection measures should consist of four elements: a spam filter, a web filter, end user training, and multi-factor authentication – often referred to as layered phishing defenses. If one layer should fail, others are in place to make sure the attack does not succeed.
Spam filtering
A spam filter is your first line of defense and one that will block the vast majority of email threats. An advanced spam filter will block in excess of 99.9% of spam, phishing, and malware-laced emails. Spam filters incorporate several layers of protection. They use blacklists of known spammers – domains, email accounts, and IP addresses that have previously been used for spamming, phishing, and other nefarious activities. Checks are performed on the message headers and the message body is subjected to multiple checks to identify malicious URLs and keywords commonly used in spam and phishing emails. Each message is given a score, and if that score is higher than a pre-defined threshold, the message will be either deleted or quarantined. Spam filters also incorporate antivirus engines that check messages for malicious attachments.
Web filtering
Cybercriminals are constantly changing tactics and developing new methods to obfuscate their phishing attempts to bypass spam filters. Spam filters are updated to block these new attacks, but there will be a lag and some messages will slip through the net on occasion. This is where a web filter kicks into action. A web filter will check a website against several blacklists and will assess the content of the website in real-time. If the website is deemed to be malicious, the user will not be permitted to connect, instead they will be directed to a local block page. Web filters also have AV software to prevent malware being downloaded and can be used to control the types of content users can access – blocking pornography for instance, or social media networks, gaming sites and other productivity drains.
End user training
Technical anti-phishing measures are important, but they will not block all attacks. It is therefore essential to provide end user training to help employees identify phishing and other malicious emails. A once-a-year formal training session should be conducted, with ongoing, regular shorter training sessions throughout the year to raise awareness of new threats and to reinforce the annual training. Phishing simulations should also be conducted to test whether training has been effective and to ensure that any knowledge gaps are identified and addressed.
Multi-factor authentication
If credentials are stolen in a phishing attack, or are otherwise obtained by a cybercriminal, multi-factor authentication can prevent those credentials from being used. In addition to a password, a second factor must be provided before account access is granted. This could be a token, code, or one-time password, with the latter usually sent to a mobile phone. While multi-factor authentication will block the majority of attempts by unauthorized individuals to access accounts, it is not infallible and should not be considered as a replacement for the other protections. Multi-factor authentication will also not stop malware infections.
Phishing Protection Solutions from TitanHQ
TitanHQ has developed two powerful cybersecurity solutions to help you protect against phishing and malware attacks: SpamTitan email security and the WebTitan web filter. Both of these solutions have multiple deployment options and are easy to implement, configure, and use. The solutions are consistently rated highly by end users for the level of protection provided, ease of deployment, ease of use, and for the excellent customer support if you ever have any problems or questions.
On top of that, pricing is totally transparent with no hidden extras, and the solutions are very competitively priced. Both are available on a free trial to allow you to test them in your own environment before committing to a purchase.
Over the past few months, cyberattacks involving Netwalker ransomware have been steadily increasing and Netwalker has now become one of the biggest ransomware threats of 2020.
Netwalker ransomware is the new name for a ransomware variant called Mailto, which first appeared a year ago in August 2019. The threat actors behind the ransomware rebranded their malware as Netwalker in late 2019 and in 2020 started advertising for affiliates to distribute the ransomware under the ransomware-as-a-service model. In contrast to many RaaS offerings, the threat group is being particularly choosy about who they recruit to distribute the ransomware and has been attempting to build a select group of affiliates with the ability to conduct network attacks on enterprises that have the means to pay large ransoms and the data to warrant such large payments if attacked.
Netwalker ransomware was used in an attack in February on Toll Group, an Australian logistics and transportation company, which caused widespread disruption although the firm claims not to have paid the ransom. Like several other ransomware gangs, the Netwalker gang took advantage of the COVID-19 pandemic and was using COVID-19 lures in phishing emails to spread the ransomware payload via a malicious email attachment, opting for a Visual Basic Scripting (.vbs) loader attachments.
Then followed attacks on Michigan State University and Columbia College of Chicago, with the frequency of attacks increasing in June. The University of California San Francisco, which was conducting research into COVID-19, was attacked and had little choice other than to pay the $1.14 million ransom demand to regain access to essential research data that was encrypted in the attack. More recently Lorien Health Services, a Maryland operator of assisted living facilities, also had files encrypted by the Netwalker gang.
The recent attacks have seen the attack vector change, suggesting the attacks have been the work of affiliates and the recruitment campaign has worked. Recent attacks have seen a range of techniques used in attacks, including brute force attacks on RDP servers, exploitation of vulnerabilities in unpatched VPN systems such as Pulse Secure VPNs that have not had the patch applied to correct the CVE-2019-11510 vulnerability. Attacks have also been performed exploiting user interface components of web apps, such as the Telerik UI vulnerability CVE-2019-18935, in addition to vulnerabilities in Oracle WebLogic and Apache Tomcat servers.
With the ransoms paid so far, the group is now far better funded and appears to have skilled affiliates working at distributing the ransomware. Netwalker has now become one of the biggest ransomware threats and has joined the ranks of Ryuk and Sodinokibi. Like those threat groups, data is stolen prior to file encryption and threats are issued to publish or sell the data if the ransom is not paid.
The increase in activity and skill of the group at gaining access to enterprise networks prompted the FBI to issue a flash alert warning of the risk of attack in late July. The group appears to be targeting government organizations, educational institutions, healthcare providers and entities involved in COVID-19 research, and the attacks are showing no sign of slowing, in fact they are more than likely to increase.
Defending against the attacks requires a defense in depth approach and adoption of good cyber hygiene. An advanced spam filtering solution should be used to block email attacks, end users should be taught how to recognize malicious emails and shown what to do if a suspicious email is received. Vulnerabilities in software are being exploited so prompt patching is essential. All devices should be running the latest software versions.
Antivirus and anti-malware software should be used on all devices and kept up to date, and policies requiring strong passwords to be implemented should be enforced to prevent brute force tactics from succeeding. Patched VPNs should be used for remote access, two-factor authentication should be implemented, web filters used for secure browsing of the internet, and backups should be performed regularly. Backups should be stored on a non-networked device that is not accessible over the internet to ensure they too are not encrypted in an attack.
A recent survey by Capterra on British SMEs has revealed 30% have fallen victim to a phishing attack during the COVID-19 lockdown. Just under half of the phishing emails received (45%) were related to coronavirus or COVID-19.
COVID-19 phishing emails increased significantly during the first quarter of 2020 as the coronavirus spread around the world. Since the virus was unknown to science, scientists have been working tirelessly to learn about the virus, the disease it causes, how the virus is spread, and what can be done to prevent infection. The public has been craving information as soon as it is available, which creates the perfect environment for phishing attacks. People want information and threat actors are more than happy to offer to provide it.
The Capterra survey highlights the extent to which these campaigns are succeeding. Employees are receiving phishing emails and being fooled by the social engineering tactics the scammers have adopted. The high success rate has seen many threat actors temporarily abandon their tried and tested phishing campaigns that they were running before the SARS-CoV-2 outbreak, and have repurposed their campaigns to take advantage of the public’s thirst for knowledge about the virus. In the first quarter of 2020, KnowBe4 reported a 600% increase in COVID-19 and coronavirus themed phishing emails.
The high percentage of businesses that have experienced phishing attacks during the COVID-19 lockdown indicates many SMEs need to augment their anti-phishing defenses. There is also a need for further training to be provided to employees, as the emails are being opened and links are being clicked.
On the training front, formal training sessions may be harder to administer with so many employees working remotely. Consider conducting short training sessions via teleconferencing platforms and sending regular email alerts warning about the latest techniques, tactics and procedures being used in targeted attacks on remote workers. Phishing simulation exercises can be hugely beneficial and will help to condition workers to check emails thoroughly and report any threats received. These simulations also help identify which employees need further training to help them recognize potential phishing attacks.
Of course, the best way to ensure that employees do not open phishing emails and malicious attachments is to ensure they are not delivered to employees’ inboxes. That requires an advanced spam filtering solution.
Many SMEs and SMBs have now moved to an Office 365 hosted email solution, in which case email filtering will be taking place using Microsoft’s Exchange Online Protection – The default spam filtering service that protects all office 365 users. If you are reliant on this solution for filtering out phishing emails and other types of malicious messages, you should consider adding a third-party solution on top of EOP.
Exchange Online Protection provides a reasonable level of security and can block phishing emails and known malware threats, but it lacks the features of more advanced spam filtering solutions and cloud-based email security gateways, such as machine learning and predictive technology to identify attacks that have not been seen before.
As an additional protection against phishing attacks, a web filtering solution should be considered. In the event of a phishing email arriving in an inbox, a web filter serves as an additional layer of protection to prevent attempts by employees to visit websites linked in the emails. When an attempt is made to visit a known phishing website or web content that violates your acceptable internet usage policies, access will be blocked and the user will be directed to a local web page telling them why access has been denied.
Multi-factor authentication should also be implemented for email to ensure that in the event that credentials are compromised, a second factor must be provided before access to the email account is granted.
For more information on spam filtering and web filtering, and further information on TitanHQ’s advanced cloud-based email security solution – SpamTitan – and DNS-based web filtering solution – WebTitan – give the TitanHQ team a call today.
Security awareness for remote workers has never been more important. It is fair to say that there have never been more people working from home as there are now during the COVID-19 pandemic, and home workers are now being actively targeted by cybercriminals who see them as providing an easy way to gain access to their corporate networks to steal sensitive information, and install malware and ransomware.
Businesses may have already given their employees security awareness training to make sure they are made aware of the risks that they are likely to encounter and to teach them how to recognize threats and respond. However, working from home introduces many more risks and those risks may not have been covered in security awareness training sessions geared toward protecting office workers. It is also important to provide security training for employees, and this is especially important for remote workers, as risk increases when employees are working remotely.
In this post we will highlight some of the key areas that must be addressed in work-from-home (WFH) security awareness training for the workforce.
Increased Security Awareness for Remote Workers Required as COVID-19 Crisis Deepens
Naturally, as an email security solution provider, we strongly advocate the use of a powerful email security solution and layered technical defenses to protect against phishing, but technical controls, while effective, will not stop all threats from reaching inboxes. It is all too easy to place too much reliance on technical security solutions for securing email environments and work computers. The truth is that even with the best possible email security defenses in place, some threats will end up reaching inboxes.
The importance of providing security awareness training to the workforce and the benefits of doing so have been highlighted by several studies. One benchmarking study, conducted by the security awareness training provider KnowBe4, revealed 37.9% of employees fail phishing tests if they are not provided with security awareness and social engineering training. That figure has increased by 8.3% from the previous year. With security awareness training and phishing email simulations, the figure dropped to 14.1% after 90 days.
During the COVID-19 pandemic, the volume of phishing emails being sent has increased significantly and campaigns are being conducted targeting remote workers. The aim of the phishing campaigns is to obtain login credentials to email accounts, VPNs, and SaaS platforms and to spread malware and ransomware.
With so many employees now working from home, and the speed at which companies have had to transition from a largely office-based workforce to having virtually everyone working from home may have seen security awareness training for remote workers put on the back burner. However, with the lockdown likely to be extended for several months and attacks on the rise, it is important to make sure that training is provided, and as soon as possible.
Increase in COVID-19 Domain Registrations and Rise in Web-Based Attacks
Security awareness training for remote workers also needs to cover internet security as not all threats will arrive in inboxes. Most phishing attacks have a web-based component, and malicious websites are being set up for drive-by malware downloads. Currently, the vast majority of threats are using COVID-19 and the Novel Coronavirus as a lure to get remote workers to download malware, ransomware, or part with their login credentials.
Unsurprisingly, cybercriminals have increased web-based attacks, which are being conducted using a plethora of COVID-19 and novel coronavirus-themed domains. By the end of March, approximately 42,000 domains related to COVID-19 and coronavirus had been registered. An analysis by Check Point Research revealed those domains were 50% more likely to be malicious than other domains registered over the same period.
It is important to raise awareness of the risks of using corporate laptops for personal use such as browsing the Internet. Steps should also be taken to limit the websites that can be accessed by employees and, at the very least, a solution should be implemented and configured to block access to known malicious websites that are used for phishing, fraud, and malware distribution.
Shadow IT is a Major Security Risk
When employees are office-based and connected to the network, identifying shadow IT – unauthorized software and hardware used by employees – is more straightforward. The problem not only becomes harder to identify when employees work from home, the risk of unauthorized software being loaded onto corporate-issued devices increases.
Software downloaded onto work computers carries a risk of a malware infection and potentially offers an easy way to attack the user’s device and the corporate network. IT teams will have little visibility into the unauthorized software on users’ devices and whether it is running the latest version and has been patched against known vulnerabilities. It is important to cover shadow IT in security awareness training for remote workers and to make it clear that no software should be installed on work devices and that personal USB devices should not be connected to corporate devices without the go-ahead being given by the IT department.
The COVID-19 pandemic has seen many workers turn to teleconferencing platforms to communicate with the office, friends, and family. One of the most popular teleconferencing platforms is Zoom. Malicious installers have been identified that install the genuine Zoom client but have been bundled with malware. Installers have been identified that also install adware, Remote Access Trojans, and cryptocurrency miners.
How TitanHQ Can Help Improve Email Security
Several security awareness training firms have made resources available to businesses free of charge during the COVID-19 crisis to help them train the workforce, such as the SANS Institute. Take advantage of these resources and push them out to your workforce. If you are a small SMB, you may also be able to get access to free phishing simulation emails to test the workforce and reinforce training.
TitanHQ can’t help you with your remote worker cybersecurity awareness training, but we can help by ensuring employees have to deal with fewer threats by protecting against email and web-based attacks.
SpamTitan is an advanced and powerful cloud-based email security solution that will protect remote workers from phishing, spear phishing, malware, virus, and ransomware attacks by blocking attacks at the source and preventing the threats from reaching inboxes. SpamTitan features dual anti-virus engines to protect against known malware threats and email sandboxing to block unknown (zero-day) malware threats. SpamTitan incorporates several real-time threat intelligence feeds to block current and emerging phishing attacks and machine learning technology detects and blocks previously unseen phishing threats. SpamTitan has been developed to work seamlessly with Office 365 to allow businesses to create layered defenses, augmenting Microsoft’s protections and adding advanced threat detection and blocking capabilities.
WebTitan is a DNS filtering solution that will protect all workers from web-based attacks, no matter where they access the internet. WebTitan incorporates zero-minute threat intelligence and blocks malicious domains and web pages as soon as they are identified. The solution can also be used to carefully control the types of websites that remote workers can access on their corporate-owned devices, via keyword and category-based controls. WebTitan can also be configured to block the downloading of malicious files and software installers to control shadow IT.
For more information on protecting your business during the COVID-19 crisis, to arrange a product demonstration of SpamTitan and/or WebTitan, and to register for a free trial of either solution to allow you to start instantly protecting against email and web-based threats, contact TitanHQ today!
When it comes to cybersecurity and home working, CIOs and IT teams have a challenge – How to ensure the same level of protection is provided for remote workers as they get when they are in the office. To help we have compiled a set of cybersecurity best practices for home workers to help IT teams prepare for a massive increase in telecommuting
The cybersecurity protections at home will not be nearly as good for home workers as protections in the office, which are much easier to implement and maintain. IT departments will therefore need to teach telecommuting workers cybersecurity best practices for home working and their devices will need to be configured to access applications and work resources securely. With so many workers having to telecommute, this will be a major challenge.
The coronavirus pandemic has forced businesses to rapidly expand the number of telecommuting workers and having to increase capacity in such a short space of time increases the potential for mistakes. Further, testing may not be nearly as stringent as necessary given the time pressure IT workers are under. Their teams too are likely to be depleted due to self-isolating workers.
One area where standards are likely to slip is staff training on IT. Many employees will be working from home for the first time and will have to use new methods and applications they will not be familiar with. The lack of familiarity can easily lead to mistakes being made. It is important that even though resources are limited you still teach cybersecurity best practices for home workers. Do not assume that telecommuting workers will be aware of the steps they must take to work securely away from the office.
Steps for IT Teams to Take to Improve Cybersecurity for Home Workers
Listed below are some of the key steps that IT teams need to take to improve security for employees that must now work from home.
Ensure VPNs are Provided and Updated
Telecommuting workers should not be able to access their work environment unless they use a VPN. A VPN will ensure that all traffic is encrypted, and data cannot be intercepted in transit. Enterprise-grade VPNs should be used as they are more robust and provide greater security. Ensure there are sufficient licenses for all workers, and you have sufficient bandwidth available. You must also make sure that the VPN is running the latest software version and patches are applied, even if this means some downtime to perform the updates. VPN vulnerabilities are under active attack.
Set up Firewalls for Remote Workers
You will have a firewall in place at the office and remote workers must have similar protections in place. Software firewalls should be implemented to protect remote workers’ devices. Home routers may have inbuilt firewalls. Talk employees through activating hardware firewalls if they have them on their home routers and ensure that passwords are set to prevent unauthorized individuals from connecting to their home Wi-Fi network.
Apply the Rule of Least Privilege
Remote workers introduce new risks, and with large sections of the workforce telecommuting, that risk is considerable. Remote workers are being targeted by cybercriminals and through web- and email-based attacks. In the event of a malware infection or credential theft, damage can be limited by ensuring workers only have access to resources absolutely necessary for them to perform their work duties. If possible, restrict access to sensitive systems and data.
Ensure Strong Passwords are Being Set
To protect against brute force attacks, ensure good password practices are being followed. Consider using a password manager to help employees remember their passwords. The use of complex passwords should be enforced.
Implement Multifactor Authentication
Multifactor authentication should be implemented on all applications that are accessed by remote workers. This measure will ensure that if credentials are compromised, system access is not granted unless a second factor is provided.
Ensure Remote Workers’ Devices Have Antivirus Software installed
Antivirus software must be installed on all devices that are allowed to connect to work networks and the solutions must be set to update automatically.
Set Windows Updates to Automatic
Working remotely makes it harder to monitor user devices and perform updates. Ensure that Windows updates are set to occur automatically outside of office hours. Instruct workers to leave their devices on to allow updates to take place.
Use Cloud-Based Backup Solutions
To prevent accidental data loss and to protect against ransomware attacks, all data must be backed up. By using cloud-based backups, in the event of data loss, data can be restored from the cloud-backup service.
Teach Cybersecurity Best Practices for Home Workers
All telecommuting workers must be shown how they need to access their work environment securely when working away from the office. Reinforce IT best practices with home workers, provide training on the use of VPNs, provide training on cybersecurity dos and don’ts when working remotely, and explain procedures for reporting problems.
Define Procedures for Dealing with a Security Incident
Members of the IT team are also likely to be working remotely so it is essential that everyone is aware of their role and responsibilities. In the event of a security incident, workers should have clear procedures to follow to ensure the incident is resolved quickly and efficiently.
Implement a Web Filter
A web filter will help to protect against web-based malware attacks by blocking access to malicious websites and will help to prevent malware downloads and the installation of shadow IT. Also consider applying content controls to limit employee activities on corporate-owned devices. Drive-by malware attacks have increased and the number of malicious domains registered in the past few weeks has skyrocketed.
Use Encrypted Communication Channels
When you need to communicate with telecommuting workers, ensure you have secure communications channels to use where sensitive information cannot be intercepted. Use encryption for email and secure text message communications, such as Telegram or WhatsApp.
Ensure Your Email Security Controls are Sufficient
One of the most important cybersecurity best practices for home workers is to take extra care when opening emails. Phishing and email-based malware attacks have increased significantly during the coronavirus pandemic. Ensure training is provided to help employees identify phishing emails and other email threats.
Consider augmenting email security to ensure more threats are blocked. If you use Office 365, a third-party email security solution layered on top will provide much better protection. Exchange Online Protection (EOP) is unlikely to provide the level of protection you need against phishing and zero-day malware threats. Consider an email security solutions with data loss protection functions to protect against insider threats.
Monitor for Unauthorized Access
More devices connecting to work environments makes it much easier for threat actors to hide malicious activity. Make sure monitoring is stepped up. An intrusion detection system that can identify anomalous user behavior would be a wide investment.
For further information on enhancing email security and web filtering to protect remote workers during the coronavirus pandemic, contact TitanHQ today.
The first California Consumer Privacy Act lawsuit has been filed over an alleged failure to adequately protect consumer data. The lawsuit has been filed against Hanna Andersson, a children’s clothing company, and its ecommerce platform provider, Salesforce.com.
The California Consumer Privacy Act took effect on January 1, 2020. Under Civil Code 1798.100 – 1798.199, consumers could start exercising their new rights under CCPA from the compliance date. One of those rights is being able to take legal action against companies for privacy violations, such as the theft of personal data in a data breach.
The California Consumer Privacy Act lawsuit was filed in the U.S. District Court for the Northern District of California on behalf of a victim of a 2019 data breach. The lawsuit alleges negligence and a failure to implement reasonable safeguards to protect consumer data, and that the data breach occurred as a direct result of the alleged negligence. A claim for damages has not been stated, although the right has been reserved to seek damages and relief at a later date.
The breach in question was announced by Hanna Andersson on January 15, 2020. Hackers had gained access to its systems and downloaded malware, which allowed the attackers to steal information such as names, personal information, and payment card data. That information was subsequently listed for sale on the dark web.
The California Consumer Privacy Act allows Californians to file for damages of up to $750 per data breach, so a class action California Consumer Privacy Act lawsuit arising from a sizeable data breach could prove extremely costly for a company. In this case, the data breach affected approximately 10,000 California residents, so damages up to $7,500,000 could potentially be claimed.
Enforcement of CCPA
Enforcement of compliance by the California Attorney General has been delayed and will start 6 months after the publication of the final regulations or July 1, 2020, whichever comes sooner. Since the final regulations have yet to be published, the enforcement date will be July 1, 2020. California Attorney General Xavier Bercerra has already stated that he will make an example of businesses that fail to comply with CCPA.
It should be noted that there is nothing in CCPA that prevents the state attorney general from issuing notices of noncompliance before that date and consumers can already file lawsuits to claim damages. It is therefore essential for all entities covered by CCPA to ensure that they are honoring the new consumer rights and have implemented safeguards to protect consumer data.
How TitanHQ Can Help with CCPA Compliance
TitanHQ offers two powerful security solutions that can help covered entities ensure the data of consumers is protected and data breaches are prevented. These two cybersecurity solutions protect against the two most common attack vectors – Email and the internet.
SpamTitan is a powerful anti-spam, anti-malware, and anti-phishing solution that protects email systems from phishing and spear phishing attacks, known and zero-day malware threats, and email-based ransomware attacks.
WebTitan is a companion solution that blocks the web-based element of phishing attacks, exploit kits, and drive-by malware downloads over the internet, while also controlling the content that employees can access on wired and wireless networks.
TitanHQ can also help covered entities comply with the right to know and right to delete consumer rights afforded by CCPA through ArcTitan. ArcTitan is an email archiving solution that allows organizations to meet state and federal email data retention requirements and quickly find emails containing consumer data. If a California resident exercises their right to know what data is held on them by a company, or requests all of their personal data is deleted, that information can quickly be found in the archive. ArcTitan will also allow you to quickly find email data for eDiscovery in the event of any legal disputes.
For further information on these solutions, to schedule a product demonstration, or to arrange a free trial of the full solutions (with full customer support), give the TitanHQ team a call today.
TitanHQ has announced a new partnership with Pax8. The partnership means Pax8 partners now have access to TitanHQ’s cloud-based email security solution – SpamTitan – and its DNS filtering solution, WebTitan.
Pax8 is the leader in cloud distribution. The company simplifies the cloud buying process and empowers businesses to achieve more with the cloud. The company has been named Best in Show for two consecutive years at the Next Gen and XChange conferences and is positioned at number 60 in the 2019 Inc. 5000 list of the fastest growing companies.
Pax8 carefully selects the vendors it works with and only offers market-leading channel friendly solutions to its partners. When searching for further cybersecurity solutions for its partners, TitanHQ was determined to be the perfect fit. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers (MSPs) serving the SMB marketplace and its cybersecurity solutions are much loved by users. This was clearly shown in the 2019 G2 Crowd Report on Email Security Gateways where SpamTitan was named leader, having achieved 4- or 5-star ratings by 97% of its users, with 92% saying they would recommend the solution to other businesses.
Phishing, malware, and ransomware attacks have all increased in the past year and the cost of mitigating those attacks continues to rise. By implementing SpamTitan and WebTitan, SMBs and MSPs can secure their email environments and block web-based threats and keep their networks secure.
SpamTitan provides excellent protection for Office 365 environments. The solution detects and blocks phishing and email impersonation attacks and prevents known and zero-day malware and ransomware threats from reaching inboxes. The WebTitan Cloud DNS filtering solution blocks the web-based component of cyberattacks by preventing end users from visiting malicious websites, such as those harboring malware and phishing kits.
Both solutions are quick and easy to implement, can be seamlessly integrated into MSPs service stacks and cloud-management platforms, and Pax8 partners benefit from highly competitive and transparent pricing, centralized billing, and leading customer support.
“I am delighted to partner with the Pax8 team,” said Ronan Kavanagh, CEO, TitanHQ. “Their focus and dedication to the MSP community are completely aligned with ours at TitanHQ, and we look forward to delivering our integrated solutions to their partners and customers.”
The Travelex ransomware attack that started around December 31, 2019 is one of several recent ransomware attacks where threat actors have upped the ante by threatening to publish data stolen from victims prior to the deployment of ransomware.
A New Trend in Ransomware Attacks
Most ransomware attacks, especially those conducted by affiliates using ransomware-as-a-service, see ransomware deployed instantly. An employee receives a ransomware attachment via email, opens the attachment, and the encryption process is started. Now, several threat actors have taken steps to increase the probability of their ransom demand being paid.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has recently issued warnings about changing ransomware tactics, which now involve data theft prior to file encryption. This tactic is nothing new, as several threat actors have been conducting these types of attacks for some time, attacks of this nature have been increasing.
to the network is gained, the attackers then move laterally and gain access to as many devices as possible. Data is stolen and when the attackers have stolen as much as they want, ransomware is deployed. In these types of attacks, the time between the initial compromise and deployment of ransomware is typically several months.
Data may be stolen and sold online with the ransomware deployed as a coup de grace after a long-term compromise to extort money from the company. Now it is increasingly common for a threat to be issued along with the ransom demand that the stolen data will be published or sold if the ransom is not paid.
This tactic has been adopted by the threat actors behind Maze ransomware and they have gone ahead and published stolen data when the ransom was not paid. The threat actors using MegaCortex ransomware and LockerGoga ransomware have similarly issued threats.
Now the gang behind Sodinikibi (REvil) ransomware have also changed tactics and have started issuing threats to publish stolen data. The Sodinokibi gang have made several threats to sell on or publish stolen data but it was only recently that they did just that. The gang attacked Artech Information Systems, one of the largest IT staffing companies in the U.S. When the ransom demand was not paid, 337MB of stolen data was published on a Russian hacking and malware forum. The Travelex ransomware attack is one of the latest Sodinokibi ransomware attacks, and a threat to publish stolen data was similarly issued.
The Travelex Ransomware Attack
On New Year’s Eve, Travelex took its systems offline to contain the infection and limit the damage caused. More than two weeks on, Travelex systems are still offline although the company is now starting to restore some of its systems. The number of branches affected by the attack, and banks and other companies that rely on its currency exchange services, makes this one of the most serious and damaging ransomware attacks ever.
With its systems offline, Travelex has been unable to provide its currency services to banks such as HSBC, Royal Bank of Scotland, NatWest, First Direct, Barclays and Lloyds, all of which rely on Travelex for providing their currency services. Many other companies, such as the supermarket chains Sainsbury’s and Tesco, have also had to stop providing online currency services to their customers. Travelex has been forced to provide services manually using pen and paper for over the counter currency exchanges in its branches. More than 70 countries in which Travelex operates were affected by the attack.
Travelex has only released a limited amount of information about the attack, but the attackers have been in contact with several media outlets. Initial reports suggested a payment of $3 million was required for the keys to unlock the encryption, although the demand doubled to $6 million when payment was not received within the stipulated 2 days. The attackers also threatened to publish data stolen in the attack if the payment was not made within 7 days.
Travelex issued a statement saying no customer data was breached and that the infection was contained, a position that has been maintained since the attack, even though the Sodinokibi gang has threatened to publish customer data.
The Sodinokibi ransomware gang, through a spokesperson, said the gang had stolen 5GB of customer data including customers’ names, dates of birth, credit card information, Social Security numbers, and National Insurance numbers. The gang claimed that all stolen data would be deleted and would not be used if the ransom demand was paid, but that the data would be sold if payment was not received. The gang also said access to Travelex systems was gained 6 months before the ransomware was deployed.
How Was Travelex Attacked?
It is not known at this stage exactly how ransomware was installed on its network, but there have been several security researchers that have offered some clues. According to BleepingComputer, Travelex was using insecure services prior to the attack. Security researcher Kevin Beaumont found Travelex had AWS Windows servers that did not have Network Level Authentication enabled, which could have given the attackers the opportunity they needed to launch an attack.
A critical vulnerability in the Pulse Secure VPN enterprise solution for secure communications – CVE-2019-11510 – was identified and was patched by Pulse Secure on April 24, 2019, but many companies were slow to apply the patch, despite receiving multiple warnings from Pulse Secure. An exploit for the vulnerability was made public on August 21, 2019.
Troy Mursch, chief research officer at Bad Packets, found that Travelex had not applied the patch by the time the exploit was released. The Sodinokibi ransomware gang said they compromised Travelex 6 months prior to the deployment of ransomware. This could have been the vulnerability that was exploited.
Recovery Now Well Underway
On January 13, 2020, more than 2 weeks after the ransomware attack was experienced, Travelex issued a statement confirming that the recovery process was well underway, although the firm’s website was still offline. The company had started restoring its currency services to banks and its own network. Internal order processing has been restored and customer-facing systems are slowly being brought back online. What Travelex has not confirmed is whether the ransom was paid. No Travelex data appears to have been published online so it is possible that a ransom payment has been negotiated with the attackers.
Cost of the Travelex Ransomware Attack
The ransom payment is considerable but is likely to be several orders of magnitude less than the costs of downtime and disruption to its services.
No customer data appears to have been misused, but Travelex could still face a barrage of lawsuits from customers and the Information Commissioner’s Office and other data protection authorities my choose to fine Travelex over the data breach, either for the exposure of data or for the failure to report under GDPR.
GDPR requires data breaches to be reported to data protection authorities within 72 hours and it appears that did not happen. The maximum financial penalty for a GDPR violation is €20 million or 4% of a company’s global annual turnover, whichever is greater. Travelex’s global annual turnover in 2018 was $947.86 million. A fine of $189.57 million could therefore be issued. It should be noted that even if data was not stolen by the attackers and was just made inaccessible, it still counts as a reportable data breach under GDPR.
A payment of $6 million to the attackers would only be a tiny proportion of the total losses from downtime, lost business, lawsuits, and regulatory fines.
Cyberattacks on managed service providers have been increasing over the past few months and they are now a key target for hackers. If a hacker can gain access to the systems of a managed service provider, their remote administration tools can be used to launch attacks on their clients.
There have been several major cyberattacks on managed services providers in the past few weeks, with nation-state-backed hacking groups targeting MSPs serving enterprises and ransomware gangs are conducting attacks on MSPs serving small and medium-sized businesses.
Three major cyberattacks on managed service providers serving healthcare organizations in the United States have been reported in the past two months. All three have affected more than 100 healthcare clients and one impacted 400.
In late November, the Milwaukee-based managed IT service provider, Virtual Care Provider Inc., was attacked with Ryuk ransomware. The attack started on November 17, 2019, and affected all of its clients’ data. Around 110 nursing homes and acute care facilities were prevented from accessing their patients’ medical records. The consequences for its clients were dire. Assisted living facilities and nursing homes were prevented from billing for Medicaid, which meant essential funding was not provided and nursing homes were prevented from ordering essential drugs for patients. Virtual Care Provider was issued with a $14 million ransom demand, which the company could not afford to pay. The managed service provider had around 20% of its services affected and had to rebuild around 100 servers.
The ransomware was deployed as a secondary payload by the TrickBot Trojan. TrickBot had been installed on its network 14 months previously via a malicious email attachment.
A few weeks later, a Colorado-based managed service provider serving dental practices was attacked with ransomware. Complete Technology Solutions was infected with a ransomware variant called Sodinokibi. First, the MSP was attacked, and then its remote administration tools were used to deploy ransomware on the networks of more than 100 dental practices. A ransom demand of $700,000 was issued, which the MSP refused to pay. Its clients are now having to pay the attackers for the keys to decrypt their files. Only a few that had backups stored off the network were able to recover without paying the ransom.
This is the second such attack to affect a company serving the dental industry. The dental record backup service provider, PerCSoft, was also attacked with Sodinokibi ransomware. That attack affected approximately 400 dental practices. CyrusOne was also attacked with Sodinokibi ransomware and its managed services division and six of its clients were affected.
It is not only ransomware that is being used in the attacks. Nation-state threat groups such as APT10 are also targeting MSPs. Their aims are different. The attacks are being conducted to gain access to the intellectual property of their enterprise customers.
As cyberattacks on managed service providers increase, MSPs must ensure that they have adequate defenses in place to keep the hackers at bay. This is an area where TitanHQ can help. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers that serve the SMB market.
TitanHQ offers a trio of solutions for MSPs under the TitanShield program. SpamTitan email security is a powerful cloud-based solution that keeps inboxes free of spam, phishing emails, and malware. SpamTitan incorporates SPF and DMARC to block email impersonation attacks, dual antivirus engines to detect known malware threats, and heuristics and sandboxing to identify and block zero-day threats.
WebTitan Cloud is a 100% cloud-based DNS filtering solution that works seamlessly with SpamTitan to block web-based phishing attacks and malware downloads. The solution allows you to monitor and identify malicious threats in real-time and includes AI-driven protection against active and emerging phishing URLs, including zero-minute threats.
The third solution is ArcTitan, a cloud-based email archiving solution that provides protection against data loss and helps MSPs and their clients meet their compliance obligations. ArcTitan serves as a black box flight recorder for email and stores email data securely in the cloud on Replicated Persistent Storage on AWS S3. When emails need to be searched and recovered, the searches are lightning-fast. ArcTitan can search up to 30 million emails a second.
ArcTitan has recently been moved to a brand new system, with the service delivered as a highly available, self-healing horizontally scaled Kubernetes cluster. Within that cluster are many different components working in harmony together, but independently. Should any component go down, that component can be taken offline and repaired with no impact on the others, ensuring a much more reliable service with minimal or no disruption during an outage. With ArcTitan, email is protected from cyberattacks.
These solutions are not only an ideal for improving the security posture of MSP clients, they can help to ensure that MSP systems are protected from attack. All TitanHQ solutions are quick and easy to implement, have a low management overhead, and are API-driven so they can easily be incorporated into MSP’s remote management and monitoring systems.
To find out more about the TitanShield program for managed service providers and to discover how TitanHQ’s cybersecurity solutions can improve yours and your clients’ security posture, give the TitanHQ channel team a call today.
Cybercriminals are inventive and their attacks are becoming increasingly sophisticated. To help ensure you are prepared and can defend your business against these attacks, we have listed the top 10 cybersecurity threats your business is likely to face, along with some tips to help you prevent a costly data breach.
Cybercriminals are not just trying to attack large enterprises. Sure, a cyberattack on a large healthcare system or blue-chip company can be incredibly rewarding, but the defenses they have in place make attacks very difficult. SMBs on the other hand have far fewer resources to devote to cybersecurity and as a result they are easier to attack. The potential rewards may not be as great, but attacks are more likely to succeed which means a better return on effort. That is why so many SMBs are now being attacked.
There is a myriad of ways that a company can be attacked, and the tactics, techniques and procedures used by cybercriminals are constantly changing. The top 10 cybersecurity threats listed below include the main attack vectors that need to be blocked and will serve as a good starting point on which you can build a robust cybersecurity program.
Top 10 Cybersecurity Threats Faced by SMBs
We have listed the top 10 cybersecurity threats that SMBs need to defend against. All the threats listed below need to be addressed as any one of them could easily result in a costly data breach, data loss, or could cripple your business. Some of the threats listed below will be harder to address than others, and it will take time for your cybersecurity defenses to mature. The important thing is to start the ball rolling and address as many of these areas as soon as possible.
Human Error and Insider Threats
We have listed human error first, as it doesn’t matter what hardware and software solutions you implement, human error can easily undo much of your good work. Mistakes will be made by employees on occasion. What you need to do is reduce the potential for errors and limit the harm that can be caused.
Developing robust policies and procedures and providing training will help to ensure that your employees know how to act and more importantly, how not to.
Mistakes are not the only thing you need to take steps to try to prevent. There may also be individuals on your payroll who will take advantage of poor security for personal gain. You will also need to tackle the problem of insider threats and make it harder for rogue employees to cause harm and steal data. The measures listed below will help address threats from within and reduce risk.
Passwords
Enforce the use of strong passwords but make it easier for your employees to remember them so they don’t try to circumvent your password policy or, heaven forbid, write their passwords down. Implement a password manager to store their passwords so they only have one password or pass phrase to remember.
Rule of Least Privilege
It is obvious, but often overlooked. Don’t give employees access to resources they do not need for their day-to-day work duties. If their credentials are compromised, this will limit the harm caused. It will also limit the harm that can be caused by rogue employees.
Block the Use of USB Devices
USB devices make it easy for rogue employees to steal data and for malware to be accidentally or deliberately be introduced. Implement technical controls to prevent USB devices from being connected, and if they are required for work purposes only give permission to certain individuals to use them. Ideally, use more secure methods of transferring or storing data.
Monitor Employee Activity
If rogue employees are stealing data, you are only likely to find out if you are monitoring their computer activity. Similarly, if credentials are compromised, system logs will highlight any suspicious activity. Make sure logs are created and monitored. Consider using a security information and event management (SIEM) solution to automate this as much as possible.
Terminate Access at Point of Termination
Terminating an employee? Terminate their access to your systems at the point of termination. It is surprising how often employee access rights are not terminated for days, weeks, or even months after an employee has left the company.
We will cover some more important safeguards to implement to protect against user error in the following 9 SMB cybersecurity threats.
Phishing and Social Engineering Attacks
Phishing is arguably the biggest cybersecurity threat faced by SMBs. Phishing is the use of social engineering techniques to persuade people to divulge sensitive information or take an action such as installing malware or ransomware. This is most commonly achieved via email, but can also occur via text messages, social media websites, or over the telephone.
Do not assume that your employees have common sense and know not to open email attachments from unknown individuals or respond to enticing offers from legal representatives of Nigerian princes. You must train your employees and teach cybersecurity best practices and show them how to identify phishing emails. Refresher training should be provided at regular intervals and you should conduct phishing simulation exercises (which can largely be automated) to find out who has taken the training on board and who is a liability that needs further training.
Employees are the last line of defense. You need a layer of security above your employees to make sure their security awareness training is never required. That means an advanced anti-spam solution needs to be in place to block threats before they reach inboxes. If you use Office 365, you should still implement an antispam solution. A recent study by Avanan revealed 25% of phishing emails bypass Office 365 antispam defenses.
Another layer of protection should also be implemented to protect against phishing: Multi-factor authentication. This is the use of an additional authentication factor that will kick into action if an attempt is made to use credentials from an untrusted device or location. If credentials are compromised in a phishing attack, multi-factor authentication should stop them from being used to gain access to email accounts, computers, or network resources.
Malware and Ransomware
Malware, viruses, ransomware, spyware, Trojans, worms, botnets, and cryptocurrency miners are all serious threats that you must take steps to block. It goes without saying, but we will say it none the less, you need to have antivirus software installed on all endpoints and your servers.
Malware can be installed in many ways. As previously mentioned, blocking USB devices is important and spam filtering software with sandboxing will protect you from email-based attacks. Most malware infections now occur via the internet, so a web filtering solution is also important. This will also add an extra layer to your phishing defenses. A web filter will block drive-by malware downloads, prevent employees from visiting malicious sites (including phishing websites) and also allows you to enforce your internet usage policies. A DNS filtering solution is the best choice. All filtering takes place in the cloud before any content is downloaded and it will not add to your patching burden.
Shadow IT
Shadow IT – The term given for any hardware or software in use that has not been authorized by your IT department. This could be a portable storage device such as a zip drive, a VPN client to bypass your web filter, an application to help with work tasks, or all manner of other software. It is surprising to find exactly how many of these programs are installed on users’ devices when IT support staff are called upon to sort out a problem!
So, what is the problem? Anything installed without authorization is a potential security and compliance risk. Your security team has no control over patching, and vulnerabilities in those applications could easily go addressed for months and give hackers an easy entry point into your network. Fake applications could be downloaded that are really malware, software packages often include a host of potentially unwanted programs and spyware, and any data stored in these applications could be transmitted to unsecure locations. Those applications and data contained therein are also unlikely to be backed up by the IT department. If anything happens, data can easily be lost.
Unpatched Software
The importance of prompt patching cannot be understated. Vulnerabilities exist in all software solutions. Sooner or later those vulnerabilities will be found, and exploits will be developed to take advantage. Security researchers are constantly looking for flaws that could potentially be exploited by threat actors to gain access to sensitive information, install malware, or remotely execute code. When these flaws are identified and patches are released, they need to be applied promptly. Oftentimes, vulnerabilities are being actively exploited by the time a patch is released. It is essential for these vulnerabilities to be addressed as soon as possible and for all software to be kept up to date.
When software or operating systems are approaching end of life, you must upgrade. When patches stop being issued and software is unsupported, any vulnerabilities will remain unaddressed and can easily be exploited.
Out of Date Hardware
Not all vulnerabilities come from out of date software. The hardware you use can also introduce risks. You must keep an inventory of all your hardware, so nothing slips through the cracks. Firmware updates should be applied as soon as it is made available and you should monitor for any devices that are approaching end of life. If your devices do not support the latest operating systems, then it is time to replace your hardware. This will naturally come at a cost, but so do cyberattacks and data breaches.
Unsecured IoT Devices
The Internet-of-Things offers convenience but IoT devices are a potential liability. IoT devices can send, store or transmit data so they must be be secured.
Unfortunately, in the hurry to connect everything to the internet device manufacturers often overlook security as do users of these devices. Take security cameras for instance. You may be able to access your cameras remotely, but you may not be the only person who can. If your security cameras are hacked, thieves could see what you have, where it is located, and where and when security is lax. There have been cases of security cameras being hacked due to the failure to change default credentials for remote management.
Ensure you change the default credentials on the devices and use strong passwords. Keep the devices up to date, and if the devices need to connect the network, make sure they are isolated from other resources. Cybercriminals can also take advantage of flaws in the applications to which these IoT devices connect. They must also be kept up to date.
Man-in-the-Middle Attacks and Public Wi-Fi
A man-in-the-middle (MITM) attack is an attack scenario where communications between two individuals (or one individual and a website or network) are intercepted and potentially altered. An employee may believe they are communicating securely, when everything they are saying or doing is being seen or recorded. An attacker could even control the conversation between two people and be communicating with each separately while both individuals believe they are communicating with each other. This method of attack most commonly occurs through unsecured Wi-Fi hotspots or evil twin hotspots – Fake Wi-Fi hotspots set up in coffee shops, airports, and any other location where free Wi-Fi is offered.
If you have remote workers, you need to take steps to ensure that all communications are kept private. This can be achieved in two main ways. By making sure employees use a secure VPN that encrypts their communications over public or unsecured Wi-Fi networks and also by implementing a DNS filtering solution. The DNS filtering solution provides the same protection for remote workers as it does for on-premises workers and will prevent malware downloads and employees from accessing malicious websites.
Mobile Security Threats
There is no denying the convenience of mobile devices (laptops, tablets, smartphones). They allow workers to be instantly contacted and lets them work from any location. Mobile devices improve employee mobility, can lead to greater employee satisfaction, and will help you to boost productivity. However, the devices also introduce new risks. Whether you supply these devices or operate a BYOD policy, you need to implement a range of security controls to ensure those risks are managed.
You need to make sure you know of every device that you allow to connect to the network. A mobile device security solution can help you gain visibility into mobile device use and allow you to control your applications and data.
You should ensure the devices have security controls applied, can only access your network via secure channels (VPN), ensure the devices are covered by a DNS filtering solution, and any work data stored on the devices needs to be encrypted.
Remote Desktop Protocol
Remote desktop protocol (RDP) allows employees remotely connect to your computers and servers when they are not in the office and lets your managed service provider quickly sort out your problems and maintain your systems without having to pay a visit. RDP also gives hackers an easy way to gain access your computers, servers, and steal data or install malware. Do you need RDP enabled? If not, disable it. Does it need to be used internally only? Make sure that RDP is not exposed to the internet.
If you do need RDP, then you need to exercise extreme caution. Make sure that users can only connect via a VPN or set firewall rules. Limit the individuals who have permissions to use RDP, ensure strong passwords are set, and that rate limiting is implemented to protect against brute force attacks. Also use multi-factor authentication.
Stolen RDP credentials are often used by hackers to gain access to systems, brute force attempts are often conducted, and vulnerabilities in RDP that have not been patched are frequently exploited. This is one of the main ways that ransomware is installed.
These are just the top 10 cybersecurity threats faced by SMBs. There are many more risks that need to be identified and mitigated to ensure you are protected. However, by addressing the above issues you will have already made it much harder for hackers and cybercriminals to do your business harm.
TitanHQ is Here to Help!
TitanHQ can assist by providing you with advanced cybersecurity solutions to protect against several of the above listed top 10 cybersecurity threats and will the two most commonly used attack vectors – email and the web-based attacks. These solutions – SpamTitan and WebTitan – are 100% cloud based, easy to implement and maintain, and will provide superior protection against malware, ransomware, viruses, botnets, and phishing attacks.
Further, these powerful solutions are affordable for SMBs. You are likely to be surprised to find out how little these enterprise-grade security solutions will cost. If you are a managed service provider that services the SMB market, you should also get in touch. SpamTitan and WebTitan have been developed by MSPs for MSPs. There is a host of reasons why TitanHQ is the leading provider of cloud-based email and web security solutions to MSPs that service the SMB market!
Contact our friendly (and non-pushy) sales team today to find out more, book a product demo, and register for a free trial.
Q3, 2019 has seen TitanHQ register record-breaking growth in the MSP market with its busiest ever quarter for MSP sales. TitanHQ now has more than 2,200 MSP partners and its cloud-based email security, web security, and email archiving platforms are now used by more than 8,200 businesses around the world.
Many great success stories start from humble beginnings, and TitanHQ is no exception. The company started life as Copperfasten Technologies in 1999 and sold anti-spam appliances to local businesses from its Galway, Ireland base. The company then developed its own cybersecurity solutions, starting with the anti-spam and anti-phishing solution, SpamTitan.
The product portfolio grew to include WebTitan web filtering, a powerful DNS-based web security solution to protect businesses from the full range of internet threats. That was followed by the launch of ArcTitan, a cloud-based email archiving solution for businesses that eases their email storage and compliance burden.
That trio of core TitanHQ products has proven to be a massive hit with managed service providers, although not by accident. Many companies have developed innovative solutions for SMBs but have only realized the importance of the MSP market later on. Additional features are then added to appeal to MSPs. TitanHQ took a different approach. Its solutions were developed by MSPs for MSPs and MSPs were considered at every stage of product development. The result is a suite of security solutions tailor-made for MSPs.
This approach, along with cutting-edge technology and industry-leading customer support, has seen the company go from strength to strength and become the gold standard in email and web security and the leading global provider of cloud-based security solutions for MSPs servicing the SMB market.
Phishing attacks on businesses are soaring, new malware variants are being released at record levels, and the current ransomware epidemic is threatening to derail businesses. Many SMBs lack the internal resources to block these threats and turn to MSPs to provide the security they need.
To cope with the increased demand, MSPs need solutions with 100% cloud-based architecture that seamlessly integrate into their existing centralized management systems and are easy to implement, use, and maintain. Ideally, those solutions need to be flexible, have a range of hosting options, be available in white-label form to take MSP branding, and also include generous margins. That is a big ask, and many solutions only tick a few of those boxes. However, TitanHQ’s suite of solutions include all those features and more.
TitanHQ also offers extensive sales enablement and marketing support, world-class customer service, and each MSP has a dedicated account manager, engineers, and a support team to help them maximize their sales opportunities and really grow their businesses.
As part of the celebration of the Q3, 2019 MSP growth, TitanHQ has launched a new initiative to ensure Q4 will be an even bigger success.
On October 22, TitanHQ announced a new disruptive price package for a SpamTitan Email Security and WebTitan DNS filtering bundle at an exclusive once-in-a-lifetime price. The initiative has been called Margin Maker for MSPs and is intended to ensure MSPs build profitability instantly in Q4, 2019.
The two solutions are provided in two private clouds, customized to meet MSPs email and web security needs, and secure the most common attack vectors – email and the web. The package includes advanced protection for email, including Office 365 environments, complimented by WebTitan DNS filtering to block web-based threats and implement content control for on-premises and remote workers. These solutions are naturally provided with extensive sales enablement and marketing support.
The aim is to make TitanHQ’s email and web security platforms even more appealing to MSPs and to encourage MSPs to offer both SpamTitan email security and WebTitan web filtering to their clients and maximize revenues.
One MSP that is already boosting its profits and achieving increased, reliable recurring monthly revenues is UK-based OpalIT. The MSP has bases in Newcastle and Edinburgh and a 6,000+ customer base. Prior to joining the TitanShield program, OpalIT was offering its clients firewall filtering and email filtering with Barracuda and Vade. The company has now switched to TitanHQ’s cybersecurity bundle and is pushing SpamTitan Email Security, WebTitan DNS filtering, and ArcTitan email archiving to its clients and is reaping the rewards.
“Opal IT moved to TitanHQ because of our MSP focused solutions, ease of deployments, extensive APIs functionality and the increased margin they’re now making. Our cybersecurity bundle solutions allow MSPs to provide their downstream customers with a layered defense approach” said Rocco Donnino, EVP Strategic Alliances, TitanHQ.
If you are a managed service provider, now is the perfect time to sign up with TitanHQ. Come and meet the TitanHQ channel team at the following MSP events to find out more about the TitanShield program for MSPs, OEMs, and service providers, and take advantage of the amazing new MSP package.
If you are unable to attend any of these events, be sure to give the TitanHQ team a call to find out more and take advantage of this exciting new and exclusive offer.
IT Nation Connect 2019, the ConnectWise conference for the IT professional community, will be taking place on October 30, 31, and November 1 at the Hyatt Regency in Orlando, Florida.
The event is the leading conference for companies that sell, support, and service technology and is focused on helping attendees build a strong business and achieve long-term success. Attendees will gain practical advice from experts in the IT Nation community and will have the opportunity to build meaningful business connections and learn how to work on their businesses.
This year’s topics for the session tracks are mergers & acquisitions, growth & scalability, talent development & leadership, service delivery & customer success, sales & marketing, and security.
Security is a key focus of IT Nation Connect 2019. The event will provide opportunities to discover how security frameworks and IT solutions can help you bulletproof your business and protect your clients’ networks from cyberattacks. Attendees will also gain deep insights into the current state of security in the MSP space.
Leading security experts will be discussing the steps that the government is taking to combat cyber threats, the lessons the government and private firms have learned, and how security experts see the threat landscape evolving over the coming year.
Founders and CEOs of the most successful MSPs and IT firms will explain what it is like to be a trailblazer, how they achieved their successes, the mistakes they made on the way, and what the future holds for the IT Nation community.
More than 80 thought leaders, ConnectWise partners, and ConnectWise colleagues will taking over 130 educational, networking and panel sessions and will be sharing success stories, best practices, and the lessons they have learned to help attendees succeed and grow their businesses.
The conference offers an exceptional opportunity for learning, networking, and discovering technology solutions that can save you time, money, and boost the profitability of your business. Such an important event for the IT community is not to be missed.
TitanHQ will be attending the event to explain why TitanHQ is the global leader in cloud-based email and web security solutions for MSPs servicing the SMB market, the advantages of doing business with TitanHQ, and how TitanHQ solutions can help you better protect your environment and those of your clients from increasingly sophisticated cyber threats.
TitanHQ Marketing Director Dryden Geary, Sales Director Conor Madden, and Inside Sales Executive Peter Cooke will explain the benefits of the TitanShield program for MSPs, OEMs, technology partners, and Wi-Fi providers and show you just how easy it is to incorporate SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving into your security stacks.
If you are attending the event, be sure to make time to meet with TitanHQ and feel free to reach out in advance of the event if you have any questions.
The 2019 Canalys Cybersecurity Forum will be taking place in Barcelona on October 16-17, 2019. The event is the only independent conference dedicated to the cybersecurity channel and is one of the most important events of the year for managed service providers (MSPs).
The event provides an incredible opportunity for MSPs looking to enhance their security stacks, provide greater value, and better protect their clients from increasingly sophisticated security threats. Attendees will have the opportunity to have 1:1 meetings with more than 700 established and new partners and discover best practices to adopt to get the most out of their cybersecurity solutions.
The event is also a must for MSPs who have yet to start offering managed security services as it will allow them to form new partnerships with Europe’s best cybersecurity solution partners who will help them grow their businesses significantly over the coming year.
Leading cybersecurity vendors will be taking thought-crunching sessions and sharing their knowledge to help partners succeed. Attendees will be able to engage in intense debates and interact with some of the brightest minds in the field of cybersecurity. Questions can be posed in multi-vendor theatre panels to get the answers from the leading cybersecurity solution providers in the EMEA region.
Highlights of this year’s event include panels, theatre and keynotes exploring the re-imaging of the idea of solutions, generalist vs. specialist in the cybersecurity channel, the next catalyst that will drive security sales, and how the role of the CSO is evolving in the hybrid IT world.
Canalys analysts will also be providing keynote speeches and sharing their insights into the current threat landscape and some of the burning issues of the moment. The event will also see Canalys name the new Threat Fighter and MSSP winners in the Canalys Channel Partner Awards.
TitanHQ Sales Director, Conor Madden
The event provides an amazing opportunity for networking with more than 200 channel partner delegates in attendance. New alliances can be formed and along with the knowledge gained, attendees will be able to make important decisions that will have a major positive impact on growth for the coming year.
TitanHQ is a proud sponsor of the 2019 Canalys Cybersecurity Forum and the team will be on hand to answer questions and explain why TitanHQ is the global leader in cloud-based email and web security solutions for the MSP that services the SMB market.
TitanHQ Strategic Alliance Manager, Marc Ludden
At the event you will be able to discover the considerable benefits of using SpamTItan email security, WebTitan DNS filtering, and ArcTitan email archiving to solve your clients security issues, better protect them from cybersecurity threats, and help them achieve their compliance objectives… and how easy TitanHQ makes this for MSPs.
TitanHQ Sales Director Conor Madden will be a panelist at the event and will be answering questions from attendees on email security, web security, email archiving and how to get the most out of TitanHQ’s cybersecurity solutions for MSPS and SMBs.
Marc Ludden, TitanHQ’s Strategic Alliance Manager, will also be attending and meeting with enterprise-level clients and major MSPs and ISPs to help them push TitanHQ products downstream to their customers, grow their businesses, and improve their bottom lines.
You can find out more about this one in a year opportunity here – Canalys Cybersecurity Forum 2019 – and feel free to reach out to TitanHQ in advance of the event.
If you are unable to attend this year’s Canalys event, TitanHQ will be on the road throughout October and November. Be sure to connect at one of the other fall 2019 events below:
If you are looking for a Cisco Umbrella alternative, you are not alone. TitanHQ has helped multiple businesses change from Cisco Umbrella to WebTitan Cloud. In most cases, the main reason why businesses seek a Cisco Umbrella alternative is to save money; but – depending on which Cisco Umbrella plan you subscribe to – WebTitan Cloud can also help better protect your business against web-borne threats and give you more control over Internet usage.
One of the challenges of evaluating a Cisco Umbrella alternate is that there are four versions of Cisco Umbrella – ranging in capabilities from a basic (and not entirely effectively) web filter to a top-of-the-range Secure Access Service Edge (SASE) solution. This makes it difficult to conduct apples-for-apples comparisons especially with regards to price due to a lack of pricing transparency with both the licensing costs and the add-ons – some of which are necessary and one of which is mandatory.
Cisco Umbrella Review
The four versions of Cisco Umbrella are DNS Essentials, DNS Advantage, SIG Essentials, and SIG Advantage; and because the versions increase in capabilities as you go through the range, we have provided a synopsis of each version´s capabilities below.
DNS Essentials
DNS Essentials is the entry-level version of Cisco Umbrella. It blocks websites known to be harboring malware and published to conduct phishing attacks, blocks or allows Internet access by domain or category, and enables system administrators to create user policies and view activity reports – albeit at an additional cost if you integrate DNS Essentials with (for example) Active Directory.
The big problem with the DNS version of Cisco Umbrella is that it does not decrypt and inspect the content of encrypted websites. Therefore, if a website is not yet known to be harboring malware – or contains adult content that would normally be blocked by category – the filter will not be able to identify the content and the website will evade detection as a malicious or harmful website.
DNS Advantage
This version of Cisco Umbrella is more advanced than the entry-level version inasmuch as it supports SSL decryption and inspection and will block websites and files based on anti-virus inspection. It also blocks direct-to-IP traffic such as command and control callbacks that bypass DNS filters and can be integrated with the Cisco Investigate console to analyze threats (at an additional cost).
However, like the DNS Essentials version, DNS Advantage only blocks websites by domain, rather than by URL. This can create issues if, for example, you want to prevent users wasting time reading the sports pages of an online newspaper but want to give the finance team access to the online newspaper´s money pages. The same limitation applies to “allow” lists. It´s either all or nothing.
SIG Essentials
The first of two Secure Internet Gateway (SIG) packages improves on the DNS packages by providing more granularity over Internet usage. This version also comes with a cloud firewall that can be configured to block or allow specific IPs, ports, and protocols, while the anti-virus engine can be configured to scan previously benign files to check for previously disguised threats.
The drawback of this solution is that it is not a complete Secure Internet Gateway solution without subscribing to multiple add-ons (for example, outbound traffic scans) or overcoming limitations on services such as cloud storage scans. It is also important to be aware there is a mandatory charge for onboarding (applies to all versions) and an extra charge for priority technical support.
SIG Advantage
SIG Advantage has been acknowledged as a leading SASE solution by Gartner´s Magic Quadrant and this version of the Cisco Umbrella includes almost everything that is an add-on in other versions (except onboarding and technical support). Furthermore, you can enhance the capabilities of the SASE solution by taking advantage of Cisco Talos Incident Response (at a cost).
If there is an issue with this version, it is that it includes many features and capabilities that may exist in other security solutions already being used by the business (i.e., Microsoft Sentinel, Amazon Security Lake, etc.). Additionally, if the business does not have the technical abilities in-house to take advantage of all the capabilities, you won´t see a good ROI from SIG Advantage.
Cisco Umbrella Licensing
Each of the versions has a subscription-based licensing structure – the price of which varies according to the number of users, the length of the subscription, and the location of the business. The cost of add-ons is also calculated in the same way, offering economies of scale to larger companies in the “right” area who subscribe for the maximum five years.
Generally, the cost of Cisco Umbrella licensing has to be paid all-upfront, although some resellers allow monthly, quarterly, or annual payments. Additionally, while you might be able to get a better deal from resellers, you have to be sure that the deal you are getting includes all the add-ons you require to filter the Internet securely and effectively.
How Much Does Cisco Umbrella Cost?
Due to there being four different version of Cisco Umbrella, multiple add-ons, and a lack of pricing transparency it is impossible to answer the question how much does Cisco Umbrella cost. Some resellers advertise the DNS Essentials version with prices starting from $1.50 per user per month (for > 25,000 users/5-year subscription), but it is not possible to determine what this price includes.
Anecdotal evidence suggests the cost of the DNS Advantage version including mandatory onboarding and technical support is $2.70 per user per month for a business with 100 to 499 users. Even if other add-ons are included in the price, this still seems a little high compared with a Cisco Umbrella alternate such as WebTitan for which the equivalent cost per user per month id $1.58.
Is Cisco Umbrella Pricing Negotiable?
Although few businesses reveal how much they are paying for Cisco Umbrella, there does appear to be a range of prices published in user forums and comment boxes that imply you can get a discount off Cisco Umbrella pricing if you negotiate hard enough. What´s not clear is whether any discount off Cisco Umbrella pricing is from Cisco directly or from resellers.
Resellers is probably the best way to go if you are looking to protect a large number of users because resellers have profit margins they will likely be prepared to trim to get the business. Additionally, you can also play one reseller against another. However, beware of “introductory offers”, as the price will increase significantly when the time comes to renew the subscription.
Can the Cisco Umbrella Price be Justified?
It depends on what your business needs. If, for example, you compare the anecdotal price of the DNS Advantage version against a Cisco Umbrella alternative such as WebTitan, you could save around 40% by switching to WebTitan. Even if you negotiate a deal for DNS Advantage, the version of Cisco Umbrella you get is still going to lack granular filtering to effectively control Internet usage.
However, if your business needs all the bells and whistles of the SIG Advantage version of Cisco Umbrella – and none of the SASE solution´s capabilities are duplicated in existing security solutions – you may feel the Cisco Umbrella price is justified. However, we would strongly suggest researching what else is available before committing to a long term subscription.
WebTitan Cloud: An Ideal Cisco Umbrella Alternative
Cost is not the only consideration when looking for a Cisco Umbrella alternative – you need to sure that your DNS filtering and Internet security solution is providing you with maximum protection against web-borne threats and maximum control over Internet usage. You can be assured of both with WebTitan Cloud.
For example, rather than updating threat databases retrospectively as some solutions do, WebTitan Cloud´s threat database is updated in “real-time” to mitigate the risk of emerging threats evading detection. Additionally, WebTitan Cloud includes “Zero-Minute” protection against emerging phishing threats.
With regards to maximum control over Internet usage, WebTitan Cloud allows system administrators to apply acceptable usage policies by user, group, department, or location. Policies can also be applied by time of day, or – for schools – by school year to ensure students only have access to age-appropriate content.
Finally, WebTitan Cloud has been developed to be easy to implement, configure, use, and maintain. We aim for minimal administrative overhead, but there will naturally be times when things don’t go according to plan. In the event of a problem, all customers benefit from world class support at no extra cost (and in no priority order).
WebTitan Cloud Benefits for MSPs
One of the features of WebTitan Cloud that is particularly attractive to MSPs is the ability to host the solution locally within their own environment. Most businesses will choose to host WebTitan Cloud with TitanHQ, but the option is available if this suits you better. MSPs can also be supplied with WebTitan Cloud in white label format for rebranding and reselling.
Transparent pricing – including monthly billing
Multiple hosting options, including within your own data center
Product can be supplied in white label format for rebranding
No monthly minimums or yearly commitments
The product can scale to meet your needs (and shrink too if needed)
Extensive suite of customizable reports
Easy integration into existing security and customer management systems
World-class customer support included in the cost
Generous margins for MSPs
Access to an extensive library of support materials
Book a Free Web Filtering Demo to Find Out More
If you have any questions about WebTitan Cloud, would like information on how you can switch from Cisco Umbrella, or would like a product demonstration, complete the form below and one of the WebTitan team will be in touch to organize a convenient time for your free no-obligation demo.
The demo will not only show how easy it is to set up WebTitan Cloud, but how effective it is at blocking web-borne threats and helping your business control Internet usage. The opportunity also exists to take advantage of a free trial of WebTitan Cloud to evaluate its potential as a Cisco Umbrella alternative in your own environment.
The cost of a ransomware attack can be considerable. Several attacks in the United States have seen payments of hundreds of thousands of dollars made for the keys to unlock the encryption. While those payments are certainly high, they are a fraction of the total cost of a ransomware attack which are usually several times the cost of any ransom payment.
Recovery without paying a ransom can be considerably more. The ransomware attack on the city of Baltimore saw a ransom demand of around $76,000 issued. Baltimore refused to pay. The attack is estimated to have cost the city at least $18.2 million.
The cost of that ransomware attack is high, but nowhere the cost of a suspected September 2019 ransomware attack on the Danish hearing aid manufacturer Demant. The firm experienced the attack on or around September 3, 2019. One month on and the firm still hasn’t recovered. In a recent message to its investors, the firm said the cyberattack would cost an estimated $80 million to $95 million, even though the company held a cyber insurance policy. Without that policy the bill would have been $14.6 million higher.
According to a notice on the firm’s website, it experienced “a critical incident” when its “IT infrastructure was hit by cyber-crime.” Ransomware was not mentioned by the firm although it has been reported as a ransomware attack by the Danish media.
The attack impacted its Polish production and distribution facilities, French cochlear implants production sites, Mexican production and service sites, its amplifier production site in Denmark, its entire Asia-Pacific network, and its enterprise resource planning (ERP) system.
The firm is recovering its IT infrastructure and believes it will take a further two weeks for systems to be restored and business operations to approach normality. However, the effects of the attack are expected to be long-lasting.
The inability to access its systems across all these areas has caused major disruption to the company. The firm has been unable to supply its products, receive and process orders, and clinics in its network have had difficulty servicing end users.
Due to the limited information released it is unclear whether the company refused to pay a ransom, if the attackers could not supply valid keys to unlock the encryption, of if this was a sabotage attack akin to the NotPetya wiper malware attacks of 2017.
If this was a ransomware attack, the losses far exceed those of the Norwegian aluminum and energy company Norsk Hydro, whose ransomware attack cost the firm around $70 million, although it is a fraction of the cost of the NotPetya attacks on the shipping firm Maersk and FedEx, both of which caused losses of around $300 million.
These incidents all demonstrate just how damaging cyberattacks can be and the massive costs of recovery. As is typical, the cost of recovering its IT systems accounted for a small proportion of the total cost – around $7.3 million. The bulk of the losses were due to lost sales and the inability to process orders, which the company says make up around half of the estimated losses.
In a press release, the firm said in addition to the lost sales, “the incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market.”
Malware, ransomware and wiper malware are most commonly delivered via a small number of attack vectors. All too often they start with a phishing email, exploitation of RDP, drive-by malware download, or the exploitation of unpatched vulnerabilities. The cost of preventative measures to block these attack vectors is pocket change by comparison to the cost of recovery from an attack.
TitanHQ cannot help businesses with securing RDP and patching promptly, but we can help businesses secure the email system and protect against drive-by malware downloads and other web-based attacks.
To find out more about how you can improve security against email- and web-based attacks, from a cost of as little as 90 cents per user per month, give our sales team a call.
The sales team will be happy to explain the ins and outs of our web and email security solutions, schedule product demonstrations, and help set you up for a free trial of our SpamTitan email security and WebTitan web security solutions and greatly improve your defenses against phishing, ransomware, malware, and wiper attacks.
The dangers of ransomware attacks have been made abundantly clear to more than 5,000 patients in California whose medical records have been permanently lost as a result of a ransomware attack on their healthcare provider.
Simi Valley, CA-based Wood Ranch Medical experienced the attack on August 10, 2019 which saw ransomware deployed and executed on its servers which contained the medical records of 5,835 patients. The attack caused permanent damage to computer systems, and since backup copies of patient records were also encrypted, those records have been permanently lost. It is unclear how much the attackers demanded as payment for the keys and whether those keys would have worked had the ransom been paid.
Without patient records and faced with the prospect of having to totally rebuild the medical practice from scratch, the decision was taken to permanently close the business. Patients have been forced to find alternative healthcare providers and no longer have access to their medical records.
This is the second healthcare provider in the United States that has been forced out of business due to a ransomware attack. Brookside ENT and Hearing Center in Battle Creek, Michigan also closed its practice this year as a result of a ransomware attack. In that case, the practice owners refused to pay the ransom demand and patient records were permanently encrypted. The practice owners decided it was not possible to rebuild the practice from scratch and announced their early retirement.
It is unclear exactly how the ransomware was installed in each of these incidents, so it is not possible to determine what defenses could have been improved to prevent the attacks. However, in both cases, recovery of files from backups was not possible.
The purpose of a backup is to ensure that in the event of disaster, data will be recoverable. File recovery may be time consuming and downtime due to the attack likely to be expensive, but data will not be permanently lost.
In order to ensure file recovery is possible, backups must be tested. Files may be corrupted during the backup process and data restoration may not be possible. If backups are not tested to make sure files can be recovered, it will not be possible to guarantee file recovery in the event of disaster.
These incidents also highlight another fundamental rule of backing up. NEVER store the only copy of a backup on a networked or internet-connected computer.
In the event of ransomware attack, it is highly likely that backup copies on networked devices will be encrypted along with shadow volume copies. Ransomware encrypts these files to make sure the only way of recovering data is paying the ransom.
Even paying a ransom comes with no guarantee that data will be recoverable. Files may be corrupted through the encryption/decryption process – some data loss is inevitable – and the attackers may not be able to supply valid keys to decrypt files.
A good backup approach to adopt to prevent disasters such as these is a 3-2-1 strategy. 3 backups should be created, which should be stored on 2 different media, with 1 copy stored securely off site on a device that is not networked or connected to the internet.
After a quiet summer, the Emotet botnet is back in action. The threat actors behind Emotet are sending hundreds of thousands of malicious spam emails spreading the Emotet Trojan via malicious Word documents.
Emotet first appeared in 2014 and was initially a banking Trojan used to obtain credentials to online bank accounts. The stolen credentials are used to make fraudulent wire transfers and empty business accounts. Over the years the Trojan has evolved considerably, with new modules being added to give the malware a host of new features. Emotet is also polymorphic, which means it can change itself each time it is downloaded to avoid being detected by signature-based anti-malware solutions. Up until the start of 2019, more than 750 variants of Emotet had been detected.
The latest iteration of Emotet is capable of stealing banking credentials and other types of information. It is also capable of downloading other malware variants, which has led to security researchers naming it ‘triple-threat malware,’ as it has been used recently to download the TrickBot Trojan and Ryuk ransomware. These three malware threats along with the scale of the operation make Emotet one of the most dangerous threats faced by businesses. It is arguably the costliest and most destructive botnet ever seen.
Last summer, Emotet activity was so high and the threat so severe that the Department of Homeland Security issued an alert to all businesses in July 2018 warning them of the threat. That warning was mirrored by the UK National Cyber Security Center which published its own warning about the malware in September 2018. Activity remained high well into 2019, but suddenly stopped at the start of June when command and control server activity fell to next to nothing.
The hiatus in activity was only brief. Researchers at Cofense Labs discovered its command and control servers had been activated again in late August and a massive spamming campaign commenced on September 16 using bots in Germany. The campaign was initially focused on businesses in the United States, Germany, and United Kingdom but the campaign has now spread to Austria, Italy, Poland, Spain, and Switzerland.
After being downloaded, Emotet spreads laterally and infects as many devices as possible on the network. Email accounts on infected machines are hijacked and used to send further spam emails to all contacts in the account. Finally the malware downloader module is used to a secondary and often tertiary malware variant.
The latest campaign uses Word documents containing malicious macros, which launch PowerShell scripts that fetch the Emotet Trojan from a variety of different compromised websites, many of which are running the WordPress CMS.
The campaign uses a variety of lures including invoices, payment remittance advice, and statements, the details of which are contained in Word documents that require content to be enabled to view the document content.
Upon opening the document, the user is requested to accept the Office 365 license agreement. Failure to enable content, so the document claims, will result in Microsoft Word features being disabled.
This campaign includes personalized subject lines including the recipients name to increase the likelihood of a user taking the requested action. Genuine email thread are also hijacked to make it appear that the user has already been communicating with the sender of the email. Around a quarter of attacks use hijacked email threads. Data from Cofense indicates emails are being sent from 3,362 hijacked email accounts from 1,875 domains.
It is currently unclear whether Ryuk ransomware is being distributed in this campaign. Several researchers have confirmed that TrickBot is being downloaded as a secondary payload.
The key to blocking attacks with polymorphic malware is to implement layered defenses, including an advanced spam filtering solution, anti-virus software, and web filter. It is also important to ensure that the staff is made aware of the threat of attack and the types of email that are being used to spread the Trojan.
This fall, TitanHQ will be attending several Managed Service Provider (MSP) events and trade shows throughout Europe and the United States.
TitanHQ has been developing innovative cybersecurity solutions for MSPs for more than two decades and all solutions have been created with MSPs firmly in mind. By involving MSPs in the design process, TitanHQ has been able to ensure that its products incorporate features to make life easier for MSPs, such as easy integration into MSPs management systems through the use of APIs to features rarely found in cybersecurity products – such as full white label versions ready for MSP branding and the ability to host the solutions within MSPs own environments.
Trade shows give the TitanHQ team the opportunity to meet face to face with prospective clients to discuss their email and web security needs and get face to face feedback from current customers that have already integrated TitanHQ products into their technology stacks.
The TitanHQ team kicked off the fall schedule of trade shows on September 12 at the Taylor Business Group BIG 2019 Conference at the Westin Hotel in Chicago, where members got to meet the TitanHQ team to discuss the new TitanShield program and discover how TitanHQ products can improve security for their clients while saving MSPs time and money.
At the same time, TitanHQ was at the CloudSec Europe 2019 Conference in London demonstrating WebTitan Cloud, SpamTitan Cloud, and ArcTitan to MSPs and cloud service providers.
If you were unable to attend either of these two events or did not get the chance to meet with the team, all is not lost. The fall schedule has only just commenced and there are still plenty of opportunities to meet the team to discuss your requirements and find out how TitanHQ products can meet and exceed your expectations.
Trade Events Attended by TitanHQ – Autumn, 2019
Date
Event
Location
September 17, 2019
Datto Dublin
Dublin, Ireland
September 18, 2019
MSH Summit
London, UK
October 6-10, 2019
Gitex
Dubai, UAE
October 7-8, 2019
CompTIA EMEA Show
London, UK
October 16-17, 2019
Canalys Cybersecurity Forum
Barcelona, Spain
October 21-23, 2019
DattoCon Paris
Paris, France
October 30, 2019
MSH Summit North
Manchester, UK
October 30, 2019
IT Nation Evolve (HTG 4)
Florida, USA
October 30, 2019
IT Nation Connect
Florida, USA
November 5-7, 2019
Kaseya Connect
Amsterdam, Netherlands
If you plan on attending any of the above events this fall, be sure to come and visit the TitanHQ team and feel free to reach out ahead of the events for further information.
Rocco Donnino, Executive Vice President-Strategic Alliances, LinkedIn
Eddie Monaghan, MSP Alliance Manager, LinkedIn
Marc Ludden, MSP Alliance Manager, LinkedIn
Dryden Geary, Marketing Director
TitanHQ has announced it has entered not a new partnership with one of the United Kingdom’s leading Managed Service Providers (MSPs), OneStopIT.
For more than 16 years, OneStopIT has been helping small to medium sized businesses (SMBs) implement enterprise-class technology solutions. The Edinburgh-based MSP is focused on providing process-driven IT solutions to growing organizations at an affordable price.
Through the company’s dealing with UK businesses it has become clear that one of the biggest problem areas is phishing. Phishing attacks on UK businesses are now occurring at record pace and those attacks are costing businesses dearly.
UK businesses need advanced, enterprise-level cybersecurity solutions, but at an affordable SMB-friendly price. To improve protection against phishing and malware attacks, OneStopIT turned to TitanHQ.
TitanHQ has developed powerful cloud-based solutions for the SMB marketplace that incorporate enterprise-grade security features, but at a price that is affordable for even the smallest business. These solutions have been developed to be delivered by MSPs and can be easily incorporated into MSP auto-provisioning, billing, and management systems.
Under the new partnership, OneStopIT will be offering its customers SpamTItan-powered advanced email security and anti-phishing protection, WebTitan-powered DNS-based web filtering, and an ArcTitan-powered email archiving service.
All three solutions have been seamlessly integrated into OneStopIT’s security stack and are now being used to better protect its customers from today’s advanced and sophisticated cyber threats.
“ The proliferation of phishing threats across Office 365 is a real problem for SME’s in the UK and we’re partnering with a key vendor in this space to protect our customers and also give them the OneStopIT premium service they are used to,” said Ally Hollins-Kirk, CEO of OneStopIT.
The largest managed service provider conference of 2019 will be taking place in San Diego on 17-19 June.
DattoCon is the premier conference for MSPs, bringing together a plethora of vendors and industry experts to help MSPs learn business building secrets, gain invaluable product insights, and learn technical best practices. The networking and learning opportunities at DattoCon are second to none. DattoCon19 is certainly an event not to be missed.
TitanHQ is a Datto Select Vendor and a proud sponsor of DattoCon19. TitanHQ has developed cybersecurity solutions to exactly meet the needs of MSPs. All solutions area easy to implement and maintain and can be integrated into MSP’s existing systems via a suite of APIs. TitanHQ provides the web security layer to Datto DNA and D200 boxes and is the only third-party security company trusted to work with Datto.
The TitanHQ team will be on hand at the conference to discuss your email and web security needs and will offer practical advice to help you better serve the needs of your customers and get the very most out of TitanHQ solutions.
Visitors to the TitanHQ stand (booth 23) will have the opportunity to learn about TitanHQ’s exclusive TitanShield Program for MSPs. Through the TitanShield program, members have access to SpamTitan email security and phishing protection; the WebTitan DNS filter; and the ArcTitan email archiving solution. Around 2,000 MSPs have already signed up to the program and are using TitanHQ solutions to protect their clients.
If you currently use Cisco Umbrella to provide web and malware protection, you may be paying far more for security than is necessary and could well be struggling with product support. Be sure to speak to the team about the savings from switching and the support provided by TitanHQ. A visit will also be useful for MSPs that are currently supporting Office 365, as the team will explain how spam, phishing and malware protection can be enhanced.
TitanHQ Executive Vice President-Strategic Alliances, Rocco Donnino, will be on the panel for the new, Datto Select Avendors event on Monday. The event runs from 3PM to 4PM and brings together experts from several select companies who will help solve some of the epic problems faced by MSPs today.
Additional Benefits at DattoCon19
New TitanHQ customers benefit from special show pricing.
A daily raffle for a free bottle of vintage Irish whiskey.
Two DattoCon19 parties: TitanHQ and BVOIP are sponsoring a GasLamp District Takeover on Monday 6/17 and Wed, 6/19.
DattoCon Details
DattoCon19 will be taking place in San Diego, California on June 17-19, 2019
If you are not yet registered for the event you can do so here.
TitanHQ will be at booth 23
The global user review website, G2, is the go-to place to find reviews of business software and services. Unlike many other review websites, G2 gives users of the software and services the opportunity to provide their feedback on how the products perform. Millions of businesses use the website to make smarter buying decisions and select the best products and services to meet their needs.
This year, for the first time, G2 has launched a new Best Software Companies in EMEA list. To produce the list, G2 used the reviews of more than 66,000 users of the products of more than 900 companies. To be selected as one of the best companies is only possible if users of products and services have given their endorsement.
“G2’s ever-expanding breadth and depth of product, review, and traffic coverage provide over 5 million data points to help buyers navigate the complex world of digital transformation”, said G2 CEO Godard Abel. “In our Best Software Companies in EMEA list, we leverage this data to identify the companies our users tell us are best helping them reach their potential”.
TitanHQ has developed a suite of advanced cybersecurity solutions to keep businesses protected from email and web-based threats and help MSPs serving that market effortlessly provide managed cybersecurity services to their clients.
“TitanHQ earned its place on the list thanks to the value our customers place on the uncompromised security and real-time threat detection we provide,” said Ronan Kavanagh, CEO, TitanHQ. “The overwhelmingly positive feedback from on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success.”
The use of ransomware to attack businesses continued to decline throughout 2018 after extensive use of the file-encrypting malware by cybercriminals in 2016 and 2017. In 2018, ransomware fell out of favor with cybercriminals, who turned to other forms of cybercrime to make money.
However, ransomware is seeing something of a resurgence in 2019. The latest Breach Insights Report from Beazley Breach Response Services shows ransomware attacks are increasing once again. In the first quarter of 2019, ransomware attack notifications from its clients increased by 105% from Q1, 2018. Ransom demands are also increasing.
The rise in attacks has continued in Q2. Attacks using MegaCortex ransomware surged in late April. The ransomware variant was first identified in January and was only used in a handful of attacks in the following three months, but in the last week in April, 47 confirmed attacks were reported.
Dharma ransomware attacks have similarly increased. According to Malwarebytes, the past two months have seen a 148% increase in attacks. The threat actors behind Dharma ransomware are now using a variety of methods to distribute their ransomware payload.
The most common method of distribution is phishing emails. Emails contain embedded hyperlinks that direct users to a malicious website where the ransomware payload is downloaded. Email attachments containing malicious scripts are also used to download the ransomware payload.
Attacks are also taking place via remote desktop protocol over TCP port 3389. Brute force attacks are conducted to gain access to a device then ransomware is deployed. Dharma ransomware has also been identified in fake antivirus software programs which are pushed via a variety of websites. Users are tricked into downloading fake AV software after receiving a fake alert about a malware infection that has been detected on the user’s device.
Ransomware has also been used in conjunction with other malware such as Emotet. Emotet was once a banking Trojan but has since morphed into a botnet, capable of stealing login credentials, propagating itself via email on an infected device, and is capable of downloading other malware payloads. Emotet has been used to distribute Ryuk ransomware.
There have been upticks in attacks using other ransomware variants and the popularity of ransomware continues to grow, with some industries targeted more than others. Healthcare organizations are an attractive target as access to patient data is critical for providing medical services. There is a higher probability of ransom demands being paid due to reliance on patient data.
A recent report from Recorded Future has confirmed that attacks on towns, cities, and local government systems are soaring. Its study confirmed that there were 169 attacks on county, city, or state government systems and police and sheriffs’ offices since 2013. There were 38 ransomware attacks in 2017, 53 in 2018, and 22 attacks have already occurred in 2019 and the year is not yet halfway through.
Akron, OH; Albany, NY; Jackson County and Cartersville, GA; and Lynn, MA, have all been attacked this year and the city of Baltimore, MA, has been struggling to recover from its attack for the past two weeks with many city services still disrupted.
The rise in attacks is understandable. The potential rewards from a successful attack are high, many victims have no alternative but to pay, and thanks to ransomware-as-a-service, attacks are easy to pull off and require little in the way of skill.
As long as the attacks continue to be profitable, they will continue. What businesses need to do is to make it much harder for the attacks to succeed and to ensure that if disaster does strike, recovery is possible without having to pay a ransom.
Recovery depends on viable backups of all critical files being available. That means regular backups must be made, those backups need to be tested to make sure files can be restored, and copies need to be stored securely where they cannot also be encrypted.
Remote Desktop Protocol is a weak point that is commonly exploited. If RDP is not required, it should be disabled. If disabling RDP is not an option, strong, complex passwords should be used and access should only be possible using a VPN.
To block web-based attacks, consider implementing a web filtering solution such as WebTitan which prevents users from visiting known malicious websites and downloading executable files types.
One of the primary methods of delivering ransomware is spam and phishing emails. An advanced spam filtering solution should be implemented to block malicious emails and ensure they are not delivered to end users’ inboxes. SpamTitan now incorporates a sandbox, which allows suspicious files to be executed in a secure environment where activities of the files can be safely analyzed for malicious actions. SpamTitan also scans outgoing mail for signs of infection with Emotet.
While these technical controls are important, you should not forget end users. By providing security awareness training and teaching end users how to recognize potential threats, they can be turned into a strong last line of defense.
Fortunately, with layered defenses you can make it much harder for ransomware attacks to succeed and can avoid becoming yet another ransomware statistic.
Shade ransomware was first identified by security researchers in 2014, when it was primarily being used in attacks on Russian businesses; however the threat actors behind this ransomware variant have broadened their horizons and attacks are now being conducted around the world. The United States is now the most attacked country followed by Japan, India, Thailand, and Canada. Russia has now fallen from top spot to seventh.
Shade ransomware, like many ransomware variants, is primarily spread via email. Emails are sent to businesses which appear at first glance to be invoices or bills. The emails contain links to websites hosting malicious files which are downloaded to the user’s device. A variant of this method uses a PDF attachment which contains a link inside which must be clicked to download a fake invoice or bill.
The downloaded files use JavaScript or other scripts to download the Shade ransomware payload. Shade ransomware encrypts a wide range of files and changes the background on the infected computer to alert the user that their files have been encrypted. Ransom notes are also saved to the Desktop with the filename of README1.txt through to README10.txt. Those text files advise the victim to email a code to an email address to receive instructions on how the ransom payment must be made.
An analysis of the latest campaigns was recently conducted by Palo Alto Networks Unit 42 team. That analysis revealed the attackers are concentrating their attacks on high-tech companies, retailers, wholesalers, telecommunications, and educational institutions and the threat actors behind the campaigns have been highly active in 2019.
Since Shade ransomware is most commonly spread via spam email, to reduce the risk of an attack, businesses should implement an advanced email gateway solution that is capable of identifying and blocking the malspam emails that ultimately deliver Shade ransomware.
SpamTitan protects businesses from Shade ransomware and other email-based malware attacks. SpamTitan includes dual antivirus engines to detect malicious files attached to emails and scans the content of messages and subjects them to a Bayesian analysis and heuristics to identify signatures of spam and malicious messages.
The solution now incorporates a Bitdefender-powered sandbox feature which allows files to be opened in a safe and secure environment where they can be analyzed for malicious activity. The solution also allows users to block attachments commonly used to deliver malware, such as zip files and executable files such as .exe and .js.
These and other protection mechanisms help to ensure that only legitimate emails are delivered and malicious messages are prevented from being delivered to end users’ inboxes.
If you want to protect your business against ransomware and malware attacks, contact TitanHQ today to find out more about SpamTitan and take the first step towards improving your security posture.
A critical Windows vulnerability has been identified which could be exploited in a WannaCry-style malware attack. The vulnerability is pre-authentication and requires no user interaction to exploit, as such it is wormable. A patch was issued by Microsoft on May 14, 2019 to correct the flaw. The patch should be applied immediately to prevent the flaw from being exploited.
A remote attacker could exploit the flaw to deliver malware to a vulnerable device and, by incorporating the exploit into the malware, move laterally and infect all vulnerable devices on the network.
The vulnerability, tracked as CVE-2019-0708, is in Remote Desktop Services (previously called Terminal Services) and requires a relatively low level of skill to exploit. To exploit the flaw, an attacker would need to send a specially crafted request to the Remote Desktop Service on a targeted device via RDP. Once exploited, an attacker could download malware and install other programs, view, change, or delete data, create new user accounts with admin privileges, and take full control of a vulnerable device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.
Microsoft has incorporated security protections into the latest Windows versions, so Windows 8 and Windows 10 users are unaffected. However, earlier versions of Windows contain the vulnerability.
Patches have been released for all vulnerable Windows versions, including Windows XP and Windows 2003, both of which have reached end of life and are no longer supported, as was the case with the Windows Server Message Block (SMB) vulnerability that was exploited by WannaCry.
Affected Windows versions are:
Windows Server 2008 R2
Windows Server 2008
Windows 7
Windows XP
Windows 2003
Businesses running machines with the above operating systems should test the patch and apply it as soon as possible. In the meantime, a workaround should be implemented to prevent the flaw from being exploited.
The workaround requires TCP port 3389 to be blocked on the firewall and for Network Level Authentication (NLA) to be enabled on all systems running vulnerable Windows versions. If NLA is enabled, before the flaw can be exploited, an attacker would first need to authenticate to remote Desktop Services using a valid account. While the workaround will reduce the risk of exploitation of the vulnerability, it is not a replacement for the patch, which should still be applied as soon as possible. Businesses should also disable Remote Desktop Services if they are not essential and RDP should not be exposed to the internet.
Microsoft has warned that the failure to mitigate the vulnerability, either by applying the patch or using the workaround, could result in another global attack on the scale of WannaCry. Such an attack is extremely likely. When patches are released to address critical flaws, it doesn’t take long for them to be reverse engineered and for exploits to be crafted. Such a high severity flaw is likely to be exploited quickly. It may only take a few days before the first attacks are conducted.
TitanHQ, the leading provider of spam filtering, web filtering, and email archiving solutions to SMBs and managed service providers (MSPs) has announced a new partner program has been launched: TitanShield.
The aim of the TitanShield Partner Program is to provide MSPs, cloud distributors, OEM partners, Wi-Fi providers, and Technology Alliance partners with all the tools and support they need to start offering TitanHQ solutions to their clients and to provide continued support.
The launch of the new program coincides with TitanHQ’s 20-year anniversary. For the past two decades, TitanHQ has been developing innovative cybersecurity solutions for SMBs and MSPs that serve the SMB market. The company started by developing anti-spam technologies for businesses in Ireland and has since grown into an award-winning global provider of cybersecurity solutions.
Over the course of the past year, TitanHQ has been working closely with partners to make it as easy as possible for them to sell, onboard, deliver, and managed advanced network security solutions directly to their client base. In fact, in the past 9 months, as a result of those efforts, TitanHQ has increased its partner base by 40%.
In addition to providing cutting edge cybersecurity solutions to protect against email and web-based attacks and meet compliance requirements, TitanHQ offers partners flexible pricing models, competitive margins, and a wealth of sales and technical resources to drive revenue growth.
Under the new partner program, all qualified partners will be assigned a dedicated account manager, a support team, and engineers. Partners also benefit from a full range of APIs that will enable them to incorporate TitanHQ products into their backend provisioning and management systems and will be provided with extensive sales enablement and marketing support, including lead generation resources.
“Our new TitanShield partner program allows us to separate partners into their specific areas so that we can make sure they are receiving best practices, simple pricing models and focused information for the markets and customers they serve,” explained TitanHQ Executive VP of Strategic Alliances, Rocco Donnino “Our program takes a unique and strategic approach for our partners and can be customized to fit all business models.”
MSPs and cloud providers who have not yet started offering TitanHQ solutions to their clients can find out more about the TitanShield program by emailing the team at partners@titanhq.com