Cybersecurity News
Keeping up-to-date with cybersecurity news can help protect organizations from online threats such as malware downloads and phishing campaigns. By being aware of type of threats that exist, how they operate, and what damage they can do, organizations can take precautions against the threats, educate their employees to be aware of online security, and strengthen their online defenses.
The most effective way of preventing attacks by cybercriminals is to stop Internet users from receiving emails containing phishing links or visiting websites that harbor viruses. This can be achieved with an email filter and an Internet content filter – both solutions having mechanisms in place to protect organizations and ensure they are not featured in future in our cybersecurity news section.
Sep 30, 2016 | Cybersecurity News, Web Filtering
The threat from malware is now greater than ever before in the history of the Internet. New malware is being developed at alarming rates, and traditional antivirus software developers are struggling to maintain pace and prevent new forms of malware from being installed on endpoints.
Not only are malware developers creating ever stealthier information stealers, Trojans, and ransomware, the methods used to install the malicious software are becoming much more sophisticated. Keeping endpoints and networks free from infection is becoming far more complicated, while the cost of dealing with malware infections is increasing. Figures from the Ponemon Institute suggest the average cost of a data breach has now reached $4 million.
2015 saw some of the largest data breaches ever discovered and the situation is getting worse. The 78.8-million record attack on Anthem Inc. may have been one of the worst ever data breaches in terms of the number of individuals affected and the amount of data obtained by the attackers, but 2016 has seen even larger data breaches uncovered.
The attack on LinkedIn, which was discovered in May this year, affected 117 million users. The data breach at MySpace resulted in 460 million passwords being obtained by hackers, 111 million of those records also included a username. However, even those massive data breaches were dwarfed by the discovery of the data breach at Yahoo Inc., this month. Hackers were found to have obtained the information of around 500 million individuals.
Not all of those data breaches involved the use of malware, but a large percentage of smaller breaches have occurred as a result of malware infections and the threat from ransomware has grown significantly over the past few months.
Threat from Malware Greater than Ever Before
This month, a study conducted by Proofpoint has cast more light on the seriousness of the threat from malware and the extent to which organizations are being attacked and the seriousness of the threat from malware. The Proofpoint 2016 Security Report shows that throughout 2015, an average of 274 new forms of previously unknown malware were discovered every minute. 971 forms of unknown malware hit organizations every hour in 2015. That’s 9 times the downloads that occurred in 2014. Proofpoint’s research indicates 12 million new pieces of malware were discovered every month last year.
Proofpoint’s study revealed that in 2015, 89% of organizations downloaded a malicious file. In 2014, only 63% of companies reported downloading malicious files. In 2014, malware was downloaded every 6 minutes on average. In 2015, new malware was being downloaded every 81 seconds. In total, almost 144 million new malware were found in 2015. Out of the 6,000 gateways analyzed by Proofpoint, 52.7% were found to have downloaded at least one file infected with malware, and an average of 2,372 infected files were reported per gateway.
Email remains one of the most common vectors for malware delivery. Attackers are sending malicious emails containing scripts that download malware, or links to websites containing exploit kits that download information stealers, Trojans, and ransomware.
There was a small decline in the number of malicious websites that were accessed by employees. In 2014, 86% of organizations reported that end users had visited malicious websites. In 2015, 82% of organizations said employees had visited malicious websites.
However, employees in enterprise organizations were five times more likely to visit malicious websites in 2015 than in 2014. On average, enterprise employees visited malicious websites every 5 seconds. In 2014, malicious websites were accessed every 24 seconds.
Protecting Against Malware Attacks
Defending against malware attacks requires more than an anti-virus or anti-malware solution. Multi-layered cybersecurity defenses are required to cope with the onslaught.
Training programs should be conducted regularly to ensure employees are aware of the risks and latest threats. Knowledge should also be put to the test by conducting phishing training exercises.
Technical solutions should include anti-virus, anti-malware, and anti-bot software. Virus and malware definitions must be kept up to date and regular network scans conducted to identify infections rapidly.
Since email is the most common attack vector, anti-spam solutions should be employed. By using a robust anti-spam solution such as SpamTitan it is possible to prevent the vast majority of malicious emails from being delivered to end users. SpamTitan blocks 99.7% of spam email.
A URL filtering solution such as WebTitan should also be employed to prevent end users from visiting malicious websites and downloading malware. WebTitan can be configured to prevent end users from visiting websites known to contain malware and exploit kits. Malicious third party adverts – malvertising – can also be blocked, as can categories of websites which carry a high risk of containing malware.
Along with advanced threat prevention technologies, application controls, intrusion prevention systems, and good patch management policies it is possible to prevent the vast majority of malware attacks. However, with the volume of malware now being released and the extent to which hackers are attacking organizations, failing to commit improve cybersecurity defenses is likely to see organizations become another breach statistic.
Jul 15, 2016 | Cybersecurity News, Web Filtering
New Locky ransomware variants are frequently developed to keep security researchers on their toes. The malicious ransomware is highly sophisticated and further development allows the gang behind the crypto-ransomware to keep raking in millions of dollars in ransoms.
According to security researchers at Avira, a new Locky variant has now been discovered with new capabilities that spell trouble for businesses, even those with highly advanced security systems in place. Now, even rapid detection of Locky will not prevent files from being encrypted. Even if Locky cannot contact its command and control server, it will still execute and encrypt files. Previous Locky ransomware variants would only encrypt files after C&C server contact was established.
This means that if Locky is detected on a computer, shutting down the network or blocking communications will not prevent files from being encrypted. This is one of the few options open to organizations to limit the damage caused if ransomware is discovered.
New Locky Ransomware Variants Encrypt Without C&C Server Contact
Many of the latest ransomware strains use public key cryptography to lock users’ files. They will not encrypt files if systems are taken offline because they require contact with a C&C server to obtain the public-private key pairs that are used to lock files. These are only generated if a connection to the C&C is made. The private key that is used to unlock files is stored on the attacker’s server and never on the local machine that is infected.
Without a connection, unique keys for each user cannot be generated. This means that even if millions of computers are locked, one key will unlock them all. By generating a unique key for each infection, a ransom must be paid for each device that is encrypted. Without this, a business would only need to pay one ransom payment to unlock all infected devices.
Fortunately, that is the case with the latest Locky strain. If no C&C contact is made, all infected devices will be locked with the same key. That means only one ransom payment may need to be paid. However, if C&C contact is established, the AES encryption key will be encrypted using a separate RSA encryption key for each device and multiple payments will be required.
Avira reports that the new Locky ransomware variants use separate types of victim IDs, depending on whether files were encrypted offline or online. Offline infections use a 32-character alphabet for the victim IDs – “YBNDRFG8EJKMCPQX0T1UWISZA345H769” – rather than hex digits. By doing so, the attackers can determine which key to supply to unloick the encryption.
According to Avira’s Moritz Kroll, “Theoretically, if a company with a domain controller is hit by the new Locky and sees a non-hexdigit ID like ‘BSYA47W0NGXSWFJ9’, it might be cheaper to generate a victim ID with the same public key ID but without saying it’s a corporate computer.” That key can then be used for all other devices that have been infected.
While this may work, it is no substitute for having a viable backup. It is also far better to block the malicious spam emails that are used to deliver the ransomware using an advanced spam filtering solution such as SpamTitan, and to prevent drive-by downloads using WebTitian.
Jul 8, 2016 | Cybersecurity News, Internet Security News, Web Filtering
If you want to keep your computers and network protected, you should ensure that browsers are patched as soon as updates are made available. However, end users may be fooled into taking action to keep their computers secure and inadvertently use fake Firefox updates.
Fake FireFox Updates Used to Install the Kovter Trojan
Fake Firefox updates are being used by the gang behind the Kovter Trojan. A new version of the fileless malware has been identified recently, and it is infecting users by posing as a fake Firefox update.
The cybercriminal gang behind Kovter frequently tweak the malware and come up with new ways of infecting end users. Kovter is a particular worry as it can be particularly difficult to detect. Being fileless, there are no actual files to detect. The malware resides only in the memory, and it ensures it is reloaded into the memory each time a computer is rebooted with a Windows registry component.
Kovter can perform a range of malicious activities, such as redirecting users to malicious websites, performing click fraud, downloading other malware, and now also encrypting files. The latest variant discovered by CheckPoint also has ransomware capabilities.
When users visit a malicious or infected website they are presented with fake Firefox updates and are urged to download the latest version to keep their computers secure. Researchers at Barkly discovered that the gang behind the latest Kovter campaign are using a legitimate certificate to fool antivirus engines. The certificate was issued to Comodo, although it has since been revoked. Anti-virus engines are also now being updated to detect the malware and block its download.
Preventing Drive by Malware Downloads
There are a number of steps that can be taken to prevent drive-by downloads of malware such as Kovter. Policies should be implemented that prohibit end users from performing software updates, which should be left to the IT team to handle. Patch management policies should be developed and implemented to make sure that when software updates and patches are issued, they are installed promptly or preferably automatically.
Browsers should never be updated outside the normal update process. To check if the latest version is installed, simply click on the help function, followed by the About option, and the browser will check to determine whether an update is available.
A web filtering solution is also an important security control to employ to prevent drive-by downloads. A web filter can be configured to block access to webpages known to contain malware and restrict access to non-work related websites which carry a high risk of malware infections. Some web filtering solutions – WebTitan Gateway for example – can also scan websites in real-time to check for known indicators of drive-by downloads and exploit kits. WebTitan then prevents the sites from being visited.
Jun 30, 2016 | Cybersecurity News, Internet Security News
Mobile ransomware may not be nearly as prevalent as its PC counterpart, but attacks on mobile devices are on the rise according to a new report issued by anti-virus firm Kaspersky Lab.
Kaspersky Lab assessed thwarted ransomware attacks on mobile users over a period of two years and saw that the numbers of attacks doubled, signifying a worrying new trend.
Between 2014 and 2015, 2.04% of malware attacks on mobile users involved ransomware. Between 2015 and 2016, the percentage of ransomware attacks rose to 4.63%. During that period, 136,532 attacks took place.
Kaspersky Lab noted that the ransomware used to infect mobile devices differs considerably from the strains used to infect PC users. While Locky, CryptXXX, and RAA are now the main threats affecting PCs, the main mobile ransomware strains currently being used are Fusob, Small, Svpeng, and Pletor.
Mobile ransomware tends not to use encryption to lock files, instead malicious software is developed that blocks users from accessing their device. Oftentimes, this is achieved with a simple HTML overlay. Encryption is more effective on PCs because many users fail to back up their data, or when they do they leave their backup devices connected. Many strains of PC ransomware are able to delete backup files or encrypt them, leaving end users with no alternative but to pay the ransom or lose their data forever.
Many mobile users automatically backup their data in the cloud. If data is ever lost or encrypted, files can easily be recovered. However, overlays prevent the user from being able to access their files from the device. With mobile devices victims cannot simply take out a hard drive and plug it into another machine and manually remove malicious files. If an infection takes place, users either have to pay the ransom or replace their device. Provided the ransom is lower, many users will end up paying.
Without the need for encryption, the development of mobile ransomware is considerably cheaper. The ransoms that can be demanded may be lower than for PC infections, but campaigns can be highly profitable for cybercriminals.
Criminal gangs are also using an affiliate model to spread infections. There is usually no shortage of actors willing to invest the time distributing the malicious software in exchange for a cut of the ransom. In many cases, signing up for these affiliate ransomware campaigns is easy. The developers of the malware release kits to make it as easy as possible. Programming skill is not even needed.
Mobile Ransomware Attacks Will Continue
The use of mobile ransomware is increasing significantly because it is effective. An increasing amount of data are now stored on mobile devices, and end users – and business users in particular – are unwilling to lose their data. As long as ransoms are paid, attacks will continue and are likely to increase. Cybercriminals will only stop developing new mobile ransomware strains when the campaigns prove to be ineffective and unprofitable.
Jun 29, 2016 | Cybersecurity News, Internet Security News, Network Security
A new threat has recently been discovered by security researchers at Phishme: Bart ransomware. The new ransomware variant is not as sophisticated as Locky and Samsa, but it is still highly effective and poses a risk to businesses. Should end users be fooled into opening spam emails, file recovery will only be possible via backups if the ransom demand is not paid.
Bart Ransomware Locks Files in Password-Protected ZIP Files
Bart Ransomware bears a number of similarities to other ransomware variants that have been discovered in recent months. If installed on a device, media files, photos, documents, spreadsheets, databases, and a host of other files are located and encrypted. Bart ransomware also encrypts .n64 ROM files, which was previously unique to Locky ransomware. Bart is also delivered using the same Dridex botnet that was used to deliver Locky.
Bart ransomware also uses a payment interface that looks very similar to Locky. However, there are notable differences to Locky and other ransomware variants. Bart demands a particularly high payment from its victims. Rather than a demand of 0.5 Bitcoin, Bart asks for 3 Bitcoin per infected machine – Approximately $1988 per device.
There are also notable differences in the method used to encrypt files. Bart doesn’t use public key cryptography. Files are added to zip files which are then password protected. In order to unzip files, a password must be supplied. These passwords are only supplied to the victim if the sizeable ransom is paid.
Bart also does not use the typical command and control center infrastructure. Most new ransomware variants communicate with the attackers’ command and control center before files are encrypted, but that does not appear to happen with Bart.
New Ransomware Variant Delivered via Spam Emails
The campaign uses spam emails to deliver malicious Javascript files, which are disguised as image files. End users may be fooled into opening the attachments in the belief they are simply images. However, if the attachments are opened, JavaScript is executed and Rocketloader is downloaded. Rocketloader installs Bart ransomware and is also capable of downloading a variety of other malware.
The ransomware has been developed to attack users in the west, and will not lock files if the operating system is in Russian, Ukrainian, or Belorussian.
To prevent infection, it is essential that end users do not open the infected email attachments. Since the emails may appear benign to end users, organizations should take steps to prevent the spam emails from being delivered. One way of doing this is to use SpamTitan. SpamTitan can be configured to block zip files and prevent them from being delivered to end users.
If spam emails are not delivered, end users will not be able to inadvertently infect their devices. Furthermore, the cost of deploying SpamTitan is likely to be considerably less than the cost of a single ransom payment to resolve a Bart infection.
Jun 22, 2016 | Cybersecurity News, Network Security
There have been a number of high-profile data breaches reported in recent weeks, now Citrix has announced its users have been impacted after receiving multiple reports of GoToMyPC password reuse attacks. An investigation into the attacks revealed that the account compromises were not the result of a Citrix data breach, but that the attacks had been made possible due to poor security practices of some of its users.
Passwords Reset After Spate of GoToMyPC Password Reuse Attacks
After discovering the GoToMyPC password reuse attacks, Citrix performed a password reset on all users’ accounts to reduce the risk of account compromises. When users next login to the remote desktop access service they will be required to set up a new password before being allowed to access the service.
While Citrix has taken steps to protect its own users, simply changing passwords on GoToMyPC will not protect users who share passwords across multiple applications and web services. It is therefore important for users to login to all online accounts that have the same password set and to create new, unique passwords for each.
Following the cyberattacks on LinkedIn, MySpace, and Tumblr, login credentials were openly sold on darknet marketplaces. Many individuals purchased the data and have been searching online platforms to find users that have accounts elsewhere. The same passwords are then tried to see if access can be gained.
Shortly after these data dumps, numerous Twitter accounts were hacked, including those belonging to a number of high profile celebrities – Katy Perry, Mark Zuckerberg, Tenacious D, and Lana Del Rey for example. While the hacking of a Twitter account may only be an inconvenience for many victims, far more serious hacks have occurred.
TeamViewer remote desktop connection software was targeted by attackers who had obtained data from the LinkedIn breach. Users’ accounts were accessed and the software leveraged to obtain access to users’ PayPal accounts and bank accounts, primarily using passwords saved in browsers. The victims had their bank and PayPal accounts emptied. Some individuals also reported that TeamViewer had been used to install ransomware on their computers.
Since many individuals share passwords on personal accounts and business accounts, the latter may also be compromised and that can have highly serious implications.
The Danger of Password Sharing
All organizations face a threat of cyberattacks and sooner or later it is likely that one of those attacks will be successful. If users’ login credentials are obtained, they can be used to access accounts on other web and software platforms.
The spate of recent attacks shows how dangerous it can be to use the same passwords for multiple accounts. While it is certainly convenient to use the same password on multiple platforms, users stand to have their entire online identity hijacked as a result of a single cyberattack on one company.
To limit the damage caused, it is essential to use a unique, complex password for each online account, never to recycle passwords, and to update passwords frequently. Sys admins should ensure that password policies are set that require complex passwords to be created. Password expiration policies should also be developed and implemented. Password managers can be used to help end users keep track of all of their passwords.
Jun 21, 2016 | Cybersecurity News, Internet Security News, Network Security
Security researchers have uncovered an entirely JavaScript based ransomware variant that is not only being used to lock infected devices with AES encryption, but also to deliver the Pony info-stealer. Pony is used to obtain users’ passwords and login credentials to launch further attacks. This means that while a ransom may have to be paid to regain access to important files, the victim is also highly likely to suffer further losses.
JavaScript based malware is nothing new. Criminals have been using JavaScript files to infect devices with ransomware for some time, yet previously JavaScript has most commonly been used to download ransomware to infected devices. The latest threat exclusively uses JavaScript and requires no additional downloads.
RAA Ransomware Delivered via Spam Email
The attack starts with a spam email containing a malicious attachment. The attached file appears to be a document, but it is actually a malicious JavaScript file. Opening the file will result in a fake Word document being created in the user’s My Documents folder. That file is then opened automatically leading the victim to believe that the file attachment is corrupted. However, processes will still be running in the background. The malicious JavaScript file – dubbed RAA ransomware – does not contain any cryptographic functions, instead it uses the CryptoJS library to lock files with AES encryption.
First, all drives – local, network, and portable – are scanned for specific file extensions, including documents and spreadsheets (DOC, RTF, XLS, CSV, PDF), compressed files (ZIP, RAR), image files (JPG, PSD, PNG, DWG, CDR, CD), database files (DBF, MDF), and LCD disk images.
Once the targeted files are identified, the JavaScript based ransomware then encrypts those files using AES encryption and replaces the extension with “.locked.” To make it harder for the victims to recover from the infection without paying the ransom, RAA ransomware also deletes the Windows Volume Shadow Copy Service (VSS) as well as all shadow copies. Finally, files are created on the Desktop which detail how much must be paid to obtain the decryption keys and instructions on how payment must be made.
JavaScript Based Ransomware Delivers the Pony Info Stealer
This JavaScript based ransomware also includes the pony info stealer. In contrast to other malware which can download additional malicious files from the Internet, RAA ransomware has the Pony info-stealer embedded as a base64 encoded string. The string is decoded and also saved to the My Documents folder and is then run automatically.
The RAA ransomware is set to run automatically each time the computer is booted, and it will install Pony each time. Since the ransomware runs on boot it will encrypt any of the above file extensions that have been created or downloaded since the last time the ransomware was executed. At present, there is no way of decrypting the files without paying the ransom.
To protect against attacks, end users must be vigilant and not open any files attachments sent from unknown individuals. Sys admins must also ensure that all files are regularly backed up and back up devices are air-gapped.
Jun 17, 2016 | Cybersecurity News, Network Security
Each year, the Ponemon Institute conducts an annual benchmark study on the cost of a data breach. The IBM-sponsored report reveals just how damaging data breaches can be to a company’s finances. Responding to a data breach costs companies millions of dollars, and each year the cost rises.
Last year, the Cost of a Data Breach study placed the average cost at 3.79 million. This year, the average cost has risen to $4 million. The average cost per stolen record rose from $154 to $158 over the past 12 months.
Average Cost of a Data Breach in the United States is $7.01 Million
However, those figures are taken from the global data collected for the study. The costs incurred by U.S businesses are much higher. Take the figures for the United States alone, and the average cost is $7.01 million. Last year the average cost of a breach response in the United States was $6.53 million.
Organizations in the United States can expect to pay costs of $221 per record, although organizations in the healthcare industry, financial, and life science sector can expect to pay far higher amounts. The cost of a data breach in the healthcare industry is a staggering $402 per record. The data also show that the average number of records exposed per incident also increased.
In the United States, the total cost of a data breach rose by 7% over the space of a year, and by 2% per stolen or compromised record. The Ponemon Institute offers some suggestions why the overall cost of a data breach has increased by such a high degree. One of the main reasons is a substantial rise in indirect costs. When an organization suffers a security breach that exposes sensitive data such as credit card numbers, financial information, Social Security numbers, or medical records, consumers are increasingly taking their business elsewhere. The Ponemon Institute refers to this as the abnormal churn rate.
Organizations Should Try to Reduce Churn Rate After a Data Breach
One of the findings of the research is the higher the churn rate is following a data breach, the higher the cost of the breach will be. Companies that experienced an abnormal churn rate of lower than 1%, had to pay average breach costs of $5.4 million. The cost rose to $6.0 million with an abnormal churn rate of between 1% and 2%, while a churn rate of above 4% resulted in average costs of $12.1 million.
The industries most likely to see customers leave and find alternative companies to do business with were healthcare organizations, financial companies, service organizations, and companies operating in the technology and life sciences industries. Public sector companies, research organizations, and the media experienced the lowest churn rates.
Ponemon suggests that one of the best ways to reduce the financial impact of a data breach is to put greater effort into retaining customers and adopting strategies to preserve brand value and reputation. Consumers now understand that data breaches are a fact of life, but they expect action to be taken by organizations that have suffered a breach that exposed their personal information. Issuing breach notifications quickly, offering credit monitoring services to affected individuals, and taking steps to greatly improve security can all help to reduce fallout after a data breach occurs.
Malicious Attacks Cost the Most to Resolve
All data breaches will result in organizations incurring costs, but the cause of a data breach will dictate how high those costs will be. Malicious attacks on organizations were discovered to cost the most to resolve. In the United States, the average cost per record for a malicious or criminal attack was $236. For system glitches the cost was £213 per record, and for human error the cost was $197 per record.
The costs incurred can be reduced significantly if organizations take steps to prepare for data breaches. The Ponemon Institute determined that having an effective breach response plan can greatly reduce the cost of a data breach. When an organization can respond quickly to a breach the costs tend to be much lower.
The average time to contain a data breach was determined to be 58 days. Organizations that were able to contain a data breach in less than 30 days paid an average cost of $5.24 million per breach, compared to $8.85 million when the time to contain the breach exceeded 30 days.
It also pays to invest in technologies that allow organizations to identify breaches quickly when they do occur. The mean time to identify a breach was determined to be 191 days – more than 6 months. When the mean time to identify a breach was less than 100 days, the breach cost was $5.83 million. When the mean time to identify a data breach exceeded 100 days, the mean cost rose to $8.01 million.
The costs of breach resolution are continuing to rise. Organizations should therefore consider investing more heavily in technologies to prevent data breaches and to increase the speed at which they are detected. The results of the study clearly demonstrate that having a tested breach response plan in place is essential if costs are to be reduced.
Jun 9, 2016 | Cybersecurity Advice, Cybersecurity News
The security threat from bloatware was made abundantly clear last year with the discovery of a Lenovo bloatware vulnerability, affecting the Superfish Adware program that came pre-installed on Lenovo laptops.
Bloatware is a term used to describe software applications and programs that are largely unnecessary, yet are pre-installed on new computer and laptops. The software programs can slow down computers and take up a lot of memory, yet offer the user little in the way of benefits. They are primarily used to update application features rather than to enhance security.
Unfortunately, these pre-installed programs have been discovered – on numerous occasions – to contain security vulnerabilities that can be exploited by malicious actors and used for man-in-the-middle attacks. They can even let attackers run arbitrary code, allow privilege escalation, or perform malicious software updates.
Now a new Lenovo bloatware vulnerability has been uncovered. This time it concerns the company’s software updater which has been found to contain a vulnerability that could potentially be exploited allowing man-in-the-middle attacks to be conducted.
New Bloatware Vulnerability Found in Lenovo Accelerator Application Updater: Uninstall Recommended
The Lenovo Accelerator Application has been pre-installed on a wide range of desktop computers and notebooks shipped pre-installed with Windows 10. In total, well over 100 different models of Lenovo notebooks and desktops have the Lenovo Accelerator Application installed. Lenovo says the application is used to speed up the launching of Lenovo applications and communicates with the company’s servers to determine whether application updates exist.
The UpdateAgent pings Lenovo’s servers every 10 minutes to check whether updates have been released. However, the application has recently been discovered to contain a security vulnerability that could be exploited by attackers. DuoLabs investigated a number of companies to check for security vulnerabilities in pre-installed software applications and found that Lenovo’s UpdateAgent was particularly vulnerable to attacks.
DuoLabs reported that the updater had “no native security,” and that “executables and manifests are transmitted in the clear and no code-signing checks are enforced.” The security flaws could allow an attacker to intercept these communications and manipulate responses, even allowing malicious software updates to be performed.
Lenovo has responded by issuing an advisory recommending all owners of the affected devices uninstall the software application. This is a straightforward task that can be performed by accessing the Apps and Features application on a Windows 10 computer, selecting the Lenovo Accelerator Application and manually uninstalling the program.
Jun 8, 2016 | Cybersecurity News, Internet Security News
A new WordPress plugin vulnerability was recently uncovered that is being actively exploited. The vulnerability affects the WP Mobile Detector plugin, which is used to determine whether a website is being viewed on a desktop or mobile device. The plugin then serves a compatible WordPress theme.
The plugin was one of the first to be able to distinguish whether a device was a standard mobile or a Smartphone, and as of the start of May, the plugin had been installed on more than 10,000 WordPress websites.
WP Mobile Detector WordPress Plugin Vulnerability Exploited to Install Porn Spam Doorways
The WordPress plugin vulnerability was detected by Plugin Vulnerabilities, which noticed a HEAD request for a file called /wp-mobile-detector/resize.php, even though the plugin had not been installed on the site.
Researchers at Plugin Vulnerabilities concluded that the request was made by an individual attempting to determine whether the plugin had been installed in order to exploit a vulnerability. After searching for reports of a known vulnerability and finding none, researchers investigated further and discovered the plugin had an arbitrary file upload vulnerability.
The vulnerability is straightforward to exploit and can be used to upload malicious files to the cache directory, host spam content, redirect users to malicious websites, or install malware. Since the plugin performed no checks to validate input from untrusted sources, an attacker would be able to insert a src variable containing a malicious URL and PHP code.
Many of the infections uncovered so far have involved the installation of porn spam doorways. Sucuri reports that the WordPress plugin vulnerability has been exploited since May 27.
Since the discovery of the WP Mobile Detector plugin flaw last week, the plugin was temporarily removed from the WordPress plugin directory. The developer of the WP Mobile Detector plugin has now fixed the vulnerability. Any site owner that has the plugin installed should immediately update to version 3.6.
However, simply updating to the latest version of the plugin will not remove malware if it has already been installed. If web shells have already been installed, attackers could still have an active backdoor to the site allowing them to continue to upload malicious files or inject malicious code into webpages.
One of the easiest ways to check to see if a site has been compromised is to look for a directory called gopni3g in the site root. The directory will contain a story.php file, and “.htaccess and subdirectories with spammy files and templates,” according to Sucuri researcher Douglas Santos.
Jun 7, 2016 | Cybersecurity Advice, Cybersecurity News, Social Media
The Federal Bureau of Investigation (FBI) has issued a new security alert warning of a new wave of extortion email schemes. The alert was issued after its Internet Crime Complaint Center (IC3) started receiving multiple reports from individuals who had been threatened with the exposure of their sensitive data.
Cybercriminals are quick to respond to large-scale data breaches and use the fear surrounding the attacks to scam individuals into paying ransoms, clicking on links to malicious websites, or opening infected email attachments. In recent weeks, the Internet has been awash with news reports of major data breaches that have hit networking sites and a number of popular Internet platforms.
Major data breaches affected LinkedIn, MySpace, and Tumblr, and while the stolen data are old, hundreds of millions of individuals have been affected.
These cyberattacks occurred in 2012 and 2013, although the data stolen in the attacks have just been listed for sale online. These major data breaches had gone undiscovered until recently.
Extortion Email Schemes Threaten Exposure of Sensitive Data
Due to the volume of logins that were exposed in these attacks and the popularity of the sites, many individuals may be concerned that their login credentials may have been obtained by hackers. Cybercriminals are taking advantage of this fear and are sending out huge volumes of spam emails advising individuals that their sensitive data have been obtained.
In the emails, individuals are told that their name, address, telephone number, credit card details, and other highly sensitive data are being held and that they will be distributed to friends and family if a ransom is not paid. The attackers warn their victims that access to social media accounts has been gained and that the attackers have details of all of the victim’s social media contacts.
The scammers are also threatening to email and mail out details of credit card transactions and internet activity to friends, family, and employers, suggesting that the payment to prevent this from happening will be much lower than the cost of a divorce, and low in comparison to the affect it will have on relationships with friends and on social standing.
To stop the distribution of these data, victims are required to pay the attackers anywhere from 2 to 5 Bitcoin – Between $250 and $1,200. A Bitcoin address is sent in the email which the victims must use. This ensures the transaction remains anonymous.
After analyzing the extortion email schemes, the FBI has concluded that the attacks are the work of multiple individuals. The FBI has advised against paying the ransoms as this will only ensure that this criminal activity continues. Paying a ransom is no guarantee that further demands will not be received.
Any person receiving an email that they believe to be an extortion email scheme should contact their local FBI office and send a copy of the email with the subject “extortion E-mail scheme,” along with details of the Bitcoin address where payment has been asked to be sent.
Extortion email schemes are often sent out randomly in spam email; however, responding to an email will alert the attacker that the email account is active and is being checked. The best course of action is to ignore the email, to log into social media accounts and change all passwords, and to carefully monitor bank accounts and credit card statements. The FBI also advises individuals to ensure social media accounts are configured with the highest level of privacy settings and to be extremely careful about sharing any sensitive data online.
Jun 2, 2016 | Cybersecurity News, Internet Privacy, Internet Security News, Social Media
On May 12, the microblogging website Tumblr notified users of a data breach that occurred in 2013. The company had kept quiet about the number of site users that were affected, although it has since emerged that 65 million account credentials were stolen in the Tumblr data breach. Stolen email addresses and passwords were recently offered for sale on a Darknet marketplace called TheRealDeal.
Tumblr Data Breach Ranks as One of the 5 Biggest Data Breaches of All Time
The massive Tumblr data breach may not be the largest ever discovered, but it certainly ranks as one of the biggest, behind the breach of 360 million MySpace account details, the theft of 164-million LinkedIn account credentials, and the 152 million-record Adobe breach. All of these huge data breaches occurred in 2013 with the exception of the LinkedIn breach, which happened a year earlier.
These breaches have something else in common. They were all discovered recently and the stolen data from all four data breaches have been listed for sale on illegal Darknet marketplaces by the same individual: A Russian hacker with the account “peace_of_mind” – more commonly known as “Peace”. It is not clear whether this individual is responsible for all four of these data breaches, but he/she appears to have now obtained all of the data.
The person responsible for the theft appears to have been sitting on the data for some time as according to Tumblr, as the login credentials do not appear to have been used.
Fortunately, the passwords were salted and hashed. Unfortunately, it would appear that the SHA1 hashing algorithm was used, which is not as secure as the latest algorithms. This means that hackers could potentially crack the passwords. The passwords were also salted so this offers more protection for individuals affected by the Tumblr data breach. However, as a precaution, site users who joined the website in 2013 or earlier should login and change their passwords.
Do You Reuse Passwords on Multiple Sites?
Even if victims of the Tumblr data breach have changed their password on the site before 2013, they may still be at risk of having their online accounts compromised if their password has been used for multiple online accounts.
If you have been affected by the Adobe, LinkedIn, MySpace, or Tumblr data breach, and there is a possibility that you have reused passwords on any on other platforms it is strongly advisable to change all of your passwords.
Peace may not be the only individual currently in possession of the data, and it is highly unlikely that the data will only be sold to one individual.
If you are unsure if your login credentials have been compromised, you can check by entering your email address or username on haveibeenpwned.com
May 27, 2016 | Cybersecurity News, Internet Privacy, Internet Security News, Network Security, Web Filtering
A new phishing activity report published by the Anti-Phishing Working Group (APWG) shows that the threat from phishing websites is greater than any other time in the history of the Internet. The latest phishing activity report shows that in the past six months, the number of phishing websites has increased by a staggering 250%. Most of the new websites were detected in March 2016.
The Rising Threat from Phishing Websites Should Not Be Ignored
APWG was founded in 2003 in response to the rise in cybercrime and the use of phishing to attack consumers. The purpose of the organization is to unify the global response to cybercriminal activity, monitor the latest threats, and share data to better protect businesses and consumers.
In 2004, APWG started tracking phishing and reporting on the growing threat from phishing websites. During the past 12 years, the number of phishing websites being created by cybercriminals has grown steadily; however, the past six months has seen a massive rise in new websites that trick users into revealing sensitive data.
APWG reports that there is an increase in new malicious websites around the holiday season. In the run up to the holiday period when online shopping increases and Internet traffic spikes, there are more opportunities to relieve online shoppers of their credit card details, login credentials, and other sensitive data.
In late 2015, cybercriminals increased their efforts and there was the usual spike in the number of new phishing websites. However, after the holiday period ended APWG expected activity to reduce. That didn’t happen. New sites were still being created at elevated levels.
In the first quarter of 2016, APWG detected 289,371 new phishing websites were created. However, almost half of the new websites – 123,555 of them – were detected in March 2016. Aside from a slight dip in February, the number of new websites created has increased each month. March saw almost twice the number of new sites than were created in December. The figures for Q1 and for March were the highest ever seen.
Retail and Financial Sectors Most Frequently Targeted by Phishers
Phishers tend to favor well-known brands. The phishing activity report indicates little has changed in this regard. Between 406 and 431 brands are targeted each month. Most of the new sites target the retail industry which accounts for 42.71% of the new phishing websites detected in the first quarter of 2016. The financial sector was second with 18.67% of new sites, followed by the payment service industry with 14,74% and the ISP industry with 12.01%. The remaining 11.87% of new sites targeted a wide range of industries. The United States is the most targeted country and hosts the most phishing websites.
While phishing websites are now favored by cybercriminals, emails continue to be used to send malicious links and malware-infected attachments to consumers and businesses. In January, 99,384 phishing email reports were sent to APWG. The number increased to over 229,000 in February and stayed at that level in March.
APWG also tracked malware infections. In the first quarter of the year, 20 million malware samples were intercepted – an average of 6.67 million malware samples a month.
The report shows how critical it is for business to take action to prevent end users from visiting malicious websites and the seriousness of the threat from phishing websites.
One of the best ways that businesses can reduce the risk of employees visiting phishing websites is to use a web filtering solution. By controlling the sites that can be accessed by employees, the risk of phishing, malware infections, and ransomware attacks can be greatly reduced.
May 26, 2016 | Cybersecurity News, Internet Security News, Network Security
Surprisingly, after ESET sent a request for the TeslaCrypt ransomware master key to the criminal gang behind the attacks, they responded by making the decryption key public and even issued an apology. The surprise move signals the end of the ransomware that was used primarily to target gamers
TeslaCrypt Ransomware Master Key Released
So does the release of the TeslaCrypt ransomware master key mean that the attacks will now stop? The answer to that is a little complicated. Attacks using TeslaCrypt will slow and stop soon, and even if some individuals have their computer files locked by the ransomware they will not need to pay a ransom.
Once the TeslaCrypt ransomware master key was made public, security companies started work on decryption tools to unlock infections. ESET have added the key to their TeslaCrypt decryption tool, and Kaspersky Lab similarly used the master key to update the decryption tool it had been using to unlock earlier versions of the ransomware.
That does not mean that the criminal gang behind the campaign will stop its malicious activity. It just means that the gang will stop using TeslaCrypt. There are many other types of ransomware that can be used for attacks. In fact, it would appear that TeslaCrypt has now simply been replaced with a new form of ransomware called CryptXXX. According to ESET, many of the distributers of TeslaCrypt have already switched to CryptXXX.
Under normal circumstances, contacting a criminal gang and asking for the TeslaCrypt ransomware master key would not have worked. Attackers running profitable ransomware campaigns are unlikely to respond to a polite request asking to unlock an infection without paying a ransom, let alone supply a master key that can be used to unlock all infections.
The reason for the release is TeslaCrypt was already being phased out. ESET researcher Igor Kabina noticed that TeslaCrypt infections were slowing, which signaled that either the gang behind the ransomware was phasing it out in favor of a new malware, or that a new and updated version of TeslaCrypt would soon be released. Kabina decided to contact the attackers through the channels set up to allow victims to contact the gang and pay the ransom.
Kabina asked for the private decryption keys to unlock all four versions of the ransomware. He was answered within one day and was provided the key for the version he claimed to have been infected with. He then sent another message requesting the release of the latest key to unlock v4 of the ransomware, and noticed on the TeslaCrypt page that the gang had announced that the project had been closed. The universal key had been posted on an anonymous .onion page that can be accessed using the Tor browser.
There is a constant battle between security companies and ransomware developers. Oftentimes, ransomware variants contain flaws that allow antivirus companies to develop decryption tools. When these tools are released attackers work rapidly to repair the security flaw and release a new, more robust version of the ransomware. This was the case with TeslaCrypt. Flaws in the first version allowed a tool to be developed. A decryption tool was released, and version 2 of the ransomware was released. TeslaCrypt is now on the fourth version.
As with Cryptowall, TeslaCrypt has now been shut down; however, CryptXXX is still very much active and is still being updated. Furthermore, the attackers have learnt from their mistakes and have developed CryptXXX to be a much harder nut to crack.
CryptXXX is run alongside a program that monitors the system on which it is run to check if it is in a virtual environment or sandbox or otherwise being probed. If abnormal behavior is identified, the encryption routine is restarted. CryptXXX is also spread via spam email, exploit kits, and malvertising. This means that it is much easier to spread and more attacks are likely to occur. Companies and individuals therefore face a much higher risk of an attack.
The release of the TeslaCrypt ransomware master key is therefore only good news if you have been infected with TeslaCrypt. With the move to CryptXXX it is even more important to have solutions in place to prevent attacks, and a plan in place to deal with an attack when it occurs.
May 20, 2016 | Cybersecurity News, Internet Security News, Network Security
A new study has recently been published showing the impact of security breaches on brand image, and how the behavior of consumers changes when companies experience data breaches that expose private data.
Cyberattacks are now taking place with such frequency that data breaches are now to be expected. It is no longer a case of whether a security breach will occur, it is now just a case of when it will happen. Even with the best protections in place to protect sensitive data, breaches will still occur.
Many consumers are aware that the current threat levels are greater than ever and that cyberattacks will occur. However, how do consumers react to breaches of their personal information? Do they forgive and forget or are they taking their business elsewhere?
What is the Impact of Security Breaches on Brand Image?
The FireEye study set out to examine the impact of security breaches on brand image. 2,000 interviews were conducted on consumers in the United States to find out whether security incidents changed behavior and whether data breaches altered perceptions of companies and trust in brands.
The results of the survey clearly show that the failure to invest in robust cybersecurity defenses can have a major impact on revenue. 76% of surveyed consumers claimed they would take their business elsewhere if they believed a company’s data handling practices were poor or that the company was negligent with regard to data security.
75% of respondents said they would likely stop making purchases from a company if they felt that a security incident resulted from a failure of the company to prioritize cybersecurity.
Loss of business is not the only problem companies will face following a data breach. If a breach of personal information occurs and data are used by criminals for identity theft or fraud, 59% of consumers would take legal action to recover losses.
Even when companies take action to mitigate the risk of losses being suffered by consumers – such as providing identity theft protection services – brand image remains tarnished. Reputation damage after a data breach is suffered regardless of the actions taken by companies to mitigate risk. It can also take a considerable amount of time to regain consumers’ trust. More than half of respondents (54%) said that their impression of companies was negatively impacted after a security breach occurred.
Fast action following a data breach can help to restore confidence, but this is expected by consumers. The survey showed that 90% of consumers expect to be notified of a breach of data within 24 hours of an attack taking place, yet this is something that rarely happens. All too often consumers are made to wait weeks before they are informed of a breach of their personal information.
The study also shows that as a result of large-scale breaches consumers are now much less trusting of companies’ ability to keep data secure. They are also much more cautious about providing personal information. 72% of consumers said they now share less information with companies due to the volume of data breaches now being suffered.
The take home message from the survey is organizations must do more to protect consumer data and to prevent data breaches from occurring. If companies invest heavily in cybersecurity and can demonstrate to consumers that they take privacy and security seriously, the negative impact of security breaches on brand image is likely to be reduced.
May 20, 2016 | Cybersecurity News
The not-for-profit technology industry association CompTIA recently released its 2016 International Trends in Cybersecurity report after analyzing the current state of cybersecurity and assessing behaviors and techniques currently being used by organizations around the world to tackle the growing risk of cyberattacks.
To compile the report, CompTIA surveyed 1,509 IT security professionals from 12 countries around the world, including Australia, Canada, India, Brazil, Malaysia, Japan, South Africa, the UAE and the UK.
The International Trends in Cybersecurity report shows that information security is still a major concern for IT and business executives, which is perhaps no surprise given the number of cybersecurity threats they now have to deal with. The report showed that over the course of the past 12 months, 73% of organizations had experienced at least one security incident and 60% of those security incidents were classed as serious.
The highest number of security incidents occurred in India, where 94% of companies experienced a security breach in the past 12 months, closely followed by Malaysia on 89%, and Brazil and Mexico with 87% of companies suffering at least one breach. Japan and the UAE fared the best, with just 39% and 40% of companies self-reporting a security breach.
Security incidents involving mobile devices are becoming much more prevalent as the use of the devices increases. 76% of companies across all 12 countries experienced a mobile-related data breach in the past 12 months. In Thailand, 95% of companies had experienced a mobile-related security breach. In the UK, 64% of companies experienced a mobile-related incident. Companies in Japan and the UAE fared the best with 60% of companies experiencing breach of mobile data.
Human error continues to be a major cause of security breaches and the situation is getting worse. Companies are tackling the issue with training to improve awareness of cybersecurity issues and ensure security best practices are adopted.
Nearly 80% of managers responsible for data security expect cybersecurity to become even more important over the next two years. The increasing reliance on mobile technology and cloud computing has required a major rethink about how systems and data need to be protected from attack. These were listed as the main drivers behind changes in cybersecurity practices in 10 out of the 12 countries where respondents were located.
May 11, 2016 | Cybersecurity Advice, Cybersecurity News, Internet Security News, Web Filtering
This week, patch Tuesday saw updates issued to address actively exploited security vulnerabilities in Internet Explorer, along with a swathe of fixes for a number of other critical Microsoft security vulnerabilities. In total, Microsoft issued fixes for 51 vulnerabilities this week spread across 16 security bulletins, half of which were rated as important, the other eight being rated as critical.
The updates tackle vulnerabilities in Microsoft Edge and Internet Explorer, Windows, the Microsoft .NET Framework, and MS Office; however, it is the browser fixes that are the most important. These include actively exploited security vulnerabilities that can be used to compromise computers if users visit websites containing exploit kits.
Security update MS16-051 tackles the CVE-2016-0189 zero-day vulnerability in Internet Explorer, which if exploited, would allow an attacker to gain the same level of privileges as the current user. The flaw could be used to take control of the entire system. The exploit could be used to install new programs on the device, create new accounts, or modify or delete data. The vulnerability modifies the functioning of JScript and VBScript, changing how they handle objects in the computer’s memory.
The IE security vulnerability was brought to the attention of Microsoft by researchers at Symantec, who had discovered an active exploit that was being used alongside spear-phishing attacks in South Korea. Users were being directed to a website containing an exploit kit that had been updated with the IE security vulnerability.
The MS16-052 security update tackles a vulnerability in Microsoft Edge which similarly changes how objects in the memory are handled. These two updates should be prioritized by sysadmins, although all of the updates should be installed as soon as possible. Even the important updates could potentially be exploited and used to gain control of unpatched computers.
Bulletin MS16-054 is also a priority update to patch critical vulnerabilities in Adobe Flash. Since Flash is embedded in both Edge and IE, Microsoft has started issuing updates to address Adobe Flash vulnerabilities. While these security flaws are not believed to have been exploited in the wild, it will not be long before they are included in exploit kits.
Microsoft may have fixed its actively exploited security vulnerabilities, but despite Adobe issuing patches for Acrobat, ColdFusion, and Reader on Tuesday, Flash remains vulnerable to attack. Adobe has yet to issue a patch for an actively exploited Flash security vulnerability (CVE-2016-4117) that affects version 21.0.0.226 and all earlier versions of the platform. This vulnerability has been included in exploit kits and can be used to take control of devices. In total, Adobe fixed 92 separate vulnerabilities in its Tuesday update.
Between Microsoft and Adobe, 143 vulnerabilities have been addressed this week. With hackers quick to add the vulnerabilities to website exploit kits, it is essential that patches are installed rapidly. These actively exploited security vulnerabilities also highlight the importance of using a web filtering solution to prevent users from visiting compromised websites where the vulnerabilities can be exploited.
May 6, 2016 | Cybersecurity Advice, Cybersecurity News, Internet Security News, Network Security, Web Filtering
Finding a web security service for MSPs can be a time consuming process. There are a number of solutions that allow MSPs to keep their clients protected from malware and reduce the risk from internal and external threats, yet many are far from ideal for use by MSPs.
The ideal web security service for MSPs must have a relatively low cost of ownership. Clients may be more than willing to implement a web security service to deal with the growing range of web-borne threats, but the cost of implementation is a key factor.
Many solutions offer all the necessary benefits for the client, but are not practical for use by MSPs. The time taken to install web security solutions and to configure them for each client can reduce profitability. The best web security service for MSPs need to be easy to install and maintain, and have a low management overhead.
Low cost solutions that are quick to install and easy to maintain allow MSPs to easily incorporate into existing packages to create a more comprehensive Internet security service. This can increase the value provided to clients, boost client revenue, and help MSPs to win more business and differentiate their company in the marketplace.
The ideal web security service for MSPs is available as a white label. This allows the service to be easily incorporated into existing packages. White labeling allows MSPS to strengthen their own brand image rather than promoting someone else’s.
Many providers of a web security service for MSPs fall down on customer support. If any issues are experienced, it is essential that an MSP can provide rapid solutions. Industry-leading technical support is essential.
WebTitan Cloud – A Web Security Service for MSPs That Ticks All the Right Boxes
WebTitan Cloud is an enterprise-class web filtering solution for MSPs that can be used to enforce clients’ acceptable use policies and control the content that can be accessed via their wired and wireless networks.
Our DNS-based web filtering solution allows organizations to prevent phishing, stop malware downloads, protect against ransomware and botnet infections, and block spyware and adware. Controls prevent the bypassing of the content filter by blocking anonymizer services. Encrypted web traffic is also inspected.
Implementation could not be any easier. There is no need for any hardware purchases or software downloads. All that is required is a change to the DNS to point to our servers and the Internet can be filtered in under 2 minutes.
Configuring each client to incorporate their AUPs is also a quick and easy process requiring no technical expertise. Highly granular controls ensure AUPs can be quickly and easily applied. There is no need to use on premise support teams. Everything can be monitored via the control panel from any Internet browser. There is no hardware or software to maintain and no patches to apply, reducing management overhead considerably. Cloud keys can be supplied to allow guests to bypass organization-wide content control settings, with time-limits applied to prevent abuse.
Reporting is effortless. A full suite of pre-defined reports can be generated automatically and scheduled for each client to allow Internet access to be carefully monitored.
We also offer fully white-labeled solutions for MSPs allowing logos, branding, and corporate color schemes to be easily incorporated. We are also more than happy to allow WebTitan Cloud to be hosted within an MSPs infrastructure.
What Your Customers Get
- Ransomware, malware, and phishing protection. Protection from malware, ransomware and the web-based component of phishing attacks. More than 60,000 malware iterations are blocked every day.
- A quick and easy to use DNS filter to manage and control web usage – Block malicious sites and control the web content employees and guest users can access.
- Easy to implement; Easy to use. Customer accounts are up and running within 20 minutes
- Improve network performance: A no latency DNS filtering solution that can be used to reduce bandwidth waste and abuse.
- Highly granular content filtering with flexible user policies
- Support for dynamic IP’s
- Works with any device
- Full reporting suite. WebTitan contains a comprehensive reporting suite providing automated graphical reports and extensive reports on demand.
- Fully automated updating – Does not add to your patching burden and requires minimal management while ensuring maximum security.
- Whitelists and blacklists Global whitelists and blacklists and custom categories can be configured to allow/block by full website address or by IP address
Benefits for MSPs
- Save on customer support time, hours and cost – No more costly ransomware call outs.
- Easy to deploy, manage and sell our awarded-winning cloud based web filtering solution
- Simple Integration into your existing service stack through API’s and RMM integrations
- Competitive pricing with a core focus on the SMB market.
- Generous margins and monthly billing
- White labelling – WebTitan can be fully rebranded with your logos and color scheme with us working seamlessly in the background.
- Set & forget. WebTitan requires minimal IT service intervention
- Short sales cycle – only a 14 day free trial required to test
- World class support – The best customer service in the industry with scalable pre-sales and technical support and sales & technical training
- Multi-tenant dashboard – MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis
To find out more about why WebTitan Cloud is a game changing web security service for MSPs contact our sales team today!
MSP Testimonials
“WebTitan is an outstanding tool for most reliable content filtering. The monitoring feature of this specific product is quite unique that totally monitors all the process of online working and also secures all the data. Additionally, its set-up is superb easy and it can be done in just few minutes that save my time and energy as well.” Kristie H. Account Manager
“WebTitan is fairly easy to setup. It is available as a cloud based solution or on prem. You can get as simple or as complicated with your filtering as you like, it will handle most situations with ease. It has provided us with a stable web filtering platform that has worked well for us for many years. ” Derek A. Network Manager
“WebTitan is outstanding software that helps me a lot in minimizing viruses. The thing I like most about WebTitan is that it is extremely easy to use and configure. I like its clear interface. It lets us block malicious content and spam easily. It is no doubt an amazing product helping us a lot in kicking out harmful bad stuff.” Randy Q. Software Engineer
“By reducing malware-related security incidents, you’re reducing your number one uncontrollable expense: the people on your IT operations team, like your help desk techs.” MSP, Washington, US
“Web filtering is one of the, if not the greatest bang for your buck services. It’s built in anti malware has protected our clients, saving us thousands of hours of repair time I am absolutely certain.” MSP, New York, US
“a key part of our security stack as we’ve scaled to over 6,000 managed endpoints, while decreasing virus and malware related tickets by 70%.” MSP, Boston, US
“It has paid for itself many times over by reducing malware calls.” MSP, Toronto, Canada
May 5, 2016 | Cybersecurity Advice, Cybersecurity News, Internet Security News, Network Security, Web Filtering
Over the past two weeks there have been three worrying instances of the Angler exploit kit being used to infect website visitors with malware and ransomware. Cybercriminals are increasingly using exploit kits to deliver their malicious payloads and all organizations need to be aware of the risk.
Why AUPs May Not Be Sufficient to Keep Networks Secure
Many companies advise employees of the types of websites that can be accessed via work networks and which are forbidden. Typically, employees are banned from visiting pornographic websites, using the Internet for the sharing of copyright-protected material, installing shareware or other unauthorized software, and using unauthorized web applications and gaming sites.
Employees are provided with a document which they are required to read and sign. They are informed of the actions that will be taken for breaching the rules: verbal and written warnings for example, and in some cases, instant dismissal. These AUPs are usually effective and employees do heed the warnings if they value their jobs.
If an employee breaches the AUPs and accesses pornography for instance, action can be taken against that individual. It is probable that no harm will have been caused and the matter can be dealt with by HR.
However, if an employee breaches AUPs and visits a website that has been compromised with malware or installs shareware that includes malicious files, taking action against the employee will not undo the damage caused.
To better protect networks, AUPs should be enforced with a software solution. By implementing a web filtering solution, HR departments can ensure that inappropriate website content is not accessed, while IT departments can be prevented from having to deal with malware infections.
Even if AUPs are followed to the letter, malware may still be downloaded onto the network. The risk has recently been highlighted by two security incidents discovered in the past two weeks.
Legitimate Websites Compromised with Angler Exploit Kit
Last week, news emerged that a toy manufacturer’s website had been compromised and was being used to infect visitors with malware. The website had been loaded with the Angler exploit kit and was being used to silently infect visitors’ devices with ransomware.
An exploit kit is a malicious toolkit used by hackers to probe for security vulnerabilities in website visitors’ browsers. A visitor to a website containing an exploit kit – BlackHole, Magnitude, Nuclear, Styx, or Angler for example – will have their browser checked for out of date plugins such as Adobe Reader, Silverlight, Flash, or Java. If the plugins are not up to date, security vulnerabilities can be exploited to download a payload of malware. These attacks are silent and the website visitor will be unaware that their machine has been compromised.
This week, two more websites were discovered to have been hijacked and were being used to direct visitors to the Angler exploit kit. These websites were much more likely to be visited by company employees. They were the sites of two CBS-affiliated TV stations: KMOV in St. Louis and WBTV in Charlotte, North Carolina.
These news websites would be unlikely to be banned in AUPs, and few organizations would see the risk of their employees visiting these websites.
News Websites Contained Malvertising Directing Users to the Angler Exploit Kit
While the toy manufacturer’s website was directly infecting web visitors, in the case of KMOV and WBTV the attackers were using a common technique called malvertising. The websites had not been loaded with the Angler exploit kit, instead the attacks were taking place via third party adverts that were being served on the sites.
The sites contain adblocks which were used to serve advertisements via the Taggify network – a legitimate advertising network. However, a rogue advertiser had got around the controls put in place by Taggify and malicious adverts were being served.
The attackers hosted the malicious ad components – images and JavaScript- on their own servers. The malicious adverts were then served on unsuspecting website visitors. However, the rogue advertiser was also serving legitimate ads and these were displayed to web crawlers and scanners to avoid detection. Other users were served an advert that redirected them to the Angler exploit kit. If those visitors had browsers with out of date plugins, they would be infected with whatever payload the attackers chose to deliver.
Reduce Risk of Attack with a Web Filtering Solution
These three recent cases are just the tip of the iceberg. Criminals are hijacking all manner of websites and using them to host exploit kits. Legitimate websites serving third party adverts are also being targeted with malvertising.
Enforcing AUPs with a web filtering solution can help to prevent end users from visiting websites that have been compromised with malware. A web filter – such as WebTitan – can also be used to block third party advertisements from being displayed.
Unfortunately for enterprises, it is not possible to install patches as soon as they are released. Many patches require reboots, and that is not practical. The number of patches being released to plug security holes is considerable, and it takes time to patch all devices that connect to a network. Good patch management policies can reduce the likelihood of a successful attack, but they cannot prevent all attacks from taking place. If a web filtering solution is used that can block malvertising and websites known to contain malware, end users and networks will be better protected.
Apr 30, 2016 | Cybersecurity Advice, Cybersecurity News, Network Security, Web Filtering
There are some very good reasons why you should block file sharing websites. These websites are primarily used to share pirated software, music, films, and TV shows. It would be unlikely for the owner of the copyright to take action against an employer for failing to prevent the illegal sharing of copyrighted material, but this is an unnecessary legal risk.
However, the main risk from using these websites comes from malware. Research conducted by IDC in 2013 showed that out of 533 tests of websites and peer-2-peer file sharing networks, the downloading of pirated software resulted in spyware and tracking cookies being downloaded to users’ computers 78% of the time. More worryingly, Trojans were downloaded with pirated software 36% of the time.
A survey conducted on IT managers and CIOs at the time indicated that malware was installed 15% of the time with the software. IDC determined that overall there was a one in three chance of infecting a machine with malware by using pirated software.
Even visiting torrent sites can be harmful. This week Malwarebytes reported that visitors to The Pirate Bay were served malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site containing the Magnitude exploit kit which was used to downloaded Cerber ransomware onto users’ devices.
A study conducted by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal checks files against the databases of 47 different anti-virus engines. The research team determined that 50% of pirated files were infected with malware.
Dealing with malware from pirated software was determined to take around 1.5 billion hours per year. For businesses the cost can be considerable. IDC calculated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was estimated to be in the order of $350 billion.
Time to Block File Sharing Websites?
Organizations can monitor devices and check for unauthorized software installations on individual devices; however, by the time a software installation has been discovered, malware is likely to already have been installed. A recent report by Verizon suggests that on average, hackers are able to exfiltrate data within 28 minutes of gaining access to a system.
One of the easiest ways to manage risk is to block file sharing websites such as P2P and torrent sites. A web filter can be easily configured to block file sharing websites and prevent them from being accessed. Many web filters can also be configured to block specific file types from being downloaded, such as keygens and other executables.
By blocking file sharing websites organizations can ensure that copyright-violating activities are prevented and malware risk is effectively managed. Furthermore, web filters can be used to block web-borne threats such as phishing websites, compromised webpages, spam and botnets, adware, malware, ransomware, and anonymizers.
The failure to block file sharing websites could turn out to be costly. It is far better to block potentially dangerous websites and online activities than to have to cover the cost of removing malware infections and dealing with data breaches.