Cybersecurity News

Our cybersecurity news will not be enjoyable reading for organizations that fail to implement adequate online security measures and update them regularly. Many of the news items in this section report hacks, data breaches and scams that have cost organizations money, credibility and – in some cases – their businesses.

The majority of the adverse incidents reported below could have been avoided had the organization in question taken appropriate steps to protect its database and prevent malware from infecting its computer system. To ensure your organization does not feature in a future cybersecurity news item, implement a web filter from WebTitan.

University Cyberattack Involved Campus Vending Machines and 5,000 IoT Devices

A recent university cyberattack in the United States resulted in more than 5,000 systems being taken out of action.

The university cyberattack only became apparent after the IT department was flooded with complaints from staff and students that the Internet had slowed to a snail’s pace. By the time that the cyberattack was identified, the attack had spread to multiple systems and devices, resulting in major headaches for the IT department. Attempts were made to bring systems back online but they failed. Not only had IoT devices been compromised, passwords were changed by the attackers. The IT department was locked out and was prevented from gaining access to any of the compromised devices.

The attack involved a range of devices. Even campus vending machines had been loaded with malware and were under the control of the attackers. In total, 5,000 smart devices were compromised in the attack and had been added to an emerging IoT botnet.

An investigation was launched which revealed the extent of the attack. Virtually the entire IoT network had been lost to the attackers. Everything from smart lightbulbs in street lamps to drink-dispensing vending machines had been infected with malware and made part of a botnet.

The IoT devices were making hundreds of DNS lookups, preventing users from performing web searches or visiting websites. In this case, the devices were being used to make seafood-related searches. So many searches that genuine use of the Internet was prevented.

Once the first devices were compromised, the infection spread rapidly. Every IoT device connected to the network was attacked, with the devices brute-forced until the correct username and password combo was found. The devices were then loaded with malware and added to the botnet. The speed at which the IoT devices were compromised and loaded with malware was due to the use of weak passwords and default login credentials. The university, for convenience, had also made the mistake of loading all IoT devices onto one network.

Once the attackers had gained access to an IoT device and loaded their malware, they had full control of the device. To prevent removal of the malware, the attackers changed the password on the device, locking the IT department out.

Once that had occurred, the only way the IT department thought it would be possible to remove the malware and regain control would be to replace every IoT device. All 5,000 of them.

However, before such a drastic measure was taken, the university sought external assistance and was advised to use a packet sniffer to intercept clear-text passwords sent by the attackers to the malware-compromised devices. The university was able to read the new passwords and regain access to its IoT devices. Passwords were then changed on all 5,000 devices and the malware was removed.

A university cyberattack such as this can cause considerable IT headaches, major disruption for staff and students, and involves a not insignificant resolution cost. However, the university cyberattack could have been avoided. Even if an attack was not prevented, its severity could have been greatly reduced.

Had strong passwords been set, the attackers would have found it much harder to infect devices, buying the IT department time and allowing action to be taken to mitigate the attack.

While it is easy to see why all IoT devices were included on a single network, such a move makes it far too easy for cybercriminals to spread malware infections. It is never wise to put all of one’s eggs in the same basket. It is also important to ensure that networks are separated. If access to devices on one network is gained, damage will be limited.

Law Firm Phone Hacking Results in $65,000 Phone Bill

A law firm phone hacking incident has resulted in an Alexandria, VA attorney being sent a staggering $65,000 phone bill. The attorney’s phone system was hacked and used to make a slew of international phone calls in the middle of the night to numbers in Algeria and Serbia.

In total, 195 phone calls were made through the law firm’s phone system in just 45 minutes. Since the incident occurred in the middle of the night, no one noticed. The small law firm only employs three people, none of whom were in the office at the time.

Attorney David Chamowitz was informed by his service provider via email about the calls and the charges.  This law firm phone hacking incident was not a one off. Even though the attorney changed the password on his system, he was attacked again suggesting the hacker had a backdoor into the system. To ensure that future calls were not made, the attorney has had to switch off long distance call capabilities.

The hacker responsible was unlikely to be looking to speak to friends and relatives abroad. This type of scam involves making calls to premium rate international numbers, with the hackers making money from those calls. The charges for the calls can be extortionate, as Chamowitz discovered. Many other small to medium sized businesses have been targeted by hackers and have had to foot the bill for the calls. Phone charges totaling tens of thousands of dollars can easily be racked up.

As was the case with Chamowitz, the attack occurred at a time when it was unlikely to be noticed. Calls are usually made outside of business hours, often in the middle of the night.

Flaws in security systems are exploited to gain access to voicemail systems, although more commonly, hackers take advantage of poor security controls such as default login credentials left active on voicemail systems. Small businesses may implement firewalls and a host of security measures to protect their computers from attack, yet do not realize that voicemail system hacks are also possible.

The default credentials can easily be found online via the search engines or they can be easily guessed. Usernames of ‘admin’ are common and passwords are often set to 1234.

As this law firm phone hacking incident shows, any system that can be accessed externally can be hacked. Whether that is a computer, server, router, IoT device or phone/voicemail system.

To protect against voicemail system hacks it is important to ensure that default credentials are changed and strong passwords are set. A PBX firewall should be employed and calls logs should be monitored. If there is no need for your business to make international or premium rate calls, speak to your service provider and try to block those calls. Also, consider setting the system to not permit outbound calls at certain times (outside of office hours) and disable external access to the phone system/voicemail when the office is closed.

Restaurant Malware Attack Results in Theft of More Than 355,000 Credit and Debit Cards

A restaurant malware attack has resulted in the theft of the credit and debit card numbers of more than 355,000 customers, according to Krebs on Security. A breach was suspected to have occurred when credit unions and banks started to notice a flurry of fraudulent purchases. The breach was traced to the fast food restaurant chain Arbys.

While there have been numerous instances of credit card fraud reported in the past few days, the Arbys data breach was first identified in January. Industry partners contacted Arbys regarding a potential breach of credit/debit card numbers. At that point, the incident was only thought to have affected a handful of its restaurants.

The malware infection was soon uncovered and the FBI was notified, although the agency requested that Arby’s did not go public so as not to impede the criminal investigation. However, a statement has recently been released confirming that Arby’s is investigating a breach of its payment card systems.

Upon discovery of the breach, Arby’s retained the services of cybersecurity firm Mandiant to conduct a forensic analysis. The Mandiant investigation is continuing, although rapid action was taken to contain the incident and remove the malware from Arby’s payment card systems. The investigation revealed that the incident only impacted certain corporate-owned stores. None of the franchised stores were infected with malware. Arbys has more than 3,300 stores across the United States, more than 1,000 of which are corporate-owned.

PSCU, an organization serving credit unions, was the first to identify a potential breach after receiving a list of 355,000 stolen credit card/debit card numbers from its member banks. It is currently unclear when the restaurant malware attack first occurred, although the malware is currently thought to have been actively stealing data from October 25, 2016 until January 19, 2017, when the malware was identified and removed.

This is of course not the first restaurant malware attack to have been reported in recent months. The restaurant chain Wendys suffered a similar malware attack last year. That incident also resulted in the theft of hundreds of thousands of payment card details before the malware was discovered and removed. Similar payment card system malware infections were also discovered by Target and Home Depot and resulted in huge numbers of card details being stolen.

Details of how the malware was installed have not been released, although malware is typically installed when employees respond to spear phishing campaigns. Malware is also commonly installed as a result of employees clicking on malicious links contained in spam emails or being redirected to malicious sites by malvertising. In some cases, malware is installed by hackers who take advantage of unaddressed security vulnerabilities.

Once malware has been installed it can be difficult to identify, even when anti-virus and anti-malware solutions are in use. As was the case with the latest restaurant malware attack, data theft was only identified when cybercriminals started using the stolen payment card information to make fraudulent purchases.

Protecting against malware attacks requires multi-layered cybersecurity defenses. Good patch management policies are also essential to ensure that any security vulnerabilities are remediated promptly. Anti-spam and anti-phishing solutions can greatly reduce the volume of messages that make it through to employees’ inboxes, while malicious links and redirects can be blocked with a web filtering solution. A little training also goes a long way. All staff members with computer access should receive anti-phishing training and should be instructed on security best practices.

Regular scans should be performed on all systems to search for malware that may have evaded anti-virus and anti-malware solutions. Since a restaurant malware attack will target payment card systems, those should be frequently scanned for malware. Rapid detection of malware will greatly reduce the damage caused.

2016 Malware Report Shows Changes in Malware Trends Over the Past 12 Months

If your organization was hit with a malware or ransomware infection last year, the 2016 malware report from Malwarebytes may serve as an unpleasant reminder of 12 months best forgotten. Malware infections rose in 2016 and ransomware infections soared. In the case of the latter, there was an explosion in new variants. Malwarebytes charted a 267% increase in ransomware variants between January 2016 and November 2016. In quarter four alone more than 400 active ransomware variants were cataloged.

During those 11 months, email spam volume increased significantly as did the percentage of those spam emails that were malicious. Botnets went into overdrive distributing malicious email messages that sent swathes of malicious links and attachments to employees. There were malicious Word macros, JavaScript downloaders, PowerShell scripts, and VBScripts aplenty. Fileless malware consisting entirely of PowerShell also emerged.

The 2016 malware report shows how ransomware has become the revenue-generator of choice for many cybercriminals. It is easy to understand why. Infecting computers is a relatively easy process, ransom payments are made within a matter of days, much of the process is entirely automated, and ransomware-as-a-service means no skill is even required to jump on the bandwagon and send out campaigns.

The 2016 malware report indicates ransomware accounted for 18% of malicious payloads from spam email and ransomware is the payload of choice for exploit kits, accounting for 66% of malicious downloads.

Locky was a major threat for most of the year, but in December there was a massive spike in Cerber ransomware variants, which are now the most populous ransomware family.

The cybersecurity’s company’s 2016 malware report confirms what many security professionals already know all too well. 2016 was a particularly bad year for everyone but the cybercriminals. Unfortunately, the outlook for 2017 does not look any better. In fact, it looks like it will be even worse.

Predictions have been made that will send shivers down many a system administrator’s spine. Ransomware is set to become even more aggressive. Critical infrastructures are likely to be targeted. Healthcare ransomware attacks will increase potentially placing patients’ lives at risk. Educational institutions will be targeted. No organization will be immune to attack.

Fortunately, new ransomware families will be limited in 2017. But that is only because Locky and Cerber are so effective and can easily be tweaked to avoid detection.

Then there are the botnets. The increase in use of IoT devices would not be a problem, were it not for a lack of security. Many insecure devices are coming to market which can all too easily be added to botnets. As we saw in the tail end of the year, these botnets – such as Mirai – are capable of conducting devastating DDoS attacks. Those attacks are only likely to increase in scale and frequency. As Malwarebytes correctly points out, unless manufacturers of IoT devices are better regulated and are forced to improve their security, vast sections of the Internet will come under threat.

So, it looks like all bad news for 2017. All organizations can do is purchase the technology to deal with the threats, plug security holes promptly, train staff to be aware of the threats, and shore up their defenses. The next 12 months could be a rocky ride.

Hotel Malware Attacks on the Rise: 12 U.S InterContinental Hotels Affected

Hotel malware attacks have been hitting the headlines in the past two years as cybercriminals target hotels looking for payment card information. Now, InterContinental Hotels Group Plc has announced that a malware infection has potentially resulted in the theft of customers’ payment card details from 12 of its hotels in the United States. The hotel malware attacks affected guests at InterContinental Hotels as well as Crowne Plaza and Holiday Inn hotels.

The data breach affected the payment systems used by the hotel chain’s restaurants and bars, but did not extend to the front desk system used to process guests.

Malware was installed on the hotels’ servers which searched for and obtained customer track data from credit and debit card transactions. Customers’ card data – including names, card numbers, expiry dates and verification codes – were intercepted and potentially stolen using the malware. The malware was discovered in late December when the hotel chain hired a cybersecurity firm to investigate a potential data breach following an unusual level of fraud affecting the hotel chain’s customers. That investigation revealed malware had been installed as early as August 1, 2016 which remained active until December 15, 2016.

InterContinental has not disclosed whether the malware passed on any payment card information to the attackers nor how many customers had been impacted by the incident, only that servers at 12 of the chain’s hotels had been affected. Investigations into the security breach are continuing and the investigation has now been extended to other hotels owned by InterContinental in the Americas.

Hotels are commonly targeted by cybercriminals seeking payment card information. Last summer, InterContinental’s Kimpton Hotels & Restaurants were attacked with malware and similar incidents were reported last year by Marriot International’s Starwood Hotels as well as the Hyatt, Westin, and Sheraton hotel chains. Hotel malware attacks were reported by the Hilton chain and Trump Hotels in 2015.

Cybercriminals are most interested in POS systems used by hotels. Malware is installed that is capable of capturing payment card information and those data are then transferred to the attackers. All too often, malware is installed and stays active for months before it is detected. During that time, tens of thousands of hotel guests can be impacted and have fraudulent charges applied to their accounts.

While hotel customers are often covered by their card providers’ insurance policy, the fallout from these incidents can be considerable. When guests suffer credit card and debit card fraud as a result of visiting a particular hotel, they may take their business elsewhere.

Malware can be installed by cybercriminals via a number of different attack vectors. Direct attacks take advantage of security flaws in software and hardware. Last year, Cylance’s Sophisticated Penetration Exploitation and Research Team (SPEAR) identified a zero-day vulnerability in ANTLabs InnGate routers, which are used by many of the top hotel chains to provide Internet access for guests. The flaw could be exploited to gain access to guest’s smartphones, laptops, and tablets, or potentially be used to install malware that targets POS systems on hotel servers.

According to SPEAR, the flaw was being actively exploited and 277 hotels had been targeted across 29 countries, including more than 100 hotels in the United States. Eight out of the world’s top ten hotel chains were found to have systems vulnerable to this type of attack. A patch was promptly issued to correct the flaw and hotels were able to plug the security hole.

It may not be possible to prevent attacks that exploit zero-day vulnerabilities; however, there are steps that can be taken to reduce hotel malware attacks. Malware is often downloaded as a result of employees’ or guests’ actions. Malware may be deliberately installed, although all too often downloads occur silently as a result of employees and guests visiting malicious websites.

Blocking access to these websites will protect both the hotel and its guests from web-borne malware and ransomware attacks. If a web filter – such as WebTitan – is installed, all websites known to house malware will be blocked.

Any individual who attempts to connect to one of those websites, or is redirected to one of those sites via a malicious email link or malvertising, will be protected. WebTitan can also be configured to prevent individuals from downloading files known to carry a high risk of being malicious – JavaScript files and executables for instance.

If you run a hotel or hotel chain, a web filter is an additional layer of security that should be seriously considered. A web filter will help to reduce the risk of malware and ransomware infections and keep hotel networks safe and secure for all users.

Hotel Ransomware Attack Affects Key Card and Reservation System

A hotel ransomware attack in Austria hit the headlines in the past couple of days. The cyberattack affected the Romantik Seehotel Jägerwirt. The hotel’s computer system was infiltrated by the attacker who installed ransomware. A range of files were encrypted, which prevented the hotel from being able to check-in new guests and issue new key cards for hotel doors.

Hotel Ransomware Attack Hampers Guest Check-ins

Early reports of the hotel ransomware attack suggested hotel guests were locked out of their rooms or, in some cases, locked in their rooms. The latter is not possible as even when electronic key cards are used, locks can be opened manually from the inside. Guests who had been issued with key cards prior to the attack were also able to use their cards to get in their rooms, according to a statement issued by the hotel’s manager.

However, the cyberattack still caused considerable disruption at the 111-year old hotel. According to local news sources, the attack affected the hotel’s key card system, reservation system, and its cash desk.

Since files were encrypted that were necessary to program new key cards, any guest that had not been checked in before the cyberattack occurred experienced considerable delays. The issue was only resolved when the hotel paid the ransom demand of 1500 Euros – approximately £1,300/$1,600. Systems remained out of action for 24 hours as a result of the attack.

This was not the only attack affecting the hotel. A second attack reportedly occurred, although the hotel was able to thwart that attempt by taking its systems offline. Repeat attacks are unfortunately common. If one ransomware attack results in the payment of a ransom, other attacks may also occur as the attackers attempt to extort even more money from their victim. Backdoors are often installed during initial attacks to enable access to continue after payment has been made.

Not being able to check-in new guests for a period of 24 hours can make a serious dent in profits, not only from guests being forced to seek alternative accommodation, but also from the damage to a hotel’s reputation. Such an attack can keep future guests away.

In this case, in addition to paying the ransom demand, the manager of the Romantik Seehotel Jägerwirt confirmed that the hotel will be going old school in the impending future. Rather than continue to use an electronic key card system, the hotel will revert to using standard keys for hotel room doors. Another hotel ransomware attack would therefore not prevent guests from checking in.

Hotels Must be Prepared for Cybersecurity Incidents

This is not the first hotel ransomware attack to have occurred in 2017 and it certainly will not be the last. Hotels are attractive targets for cybercriminals because hotels cannot afford to have critical systems offline for lengthy periods of time due to the disruption they cause. Cybercriminals know that ransom demands are likely to be paid.

In this case, no lasting harm was caused, although that does not mean future attacks will be limited to reservation systems and cash desk operations. Elevator systems may be targeted or other systems that have potential to compromise the health and safety of guests.

Hotels therefore need to make sure that not only are defenses augmented to prevent ransomware attacks, but a data breach response plan is in place to ensure that in the event of a cybersecurity incident, rapid action can be taken to limit the harm caused.

US Ransomware Attacks Quadrupled in 2016

According to a new report from data breach insurance provider Beazley, US ransomware attacks on enterprises quadrupled in 2016. There is no sign that these attacks will slow, in fact they are likely to continue to increase in 2017. Beazley predicts that US ransomware attacks will double in 2017.

Half of US Ransomware Attacks Affected Healthcare Organizations

The sophisticated nature of the latest ransomware variants, the broad range of vectors used to install malicious code, and poor user awareness of the ransomware threat are making it harder for organizations to prevent the attacks.

For its latest report, Beazley analyzed almost 2,000 data breaches experienced by its clients. That analysis revealed not only that US ransomware attacks had increased, but also malware infections and accidental disclosures of data. While ransomware is clearly a major threat to enterprises, Beazley warned that unintended disclosures of data by employees is actually a far more dangerous threat. Accidental data breaches increased by a third in 2016.

US ransomware attacks and malware incidents increased in the education sector, which registered a 10% rise year on year. 45% of data breaches experienced by educational institutions were the result of hacking or malware and 40% of data breaches suffered by companies in the financial services. However, it was the healthcare industry that experienced the most ransomware attacks. Nearly half of 2016 US ransomware attacks affected healthcare organizations.

The report provides some insight into when organizations are most at risk. US ransomware attacks spiked at the end of financial quarters and also during busy online shopping periods. It is at these times of year when employees most commonly let their guard down. Attackers also step up their efforts at these times. Beazley also points out that ransomware attacks are more likely to occur during IT system freezes.

Ransomware Attacks on Police Departments Have Increased

Even Police departments are not immune to ransomware attacks. Over the past two years there have been numerous ransomware attacks on police departments in the United States. In January, last year, the Midlothian Police Department in Chicago was attacked with ransomware and paid a $500 ransom to regain access to its files.

The Dickson County Sheriff’s Office in Tennessee paid $572 to unlock a ransomware infection last year, and the Tewksbury police department in Massachusetts similarly paid for a key to decrypt its files. In 2015, five police departments in Maine (Lincoln, Wiscasset, Boothbay Harbor, Waldboro and Damariscotta) were attacked with ransomware and in December 2016, the Cockrell Hill Police Department in Texas experienced a ransomware infection. The attack resulted in video evidence dating back to 2009 being encrypted. However, since much of that information was stored in backup files, the Cockrell Hill Police Department avoided paying the ransom.

Defending Against Ransomware

Unfortunately, there is no silver bullet to protect organizations from ransomware attacks. Ransomware defenses should consist of a host of technologies to prevent ransomware from being downloaded or installed, but also to ensure that infections are rapidly detected when they do occur.

Ransomware prevention requires technologies to be employed to block the main attack vectors. Email remains one of the most common mediums used by cybercriminals and hackers. An advanced spam filtering solution should therefore be used to prevent malicious emails from being delivered to end users. However, not all malicious attachments can be blocked. It is therefore essential to not only provide employees with security awareness training, but also to conduct dummy ransomware and phishing exercises to ensure training has been effective.

Many US ransomware attacks in 2016 occurred as a result of employees visiting – or being redirected to – malicious websites containing exploit kits. Drive-by ransomware downloads are possible if browsers and plugins are left unpatched. Organizations should ensure that patch management policies are put in place to ensure that all systems and software are patched promptly when updates are released.

Given the broad range of web-based threats, it is now becoming increasingly important for enterprises to implement a web filtering solution. A web filter can be configured to prevent employees from visiting malicious websites and to block malvertising-related web redirects. Web filters can also be configured to prevent employees from downloading malicious files and engaging in risky online behavior.

The outlook for 2017 may be bleak, but it is possible to prevent ransomware and malware attacks. However, the failure to take adequate preventative steps to mitigate risk is likely to prove costly.

2016 Data Breach Report Shows Massive Rise in Severity of Attacks

A recently released 2016 data breach report has shown that the number of data breaches reported by businesses has remained fairly constant year on year. 4,149 data breaches were reported between January and December 2016, which is broadly on a par with the figures from 2015.

2015 saw the largest ever healthcare data breach ever reported – The 78.8 million record data breach at Anthem Inc. There were also two other healthcare data breaches in 2015 that resulted in the theft of more than 10 million records. The 11-million record breach at Premera Blue Cross and the 10-million record breach at Excellus BlueCross BlueShield.

2016 saw more data breaches reported by healthcare organizations than in 2015, although the severity of the attacks was nowhere near as bad.  More than 27 million healthcare records were exposed in 2016, whereas the total for 2015 was in excess of 113 million.

2016 Data Breach Report Shows Severity of Cyberattacks Has Dramatically Increased

While the severity of healthcare data breaches fell year on year, the 2016 data breach report from Risk Based Security shows an overall increase in the severity of data breaches across all industries. 2016 was a record-breaking year.

In 2013 more than 1 billion records were exposed or stolen – the first time that the 1 billion record milestone had been passed. 2016 saw that previous milestone smashed.  More than four times as many records were stolen in 2016 than in 2013. 2016 data breaches exposed an incredible 4.2 billion records.

The RBS 2016 data breach report details 94 data breaches that exposed more than 1 million records. 37 breaches resulted in the exposure of more than 10 million records. The United States was the biggest target, accounting for 47.5% of the data breaches reported over the course of the year.

Healthcare data breaches hit the headlines frequently in 2016 due to the potential impact they had on the victims. However, healthcare industry data breaches only made up 9.2% of the annual total. The business sector was the worst hit, accounting for 51% of breaches in 2016. Government organizations made up 11.7% of the total and education 4.7%.

According to the RBS 2016 data breach report, the top ten data breaches of 2016 exposed an incredible 3 billion records and the average severity score of those breaches was 9.96 out of 10. All but one of those security breaches was caused by hackers. One of the incidents was a web-related breach. Six of the data breaches reported in 2016 ranked in the top ten list of the largest data breaches ever reported.

Six 2016 Security Incidents Ranked in the Top 10 List of Largest Ever Data Breaches

The largest data breach of 2016 – and also the largest data breach ever reported – was the hacking of Yahoo. More than 1 billion user credentials were exposed as a result of that cyberattack. While malware is a major threat to businesses, malware attacks only accounted for 4.5% of data breaches in 2016. Hacking exposed the most records and was the main cause of 2016 data breaches, accounting for 53.3% of incidents and 91.9% of the total number of stolen records.

Many organizations also reported being attacked on multiple occasions. The 2016 data breach report shows that 123 organizations reported multiple data breaches in 2016 and 37% of those organizations reported experiencing three or more data breaches between January and December.

According to RBS, more than 23,700 data breaches have now been tracked. In total, more than 9.2 billion records have been exposed or stolen in those incidents. According to RBS Executive vice president Inga Goddijn, “Any organization that has sensitive data – which is every organization with employees or confidential business information – can be a target.”

Cyberattacks are coming from all angles. Employees are being targeted via email, the volume of malware-laden websites and phishing sites has soared, malvertising is increasing and hackers are exploiting unpatched software vulnerabilities.

It is difficult to predict how bad 2017 will be for cybersecurity breaches, but it is fair to assume that data breaches will continue to occur at a similar level. Organizations need to respond by increasing their cybersecurity defenses to prevent attacks from occurring, but also to prepare for the worst and ensure they are ready to deal with a breach when one occurs. A fast response can limit the damage caused.

Credential Stuffing Attacks on Enterprises Soar Following Major Data Breaches

Credential stuffing attacks on enterprises are soaring according to a recent study conducted by Shape Security. The massive data breaches at the likes of LinkedIn, Yahoo, MySpace have provided cybercriminals with passwords aplenty and those passwords are used in these automated brute force login attempts.

Organizations that have discovered data breaches rapidly force password-resets to prevent criminals from gaining access to users’ accounts; however, stolen passwords can still be incredibly valuable. A study conducted by Microsoft in 2007 suggested that the average computer user has 25 accounts that require the use of a username and password, while Sophos suggests users have an average of 19 accounts.

Password managers can be used to help individuals remember their login credentials, but many people have not signed up for such a service. To remember passwords people just recycle them and use the same password over and over again. Cybercriminals are well aware of that fact and use stolen passwords in credential stuffing attacks on websites and mobile applications.

Shape Security suggests that for many enterprises, 90% of login traffic comes from credential stuffing attacks. Those attacks can be highly effective and since they are automated, they require little effort on the part of the attacker. A batch of passwords is purchased from any number of sellers and resellers on darknet marketplaces. A target site is identified and an automated script is developed to login. The criminals then scale up the assault by renting a botnet. It is then possible to conduct hundreds of thousands of login attempts simultaneously.

Many of the stolen credentials are old, so there is a high probability that passwords will have been changed, but not always. Many people keep the same passwords for years.

The success rate may be low, but the scale of the credential stuffing attacks gives cybercriminals access to hundreds of thousands of accounts.

Shape Security researchers suggest the success rate of these attacks is around 2%. To put this into perspective, if the passwords from the Yahoo data breach were used in credential stuffing attacks, which they almost certainly are, a success rate of 2% would give criminals access to 20 million user accounts.

There is certainly no shortage of passwords to attempt to use to gain access to accounts. According to the report, more than 3 billion username and password combinations were stolen by cybercriminals in 2016 alone. That would potentially give the attackers access to 60 million accounts.

These attacks are not hypothetical. During a 4-month observation period of just one major U.S. retailer in 2016, Shape Security discovered that 15.5 million attempted logins occurred. Even more worrying was that more than 500,000 of the retailer’s customers were using recycled passwords that had previously been stolen from other websites.

Additionally, as a recent report from SplashData has shown, weak passwords continue to be used. The top 25 list of the worst passwords in 2016 still contains very weak passwords such as 123456 and password. These commonly used passwords will also be attempted in brute force attacks. SplashData suggests as many as 10% of Internet users use at least one of the passwords in the top 25 worst password list.

These studies highlight the seriousness of the risk of recycling passwords and send a clear message to organizations: Develop mitigations to prevent the use of stolen credentials and ensure that password policies are developed and enforced.

59% of Companies Increased Cybersecurity Spending in 2016

Cybersecurity spending in 2016 was increased by 59% of businesses according to PwC. Cybersecurity is now increasingly being viewed as essential for business growth, not just an IT cost.

As more companies digitize their data and take advantage of the many benefits of the cloud, the threat of cyberattacks becomes more severe. The past 12 months have already seen a major increase in successful cyberattacks and organizations around the world have responded by increasing their cybersecurity spending.

The increased threat of phishing attacks, ransomware and malware infections, data theft and sabotage has been a wake up call for many organizations; unfortunately, it is often only when an attack takes place that that wake up call occurs. However, forward-thinking companies are not waiting for attacks, and are increasing spending on cybersecurity and are already reaping the benefits. They experience fewer attacks, client and customer confidence increases, and they gain a significant competitive advantage.

The annual Global State of Information Security Report from Pricewaterhouse Coopers (PwC) shows that companies are realizing the benefits of improving cybersecurity defenses. More than 10,000 individuals from 133 companies took part in the survey that provided data for the report. 59% of respondents said that their company increased cybersecurity spending in 2016. Technical solutions are being implemented, although investment in people has also increased.

Cybercriminals are bypassing complex, multi-layered cybersecurity defences by targeting employees. Organizations have responded by increasing privacy training. 56% of respondents say all employees are now provided with privacy training, and with good reason.

According to the report, 43% of companies have reported phishing attacks in the past 12 months, with this cybersecurity vector the most commonly cited method of attack. The seriousness of the threat was highlighted by anti-phishing training company PhishMe. The company’s Enterprise Phishing Susceptibility and Resiliency Report showed 90% of cyberattacks start with a spear phishing email. Given how effective training can be at reducing the risk from phishing, increasing spending on staff training is money well spent.

The same is true for technical cybersecurity solutions that reduce phishing risk. Two of the most important solutions are antispam and web filtering solutions, with each tackling the problem from a different angle. Antispam solutions are employed to prevent phishing emails from reaching employees’ inboxes, while web filtering solutions are being used to block access to phishing websites. Along with training, companies can effectively neutralize the threat.

Many companies lack the staff and resources to develop their own cybersecurity solutions; however, the range of managed security services now available is helping them to ensure that their networks, data, and systems are adequately protected. According to the PwC report, 62% of companies are now using managed security services to meet their cybersecurity and privacy needs. By using partners to assist with the challenge of securing their systems, organizations are able to use limited resources to better effect and concentrate those resources on other areas critical to business processes.

There has been a change to how organizations are view cybersecurity over the past few years. Rather than seeing cybersecurity as simply a cost that must be absorbed, it is now increasingly viewed important for business growth. According to PwC US and Global Leader of Cybersecurity and Privacy David Burg, “To remain competitive, organizations today must make a budgetary commitment to the integration of cybersecurity with digitization from the outset.” Burg also points out, “The fusion of advanced technologies with cloud architectures can empower organizations to quickly identify and respond to threats, better understand customers and the business ecosystem, and ultimately reduce costs.”

Doxware – A New Ransomware Threat to Deal with in 2017

Companies must now deal with a new ransomware threat: 2017 is likely to see a proliferation of doxware attacks.

2016 was the year when cybercriminals fully embraced ransomware and used it to devastating effect on many organizations. As 2016 started, the healthcare industry was heavily targeted. Cybercriminals rightly assumed that the need for healthcare professionals to access patient data would mean ransom payments would likely be paid. That was certainly the case with Hollywood Presbyterian Medical Center. An attack resulted in a ransom of $17,000 being paid to allow the medical center to regain access to patient data and computer systems

Hospitals throughout the United States continued to be attacked, but not only in the United States, Attacks spread to the United Kingdom and Germany. The education sector was also hit heavily. Many schools and universities were attacked and were forced to pay ransoms to obtain keys to unlock their data.

Between April 2015 and March 2016, Kaspersky Lab reported that ransomware infections rose by 17.7%. The figures for April 2016 to March 2017 are likely to show an even bigger rise.  Ransomware has rarely been out of the news headlines all year.

Cybercriminals are making stealthier and more sophisticated ransomware variants to avoid detection and cause more widespread disruption. Widespread media coverage, warnings by security companies and law enforcement agencies, and the likely costs of dealing with attacks has led many companies to improve their defenses and develop strategies to recover from infections.

With ransom demands of tens of thousands of dollars – or in some cases hundreds of thousands of dollars – and widespread attacks, the threat can no longer be ignored

One of the best ways of avoiding having to pay a sizeable ransom is to ensure data are backed up. Should ransomware be installed, IT departments can wipe their systems, restore files from backups, and make a quick recovery.

Ransomware is only an effective income generator for cybercriminals if ransoms are paid. If companies can easily recover, and restoring data from backups is cheaper than paying a ransom, cybercriminals will have to look elsewhere to make their money.

However, ransomware is far from dead. Cybercriminasl are changing their tactics. Ransomware is still being used to encrypt data, but an extra incentive is being added to the mix to increase the chance of a ransom being paid.

Doxware: The New Ransomware Threat

Doxware, like ransomware, encrypts data and a ransom demand is issued. However, in addition to encrypting data, information is also stolen. The gangs behind these attacks up the ante by threatening to publish sensitive data if the ransom is not paid.

If access is gained to corporate emails or other electronic conversations, the potential harm that can be caused is considerable. Reputation damage from doxware can be considerable, making payment of a ransom far more preferable to recovering data from a backup. If intellectual property is stolen and published the consequences for a company could be catastrophic.

2016 has already seen extortion attempts by hackers who have infiltrated networks, stolen data, and threatened its release if ransom payments are not made. TheDarkOverlord attacks on healthcare providers are just one example. However, in those attacks data were simply stolen. The combination of data theft with ransomware would be more likely to see ransoms paid. Already we have seen ransomware variants that combine an information stealing component and 2017 is likely to see the problem get far worse.

Crackdown on Fake News Shines Light on Typosquatting and Cybersecurity Risks

The proposed crackdown on fake news websites has shone a light on the use of typosquatting and cybersecurity risks for businesses from employees visiting fake news websites.

Over the past few weeks there has been considerable media attention focused on fake news websites and the harm that these fake news stories can cause.

Just as newspapers and news networks can earn big money from being the first to break a new story, there is big money to be made from posting fake news items. The problem is growing and it is now becoming harder to separate fact from fiction. 2016 has seen fake news stories hit the headlines – Both the problem and the republishing of fake news in the mainstream media.

Fake News Websites are a Serious Problem

This year’s U.S. presidential election has seen the Internet awash with propaganda and fake news posts, especially – but not exclusively – about support for Donald Trump and criticism of Hillary Clinton. Fake news sites such as the Denver Guardian (the periodical doesn’t actually exist) posted news about rigging of the election. Genuine news organizations notably picked up on a story about Denzel Washington supporting Trump; however, the original story was taken from a fake news site. Of course, these are just two of many hundreds of thousands of fake news stories published throughout the year.

All too often fake news stories are silly, satirical, or even humorous; however, they have potential to cause considerable harm and influence the public. Potentially, they could change the outcome of an election.

Consumers are now increasingly basing their opinions on fiction rather than fact. Fake news is nothing new of course, but the U.S. presidential election has brought it to the forefront and has highlighted the extent to which it is going on – on a scale never before seen.

Worldwide governments are now taking action to crackdown on the problem. Germany and Indonesia have joined the U.S. in the fight against fake news stories and there have been calls for greater regulation of online content.

Facebook has received considerable criticism for failing to do enough to prevent the proliferation of fake news. While CEO Mark Zuckerberg dismissed the idea that fake news on Facebook was influential in the election – “the idea that fake news on Facebook, which is a very small amount of the content, influenced the election in any way, I think is a pretty crazy idea.” However, last month he confirmed a new initiative to address hoaxes and fake news. Facebook is to make it easier for users to report fake news stories, third-party fact checkers will be enlisted, news websites will be analyzed more closely, and stories will be pushed down the rankings if they are getting fewer shares.

All of the attention on fake news sites has highlighted a tactic that is being used to spread fake news – a tactic that has long been used by cybercriminals to spread malware: Typosquatting.

Typosquatting and Cybersecurity Risks

Typosquatting – otherwise known as URL hijacking – is the use of a popular brand name with authority to fool web surfers into thinking a website is genuine. The fake news scandal brought attention to the tactic after fake news items were posted on spoofed news websites such as usatoday.com (usatoday.com.com) and abcnews (abcnews.com.co).

To the incautious or busy website visitor, the URL may only get a casual glance. The slightly different URL is unlikely to be spotted. This may only result in website visitors viewing fake news, although in many cases it can result in a malware download. Cybercriminals use this tactic to fool web surfers into visiting malicious websites where malware is automatically downloaded.

Typosquatting is also used on phishing websites and for fake retail sites that relieve visitors of their credit card information or other sensitive credentials.

Even fake news sites are a problem in this regard. They often contain third-party adverts – this is one of the ways that fake news stories generate income for the posters. Those adverts are often malicious. The site owners are paid to display the adverts or send visitors to malicious websites. Adverts are also used to direct visitors to fake retail sites – zappoos.com or Amazoon.com for example. Many fake news sites are simply used as phishing farms.

While consumers can be defrauded, businesses should also take note. Since many of these sites are used to either spread malware or direct users to malicious sites where malware is downloaded, fake news sites are a serious cybersecurity risk.

Governments and social media networks may be taking a stand against these malicious sites, but businesses should also take action. All it takes is for one user to visit a malicious site for malware or ransomware to be downloaded.

Fortunately, it is possible to reduce risk with a web filtering solution. Web filtering solutions such as WebTitan can be used to block access to websites known to contain malware. Malicious websites are rapidly added to global blacklists. If a web filtering solution is used, an employee will be prevented from visiting a blacklisted site, which will prevent a malware download.

Malicious adverts can also be blocked and prevented from being displayed. Malicious links on fake news sites can also easily be blocked. Users can also be prevented from visiting websites when clicking on links to the sites in emails or on social media websites.

For further information on the full range of benefits of WebTitan and to find out how you can sign up for a free 30-day trial of WebTitan, contact TitanHQ today.

Anti-Phishing Solutions for Businesses Required to Tackle Growing Phishing Risk

Anti-phishing solutions for businesses are now an essential element of cybersecurity defenses. The risk from phishing websites has grown considerably in 2016, and 2017 is likely to see the problem become much more severe. 

Anti-Phishing Solutions for Businesses Now a Necessity

Cybercriminals are using increasingly sophisticated tactics to infect end users with malware and ‘phish’ for sensitive information such as credit card details, email login credentials, and other sensitive data that can be used for identity theft and fraud. Cybercriminals have changed their tactics to infect more end users and bypass traditional cybersecurity defenses.

In the past it was common for domains to be registered by cybercriminals and only used for phishing or to spread malware. Sooner or later the websites would be reported as malicious in nature, and those domains would be added to global blacklists. As the sites were blocked, the cybercriminals would simply buy another domain and repeat the process. Phishing websites used to remain active for weeks or even months before they ceased to be effective. However, cybersecurity firms are now faster at detecting malicious websites and adding them to blacklists.

Cybercriminals are aware that phishing websites and malicious webpages have a very short shelf life and will only remain effective for a few days before they are blocked. In response, they have changed tactics and are now creating webpages which are only used for very short periods of time.

New webpages are now being created faster and in higher volumes. Those webpages now remain active for less than 24 hours in the majority of cases. Cybercriminals are hijacking legitimate websites with poor security controls or unaddressed vulnerabilities. Malicious URLS are then created and hidden on those domains. Cybercriminals have now all but abandoned malicious websites in favor of single URLs on otherwise benign websites.

The volume of phishing websites has also increased considerably in 2016. Studies now suggest that around 400,000 phishing websites are being detected every month of the year.

Web Filtering Solutions Can Significantly Reduce Risk

There are many anti-phishing solutions for businesses that can be adopted to reduce risk, although one of the most effective tools is an advanced web filter. A web filter can be used to prevent users from visiting malicious websites and webpages that are used to phish for sensitive information or infect end users with malware.

While it was possible for standard web filtering solutions to protect against the risk from phishing by comparing domains against blacklists, it is now essential for each webpage to be checked to determine whether it is malicious. Each URL must also be checked each time it is visited to make sure that it has not been hijacked and used for phishing or to spread malware. For that an advanced web filtering solution is needed, such as WebTitan.

WebTitan checks each webpage that an end user attempts to visit in a fraction of a second, with no noticeable latency – slowing of webpage loading. If a website or webpage is identified as malicious the end user will be prevented from accessing that webpage.

WebTitan allows businesses to further protect their networks by restricting access to certain categories of websites which are commonly used by cybercriminals to spread malware. Since these websites have no legitimate work purpose, they can be easily blocked without any negative impact on the business. In fact, businesses are likely to see significant increases in employee productivity as a result.

Cybercriminals are also increasingly using third party advertising blocks on legitimate websites to display malicious adverts. Those adverts redirect visitors to malicious websites containing exploit kits. Some of those adverts require no user interaction at all – visitors are automatically redirected to websites where drive-by malware downloads occur. WebTitan can be configured to prevent these adverts from being displayed, thus neutralizing the risk.

Cybercriminal activity has been steadily increasing, yet employing an advanced web filtering solution such as WebTitan can help businesses stay one step ahead of cybercriminals and keep their networks malware free.

For further information on the capabilities of WebTitan, to find out how easy it is to protect your end users and networks from attack, and to register for a free 30-day trial of WebTitan, contact TitanHQ today.

Beware of Social Media Ransomware Attacks

This month, security researchers have discovered cybercriminals are conducting social media ransomware attacks using Facebook Messenger and LinkedIn. Social media posts have long been used by cybercriminals to direct people to malicious websites containing exploit kits that download malware; however, the latest social media ransomware attacks are different.

According to researchers at CheckPoint Security, the social media ransomware attacks take advantage of vulnerabilities in Facebook Messenger. Images are being sent through Facebook Messenger with double extensions. They appear as a jpeg or SVG file, yet they have the ability to download malicious files including ransomware. The files are understood to use a double extension. They appear to be images but are actually hta or js files.

CheckPoint says “The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file.” The report goes on to say “This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.” No technical details have been released as CheckPoint claim the vulnerability has yet to be fixed by Facebook.

Earlier this week, security researcher Bart Blaze claimed to have also identified a Facebook Messenger campaign that was allegedly being used to spread Locky ransomware. Blaze said an SVG image was being sent via Facebook Messenger that contained malicious JavaScript code that installed a malware downloader called Nemucod. Nemucod subsequently downloaded Locky. This is also the first time that the actors behind the infamous Locky ransomware are believed to have used Facebook Messenger to spread infections.

Facebook responded to Blaze’s claim saying the problem was not related to Messenger, but involved bad Chrome extensions. Facebook said the problem had been reported to the appropriate parties.

Ransomware Attacks on the Rise

According to the Kaspersky Security Network, ransomware attacks on SMBs have increased eightfold in the past 12 months. The problem is also getting worse. More than 200 ransomware families have now been discovered by security researchers, and new forms of the malicious file-encrypting software are being released on a daily basis.

Any business that is not prepared for a ransomware attack, and has not implemented security software to protect computers and networks, is at risk of being attacked. A recent survey conducted by Vanson Bourne on behalf of SentinelOne showed that 48% of organizations had been attacked with ransomware in the past 12 months. Those companies had been attacked an average of 6 times.

How to Prevent Social Media Ransomware Attacks

Social media ransomware attacks are a concern for businesses that do not block access to social media platforms in the workplace. It is possible to prevent employees from accessing social media websites using WebTitan, although many businesses prefer to allow employees some time to access the sites. Instead of blocking access to Facebook, businesses can manage risk by blocking Facebook Messenger. With WebTitan, it is possible to block Facebook Messenger without blocking the Facebook website.

If WebTitan is installed, webpages that are known to contain malware or ransomware downloaders will be blocked. When individuals link to these malicious websites in social media posts, employees will be prevented from visiting those sites. If a link is clicked, the filtering controls will prevent the webpage from being accessed.

To find out more about how WebTitan can protect your organization from web-borne threats such as ransomware and to register for a free trial of WebTitan, contact the Sales Team today.

Are You Prepared for a Ransomware Attack?

Are You Prepared for a Ransomware Attack?

It doesn’t matter which security report you read; one thing is clear. The ransomware problem is becoming worse and the threat greater than ever.

While ransomware attacks in 2015 were few and far between, 2016 has seen an explosion of ransomware variants and record numbers of attacks across all industry sectors. For every ransomware variant that is cracked and decryption software developed, there are plenty more to take its place.

200 Ransomware Families Now Discovered

As if there were not enough ransomware milestones reached this year, there is news of another. The total number of detected ransomware families has now surpassed 200. That’s families, not ransomware variants.

The ransomware families have been catalogued by the ID Ransomware Service; part of the Malware Hunter Team. The current count, which may well be out of date by the time this article is finished, stands at 210.

Not only are new ransomware being developed at an unprecedented rate, the latest variants are even sneakier and have new capabilities to avoid detection. They are also more virulent and capable of encrypting a far wider array of data, and can delete backup files and quickly spread across networks and storage devices.

More people are getting in on the act. Ransomware is being rented out as a service to affiliates who receive a cut of the ransoms they collect. Campaigns can now be run with little to no skill. Unsurprisingly there are plenty of takers.

Massive Campaign Spreading New Locky Ransomware Variant

One of the biggest threats is Locky, a particularly nasty ransomware variant that first appeared in February 2016. Even though Locky has not been cracked, new variants continue to be released at an alarming rate. This week yet another variant has been discovered. The developers and distributers are also using a variant of techniques to evade detection.

Three separate campaigns have been detected this week after a two-week period of relative quiet. The ransomware is now back with a vengeance, with one of the campaigns reportedly involving an incredible 14 million emails on October 24 alone; 6 million of which were sent in a single hour.

There have been some successes in the fight against ransomware. Earlier this year the No More Ransom project was launched. The No More Ransom Project is a joint initiative Europol and the Dutch National Police force, although a number of security firms have now collaborated and have supplied decryptors to unlock files encrypted by several ransomware strains. So far, decryptors have been uploaded to the site that can unlock several ransomware variants: Chimera, Coinvault, Rannoh, Rakhni, Shade, Teslacrypt, and Wildfire.

Ransomware Problem Unlikely to Be Solved Soon

Despite the sterling efforts of security researchers, many of the most widely used ransomware strains have so far proved impossible to crack. The authors are also constantly developing new strains and using new methods to avoid detection. The ransomware problem is not going to be resolved any time soon. In fact, the problem is likely to get a lot worse before it gets better.

Last year, an incredible 113 million healthcare records were exposed or stolen. This year looks like it will be a record-breaking year for breaches if incidents continue at the current rate. The sheer number of healthcare records now available to cybercriminals has had a knock-on effect on the selling price. Whereas it was possible to buy a complete set of health data for $75 to $100 last year, the average price for healthcare records has now fallen to between $20 and $50.

Cybercriminals are unlikely to simply accept a lower price for data. That means more attacks are likely to take place or profits will have to be made up by other means. The glut of stolen data is seeing an increasing number of cybercriminals turn to ransomware.

Are you Prepared for a Ransomware Attack?

With the threat from ransomware increasing, organizations need to prepare for an attack and improve defenses against ransomware. Policies should be developed for a ransomware attack so rapid action can be taken if devices are infected. A fast response to an attack can limit the spread of the infection and reduce the cost of mitigation; which can be considerable.

Defending against ransomware attacks is a challenge. Organizations must defend against malicious websites, malvertising, drive-by downloads, malicious spam emails, and network intrusions. Hackers are not only stealing data. Once a foothold has been gained in a network and data are stolen, ransomware is then deployed.

An appropriate defense strategy includes next generation firewalls, intrusion detection systems, web filtering solutions, spam filters, anti-malware tools, and traditional AV products. It is also essential to provide regular security awareness training to staff to ensure all employees are alert to the threat.

Even with these defenses attacks may still prove successful. Unless a viable backup of data exists, organizations will be left with two options: Accept data loss or pay the ransom. Unfortunately, even the latter does not guarantee data can be recovered. It may not be possible for attackers to supply valid keys to unlock the encryption and there is no guarantee that even if the keys are available that they will be sent through.

Since Windows Shadow copies can be deleted and many ransomware variants will also encrypt backup files on connected storage devices, backup devices should be air-gapped and multiple backups should be performed.

With attacks increasing, there is no time to wait. Now is the time to get prepared.

Trump Hotels Fined By NY Attorney General for POS Data Breach

Trump Hotels and Management LLC has paid the price for failing to implement robust security controls to secure its POS system from cybercriminals.

The hotel chain, which is headed by Donald Trump and run by three of his children, has been fined $50,000 by the New York Attorney General for a data breach that exposed the credit card details and personal information of over 70,000 guests in 2015.

Banks conducted an investigation following a spate of fraudulent credit card transactions last year, and determined that the common denominator was all of the victims had previously stayed in Trump-owned hotels. In all of the cases, Trump Hotels was the last merchant to process a legitimate card transaction, indicating there had been a breach of credit card details at the hotel chain.

A further investigation revealed that the POS system used by 5 Trump hotels in Chicago, Las Vegas, and New York had been infected with malware. The malware was installed on the credit card processing system in May 2014 and access to the system was gained using legitimate domain administrator credentials. The malware was able to capture the payment card information of guests.

The fine, which was announced by New York Attorney General Eric Schneiderman on Friday, was issued for the failure to adequately secure its systems and for the delay in issuing breach notifications to consumers. Trump Hotels did place a breach notice on the company website, but it took 4 months for that notice to be uploaded – a breach of state laws in New York.

Schneiderman explained “It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law.”

A spokesperson for Trump Hotels explained that the hotel industry is under attack by cybercriminals looking to gain access to guests’ credit card details. “Unfortunately, cyber criminals seeking consumer data have recently infiltrated the systems of many organizations including almost every major hotel company.”

Other notable hospitality industry breaches include the cyberattack on Hyatt hotels and Starwood Hotels & Resorts Worldwide. The Hyatt breach affected 250 hotels, while the Starwood breach resulted in the POS systems of 54 hotels being loaded with malware.

Cyberattacks are to be expected; however, security controls at Trump Hotels appear to be insufficient. A second credit card system data breach was discovered to have affected the hotel chain in March this year. Investigators discovered malware had been installed on 39 computer systems used at various locations.

In addition to the $50,000 fine, Trump Hotels has agreed to adopt a corrective action plan which requires additional security controls to be installed to prevent future data breaches.

It may not be possible to prevent all cyberattacks but, with the hospitality industry coming under attack, it is essential that security controls are implemented that prevent the installation of malware. Keyloggers and other information stealing malware are usually delivered via spam email or are unwittingly downloaded from malicious websites.

In order to prevent infections via email, hotel chains can implement a robust spam filter. Web-borne infections can be prevented using a powerful web filtering solution to block malware downloads.

GCHQ Plans to Expand the Use of DNS Filters to Prevent Cyberattacks

Although many businesses use configured DNS filters to prevent cyberattacks, UK ISPs tend to blanket-block complete categories of websites to limit access to those most likely to be harboring malware. This hit-and-miss approach to online security often blocks genuine websites, or exposes consumers who opt out of DNS filtering to every type of online threat.

However, plans have now been announced that will see the UK´s spy agency – GCHQ – partner up with leading ISPs in the UK in order to develop a more finely-tuned approach to consumer security. Effectively GCHQ will advise the ISPs on how to configure their DNS filters to prevent cyberattacks on consumers based on individual sites known to harbor malware.

By preventing consumers from accessing “bad addresses” that appear to be legitimate domains, GCHQ hopes to reduce the number of malware and phishing attacks launched on the UK public each year. The organization is reported to routinely use DNS filtering to filter out some parts of the internet that the government asks to be banned, and this new initiative is an extension of its existing service.

The plans were announced by Ciaran Martin – head of GCHQ and the recently formed National Cyber Security Centre (NCSC) – at the Billington Cyber-Security Summit. Martin told Summit attendees, “We’re exploring a flagship project on scaling up DNS filtering: what better way of providing automated defenses at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?”

A few years ago, former UK Prime Minister David Cameron attempted to introduce legislation that would require ISPs to block pornography. While legislation was not passed, ISPs entered into a voluntary agreement to block pornography by default. Since 2013, all new customers have been prevented from accessing online pornography by their ISPs unless they choose to opt out and lift the DNS filter. Under this voluntary arrangement, UK citizens are protected from inappropriate content, yet their civil liberties are not violated.

There would likely be considerable backlash if the government was to introduce legislation to block the accessing of certain websites, even if those sites were known to contain threats such as malware or ransomware. Martin is well aware of the potential problems that could arise. He told Summit attendees, “The government does not own or operate the Internet,” explaining that any move to use DNS filters to prevent cyberattacks would need to come from the private sector.

Martin explained that, as with ISPs blocking pornography, consumers would be given a choice to opt out of using DNS filters to prevent cyberattacks. He said “addressing privacy concerns and citizen choice is hardwired into our program.”

The plan to use DNS filters to prevent cyberattacks on consumers and UK businesses has been applauded. “The Great Firewall of Britain” will help to protect consumers from cybercriminal activity and keep electronic devices free from malware and ransomware.

There are currently millions of malicious websites that have been set up with the sole purpose of spreading malware such as banking Trojans, ransomware, spyware, or to commit online fraud. Data from the Information Commissioner’s Office (ICO) shows the number of reported online security incidents has doubled in the past year and cyber-infection rates are growing at an exponential level around the globe.

The use of DNS filters to prevent cyberattacks should go some way towards preventing consumers from inadvertently downloading malware or falling victim to a phishing campaign. However, while this is a step in the right direction, when the plan is implemented it will not spell an end to malware and ransomware attacks.

ISP DNS filters can only block websites that are known to be malicious or have been discovered to host exploit kits or malware. Cybercriminals are constantly changing tactics and are using ever more sophisticated methods of attacking individuals, businesses, and governments. The use of ISP DNS filters to prevent cyberattacks will help to deal with low level attacks, but organizations should not rely on their ISPs to block online threats.

It will still be essential for organizations to carefully control the website content that can be accessed by their employees, and to do that they will need their own web filtering solution.

CryptXXX Crypto-Ransomware Receives an Update

The developers of CryptXXX ransomware have made some updates to the malicious software recently. A new campaign has also been launched which is seeing an increasing number of Joomla and WordPress websites compromised with malicious code that directs visitors to sites containing the Neutrino exploit kit.

The latest CryptXXX crypto-ransomware variant no longer changes the extension of files that have been encrypted, instead they are left unchanged.  This makes it more difficult for system administrators to resolve an infection by restoring files from backups, as it is much harder to determine exactly which files have been encrypted.

The ransomware developers have also changed the ransom note that is presented to victims and the Tor address for payment has also been changed. The payment site has been changed frequently, having used names such as Google Decryptor and Ultra Decryptor in the past. The authors have now changed the site to Microsoft Decryptor. This is the second time the payment site has been renamed since June 1. Unfortunately for victims that experience difficulties making the payment, there is no method of contacting the attackers to explain about payment issues.

CryptXXX crypto-ransomware has previously been spread using the Angler exploit kit, although the ransomware is now being distributed using Neutrino. Neutrino is primarily used to exploit vulnerabilities in PDF reader and Adobe Flash to download CryptXXX.

CryptXXX Crypto-Ransomware and CryptoBit Distributed in RealStatistics Campaign

WordPress and Joomla sites are being infected at a high rate, with 2,000 sites currently infected as part of the latest campaign according to Sucuri. The company’s researchers have suggested that the actual figure may be closer to 10,000 websites due to the limited range of sites that they have been observing.

It is unclear how the websites are being infected, although it has been suggested that outdated Joomla and WordPress installations are the most likely way that the attackers are gaining access to the sites, although outdated plugins on the websites could also be used to inject malicious Analytics code. The campaign is being referred to as “Realstatistics” due to the URL that is placed into the PHP template of infected sites.

The latest campaign has also been used to push other ransomware variants on unsuspecting website visitors. Palo Alto Networks researchers discovered eight separate Cryptobit variants that were being pushed as part of the latest Realstatistics campaign. The attackers now appear to be using Cryptobit less and have switched to CryptXXX crypto-ransomware in recent days.

Dangerous New Mac Backdoor Program Discovered

Security researchers at ESET have discovered a dangerous new Mac backdoor program which allows attackers to gain full control of a Mac computer. Mac malware may be relatively rare compared to malware used to infect PCs, but the latest discovery clearly demonstrates that Mac users are not immune to cyberattacks. The new OS X malware has been dubbed OSX/Keydnap by ESET. This is the second Mac backdoor program to be discovered in the past few days.

OSX/Keydnap is distributed as a zip file containing an executable disguised as a text file or image. If the file is opened, it will download the icloudsyncd backdoor which communicates with the attackers C&C via the Tor network. The malware will attempt to gain root access by asking for the users credentials in a pop up box when an application is run. If root access is gained, the malware will run each time the device is booted.

The malware is capable of downloading files and scripts, running shell commands, and sending output to the attackers. The malware is also able to update itself and also exfiltrates OS X keychain data.

Second Mac Backdoor Discovery in Days

The news of OSX/Keydnap comes just a matter of hours after security researchers at Bitdefender announced the discovery of another Mac backdoor program called Eleanor. Hackers had managed to get the Backdoor.MAC.Eleanor malware onto MacUpdate. It is hidden in a free downloadable app called EasyDoc Converter.

EasyDoc Converter allowed Mac users to quickly and easily convert files into Word document format; however, rather than doing this, the app installed a backdoor in users’ systems. Infections with Eleanor will be limited as the app does not come with certificate issued to an Apple Developer ID. This will make it harder for many individuals to open the app.

However, if users do install the app, a shell script will be run that will check to see if the malware has already been installed and whether Little Snitch is present on the device. If the Little Snitch network monitor is not installed, the malware will install three LaunchAgents together with a hidden folder full of executable files used by the malware. The files are named to make them appear as if they are dropbox files.

The LaunchAgents open a Tor hidden service through which attackers can communicate with a web service component, which is also initiated by the LaunchAgents. A Pastebin agent is also launched which is used to upload the Mac’s Tor address to Pastebin where it can be accessed by the attackers. The Mac backdoor program can reportedly be used for remote code execution, to access the file system, and also to gain access to the webcam.

Ransomware Study Published by Kaspersky Lab

Kaspersky Lab has published a new ransomware study that clearly shows the rise in use of the malicious file encrypting software over the past two years. The research shows that companies are firmly in attackers’ sights, with attacks on companies having soared in recent months.

Kaspersky Ransomware Study 2016

For the ransomware study, Kaspersky Lab looked at crypto-ransomware, which uses encryption to lock critical business files as well as windows blockers – ransomware that simply locks victims’ computer screens to prevent files from being accessed. Kaspersky Lab took de-identified data from the Kaspersky Security Network (KSN) and assessed the data from individuals that had encountered ransomware between April 2014 and March 2016.

Kaspersky Lab notes that while the prevalence of Windows blockers is still high, there has been a massive rise in the use of crypto-ransomware over the past 12 months. Between April 2015 and March 2016 there was a 17.7% rise in the number of individuals who encountered ransomware or Trojan downloaders that installed ransomware. During that time frame, 2,315,931 users had encountered ransomware.

The figures show that cybercriminals are now increasingly turning to ransomware to make money, although in terms of the total number of malware encounters, ransomware remains relatively low. From April 2015 to March 2016, the proportion of users who encountered ransomware out of the total number who encountered other forms of malware increased from 3.63% to 4.34%, a rise of 0.7 percentage points.

Ransomware Study Shows Rise in Popularity of Crypto-Ransomware

The Kaspersky ransomware study clearly shows the rise in popularity of crypto-ransomware with cybercriminals. Compared to 2014-2015, the last 12 months has seen the percentage of individuals who encountered crypto-ransomware rise by 25 percentage points. 31.6% of ransomware encounters are now with cryptors. Attacks using cryptors jumped by 5.5% to 718,536 attacks between 2015 and 2016.

Kaspersky Lab also noted a fall in the use of Windows lockers. Attacks using Win-lockers fell by 13.03% over the same period, falling from 1,836,673 attacks in 2014-2015 to 1,597,395 attacks in 2015-2016.

Windows blockers are not particularly sophisticated and are relatively easy to resolve; however, the same is not true of crypto-ransomware infections. An infection with a Windows-blocker can be reversed without paying a ransom demand. The victim could simply re-install their operating system. This may not be an ideal solution, and it can be time consuming, but the victim would be able to recover all of their files.

With crypto-ransomware that is not the case. If a ransom demand is not paid, the victim would not be able to unlock their files. The decryption keys are all held by the attackers. The only way to recover from a crypto-ransomware attack without paying the ransom demand is by restoring files from a backup. If no backup exists, the victim must pay the ransom or forever lose their files. Because of this, victims are more likely to pay the ransom. It is therefore no surprise that cybercriminals are increasingly trying to cryptors.

Businesses Increasingly Being Targeted

The Kaspersky Lab ransomware study shows that businesses are now increasingly being targeted. Not only will businesses be more likely to pay the ransoms, since ransoms are set per device, the infection of a business network of multiple computers would represent a big pay day for an attacker. Between 2014 and 2016, attacks on businesses rose from 6.80% of all attacks to 13.13%.

The ransomware variants used to attack businesses and individuals has changed significantly over the past 12 months. In 2014-2015, CryptoWall accounted for the lion’s share of attacks (58.84%). Other attacks used a variety of different ransomware variants, the main other variants were Cryaki (5.66%) and Scatter (4.40%).

In 2015-2016, the main ransomware variant was Teslacrypt, which accounted for 48.81% of ransomware attacks. However, many new variants were also extensively used. CTB-Locker accounted for 21.61% of attacks, Scatter 8.66%, Cryaki 7.13%, CryptoWall 5.21%, and Shade 2.91%. Attacks using Locky were just starting late in the year. Locky accounted for 0.62% of all attacks between 2015 and 2016. The “Others category” decreased considerably from 22.55% of attacks in 2014-2015, to 2.41% in 2015-2016. Kaspersky Lab attributes this to the sharing of crypto-ransomware kits by ransomware developers.