Whereas news about Internet security often focuses solely on the latest threats or vulnerabilities, in addition to reporting hacks, data breaches and exposures, we also include advice about the best practices organizations should adopt to mitigate the threat from malware and other malicious software.
Consequently we strongly advise that individuals and organizations never use the same passwords for different accounts, make passwords as complex as possible and change them frequently. We also recommend that sensitive online accounts have 2-factor authentication whenever possible.
Ideally, organizations should implement a web filter to prevent Internet users from accessing websites that could compromise Internet security. With a web filter in place, the potential exists for productivity to increase and also for employees to enjoy a hostility-free workplace environment.
A recent university cyberattack in the United States resulted in more than 5,000 systems being taken out of action.
The university cyberattack only became apparent after the IT department was flooded with complaints from staff and students that the Internet had slowed to a snail’s pace. By the time that the cyberattack was identified, the attack had spread to multiple systems and devices, resulting in major headaches for the IT department. Attempts were made to bring systems back online but they failed. Not only had IoT devices been compromised, passwords were changed by the attackers. The IT department was locked out and was prevented from gaining access to any of the compromised devices.
The attack involved a range of devices. Even campus vending machines had been loaded with malware and were under the control of the attackers. In total, 5,000 smart devices were compromised in the attack and had been added to an emerging IoT botnet.
An investigation was launched which revealed the extent of the attack. Virtually the entire IoT network had been lost to the attackers. Everything from smart lightbulbs in street lamps to drink-dispensing vending machines had been infected with malware and made part of a botnet.
The IoT devices were making hundreds of DNS lookups, preventing users from performing web searches or visiting websites. In this case, the devices were being used to make seafood-related searches. So many searches that genuine use of the Internet was prevented.
Once the first devices were compromised, the infection spread rapidly. Every IoT device connected to the network was attacked, with the devices brute-forced until the correct username and password combo was found. The devices were then loaded with malware and added to the botnet. The speed at which the IoT devices were compromised and loaded with malware was due to the use of weak passwords and default login credentials. The university, for convenience, had also made the mistake of loading all IoT devices onto one network.
Once the attackers had gained access to an IoT device and loaded their malware, they had full control of the device. To prevent removal of the malware, the attackers changed the password on the device, locking the IT department out.
Once that had occurred, the only way the IT department thought it would be possible to remove the malware and regain control would be to replace every IoT device. All 5,000 of them.
However, before such a drastic measure was taken, the university sought external assistance and was advised to use a packet sniffer to intercept clear-text passwords sent by the attackers to the malware-compromised devices. The university was able to read the new passwords and regain access to its IoT devices. Passwords were then changed on all 5,000 devices and the malware was removed.
A university cyberattack such as this can cause considerable IT headaches, major disruption for staff and students, and involves a not insignificant resolution cost. However, the university cyberattack could have been avoided. Even if an attack was not prevented, its severity could have been greatly reduced.
Had strong passwords been set, the attackers would have found it much harder to infect devices, buying the IT department time and allowing action to be taken to mitigate the attack.
While it is easy to see why all IoT devices were included on a single network, such a move makes it far too easy for cybercriminals to spread malware infections. It is never wise to put all of one’s eggs in the same basket. It is also important to ensure that networks are separated. If access to devices on one network is gained, damage will be limited.
There are many cybersecurity solutions for managed service providers to add to their service stacks and offer to clients. However, the failure to offer a comprehensive range of cybersecurity solutions can prove costly. There is considerable demand for managed services, and the failure to provide them could see clients effectively handed to competitors.
Furthermore, there is now increased competition. Managed service providers have offered preventative cybersecurity solutions to their clients for many years, but competition in this sphere is increasing.
IT companies that have previously relied on fixing computer problems or providing data breach investigative services as their core business have realized there is big money to be made from providing cybersecurity services to prevent problems. An increasing number of IT companies are now capitalizing on high profile data breaches and demand for preventative solutions from SMBs and are now providing these services.
In order to capitalize on the opportunity for sales and to make sure clients do not start looking elsewhere, managed service providers need to make sure that they offer a full suite of cybersecurity solutions. Solutions that will keep their clients protected from the barrage of cybersecurity attacks that are now occurring.
Fortunately, the move away from hardware-based solutions to cloud-based services is making it easier for managed services providers. Cloud-based solutions are not only cheaper for clients, they are easier for MSPs to deliver and manage. While providing solutions that prevent cyberattacks may have been impractical and provided little return for the effort, that is no longer the case.
There are many potential cybersecurity solutions for managed service providers, although one area in particular where MSPs can take advantage is to offer solutions to prevent phishing attacks. Phishing – obtaining sensitive information from employees – is one of the main ways that cybercriminals gain access to networks and sensitive data.
Companies are spending big on network security to prevent direct attacks, yet cybercriminals know all too well that even multi-million-dollar security defenses can be breached. The easiest way to gain network access is to be provided with it by employees.
It is much easier to fool an employee into downloading malware, ransomware, or revealing their email or login credentials that it is to find security vulnerabilities or use brute force tactics. All it takes is for a phishing email to reach the inbox of an employee.
Anti-phishing training companies, which provide security awareness training for employees and teach them how to identify phishing emails, know all too well that training alone is ineffective. Some employees are poor at putting training into practice.
Even if security awareness training is provided, employees will still open email attachments from strangers and click on links sent to them in emails. Furthermore, cybercriminals are getting better at crafting emails to get links clicked and malware-ridden attachments opened.
We have already seen this year (and last tax season) how effective phishing emails can be. At least 145 companies in the United States (that we know about) emailed W-2 Forms of employees to scammers via email last year. This year looks like it will be even worse.
A high percentage of malware infections occur as a result of spam emails with infection either through email attachments (downloaders) or links to malicious sites where malware is silently downloaded. The same is true of many ransomware infections.
Given the high risk of a phishing attack occurring or information-stealing malware and ransomware being installed, organizations are happy to pay for managed solutions that can block phishing emails, prevent malware-infecting emails from being delivered, and stop employees from visiting malicious links.
MSPs can take advantage by providing these services. Since cloud-based solutions are available that offer the required level of protection, adding these solutions to an MSPs service stack is a no brainer. Cloud-based solutions to protect against phishing, malware, and ransomware infections require no hardware, no site visits, and require little management overhead.
TitanHQ can provide cloud-based solutions ideal for inclusion in MSPs service stacks. TitanHQ’s email and web protection solutions – SpamTitan and WebTitan – are effective at blocking a wide range of email and web-borne threats.
SpamTitan blocks over 99.97% of spam email, has a low false positive rate and blocks 100% of known malware. Inboxes are kept spam and malware free, and an anti-phishing component prevents phishing emails from being delivered to end users.
WebTitan offers excellent protection from web-borne threats, protecting employees and networks from drive-by malware and ransomware downloads and blocking links to malicious websites.
Furthermore, these solutions can be run in a public/private cloud, can be provided in white-label format ready for MSP’s branding, have low management overhead and include generous margins for MSPs.
If you are an MSP and are looking to increase the range of cybersecurity services you can offer to clients, give TitanHQ a call today and find out more about the our cybersecurity solutions for managed service providers.
With our cybersecurity solutions for managed service providers, you can improve your cybersecurity portfolio, provide better value to your clients and boost your bottom line.
Credential stuffing attacks on enterprises are soaring according to a recent study conducted by Shape Security. The massive data breaches at the likes of LinkedIn, Yahoo, MySpace have provided cybercriminals with passwords aplenty and those passwords are used in these automated brute force login attempts.
Organizations that have discovered data breaches rapidly force password-resets to prevent criminals from gaining access to users’ accounts; however, stolen passwords can still be incredibly valuable. A study conducted by Microsoft in 2007 suggested that the average computer user has 25 accounts that require the use of a username and password, while Sophos suggests users have an average of 19 accounts.
Password managers can be used to help individuals remember their login credentials, but many people have not signed up for such a service. To remember passwords people just recycle them and use the same password over and over again. Cybercriminals are well aware of that fact and use stolen passwords in credential stuffing attacks on websites and mobile applications.
Shape Security suggests that for many enterprises, 90% of login traffic comes from credential stuffing attacks. Those attacks can be highly effective and since they are automated, they require little effort on the part of the attacker. A batch of passwords is purchased from any number of sellers and resellers on darknet marketplaces. A target site is identified and an automated script is developed to login. The criminals then scale up the assault by renting a botnet. It is then possible to conduct hundreds of thousands of login attempts simultaneously.
Many of the stolen credentials are old, so there is a high probability that passwords will have been changed, but not always. Many people keep the same passwords for years.
The success rate may be low, but the scale of the credential stuffing attacks gives cybercriminals access to hundreds of thousands of accounts.
Shape Security researchers suggest the success rate of these attacks is around 2%. To put this into perspective, if the passwords from the Yahoo data breach were used in credential stuffing attacks, which they almost certainly are, a success rate of 2% would give criminals access to 20 million user accounts.
There is certainly no shortage of passwords to attempt to use to gain access to accounts. According to the report, more than 3 billion username and password combinations were stolen by cybercriminals in 2016 alone. That would potentially give the attackers access to 60 million accounts.
These attacks are not hypothetical. During a 4-month observation period of just one major U.S. retailer in 2016, Shape Security discovered that 15.5 million attempted logins occurred. Even more worrying was that more than 500,000 of the retailer’s customers were using recycled passwords that had previously been stolen from other websites.
Additionally, as a recent report from SplashData has shown, weak passwords continue to be used. The top 25 list of the worst passwords in 2016 still contains very weak passwords such as 123456 and password. These commonly used passwords will also be attempted in brute force attacks. SplashData suggests as many as 10% of Internet users use at least one of the passwords in the top 25 worst password list.
These studies highlight the seriousness of the risk of recycling passwords and send a clear message to organizations: Develop mitigations to prevent the use of stolen credentials and ensure that password policies are developed and enforced.
Internet censorship laws in two U.S. states may be augmented, forcing Internet service providers and device manufacturers to implement technology that blocks obscene material from being viewed on Internet-connected devices.
North Dakota has recently joined South Carolina in proposing stricter Internet censorship laws to restrict state residents’ access to pornography. There is growing support for stricter Internet censorship laws in both states to block pornography and websites that promote prostitution, and it is believed that stricter Internet censorship laws will help reduce human trafficking in the states.
The new Internet censorship laws would not prevent state residents from accessing pornography on their laptops, computers and smartphones, as the technology would only be required on new devices sold in the two states. Any new device purchased would be required to have “digital blocking capability” to prevent obscene material from being accessed. Should the new Internet censorship laws be passed, state residents would be required to pay $20 to have the Internet filter removed.
The proposed law in North Dakota – Bill 1185 – classifies Internet Service Provider’s routers and all laptops, computers, smartphones, and gaming devices that connect to the Internet as “pornographic vending machines” and the proposed law change would treat those devices as such. The bill would also require device manufacturers to block ‘prostitution hubs’ and websites that facilitate human trafficking. If passed, the ban on the sale of non-filtered Internet devices would be effective from August 1, 2017.
Lifting of the block would only be possible if a request to remove the Internet filter was made in writing, the individual’s age was verified in a face to face encounter, and if a $20 fee was paid. Individual wishing to lift the block would also be required to receive a written warning about the dangers of removing the Internet filter.
The fees generated by the state would be directed to help offset the harmful social effects of obscene website content, such as funding the housing, legal and employment costs of victims of child exploitation and human trafficking. Fees would be collected at point of sale.
Device manufacturers would have a duty to maintain their Internet filter to ensure that it continues to remain fully functional, but also to implement policies and procedures to unblock non-obscene website content that has accidentally been blocked by filtering software. A system would also be required to allow requests to be made to block content that has somehow bypassed the Internet filtering controls. Requests submitted would need to be processed in a reasonable time frame. Failure to process the requests promptly would see the company liable to pay a $500 fine per website/webpage.
State Representative Bill Chumley (R‑Spartanburg) introduced similar updates in South Carolina last month, proposing changes to the state’s Human Trafficking Prevention Act. Both states will now subject the proposed bills to review by their respective House Judiciary Committees.
Companies must now deal with a new ransomware threat: 2017 is likely to see a proliferation of doxware attacks.
2016 was the year when cybercriminals fully embraced ransomware and used it to devastating effect on many organizations. As 2016 started, the healthcare industry was heavily targeted. Cybercriminals rightly assumed that the need for healthcare professionals to access patient data would mean ransom payments would likely be paid. That was certainly the case with Hollywood Presbyterian Medical Center. An attack resulted in a ransom of $17,000 being paid to allow the medical center to regain access to patient data and computer systems
Hospitals throughout the United States continued to be attacked, but not only in the United States, Attacks spread to the United Kingdom and Germany. The education sector was also hit heavily. Many schools and universities were attacked and were forced to pay ransoms to obtain keys to unlock their data.
Between April 2015 and March 2016, Kaspersky Lab reported that ransomware infections rose by 17.7%. The figures for April 2016 to March 2017 are likely to show an even bigger rise. Ransomware has rarely been out of the news headlines all year.
Cybercriminals are making stealthier and more sophisticated ransomware variants to avoid detection and cause more widespread disruption. Widespread media coverage, warnings by security companies and law enforcement agencies, and the likely costs of dealing with attacks has led many companies to improve their defenses and develop strategies to recover from infections.
With ransom demands of tens of thousands of dollars – or in some cases hundreds of thousands of dollars – and widespread attacks, the threat can no longer be ignored
One of the best ways of avoiding having to pay a sizeable ransom is to ensure data are backed up. Should ransomware be installed, IT departments can wipe their systems, restore files from backups, and make a quick recovery.
Ransomware is only an effective income generator for cybercriminals if ransoms are paid. If companies can easily recover, and restoring data from backups is cheaper than paying a ransom, cybercriminals will have to look elsewhere to make their money.
However, ransomware is far from dead. Cybercriminasl are changing their tactics. Ransomware is still being used to encrypt data, but an extra incentive is being added to the mix to increase the chance of a ransom being paid.
Doxware: The New Ransomware Threat
Doxware, like ransomware, encrypts data and a ransom demand is issued. However, in addition to encrypting data, information is also stolen. The gangs behind these attacks up the ante by threatening to publish sensitive data if the ransom is not paid.
If access is gained to corporate emails or other electronic conversations, the potential harm that can be caused is considerable. Reputation damage from doxware can be considerable, making payment of a ransom far more preferable to recovering data from a backup. If intellectual property is stolen and published the consequences for a company could be catastrophic.
2016 has already seen extortion attempts by hackers who have infiltrated networks, stolen data, and threatened its release if ransom payments are not made. TheDarkOverlord attacks on healthcare providers are just one example. However, in those attacks data were simply stolen. The combination of data theft with ransomware would be more likely to see ransoms paid. Already we have seen ransomware variants that combine an information stealing component and 2017 is likely to see the problem get far worse.
The increase in cyberattacks and proliferation of web-borne threats has made web filtering for Managed Service Providers one of the most important, and profitable, opportunities for MSPs. However, not all MSPs have started offering a web filtering service to their clients, even though web filtering is now an essential cybersecurity defense
Why is web filtering for Managed Service Providers now so important? Listed below – and in a useful infographic – are some of the reasons why businesses need to control the websites that can be visited by their employees and why web filtering for Managed Service Providers is an important addition to any MSPs service stack.
Cybercriminals Have Switched from Email to the Web to Spread Malware
Email remains one of the most likely routes that malware can be installed. Malicious email volume is growing and in Q3, 2016, Proofpoint discovered 96.8% of malicious attachments were used to download Locky ransomware. Blocking malicious spam email messages is therefore an essential element of any organization’s cybersecurity defense strategy. However, times are a changing. The threat from web-borne attacks has increased significantly in the past few years.
Cybercriminals are well aware that most organizations now use a spam filter to block malicious messages and that they now conduct end user training to warn employees of the risks of opening email attachments or clicking on hyperlinks sent by strangers.
However, far fewer businesses have implemented a solution that blocks web-borne threats. Consequently, cybercriminals have changed their focus from email to the Internet.
The shift to the web means cybercriminals can reach a much bigger target audience and can spread malware and ransomware more effectively. The extent of this paradigm shift is deeply concerning.
Now, more than 80% of malware is web-related and spread via malicious web adverts, hijacked websites, and websites that have been created with the sole purpose of infecting visitors with malware.
As TitanHQ CTO Neil Farrell points out, “the average business user now encounters 3 malicious links per day.” Those links are rarely identified as malicious and the malware downloads that result from visiting malicious websites go undetected.
Web-Borne Threats have Increased Substantially in Recent Years
Cybercriminals use exploit kits – malicious software that probes for vulnerabilities in browsers – on hijacked webpages and purpose designed, malware-laced websites. Zero-day vulnerabilities are frequently identified in web browsers, browser plugins, and extensions and these flaws can be exploited and leveraged to download malware and ransomware. Each time a new flaw is identified, it is rapidly added to a swathe of exploit kits.
Anti-virus software is capable of detecting a high percentage of malware and preventing the malicious software from being installed on computers; however, new forms of malware are being released at an unprecedented rate. A new malware is now released every 4 seconds. Naturally, there is a lag between the release of new malware and the addition of its signature into antivirus software companies’ virus definition lists. Visits to malicious websites all too often result in malware installations that go undetected.
Malicious websites are constantly being created. Google reports that since July 2013, 113,132 new phishing websites have been created and it is businesses that are being targeted. TitanHQ now adds over 60,000 new malware-spreading websites to its blocklists every single day.
Companies that fail to block these web-borne threats face a high risk of their computers and networks being infected with malware. Figures from IDC show that 30% of companies employing more than 500 staff have experienced malware infections as a result of end users surfing the Internet.
New Threats are Constantly Being Developed
Malware is used to log keystrokes to obtain login credentials for further, more sophisticated attacks. Banking credentials are stolen and fraudulent transfers are made. Businesses also have to contend with the current ransomware epidemic. 40% of businesses have now been attacked with ransomware.
Malware and ransomware infections do not just occur via obscure websites that few employees visit. Hugely popular news sites such as the New York Times and the BBC have been discovered to display adverts containing malicious code. Social media websites are also a major risk. 24% of organizations have been infected with malware via Facebook and 7% via LinkedIn/Twitter, according to a recent study by Osterman Research.
These and other serious threats, along with the extent to which infections are occurring, have been summarized in a new infographic that can be accessed by clicking on the image below:
WebTitan Cloud – Web Filtering for Managed Service Providers
Fortunately, there is an easy solution to prevent web-borne attacks: WebTitan Cloud. WebTitan Cloud is a 100% cloud-based web filtering solution that can be used to prevent end users from visiting websites known to contain malware. WebTitan can be configured to block malicious adverts and can prevent end users from being directed to malware-infected websites if malicious links are clicked.
Given the range of threats and the extent to which cybercriminals are using the web, it is now essential for organizations to add web filtering to their cybersecurity defenses. Consequently, web filtering for Managed Services Providers presents a huge opportunity for growth. TitanHQ has seen a significant increase in uptake of its web filtering for Managed Service Providers in recent months as MSPs have started to appreciate the huge potential web filtering for Managed Services Providers has to improve bottom lines.
WebTitan can be rapidly added to an MSPs service stack and is an easy sell to clients. WebTitan can be deployed remotely and rapidly installed and configured. The solution is automatically updated, requires little to no IT support, is technology agnostic, and therefore so has an extremely low management overhead. The solution also has excellent scalability and can be used to protect any number of end users.
MSPs can be provided with a white-label version of WebTitan Cloud ready for branding and WebTitan Cloud can even be hosted within an MSPs own environment. Perhaps most important for MSPs is the high margin recurring SaaS model. That means high recurring revenues for MSPs and better bottom lines.
Contact TitanHQ today to find out more about web filtering for Managed Service Providers, for full technical specifications, and to discover just how easy it is to add WebTitan to your service stack and start boosting profits.
Many employers are not entirely happy with employees using social media sites in the workplace, and with good reason: There are many risks of social media in business and the costs can be considerable.
Social Media Use Can be a Huge Drain on Productivity
When employees are spending time updating their Facebook accounts or checking Twitter they are not working. All those minutes spent on social media platforms really do add up. Social media site use can be a major drain on productivity.
If every employee in an organisation spends an hour a day on social media sites, the losses are considerable. Unfortunately, many employees spend much more than an hour a day on the sites.
Salary.com reports that around 4% of employees waste more than half of each day on non-work related tasks. For a company employing 1,000 members of staff, that equates to more than 160 hours lost each day, not including the hour or two spent on social media sites by the remaining 96% of the workforce.
Social media site use is not all bad, in fact, the use of the sites can be good for productivity. Employees cannot be expected to work solidly for 8 or more hours each day; at least not 8 highly productive hours. If employees enjoy some ‘Facetime’ every hour or two, it can help them to recharge so they are more productive when they return to their work duties.
The problem for employers is how to control the use of Facebook in the workplace and ensure that social media site use is kept within acceptable limits. Taking 5 minutes off every hour or two is one thing. Taking longer can have a seriously negative impact. Unfortunately, relying on employees to self-moderate their use of social media sites may not be the best way to ensure that Internet use is not abused.
The Cost of Social Media Use Can Be Severe
Productivity losses can have a serious negative impact on profits, but there are far biggest costs to employers from social media site use. In fact, the risks of social media in business are considerable.
The cost from lost productivity can be bad, but nowhere near as bad as the cost of a malware or ransomware infection. Social media sites are commonly used by hackers to infect computers. Just visiting a malicious Facebook or Twitter link can result in a malware or ransomware infection. The cost of resolving those infections can be astronomical. The more time employees spend on non-work related Internet activities, the greater the risk of a malware infection.
Is there a genuine risk? According to PC Magazine, the risks are very real. There is a 40% chance of infection with malicious code within 10 minutes of going online and a 94% chance of encountering malicious code within an hour.
Controlling employees’ use of the Internet can not only result in huge increases in productivity, Internet control can help to reduce the risk of malware and ransomware infections. Further, by limiting the sites that can be accessed by employees, organizations can greatly reduce legal liability.
Fortunately, there is a simple, cost-effective, and reliable solution that allows organisations to effectively manage the risks of social media in business: WebTitan.
Managing the Risks of Social Media in Business
WebTitan is an innovative web filtering solution that allows organizations to accurately enforce Internet usage policies. Employers can block inappropriate content to effectively reduce legal liability, block or limit the use of social media sites to improve productivity, and prevent users from encountering malicious code that could give cybercriminals a foothold in the network.
If you have yet to implement a web filtering solution to control Internet use in the workplace or you are unhappy with the cost or performance of your current web filtering product, contact TitanHQ today and find out more about the difference WebTitan can make to your bottom line.
To find out more about the risks of social media in business and why it is now so important to manage social media use in the workplace, click the image below to view our informative infographic.
Most employees are required to agree to use the Internet responsibly and are made to sign an acceptable usage policy as part of their induction before being supplied with a user ID. The policies vary in their content from organization to organization, but typically prohibit individuals from using the Internet to access illegal material, visit websites containing pornography, or engage in online activities that have no work purpose. The policies detail prohibited uses and state the penalties if individuals are discovered to have abused their access rights.
For many businesses, this may be deemed to be sufficient. If policies are breached, there are serious repercussions for the individual. For most employees AUPs alone will be sufficient to stop Internet abuse. However, while a breach of AUPs could result in termination of a work contract or serious disciplinary action against an employee, the consequences for a business can be much more severe.
AUPs can cover employers and prevent legal issues resulting from inappropriate Internet use, but they cannot protect against malware and ransomware infections. The consequences of malware and ransomware infections can be considerable. Data can be lost or corrupted by malware, to confidential information stolen, used for nefarious purposes, or sold on the darknet to criminals. The financial and reputational consequences for a business could be catastrophic.
In the case of ransomware infections, the cost can be considerable. Earlier this year, Hollywood Presbyterian Medical Center experienced a ransomware attack that required a ransom payment of $17,000 to be paid to recover data. The costs of dealing with the infection even after the ransom was paid was considerable, not to mention the disruption to operations while data were locked. Full access to data was not regained for more than a week.
AUPs used to be sufficient to reduce risk – legal and otherwise – but today much more rigorous controls are required to keep networks secure. To manage the risk effectively, it is important to enforce acceptable usage policies with a technological solution.
The most effective way of ensuring AUPs are adhered to is to enforce acceptable usage polices with a web filtering solution. A web filter can be configured to ensure the Internet can only be used for activities that an employer permits. Controls can be applied to ensure that illegal websites are not visited or to block pornography in the workplace, or stricter controls can be applied to severely restrict access. Most importantly given the massive rise in ransomware and malware attacks, controls can be enforced to keep networks secure.
To find out more about the benefits of implementing a web filtering solution, how networks can be secured with WebTItan, and for details of pricing, contact the TitanHQ team today.
Although many businesses use configured DNS filters to prevent cyberattacks, UK ISPs tend to blanket-block complete categories of websites to limit access to those most likely to be harboring malware. This hit-and-miss approach to online security often blocks genuine websites, or exposes consumers who opt out of DNS filtering to every type of online threat.
However, plans have now been announced that will see the UK´s spy agency – GCHQ – partner up with leading ISPs in the UK in order to develop a more finely-tuned approach to consumer security. Effectively GCHQ will advise the ISPs on how to configure their DNS filters to prevent cyberattacks on consumers based on individual sites known to harbor malware.
By preventing consumers from accessing “bad addresses” that appear to be legitimate domains, GCHQ hopes to reduce the number of malware and phishing attacks launched on the UK public each year. The organization is reported to routinely use DNS filtering to filter out some parts of the internet that the government asks to be banned, and this new initiative is an extension of its existing service.
The plans were announced by Ciaran Martin – head of GCHQ and the recently formed National Cyber Security Centre (NCSC) – at the Billington Cyber-Security Summit. Martin told Summit attendees, “We’re exploring a flagship project on scaling up DNS filtering: what better way of providing automated defenses at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?”
A few years ago, former UK Prime Minister David Cameron attempted to introduce legislation that would require ISPs to block pornography. While legislation was not passed, ISPs entered into a voluntary agreement to block pornography by default. Since 2013, all new customers have been prevented from accessing online pornography by their ISPs unless they choose to opt out and lift the DNS filter. Under this voluntary arrangement, UK citizens are protected from inappropriate content, yet their civil liberties are not violated.
There would likely be considerable backlash if the government was to introduce legislation to block the accessing of certain websites, even if those sites were known to contain threats such as malware or ransomware. Martin is well aware of the potential problems that could arise. He told Summit attendees, “The government does not own or operate the Internet,” explaining that any move to use DNS filters to prevent cyberattacks would need to come from the private sector.
Martin explained that, as with ISPs blocking pornography, consumers would be given a choice to opt out of using DNS filters to prevent cyberattacks. He said “addressing privacy concerns and citizen choice is hardwired into our program.”
The plan to use DNS filters to prevent cyberattacks on consumers and UK businesses has been applauded. “The Great Firewall of Britain” will help to protect consumers from cybercriminal activity and keep electronic devices free from malware and ransomware.
There are currently millions of malicious websites that have been set up with the sole purpose of spreading malware such as banking Trojans, ransomware, spyware, or to commit online fraud. Data from the Information Commissioner’s Office (ICO) shows the number of reported online security incidents has doubled in the past year and cyber-infection rates are growing at an exponential level around the globe.
The use of DNS filters to prevent cyberattacks should go some way towards preventing consumers from inadvertently downloading malware or falling victim to a phishing campaign. However, while this is a step in the right direction, when the plan is implemented it will not spell an end to malware and ransomware attacks.
ISP DNS filters can only block websites that are known to be malicious or have been discovered to host exploit kits or malware. Cybercriminals are constantly changing tactics and are using ever more sophisticated methods of attacking individuals, businesses, and governments. The use of ISP DNS filters to prevent cyberattacks will help to deal with low level attacks, but organizations should not rely on their ISPs to block online threats.
It will still be essential for organizations to carefully control the website content that can be accessed by their employees, and to do that they will need their own web filtering solution.
Kaspersky Lab has published a new ransomware study that clearly shows the rise in use of the malicious file encrypting software over the past two years. The research shows that companies are firmly in attackers’ sights, with attacks on companies having soared in recent months.
Kaspersky Ransomware Study 2016
For the ransomware study, Kaspersky Lab looked at crypto-ransomware, which uses encryption to lock critical business files as well as windows blockers – ransomware that simply locks victims’ computer screens to prevent files from being accessed. Kaspersky Lab took de-identified data from the Kaspersky Security Network (KSN) and assessed the data from individuals that had encountered ransomware between April 2014 and March 2016.
Kaspersky Lab notes that while the prevalence of Windows blockers is still high, there has been a massive rise in the use of crypto-ransomware over the past 12 months. Between April 2015 and March 2016 there was a 17.7% rise in the number of individuals who encountered ransomware or Trojan downloaders that installed ransomware. During that time frame, 2,315,931 users had encountered ransomware.
The figures show that cybercriminals are now increasingly turning to ransomware to make money, although in terms of the total number of malware encounters, ransomware remains relatively low. From April 2015 to March 2016, the proportion of users who encountered ransomware out of the total number who encountered other forms of malware increased from 3.63% to 4.34%, a rise of 0.7 percentage points.
Ransomware Study Shows Rise in Popularity of Crypto-Ransomware
The Kaspersky ransomware study clearly shows the rise in popularity of crypto-ransomware with cybercriminals. Compared to 2014-2015, the last 12 months has seen the percentage of individuals who encountered crypto-ransomware rise by 25 percentage points. 31.6% of ransomware encounters are now with cryptors. Attacks using cryptors jumped by 5.5% to 718,536 attacks between 2015 and 2016.
Kaspersky Lab also noted a fall in the use of Windows lockers. Attacks using Win-lockers fell by 13.03% over the same period, falling from 1,836,673 attacks in 2014-2015 to 1,597,395 attacks in 2015-2016.
Windows blockers are not particularly sophisticated and are relatively easy to resolve; however, the same is not true of crypto-ransomware infections. An infection with a Windows-blocker can be reversed without paying a ransom demand. The victim could simply re-install their operating system. This may not be an ideal solution, and it can be time consuming, but the victim would be able to recover all of their files.
With crypto-ransomware that is not the case. If a ransom demand is not paid, the victim would not be able to unlock their files. The decryption keys are all held by the attackers. The only way to recover from a crypto-ransomware attack without paying the ransom demand is by restoring files from a backup. If no backup exists, the victim must pay the ransom or forever lose their files. Because of this, victims are more likely to pay the ransom. It is therefore no surprise that cybercriminals are increasingly trying to cryptors.
Businesses Increasingly Being Targeted
The Kaspersky Lab ransomware study shows that businesses are now increasingly being targeted. Not only will businesses be more likely to pay the ransoms, since ransoms are set per device, the infection of a business network of multiple computers would represent a big pay day for an attacker. Between 2014 and 2016, attacks on businesses rose from 6.80% of all attacks to 13.13%.
The ransomware variants used to attack businesses and individuals has changed significantly over the past 12 months. In 2014-2015, CryptoWall accounted for the lion’s share of attacks (58.84%). Other attacks used a variety of different ransomware variants, the main other variants were Cryaki (5.66%) and Scatter (4.40%).
In 2015-2016, the main ransomware variant was Teslacrypt, which accounted for 48.81% of ransomware attacks. However, many new variants were also extensively used. CTB-Locker accounted for 21.61% of attacks, Scatter 8.66%, Cryaki 7.13%, CryptoWall 5.21%, and Shade 2.91%. Attacks using Locky were just starting late in the year. Locky accounted for 0.62% of all attacks between 2015 and 2016. The “Others category” decreased considerably from 22.55% of attacks in 2014-2015, to 2.41% in 2015-2016. Kaspersky Lab attributes this to the sharing of crypto-ransomware kits by ransomware developers.
Healthcare ransomware infections have made the headlines in recent weeks, although the University of Calgary ransomware attack shows that no organization is immune: In fact, university ransomware attacks are on the rise.
Organizations in the healthcare and financial sectors are the main targets for cybercriminals, although education is the third most likely industry to be attacked. Universities store huge volumes of highly sensitive data and state-sponsored hacking groups frequently conduct attacks.
Foreign governments are keen to obtain research data and ransomware attacks on universities may just be a smokescreen. All too often DDoS attacks are performed for this purpose, yet ransomware can be just as effective. While IT departments scramble to secure systems and recover data, attackers may be plundering data.
University of Calgary Ransomware Attack: $20K Paid for Decryption Keys
The University of Calgary ransomware attack occurred late last month and resulted in computer systems being severely disrupted. The IT department worked around the clock in an attempt to contain the infection and restore computer services one by one. While the University had made backups of critical data, the decision was taken to pay the attackers’ ransom demand as a precaution. To obtain the decryption keys the University had to pay the attackers $20,000.
However, even after paying the ransom, unlocking the encryption and recovering data has been a long winded process. The decryption keys had to be assessed and evaluated, and the process of decrypting the infection took a considerable amount of time.
If multiple computers are infected with ransomware, separate decryption keys are required for each device. Each computer must be restored separately and decryption keys do not always work and may not allow all data to be recovered.
The keys have to be used with care and an infection can take up a considerable amount of an IT department’s time to resolve. Systems and data need to be checked after the infection has been removed and additional cybersecurity measures implemented to protect against future attacks.
The University of Calgary ransomware attack has cost tens of thousands of dollars to resolve and shows that paying the attackers ransom demand is not a quick fix that will enable files to be quickly recovered. The recovery process is time consuming, expensive, and requires a considerable amount of resources.
During the time that systems are down, workflows are seriously disrupted. In the case of university ransomware attacks lives may not be put at risk as is the case with healthcare attacks, but the costs of ransomware attacks on universities can be considerable. The total cost of resolving a ransomware infection is far in excess of any ransom payment.
Protecting Against University Ransomware Attacks
Unfortunately for universities, protecting against ransomware can be difficult as public and private networks often overlap. Staff and students are often allowed to connect personal devices to networks, and controlling devices that connect to networks can be a difficult task. While businesses can conduct cybersecurity training and can teach staff basic security best practices to adopt, this can be difficult for universities with huge volumes of staff, students and researchers.
It is therefore important to implement a number of strategies to reduce the risk of a ransomware attack being successful.
It is essential that regular data backups are made and backup devices must be air-gapped. Staff and students should be encouraged to save files on backed up network drives, and cybersecurity training should be provided where possible. Students should be informed of the risk and advised of security best practices via email and noticeboards.
Many universities already use a web filtering solution to control the content that can be accessed via university wired and WiFi networks. Web filters can also be configured to reduce the risk of drive-by malware downloads. Anti-spam solutions can also prove effective as part of a multi-layered cybersecurity strategy and can prevent malicious emails from being delivered.
Technology should also be implemented to identify intrusions when they occur. A network intrusion detection system is a wise precaution alongside traditional anti-virus and anti-malware solutions.
It may not be possible to prevent all university ransomware attacks, but it is possible to manage risk and reduce the damage caused if ransomware is installed on devices or networks.
This week saw a host of updates issued by Microsoft to address critical flaws in Windows, although 44 security vulnerabilities in total have been addressed in the updates. These vulnerabilities affect a wide range of its products including Windows, Internet Explorer, Edge, and many of its Microsoft Office products. The updates were spread across 16 security bulletins, 6 of which were rated by Microsoft as critical. The remaining patch bundles were marked as important.
Critical Flaws in Windows Addressed this Patch Tuesday
To address the latest critical flaws in Windows, all of the patches should be applied as soon as possible. However, some are more important than others and should be prioritized. MS16-071 is perhaps the most important, especially for organizations that run their DNS server on the same machine as their Active Directory server. This update addresses critical flaws in Windows Server 2012 and Windows Server 2012 R2.
MS16-071 addresses a single flaw in Microsoft’s DNS server; however, the flaw is highly serious. Malicious actors could potentially exploit this vulnerability which allows remote code execution if an attacker send malicious requests to the DNS server. The update modifies how the DNS servers handle requests.
Microsoft has also issued updates to address vulnerabilities in Internet Explorer – MS16-063 – and Microsoft Edge – MS16-068. These two flaws would allow an attacker to gain the same rights as the current user if that individual visits malicious websites configured to exploit the vulnerability.
MS16-070 should also be updated as a priority. This security bulletin addresses a number of flaws, one of which could be exploited via spam email. It addresses vulnerability CVE-2016-0025, which concerns the Word RTF format. This could be exploited to yield RCE to the attacker. Worryingly, an attacker could exploit the flaw without an email even being opened, should that message be viewed using message preview in Microsoft Outlook.
Adobe Flash Zero Day Being Actively Exploited
While all of these updates are important, there is an even bigger worry. A new zero-day vulnerability in Adobe Flash Player has been discovered by Kaspersky Lab researchers. Adobe has been alerted that an exploit already exists for CVE-2016-4171 and that it is being actively exploited in the wild. At present, the vulnerability is being exploited in targeted attacks on organizations by a new hacking group referred to by Kaspersky Lab as “ScarCruft.”
Earlier this week, Adobe said it will delay the issuing of updates in order to address this new vulnerability. CVE-2016-4171 affects Adobe Flash v 188.8.131.52 and previous Windows, Mac, Chrome OS, and Linux versions. Updates are expected to start rolling out today.
The Zuckerberg Twitter hack has clearly demonstrated the danger of password reuse. Zuckerberg used the same password for Twitter as he did for his Pinterest and LinkedIn accounts. In spite of the Facebook founder, chairman, and CEO’s lofty position at the top of the world’s most popular social media network, he is guilty of poor data security practices like many others.
In addition to reusing passwords, Zuckerberg also chose a password of 6 digits with no capital letters, symbols, or numbers and did not change it for at least three years. The password was revealed to be “dadada.”
Mark Zuckerberg Twitter Hack Stemmed from the LinkedIn Data Breach
A collective known as OurMine was responsible for the Mark Zuckerberg Twitter hack. The collective, which is understood to hail from Saudi Arabia, gained access to data from the LinkedIn breach. The data were listed for sale a few days previously by a hacker operating under the name of “Peace”.
The LinkedIn passwords were not stored as plaintext, so a little effort was required to reverse the hash to obtain the password. While SHA-1 was thought to be impossible to reverse, it has since been shown to be a relatively straightforward task unless the passwords are also salted. In the case of LinkedIn, they were not.
Simply enter in the SHA-1 hash of a password into one of many reverse hash calculators and the plaintext password will be revealed. A search of the keyword phrase “how to reverse a sha1 password” will reveal many online options for doing so. Once the password had been obtained, access to online accounts was possible.
The Zuckerberg Twitter hack did not appear to cause anything other than some embarrassment. The group notified Zuckerberg of the hack by tweeting him using his own account, saying “we are just testing your security.” While the tweet said that Zuckerberg’s Instagram account was compromised, it has since been confirmed that this account was secure all along, as was Zuckerberg’s Facebook account.
While it is embarrassing, it should be pointed out that Zuckerberg was not a regular Twitter user, having only sent 19 tweets from his account in the past four years. His compromised Pinterest account was similarly rarely used.
Spate of Account Hacks Reported After Major Data Leaks
Other individuals were not quite so fortunate. Since the data from the LinkedIn breach was made available online, numerous celebrity social media accounts have been compromised. The Twitter accounts of celebrities such as Keith Richards and Kylie Jenner were hacked, as was the account of Tenacious D. The latter’s account was used to send a tweet saying Jack Black had died.
While these hacks have not been confirmed as stemming from the LinkedIn breach (or the MySpace or Tumblr breaches) the spate of account hijacks suggest as much.
TeamViewer GmbH was also a victim, having had numerous accounts compromised recently. The company provides remote desktop software and a number of users claim that the hacking of GmbH employee accounts enabled attackers to compromise their computers and authorize PayPal and Amazon transactions. This was attributed to “password mismanagement” by GmbH rather than any flaws in their software.
All of these account hacks show how common the reuse of passwords is, and the danger of doing so. What should be particularly worrying for businesses, is many people use their LinkedIn passwords for work accounts, or vice versa. If that password is obtained via a data breach, malicious actors could do a considerable amount of damage.
Important Online Security Best Practices
To improve security and reduce the risk of more than one account being compromised….
- Never reuse passwords
- Create a complex password for each platform – use symbols, capitals, and numerals
- Change your passwords regularly – every month or three months
- Use 2-factor authentication if available
- Use a password manager to help keep track of passwords
- Don’t store your passwords in your browser
- Regularly check your email address/username against the Have I Been Pwned? database
A recent ransomware research study has shown the individuals running ransomware campaigns do not actually earn that much money and the success rate of attacks is relatively low. However, the threat from attacks cannot be ignored due to the volume of individuals now running their own ransomware campaigns.
For the ransomware research study, web intelligence company Flashpoint trawled underground forums and marketplaces and monitored communications over a period of five months. The purpose of the ransomware research study was to improve understanding of how ransomware campaigns are run, to learn about the players involved, and the tactics they used to run campaigns and infect end users. It helps to know thy enemy when forming a defense strategy against attacks.
For its ransomware research study, Flashpoint investigated Russian ransomware campaigns from December 2015. The attacks were predominantly carried out on organizations and individuals in the West.
Ransomware Research Study Shows Campaigns are Not as Profitable as Many People Think
Considering the disruption caused and the money lost by victims of ransomware attacks, many people believe the criminals behind the campaigns are making big bucks, but that is not necessarily the case. In fact, even “ransomware bosses” – the individuals offering ransomware-as-a-service – are not raking in anywhere near as much money as many people think.
The majority of cybercriminals who run ransomware campaigns earn well under $10,000 a month. According to the ransomware research study report, only one in five individuals who run ransomware campaigns admitted to earning in excess of this figure. The report suggests that the average monthly earnings from this type of campaign is around $600 per month.
The typical ransom is around $300 per infected computer, although the people who run the campaigns have to give the ransomware bosses 60% of their earnings. They are allowed to keep the remaining 40%, suggesting most of the people running these campaigns only get 2-3 ransoms per month.
The ransomware research study data suggest that far from allowing criminals to obtain big money from ransomware campaigns, the attacks only yield similar returns to other forms of cybercriminal activities. The only difference being the attackers can usually get their hands on money faster. Stealing data such as credit card numbers or healthcare data requires the attacker to find a buyer for those data before any money is received.
The report suggests that the typical infection rate from a campaign is between 5% and 10%, yet few of the victims end up paying the ransom. Many ransomware victims are protected having made backup copies of important files and some are able to unlock the infections using tools from security companies. Others are willing to lose data rather than pay the ransom.
Ransomware bosses that push ransomware-as-a-service using an affiliate model can make around $7,500 per month, which equates to around $90,000 a year – approximately 30 ransom payments per month for the bosses.
Most Ransomware Campaigns are Run by Novices
While there are criminal gangs and highly skilled cybercriminals who invest a lot of time and effort into their ransomware attacks, the report suggests that the majority of attackers are novices; not skilled hackers. The report suggests that many individuals choose to run campaigns using ransomware-as-a-service in the hope that they will get lucky and get a big payout. These individuals tend to run spamming campaigns based on quantity rather than quality, and send high numbers of spam emails using botnets.
Flashpoint’s ransomware research study shows just how easy it is to start sending out ransomware campaigns. This is why so many individuals choose to give it a try. All that is needed is a very small injection of capital to get started, a lack of morals about how money is earned online, and a modicum of knowledge to allow individuals to send out mass spam emails.
Adverts for ransomware-as-a-service are easy to find with the Tor browser and advice on distribution is not difficult to find. Would-be criminals with no experience are recruited with a promise of a big payout, even though the reality is that for most people the payouts will be low.
More experienced and skilled individuals send phishing emails directing victims to websites containing exploit kits, which probe for vulnerabilities and automatically download the ransomware. Another popular method of infection is to sneak adverts containing malicious links onto legitimate advertising networks.
Only a small percentage of attackers are highly skilled. These individuals tend to send out targeted campaigns. These attackers target organizations and businesses with the aim of infecting multiple machines and infiltrating networks causing widespread disruption.
These campaigns tend to involve a considerable amount of planning, and require the attacker to research targets and design targeted emails that have a high change of eliciting the desired response. According to Flashpoint’s director of Eastern European Research and Analysis, Andrei Barysevich, “The success rate of this type of operation is significantly higher, enabling criminals to earn upwards of $10,000 a month or more.”
For organizations infected with ransomware the costs can be severe. Add up the cost of disruption to the business, the time and resources required to remove infections and restore files, and the cost of implementing more robust security measures, and the cost of a ransomware attack could be tens of thousands of dollars.
With no shortage of takers for ransomware-as-a-service, and ever more sophisticated ransomware being developed, organizations must develop a host of defenses to prevent attacks from being successful.
Security researchers have discovered a serious Jetpack plugin vulnerability that places sites at risk of attack by hackers. If you run WordPress sites for your company and you use the Jetpack website optimization plugin, you must perform an update as soon as possible to prevent the flaw from being exploited.
The flaw can also be exploited by competitors to negatively affect search engine rankings by using SEO spamming techniques, which could have serious consequences for site ranking and traffic.
Over a Million WordPress Websites Affected by the New Jetpack Plugin Vulnerability
The Jetpack plugin vulnerability was recently discovered by researchers at Sucuri. The flaw is a stored cross-site scripting (XSS) vulnerability that was first introduced in 2012, affecting version 2.0 of the plugin. All subsequent versions of Jetpack also contain the same Shortcode Embeds Jetpack module vulnerability.
Jetpack is a popular WordPress plugin that was developed by the people behind WordPress.com – Automattic – and has been downloaded and used on more than one million websites. This is not only a problem for website owners, but for web visitors who could easily have this flaw exploited to infect their computers with ransomware or malware. Flaws such as this highlight the importance of using web filtering software that blocks redirects to malicious websites.
While many WordPress plugin vulnerabilities require a substantial skill level to exploit, the jetpack plugin vulnerability takes very little skill at all to exploit. Fortunately, Jetpack has not discovered any active exploits in the wild; however, now the vulnerability has been announced, and details provided online about how to exploit the vulnerability, it is only a matter of time before hackers and malicious actors take advantage.
The flaw can only be exploited if the Shortcode Embeds Jetpack module is enabled, although all users of the plugin are strongly advised to perform a site update as soon as possible. Jetpack has worked with WordPress to get the update pushed out via the WordPress core update system. If you have version 4.0.3 installed, you will already be protected.
Jetpack reports that even if the flaw has already been exploited, updating to the latest version of the software will remove any exploits already on the website.
Over the past few days, rumors have been circulating about a massive MySpace data breach. Initial reports suggested that 427 million usernames and passwords had been obtained by a hacker going by the name of “Peace”. The name should sound familiar. The Russian hacker is the same individual who recently listed 117 million LinkedIn login credentials for sale on an illegal darknet marketplace. The hacker was also allegedly responsible for the 65 million-record data breach at Tumblr.
360 Million Login Credentials Stolen in MySpace Data Breach
Yesterday, Time Inc., confirmed that login credentials had been listed for sale online and that a MySpace data breach had occurred, although it would appear that the stolen data was obtained some time ago. The login credentials are for the old MySpace platform and date to before June 11, 2013. While Time Inc., did not confirm exactly how many login names and passwords had been stolen, Time confirmed that the figure of 360 million that had been reported in the press in the last couple of days was probably accurate.
Usernames, passwords, email addresses, and secondary passwords are reportedly being offered for sale. Out of the 360 million logins, Leakedsourrce.com suggests that 111,341,258 of the stolen records include a username and a password, and 68,493,651 records had a secondary password compromised. Not all of those stolen records also included a primary password.
Since 2013, data security has improved considerably and many companies have enforced the use of numerals, capital letters, and symbols when creating passwords. The stolen data reportedly includes only a small percentage of accounts with a capital letter in the password. This makes the passwords much easier to crack. The algorithm used to encrypt the passwords was also weak.
The login credentials from the MySpace data breach are reportedly being offered for sale for 5 Bitcoin – approximately $2,800.
All old users of the MySpace platform, and current users who joined the website before June 11, 2013 are potentially at risk. MySpace has responded to the breach by resetting all passwords on accounts created before June 11, 2013. When these users visit MySpace again they will be required to authenticate their account and supply a new password.
Additional security measures have been employed to identify suspicious account activity and the data theft is now being investigated. It would appear that no one at MySpace was aware that its database had been breached until the data were offered for sale just before the Memorial Day weekend.
MySpace Breach Shows Why It is Important Never to Reuse or Recycle Passwords
Since the data breach appears to have occurred some time ago, it is probable that many users will have changed their passwords on the site long ago, but the data could still be used to attack past and current users. All too often passwords are recycled and used for other online accounts, and many individuals use the same passwords for different platforms or rarely (or never) change them.
The MySpace data breach shows why it is important to use a different password for each online account and to regularly change passwords on all platforms. In the event of a breach of login credentials, users will only have to secure one account. If there is a possibility that only passwords are still in use on other platforms, MySpace account holders should update their passwords as soon as possible.
Hackers have access to tools that can check to see if account login and password combos have been used on other websites.
After the recent news that TeslaCrypt has been decommissioned comes a new highly serious threat: DMA Locker ransomware.
Malwarebytes has recently reported that DMA Locker ransomware, which is now in its 4th incarnation – could pose a significant threat to businesses and individuals over the coming weeks. Version 4 of the ransomware has already been added to the Neutrino exploit kit and is currently being distributed. Malwarebytes expects DMA Locker ransomware attacks to become much more widespread.
Spate of DMA Locker Ransomware Attacks Expected
DMA Locker ransomware was first seen in the wild in January of this year, yet the malicious file-encrypting malware posed little threat in its early forms, containing numerous flaws that allowed security companies to develop decryption tools.
The early forms of DMA Locker ransomware were capable of encrypting files offline and did not used a command and control server. When files were encrypted, the key to unlock the encryption was stored on the device. This allowed the malware to be reverse engineered to crack the encryption.
A new version of the ransomware was released a month later, yet it used a weak random generator and it was a relatively easy task to guess the AES key. A couple of weeks later saw the release of version 3, which saw previous flaws corrected by the authors.
However, version 3 of DMA Locker ransomware contained another flaw. While it was not possible to decrypt locked files without a decryption key, the attackers used the same key for the entire campaign. If a business had multiple infections, only one key would need to be purchased. That key could then be posted online and be used by other victims.
However, this month version 4 was released. The latest version corrects the issues with version 3 and uses a separate key for each infection. The ransomware also communicates with a command and control server and cannot work offline.
Infection with early versions of the ransomware occurred via compromised remote desktop logins – or logins that were easily guessed. Consequently, the number of recorded infections remained low. However, the latest version has been added to exploit kits which take advantage of vulnerabilities in browsers making silent drive-by downloads of the ransomware possible. This makes attacks much more likely to occur.
The ransomware is potentially highly serious, encrypting a wide range of file types. Many ransomware strains only encrypt specific file types. TeslaCrypt for example was developed to attack gamers, and encrypted saved game files and files associates with Steam accounts. DMA Locker does not search for specific files, and instead encrypts everything that is not in its whitelist of file extensions. It is also capable of encrypting files on network drives, not just the computer on which it has been downloaded.
To prevent attacks, businesses should use web filtering software to block users visiting sites containing exploit kits and stop command and control server communications. Regular backups should also be performed and files stored on air-gapped drives. In case of attack, files can then be recovered without paying the ransom.
A successful CEO fraud scam that resulted in a fraudulent bank transfer being made from company accounts to a cyberattacker has cost the CEO his job.
CEO Fraud Scan Results in Losses of 40.9 Million Euros
Earlier this year, FAAC – an Austrian aircraft component manufacturer – was targeted by attackers who managed to pull off an audacious 50 million Euro ($55 million) CEO fraud scam. A wire transfer was made for 50 million euros by an employee of the firm after receiving an email request to transfer the funds from CEO Walter Stephan. The email was a scam and had not been sent by the CEO.
Unfortunately for FAAC, the CEO fraud scam was discovered too late and the transfer of funds could not be stopped. While the company was able to recover a small percentage of its losses, according to a statement released by FAAC, the company lost 41.9 million Euros as a result of the attack which contributed to annual pretax losses of 23.4 million Euros.
The bank transfer represented approximately 10% of the company’s entire annual revenue. Given the high value of the transfer it is surprising that the transfer request was not queried in person – or over the telephone with the CEO.
The CEO and the employee who made the transfer were investigated but do not appear to have been involved in the scam. The attackers were not believed to be linked to FAAC in any way.
Heads Roll After Huge Losses Suffered
Earlier this year, FAAC sacked its chief finance officer as a direct result of the scam. The CEO was recently sacked following a meeting of the company’s supervisory board. Stephan had worked at the company as CEO for 17 years.
This CEO fraud scam is one of the largest ever reported, although this type of scam is becoming increasingly common. Earlier this year the FBI issued an advisory about the high risk of CEO fraud scams following many attacks on U.S companies over the past year. In April, the FBI reported that $2.3 billion has been lost as a result of this type of scam.
CEO email fraud involves a member of the accounts department being sent an email from the CEO – or another senior executive – requesting a bank transfer be made from the company accounts. A reason is usually supplied as to why the transfer request needs to be made, and why it must be made urgently.
Oftentimes, the scammer and the target exchange a few emails. An email is initially sent asking for a transfer to be made, followed by another email containing details of the recipient account where the funds must be sent and the amount of the transfer. The scams are effective because the request appears to come from within the company from a senior executive or CEO. Oftentimes the attackers manage to compromise the CEO’s email account, and spend time researching the style the CEO uses for emails and who transfer requests have been sent to in the past.
According to the FBI, the average transfer amount is between $25,000 and $75,000, although much larger scams have been pulled off in the past. Irish budget airline Ryanair fell victim to a CEO fraud scam and wired $5 million to a Chinese bank, although the funds were able to be recovered. The Scoular Co., wired $17.2 million to scammers in February last year, while Ubiquiti suffered a loss of $46.7 million as a result of a CEO fraud scam.
Easy Steps to Prevent CEO Email Fraud
There are steps that can be taken that can greatly reduce the risk of these scams being successful.
- Implement policies that require all bank transfers – or those above a certain threshold – to be authorized by telephone or through other communication channels.
- Ensure bank transfer requests are authorized by a supervisor and are not left to one single employee
- Configure spam filters to block spoofed domains to prevent scam emails from being delivered
- Provide training to all accounts department staff and warn of the risk of CEO fraud scams
Resolving a hospital ransomware infection may not be as easy as paying the attackers’ ransom demand, as was shown by the Kansas Heart Hospital ransomware attack last week.
Hospital Ransomware Infection Not Removed After Ransom Paid
The Kansas Heart Hospital ransomware attack which occurred last week was the latest in a string of attacks on healthcare organizations in the United States. Ransomware was accidentally installed on a hospital worker’s computer and files were locked and prevented from being accessed.
A ransom demand was received demanding payment for decryption keys to unlock the infection. The decision was taken to pay the ransom to resolve the hospital ransomware infection quickly.
After the ransom was paid, the attackers did not make good on their promise and failed to unlock all of the files. Some Instead the hospital was issued with a second ransom demand.
In this case, the initial ransom demand was relatively low. Ransomware attackers typically demand a fee of approximately $500 per device to unlock an infection. If multiple computers have been infected, that figure is then multiplied by the number of devices that need to be decrypted.
Ransomware locks each individual machine separately, and a different key is required to unlock each one. Otherwise a victim could pay up and then publish their key and no one else would be required to pay.
Kansas Heart Hospital did not disclose how much was paid, but this could well have been the fee to unlock a single machine. However regardless of the amount, the incident shows that even if a ransom is paid there is no guarantee that the attackers will play ball and make good on their promise. Further demands may be made from more Bitcoin. Resolving a hospital ransomware infection may not necessarily mean just paying the ransom demand.
Healthcare Industry Under Attack
Over the past few months the healthcare industry has come under attack from criminals using ransomware. Some authors of ransomware have taken steps to prevent healthcare providers’ computers from being attacked by their ransomware by including checks to determine the environment in which the ransomware has been installed. However, not all attackers feel they have a moral responsibility to prevent attacks which could cause people to come to physical harm.
Hollywood Presbyterian medical center, Alvarado Hospital Medical Center, King’s Daughters’ Health, Kentucky’s Methodist Hospital, California’s Chino Valley Medical Center and Desert Valley Hospital, and MedStar Health have all been attacked with ransomware this year.
That list is likely to continue to grow. Hospitals and medical centers are attractive targets for ransomware gangs. Many healthcare organizations have under-invested in cybersecurity measures to protect their networks and many hospital employees have not received extensive training in security awareness. This makes it easy for attackers to install ransomware.
Furthermore, if patient data are locked this can have a negative effect on patient health. If patients are at risk of harm, organizations are much more likely to respond to ransom demands and pay up to ensure patients do not suffer. If patients are harmed as a direct result of poor investment in cybersecurity or mistakes that have been made by healthcare employees, healthcare organizations are likely to face lawsuits that could result in damages far in excess of the ransom being demanded.
With attacks likely to continue, healthcare providers must take steps to prevent ransomware attacks from occurring, and develop policies that can be implemented immediately upon discovery of a ransomware attack. As the Kansas Heart hospital ransomware attack has shown, paying a ransom is no guarantee that the file encryption will be unlocked. Hospitals may find that they still have to recover files from backups or explore other means of unlocking infections.
The threat from Cerber ransomware has increased substantially after the gang behind the file-encrypting software have leveraged Dridex botnets to deliver a malicious payload that loads the ransomware onto users’ devices.
Cerber ransomware was first discovered in the wild in February 2016, but researchers at security firm FireEye noticed a massive increase in infections in recent weeks. Initially, Cerber ransomware infections occurred as a result of visiting malicious websites hosting the Nuclear or Magnitude exploit kits. Nuclear and Magnitude probe visitors’ browsers for a number of zero day vulnerabilities, although infections primarily occurred by exploiting a vulnerability in Adobe Flash (CVE-2016-1019). Now the ransomware is being installed via infected files sent via spam email.
Cerber differs from many ransomware strains by being able to speak to victims. The ransomware is able to use text-to-speech to tell victims they have been infected and that their files have been encrypted.
Massive Increase in Cerber Ransomware Infections Discovered in April
The number of infections remained relatively low since the discovery of the new ransomware earlier this year; however, there was a massive spike in infections around April 28 according to FireEye. The ransomware was being downloaded using Microsoft Word macro downloaders.
The attached files are usually disguised as invoices, receipts, or purchase orders, while the emails – written in English – urge the user to open the attachment. If macros are enabled on the computer a VBScript will be installed in the victim’s %appdata% folder. If macros are not enabled users will be prompted to enable them in order to view the contents of the file. Doing so will guarantee infection.
Once installed, the script performs a check to determine whether the infected computer has an Internet connection by sending an HTTP request to a website. If an Internet connection is present, the script will perform a HTTP Range Request, that will ultimately result in the final stage of the infection. FireEye reports the technique has previously been used to deliver the financial Trojans Dridex and Ursnif.
Cerber has been configured to encrypt Word documents, emails, and Steam gaming files, which are given a “.cerber” extension. To unlock the encryption, the victims are told to visit one of a number of websites with the domain “decrypttozxybarc”. Further instructions are then provided on how to unlock the encryption, although a Bitcoin ransom must first be paid. In addition to encrypting files, Cerber ransomware adds the victim’s computer to a spambot network.
The ransomware uses a number of obfuscation techniques to avoid detection by spam filters and anti-virus programs. If the emails are delivered and the macros are allowed to run, victims’ files will be encrypted. To prevent infection, it is important to have macros disabled and to be extremely cautious about opening email attachments, and never to open files deliver via email from an unknown sender. The decrypttozxybarc domain should also be added to web filter blacklists.