Cybercriminals have adopted a new tactic to deliver malware and conduct phishing attacks on unsuspecting internet users. They are hijacking inactive domains and using them to direct visitors to malicious websites in a form of malvertising.
Malvertising is the term given to the use of malicious code in seemingly legitimate adverts, which are often displayed on high-traffic websites. Website owners use third-party ad networks as a way to increase revenue from their websites. Most of these adverts are genuine and will direct users to a legitimate website, but cybercriminals often sneak malicious code into these adverts. Clicking the link will direct the user to a website hosting an exploit kit or phishing form. In some cases, ‘drive-by’ malware downloads occur without any user interaction, simply if the web content loads and the user has a vulnerable device.
The new tactic uses domains that have expired and are no longer active. These websites may still be listed in the search engine results for key search terms. When a user conducts a search and clicks the link, or uses a link in their bookmarks to a previously visited website, they will arrive at a landing page that explains that the website is no longer active. Oftentimes, that page will include a series of links that will direct the visitor to related websites.
What often happens is these expired domains are put up for sale. They can be attractive for purchasers as there may already be many links to the website, which is preferable to starting a brand-new website from scratch. These expired domains are then auctioned. Researchers at Kaspersky found that cybercriminals have taken advantage of these auction-listed websites and have added links that direct visitors to malicious websites.
When a visitor arrives on the site, instead of being directed to the auction stub, the stub is replaced with a link to a malicious website. The study uncovered around 1,000 domains that had been listed for sale on a popular auction site, which redirected visitors to more than 2,500 unwanted URLs. In the majority of those cases, the URLs were ad-related pages, but 11% of the URLs were malicious and were mostly being used to distribute the Shlayer Trojan via infected documents that the user is prompted to download. The Shlayer Trojan installs adware on the user’s device. Several of the sites hosted malicious code on the site rather than redirecting the visitor to a different website.
These domains were once legitimate websites, but are now being used for malicious purposes, which makes the threat hard to block. In some cases, the sites will display different content based on where the user is located and whether they are using a VPN to access the internet. These websites change content frequently, but they are indexed and categorized, and if they are determined to be malicious, they are added to real-time block lists (RBLs).
A web filtering solution such as WebTitan can provide protection against malvertising and redirects to malicious sites. If an attempt is made to send a user to a known malicious website, rather than being connected the user will be directed to a local block page, negating the threat. WebTitan can also be configured to block downloads of risky file types from these websites.
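The redirect pattern described above can be hunted for in web proxy logs. The following is an added example, not code from Kaspersky or TitanHQ: it flags off-domain redirects that start at a watchlisted expired domain and follows each chain to see whether it ends in a risky download. The log layout, the watchlist, the file-extension list and all `.example` hostnames are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed proxy-log records (not real traffic):
# (client IP, requested URL, HTTP status, Location header)
SAMPLE_LOG = [
    ("10.0.0.5", "http://old-shop.example/", 302, "http://ads.example/offer"),
    ("10.0.0.5", "http://ads.example/offer", 200, ""),
    ("10.0.0.9", "http://old-shop.example/", 302, "http://dl.example/landing"),
    ("10.0.0.9", "http://dl.example/landing", 302, "http://dl.example/update.dmg"),
    ("10.0.0.9", "http://dl.example/update.dmg", 200, ""),
    ("10.0.0.7", "http://intranet.example/", 302, "http://intranet.example/login"),
]

# Assumption: the defender keeps a watchlist of expired / auction-listed domains
WATCHLIST = {"old-shop.example"}
# Assumption: file types the organization treats as risky downloads
RISKY_EXT = (".dmg", ".pkg", ".exe", ".docm", ".zip")


def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def find_stub_redirects(log, watchlist=WATCHLIST):
    """Flag off-domain redirects from watchlisted domains and follow each chain."""
    findings = []
    for i, (client, url, status, location) in enumerate(log):
        if host(url) not in watchlist or not 300 <= status < 400:
            continue
        if not location or host(location) == host(url):
            continue  # redirect stays on the same host: not this pattern
        target, hops = location, 1
        # Follow the same client's later requests along the redirect chain
        for c, u, s, loc in log[i + 1:]:
            if c == client and u == target:
                if 300 <= s < 400 and loc:
                    target, hops = loc, hops + 1
                else:
                    break  # chain ended in a non-redirect response
        risky = urlsplit(target).path.lower().endswith(RISKY_EXT)
        findings.append({"client": client, "source": host(url), "hops": hops,
                         "final": target, "risky_download": risky})
    return findings
```

Findings with `risky_download` set are the ones to triage first; the others match the ad-related redirects that made up the majority of URLs in the study.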
Many organizations have implemented firewalls to prevent direct attacks by hackers, use antivirus software to block malware, and use an anti-spam solution to block attacks via email, but there is a gap in their security protections and web-based threats are not effectively blocked. WebTitan allows organizations to plug that gap and control the websites that can be accessed by employees.
For further information on WebTitan and filtering the internet, give the TitanHQ team a call. WebTitan is available on a free trial to allow you to evaluate the solution and see for yourself how you can block attempts to visit malicious web content and NSFW sites.
TitanHQ customers that are currently using the ArcTitan email archiving solution for long term email storage will soon benefit from a vastly improved email archiving service. TitanHQ is in the process of migrating customers to new email archiving systems that have been developed to improve performance, reliability, and scalability.
The new ArcTitan email archiving service is being delivered on new infrastructure: a highly available, horizontally scaling Kubernetes cluster that is self-maintaining and self-healing. Within the cluster are multiple components that work in harmony, but independently. This has the advantage of ensuring that in the event of a server outage or if a component goes down, there will be minimal or no downtime. Any time a component goes down, all others will remain available and the component that has gone down will be taken offline and automatically repaired. Other components will not be affected.
The new email archiving systems offer replicated persistent storage through Ceph storage clusters. This provides high-performance storage and file systems, with automated data replication and failover. Amazon S3 is used for long-term storage of archived email data, providing reliability, redundancy, and scalability. A Percona XtraDB MySQL cluster is deployed within Kubernetes for handling all database operations. The cluster is self-maintaining, self-healing, and can be scaled with minimal effort and zero downtime. Customers are also provided with a new and improved ArcTitan GUI.
Managing the Migration
TitanHQ is in the process of migrating ArcTitan customers to the new system and the process will be completed with minimal customer effort. First, TitanHQ will create a new account on the new infrastructure. Once the new account has been set up, TitanHQ will be in touch to provide the details and talk you through making a simple change to your connector/mail server to point it to the new server. Once that change has been made, all archived email will be sent to the new archive and the old account will receive no further archived emails. Once TitanHQ has verified mail flow, you will be told that the process has been completed.
TitanHQ will then commence the migration of your archive to the new account. Once that process has been completed, you will be contacted and asked to verify the data migration. Once confirmation has been received, the old archive on the original server will be deleted.
There will be a small delay between sending email to the new account and migrating your historical email data, but customers will not lose access to the old archive. Searches can still be performed on the old archive and you will retain full access to all of your historical email data during the migration.
If you have any questions about the migration or the new ArcTitan email archiving systems, our customer service team will be more than happy to help.
Managed Service Providers are an attractive target for cybercriminals. If a threat actor succeeds in gaining access to an MSP’s network, they can use the same remote management tools that MSPs use to conduct attacks on the MSP’s clients.
Many companies are now turning to MSPs for IT support and management services. This is often the most cost-effective solution, especially when companies lack the in-house IT expertise to manage their networks, applications, and security. An MSP will typically provide IT management services for many different companies. A successful cyberattack on the MSP can therefore give a threat actor access to the networks of all the MSP’s clients, which makes the attack extremely profitable.
There was a marked increase in cyberattacks on managed service providers in 2019, in particular by ransomware gangs using GandCrab, Sodinokibi, BitPaymer, and Ryuk ransomware. The MSPs were attacked in a variety of ways, including phishing, brute force attacks on RDP, and exploitation of unpatched vulnerabilities.
Once access has been gained to an MSP’s network, hackers search for remote management tools such as Webroot SecureAnywhere and ConnectWise, which the MSP uses to access its clients’ networks to provide IT services. Several 2019 ransomware attacks on MSPs used these tools to access clients’ networks and deploy ransomware. MSPs such as PerCSoft, TrialWorks, BillTrust, MetroList, CloudJumper, and IT by Design were all attacked in 2019 and ransomware was deployed on their and their clients’ networks.
Kyle Hanslovan, CEO at Huntress Labs, told ZDNet in a recent telephone interview that his company had provided support to 63 MSPs that had been attacked in 2019 but believes the total number of attacks was likely to be more than 100. However, the number of MSPs that have been attacked is likely to be substantially higher. It is likely that many cyberattacks on MSPs are not even detected.
The attacks have shown no sign of slowing. Recently the U.S. Secret Service issued a TLP Green alert warning MSPs of an increase in targeted cyberattacks. Compromised MSPs have been used to conduct business email compromise (BEC) attacks to get payments sent to attacker-controlled accounts. Attacks have been conducted on point-of-sale (POS) systems and malware has been deployed that intercepts and exfiltrates credit card data, and there have been many successful ransomware attacks.
In addition to cybercriminals, nation state-sponsored hacking groups have also been conducting cyberattacks on MSPs, notably hacking groups linked to China. The National Cybersecurity and Communications Integration Center (NCCIC) issued an alert about the threat to MSPs from state-sponsored hacking groups in October 2019.
Best Practices for MSPs to Adopt to Improve Their Security Posture
There are several best practices that can be adopted by MSPs to improve security and block these attacks. MSPs may currently be incredibly busy helping their clients deal with IT issues related to the COVID-19 pandemic, but given the increase in targeted cyberattacks on MSPs, time should be spent improving their own security, not just security for their clients.
The U.S. Secret Service recommends MSPs keep up to date on patching, especially patches for any remote administration tools they use. ConnectWise issued a security advisory last month and patched a flaw in the ConnectWise Automate solution. The API vulnerability could be exploited remotely by a threat actor to execute commands and/or modifications within an individual Automate instance. Vulnerabilities such as these are actively sought by cybercriminals.
The principle of least privilege should be adopted for access to resources to limit the harm caused in the event of a breach. It is also important to have well-defined security controls that are fully compliant with industry standards.
Annual data audits should be conducted along with regular scans to identify malware that may have been installed on systems. Logging should be enabled, and logs should be regularly checked to identify potentially malicious activity. MSPs should also ensure that their employees receive regular security awareness training to teach cybersecurity best practices and how to identify phishing and BEC scams.
The WannaCry ransomware attacks that started on May 12, 2017 were blocked quickly when a kill switch was identified and activated, but how much money did WannaCry make during the time it was active?
WannaCry was a devastating global cyberattack, the likes of which had been predicted by many cybersecurity professionals but had yet to materialize. WannaCry was the fastest spreading ransomware ever created.
WannaCry combined ransomware with a worm, which allowed it to automatically spread and infect huge numbers of devices on a network. The ransomware exploited a vulnerability in Windows Server Message Block (SMBv1) using an NSA exploit called EternalBlue.
The flaw exploited by EternalBlue had been reported to Microsoft and a patch was issued in March 2017, two months before the attacks started. However, many businesses were slow to apply the patch and were vulnerable to attack. Within a matter of hours, around 200,000 computers had been attacked in 150 countries. It is worth noting here that there are still many computers that have not been patched more than 2 and a half years after the patch was released, in spite of widespread news coverage about the threat of attack and its huge cost. WannaCry is still one of the biggest ransomware threats and accounts for a significant percentage of all successful ransomware attacks in 2019.
WannaCry was blocked by a British security researcher who discovered the ransomware checked a domain name prior to encrypting data, but that domain name had not been registered. He purchased the domain name, thus preventing file encryption.
That said, the speed at which the ransomware spread meant many devices were infected and encrypted. Since businesses were not protected if the ransomware encryption had already started by the time the kill switch was activated, the attackers must have had a huge payday. So how much did WannaCry make?
By today’s standards, the ransom demand was very small. Just $300 per infected device, which doubled to $600 if the payment was not paid within 3 days. It is actually easy to see how many payments were made, as the transactions are detailed in the blockchain. The recipient remains anonymous, but the payments can be seen.
The three Bitcoin addresses known to have been used in the WannaCry attacks currently show 430 payments have been made and 54.43228033 BTC has been sent to those accounts. The value of BTC is somewhat volatile and was much higher at points between now and the attacks, but at today’s exchange rate that equates to around $386,905. Most of the BTC payments have now been moved out of the accounts so the attackers have managed to cash out. Payments are also still being made to those accounts. The latest payments to one of the addresses were made in December 2019.
$386,905 may not seem like much of a payday considering the number of devices infected and the damage caused by the attack, and it’s not. Further, the attackers will need to convert that total to real money, and a considerable amount will be lost in that process. The payday was tiny considering the scale of the attack. However, the cost of the attack to businesses was colossal.
The National Health Service in the United Kingdom was hit badly, and the cleanup operation, together with the loss of business while that occurred, has been estimated to have cost £92 million. That was just one victim, albeit a major one. The total cost of the 2017 WannaCry ransomware attacks has been estimated to be $4 billion globally. However, even though the kill switch was flicked to block the initial attacks, the threat from WannaCry has not gone away. In 2019, two years after the initial attacks, millions of computers were still at risk as the vulnerability that was exploited had still not been fixed, and a new version of WannaCry was released that did not have the kill switch and continues to pose a threat. In 2019, Kaspersky said it was the most detected ransomware threat, with the ransomware infecting 164,433 users and accounting for 21 percent of detected ransomware attacks that year. ESET reports that WannaCry was the most commonly detected ransomware threat in Q1 2020, 3 years after the ransomware first appeared. The ransomware is still being used in attacks on unpatched systems in Thailand, Turkey, and Indonesia.
Next time you delay applying a patch or updating software, consider WannaCry and the potential costs of exploitation of a vulnerability. In all of the above cases – all 200,000+ attacks – applying the patch would have prevented the attack and the huge cost of remediation.