Month: July 2023

Search Engine Ads Abused to Gain Initial Access to Business Networks

Employees are being targeted in a new malvertising campaign that uses Google and Bing Ads offering a variety of trojanized installers for software solutions such as AnyDesk, Cisco AnyConnect VPN, and WinSCP. These campaigns deliver malware that establishes initial access in enterprise networks, allowing other malicious payloads to be delivered, including ransomware.

The ‘Nitrogen’ campaign was first analyzed by researchers at eSentire and later by Trend Micro, revealing that initial access was gained after a user was tricked into downloading an ISO image file from a compromised WordPress website. Malicious pay-per-click adverts are served in response to specific search terms and drive traffic to fake branded websites. Since the user is expecting to install legitimate software, they execute the installation file within the ISO image; unbeknownst to them, the installer drops a malicious DLL file which installs the Nitrogen initial access malware and a malicious Python package. Because the software the user expected is also installed, they would likely be totally unaware that their device has been compromised. After the malware is installed, additional payloads such as Cobalt Strike Beacons are loaded onto the victim’s systems, with at least one of the attacks also resulting in the deployment of BlackCat/ALPHV ransomware.

Malvertising attacks are an opportunistic way of gaining access to devices. By side-loading malware through trojanized software solutions likely to be downloaded by business and enterprise users, the attackers can gain access to valuable targets. Malvertising is commonly used for distributing malware. Several campaigns have recently been detected that deliver a range of remote access Trojans, information stealers, and other malicious payloads. In addition to malvertising, malware is commonly delivered via malicious websites that appear high in search engine listings for specific search terms used by employees, such as business software and document templates. Black hat search engine optimization (SEO) techniques are used to get the websites to appear high in the search engine listings – a technique referred to as SEO poisoning.

Malvertising and SEO poisoning offer cybercriminals a way of bypassing email filters, and these techniques have grown in popularity since Microsoft started blocking macros by default in Office documents delivered via the Internet. Combating malware delivery via malvertising and SEO poisoning requires a combination of security awareness training and web filtering. Employees should be taught about the risks of downloading software from the Internet and be made aware of the threat of SEO poisoning and malvertising through security awareness training.
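As an added illustration of the web-filtering side of this defense (example code written for this post, not TitanHQ's or any researcher's code), the following script scans constructed web-proxy log lines for two signals from the campaign described above: completed downloads of the file types a filter should block (.iso, .exe, .js) and lookalike hosts that carry an impersonated brand name (AnyDesk, AnyConnect, WinSCP) but are not the vendor's own domain. The log format, the vendor allowlist, and the sample hosts are assumptions; the lure hosts use the reserved .example TLD.

```python
import re
from urllib.parse import urlparse
# Download file types the article says the web filter should block.
BLOCKED_EXTENSIONS = (".iso", ".exe", ".js")
# Brands impersonated by the campaign, mapped to the vendor domains treated
# as legitimate here (assumed allowlist; adjust for your environment).
BRAND_ALLOWLIST = {
    "anydesk": ("anydesk.com",),
    "anyconnect": ("cisco.com",),
    "winscp": ("winscp.net",),
}
# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(url):
    """Reasons a successful download looks like a malvertising/SEO lure."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.path.lower().endswith(BLOCKED_EXTENSIONS):
        reasons.append("blocked_extension")
    for brand, allowed in BRAND_ALLOWLIST.items():
        on_vendor = any(host == d or host.endswith("." + d) for d in allowed)
        if brand in host and not on_vendor:
            reasons.append("lookalike:" + brand)
    return reasons

def scan_proxy_log(lines):
    """Return (client_ip, url, reasons) for completed GETs that need review."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed entries rather than crash
        _, client, method, url, status = m.groups()
        if method == "GET" and status == "200":
            reasons = classify(url)
            if reasons:
                findings.append((client, url, reasons))
    return findings

# Constructed sample entries (not real traffic); lure hosts use a reserved TLD.
SAMPLE_LOG = [
    "2023-07-12T09:01:10Z 10.0.0.15 GET https://anydesk.com/en/downloads 200",
    "2023-07-12T09:02:41Z 10.0.0.15 GET https://anydesk-setup.example/AnyDesk.iso 200",
    "2023-07-12T09:06:19Z 10.0.0.22 GET https://winscp-official.example/WinSCP-Setup.exe 200",
    "2023-07-12T09:07:50Z 10.0.0.31 GET https://cdn.example/static/app.js 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the two lookalike ISO/EXE downloads and the bare .js download while leaving the visit to the real vendor site alone; in practice the lookalike hits are the ones worth an analyst's attention, since a legitimate .js fetch from a CDN is routine.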

SafeTitan from TitanHQ is a comprehensive security awareness training platform that allows businesses to teach cybersecurity best practices and raise awareness of the full range of email and web-based threats. WebTitan is a DNS-based web filtering solution that businesses can use to control access to the Internet. WebTitan can be configured to block downloads of file types often used by malicious actors for installing malware, such as .ISO, .exe, .js, and other executable file types. For more information on defending against web-based attacks, give the TitanHQ team a call. SafeTitan security awareness training and the WebTitan web filter are available on free trials to allow you to evaluate both solutions before making a decision on a purchase.

TitanHQ Releases WebTitan 5.03

TitanHQ has released WebTitan 5.03 which includes several new features that have been requested by managed service providers (MSPs) to improve usability, along with updated reports, layouts, and several bug fixes.

WebTitan is an award-winning DNS-based web filtering solution that has been adopted by thousands of SMBs, enterprises, and MSPs. WebTitan allows administrators to exercise control over the websites and web pages that can be accessed on wired and wireless networks through category-based and URL filtering, restrictions on file downloads from the Internet, and the blocking of malicious web content through constantly updated blacklists. WebTitan monitors and identifies malicious threats in real-time with unmatched speed, scale, and accuracy and has no limits on the volume of usage and no latency. WebTitan can be used to control Internet access on wired networks as well as off-network through the WebTitan On-the-Go (OTG) agent.

Notable feature upgrades in WebTitan 5.03 include new customization capabilities for customers’ global default policies, which allow policies to be customized at the customer level. WebTitan 5.03 can inherit allowed and blocked domains from customers’ default policies, and support has now been added for allowing and blocking a top-level domain (TLD) in customer policies and global domains. MSPs benefit from customization of the global default policy at the MSP level, which allows custom default policies to be applied when creating customer accounts. Other enhancements include a new summary report page and an updated layout for the custom block page. WebTitan 5.03 is now being rolled out to existing customers and is available to new customers.

Earlier this month, the SafeTitan security awareness training and phishing simulation platform received an update to add a new feature for MSPs to make it much easier for them to provide continuous training and phishing simulations to their customers. The Auto Campaigns feature allows MSPs to automate the provision of phishing simulation campaigns by creating an annual set of simulation campaigns for customers in a matter of minutes, greatly reducing the time that needs to be spent on planning and management. The new feature improves operational efficiency and profitability, eliminating the complexities of managing multiple customers’ security awareness training programs.

SpamTitan users are also due to receive an upgrade with the imminent release of SpamTitan version 9.01, which includes several new and advanced features to improve usability for MSPs. The upgrades include history/quarantine for MSPs, allowing them to act on customer emails at the MSP level; Link Lock inheritance, so that Link Lock settings are inherited from the MSP level without drilling down into individual domains; and pattern filtering for MSPs, which simplifies the administration of SpamTitan by allowing customers to be secured from one place. Email analysis has also been made easier with a simplified mail view, and a new ‘Add Products’ section makes it easier for MSPs to offer other TitanHQ solutions to their customers for defense-in-depth security.