Our news section dedicated to cybersecurity advice is regularly updated with news about the latest online threats and most recently-discovered security vulnerabilities – and advice on how to deal with them.
MSPs will particularly find our cybersecurity advice security of value, as it addresses many of the online security issues that clients may have heard about and developed concerns about their own cybersecurity defenses.
MSPs can reassure clients that the risk of systems and networks being infected by an online threat – or security vulnerabilities in their software being exploited by a hacker – can be nullified with a web filtering solution from TitanHQ.
Awareness of the additional security provided by HTTPS websites is increasing, but so too are HTTPS phishing websites. Cybercriminals are taking advantage of consumer trust of websites that encrypt connections with web browsers.
The risks of disclosing sensitive information such as credit card numbers on HTTP sites has been widely reported, with more sites now using the Hypertext Transfer Protocol Secure (HTTPS) to prevent man-in-the-middle attacks and improve security for website visitors. However, just because a website starts with HTTPS does not mean that website is safe.
HTTPS phishing websites also secure the connection. Divulging login credentials or other sensitive information on those sites will place that information in the hands of criminals.
A recent report from Netcraft shows more phishing websites are now using HTTPS to communicate, with the percentage of HTTPS phishing websites jumping from 5% to 15% since the start of 2017.
Internet users are now being warned if they are visiting a website that does not encrypt connections. Google Chrome and Firefox browsers have recently started displaying warnings on sites that are not secure.
The problem is that many users automatically assume that if a website starts with HTTPS it is safe and secure when that is far from the case.
Even if a website is genuine and encrypts communications, that does not mean the website cannot be compromised. If a hacker gained access to a website with a SSL certificate it would be possible to add pages that phish for sensitive information. The website would still display the green lock symbol and start with HTTPS.
HTTPS phishing websites may also have valid digital certificates meaning even Firefox and Google Chrome browsers will not flag the sites as potentially malicious. Those sites may also include the brand names of legitimate websites such as Facebook, Amazon, or PayPal. In the case of the latter, a recent report from the SSL Store revealed that there were 15,270 websites that contained the word PayPal which had been issued with SSL certificates.
The rise in HTTPS phishing websites shows that simply checking the protocol used by the site is no guarantee that the site is not malicious. Care must be taken when accessing any website, regardless of the protocol used by the site.
Businesses can improve protection by implementing a web filtering solution capable of reading encrypted web traffic. This will help to ensure employees are prevented from visiting malicious websites on their work computers, regardless of the protocol used by the sites.
WebTitan not only allows organizations to block websites by category, content or keyword, the web filtering solution also decrypts, reads, and then re-encrypts connections and will block phishing and other malicious websites. By inspecting HTTPS websites, WebTitan will also ensure access to any secure website is blocked if the site or webpage violates user-set rules on website content.
A Mac malware warning has been issued for any individual who recently downloaded Handbrake for Mac. A server was compromised and a remote access Trojan was bundled with the Handbrake Apple Disk Image file.
A credential-stealing Remote Access Trojan was discovered to have been bundled with the Handbrake video transcoder app for the MacOS, with Handbrake for Mac downloads between May 2 and May 6, 2017 potentially also installing the MacOS Proton RAT.
A Mac malware warning has been issued for all users who recently downloaded the app. It is strongly recommended that any individual who downloaded the app between the above dates verifies that they have not been infected. According to a statement issued by the developers of the app, individuals have a 50/50 change of infection if they downloaded the app between the above dates.
Cybercriminals were able to compromise a server and bundle the malware with the app, with all users who used the download.handbrake.fr mirror potentially infected.
Apple has now updated its OSX’s XProtect to detect and remove the infection although individuals at risk should check to see if their device has been infected. Infection can be detected by looking for the Activity_agent process in the OSX Activity Monitor. If the process is running, the device has been infected with the Trojan.
Any user infected with the malware will need to change all passwords stored in the MacOS keychain. Any password stored in a browser will also need to be changed, as it is probable it has also been compromised.
The Trojan can be easily removed by opening the Terminal and entering the following commands before removing all instances of the Handbrake app:
if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
The MacOS Proton RAT was first identified earlier this year. It is capable of logging keystrokes to steal passwords, can execute shell commands as root, steal files, take screenshots of the desktop and access the webcam. Once installed, it will run every time the user logs on.
Only Handbrake for Mac downloads were affected. Any user who recently upgraded through the Handbrake update mechanism will not be affected, as checks are performed to prevent the downloading of malicious files.
The compromised server has now been shut down to prevent any further malware downloads. At this stage it is unclear how access to the server was gained and how the Handbrake Apple Disk Image file was replaced with a malicious version.
A patch has been rushed and released to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.
If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.
The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.
The remotely exploitable bug could allow a system to be completely compromised, giving attackers full access to an infected computer or server, since the software and all associated processes run at LocalSystem privilege level.
The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.
While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk. Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment. The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.
The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.
On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force and GDPR compliance will be mandatory. Now is the time to get prepared. GDPR compliance is likely to require considerable effort and resources. If your organization is not prepared, you may miss the GDPR compliance deadline.
GDPR is a new regulation that will apply to all organizations based in EU member states, as well as those based in non-member states that capture, hold or process the data of EU citizens. GDPR is a replacement of the 1995 EU Data Protection Directive and will address web-based technology that was not widely available in 1995. Use of the cloud for instance.
The new regulation will help to ensure the personal data of EU citizens is protected and the risk of sensitive data being exposed is minimized. The new regulation will also allow EU citizens to have much greater control over the personal data that is collected and stored by organizations, and how those data are used.
How Will GDPR Protect Consumers?
One of the main elements of GDPR is improving the rights of EU citizens with regards to the personal data that is collected, stored and used by organizations. GDPR requires organizations to obtain informed consent from consumers prior to collecting and using their data. Consumers must be told the reason why data are being collected, how data will be used, and consumers must be told that they can withdraw their consent at any time. A mechanism must be put in place that will allow an organization to delete data when it is no longer required or when consent is withdrawn.
GDPR gives consumers the right to:
Find out how their data will be used
Discover how data were obtained if informed consent was not provided
Access personal data
Find out how long data will be stored
Correct errors in stored data
Move data to a different processor
Restrict or prohibit the processing of data
Find out with whom data have been or will be shared
Have data permanently erased
Avoid being evaluated on the basis of automated processing
Organizations must also limit the data collected to the minimum necessary amount for the purpose that has been described to consumers to be performed.
While organizations that have an online presence and actively collect data will have to comply with GDPR – Amazon for example – GDPR will apply to a much broader range of companies. In fact, many companies that do not have an online presence will need to comply with GDPR. GDPR will apply to any company that collects the types of data covered by the GDPR definition of personal information. That includes organizations that store ‘personal data’ of employees in an electronic database.
What Data are Covered by GDPR?
Under GDPR, personal information includes an individual’s name and a host of other identifiers, including online identifiers such as location data, IP addresses, cookies and other “pseudonymous data”. Information such as race and ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, details of sex life, criminal convictions, trade union membership, health data, biometric data, and genetic data are all covered.
Data Security Standards Necessary for GDPR Compliance
GDPR also covers the protections that must be put in place by organizations to ensure the confidentiality, integrity, and availability of data. That includes stored data and all data that flows through systems or applications.
GDPR compliance requires organizations to conduct a risk/gap analysis to assess potential vulnerabilities in their current systems and processes.
Companies must “implement appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of data. Those measures should “ensure a level of security appropriate to the risk.”
Companies must adopt a privacy and security-by-design approach, and ensure that controls are implemented during the planning stages, development, implementation, and use of applications and systems. Regular testing and security assessments must also be performed.
Systems must also be implemented that allow data to be recovered and restored in the event of a security incident or technical problem being experienced.
Data Breach Notification Requirements of GDPR
Any organization that experiences a breach of data covered by GDPR must inform their Data Protection Authorities (DPAs) within 72 hours of the breach being discovered. Individuals impacted by a data breach must also be notified, if such a breach has potential to result in identity theft or fraud, discrimination, financial loss, reputation damage, or other significant economic or social disadvantage. Notifications will not be required if stored data are encrypted or are otherwise undecipherable and unusable.
Preparing for GDPR
Many organizations currently lack the necessary systems to ensure GDPR compliance. For instance, many do not have systems that allow them to easily identify consumer data, retrieve it, and delete it as necessary.
Privacy policies will need to be drafted and published to incorporate the new regulation and ensure GDPR compliance. Forms explaining consent to use data will need to be developed and published. Staff will need to be trained on the new rights of individuals. Policies must also be developed – or updated – covering data breach notifications in case personal information is exposed, accessed, or stolen. Additional security solutions will need to be implemented. GDPR compliance will involve considerable cost and resources and ensuring GDPR compliance will take time.
Organizations must therefore start preparing for the introduction of the new regulation. It may be a year before GDPR compliance is necessary, but given the necessary changes, organizations should start planning now. From May next year, GDPR compliance will be mandatory and there will be severe penalties for non-compliance.
What are The Penalties for Non-Compliance with GDPR?
Any organization that fails to comply with GDPR can be fined by their DPAs. DPAs will be given more powers to investigate data breaches and non-compliance. The potential fines for non-compliance with GDPR are considerable.
If an organization does not comply with the GDPR security standards, a fine of up to €10 million can be issued or 2% of global annual turnover, whichever is the greater. The failure to comply with GDPR privacy standards can attract a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.
Fines will be dictated by the extent of the violation or data breach, the number of individuals impacted, and the extent to which the organization has implemented controls and standards to ensure GDPR compliance.
Individuals also have the right to seek compensation if their personal information is misused or stolen, if they have suffered harm as a result. Criminal sanctions may also be applied, such as if data is collected without consent.
Organizations are likely to suffer reputational damage in the event of a data breach, as the EU will be naming and shaming organizations that fail to implement appropriate measures to protect data and prevent data breaches. Details of organizations that have not complied with GDPR will be published and made available to the public.
How Can TitanHQ Help with GDPR Compliance?
TitanHQ offers a range of data security solutions that offer real-time protection against viruses, malware, ransomware and spyware to help organizations effectively manage risk, prevent data breaches, and ensure GDPR compliance.
TitanHQ offers award-winning security solutions to prevent web-based and email-based cyberattacks, in addition to helping organizations protect themselves from insider breaches.
SpamTitan is an advanced email security solution that protects organizations from email-based attacks such as phishing, blocking the most common method of malware and ransomware delivery. SpamTitan detects and blocks 99.97% of spam email, with a range of deployment options to suit the needs of all businesses.
WebTitan offers industry-leading protection against a wide range of web-based threats such as exploit kits, malvertising, phishing websites and drive-by malware downloads. The solution allows data protection officers to limit the types of websites that can be accessed by employees to minimize risk.
ArcTitan is an easy to use email archiving system that copies all inbound and outbound messages and stores them in an encrypted email archive, preventing loss of data and ensuring emails can be recovered and audited. The solution satisfies GDPR compliance requirements for identifying, retrieving, and deleting individuals’ personal data, when its purpose has been served or consent is withdrawn.
For more information on TitanHQ’s cybersecurity solutions and how they can help with GDPR compliance, contact the TitanHQ team today.
Do you have any machines running on unsupported operating systems? Is all of your software up to date with all of the latest patches applied? If you are not patching promptly or are still running outdated, unsupported operating systems or software, you are taking unnecessary risks and are leaving your network open to attack.
Hackers are constantly trawling the Internet looking for vulnerable systems to attack. Even if you are only running Windows XP or Vista on one networked machine, it could allow a hacker to exploit vulnerabilities and gain access to part or all of your network.
An alarming number of businesses are still running outdated software and are not patching promptly. For instance, 7.4% of businesses are still using Windows XP, even though Microsoft stopped issuing patches three years ago.
Hackers are discovering new vulnerabilities in software and operating systems faster than the software manufacturers can address those flaws. Zero-day vulnerabilities are regularly discovered and exploits developed to take advantage of the flaws and gain access to business networks. When a software developer stops issuing updates, the list of potential vulnerabilities that can be exploited grows fast.
Take Windows for example. Each set of updates released by Microsoft every Patch Tuesday contains patches to remediate several critical vulnerabilities that could be exploited to run code or access a system and gain user privileges. While exploits may not currently exist for those flaws at the time the patches are released, that is not the case for long. Hackers can look at the updates and reverse engineer patches to discover the vulnerabilities. Exploits can then be developed to attack unpatched machines.
Take the recent set of updates addressed by Microsoft in its March Patch Tuesday update as an example. Microsoft silently patched a slew of flaws for which exploits had been developed. Four days later, exploit tools from The Equation Group were dumped online by Shadow Brokers. Those tools could be used to exploit the flaws addressed by Microsoft a few days previously.
The exploit tools can be used to attack unpatched machines, but the patches were only issued to address flaws in supported versions of Windows. Many of those exploit tools can be used to attack unsupported Windows versions such as XP and Vista.
One of those tools, called Eternalromance, will likely work on all previous versions of Windows back to Windows XP. EasyPi, Eclipsedwing, Emeraldthread, eraticgopher and esteemaudit have all been confirmed to work on Windows XP.
Those are just the exploit tools recently discovered by The Equation Group. They represent just a small percentage of the exploits that exist for flaws in older, unpatched Windows versions. In addition to exploits for Windows flaws, there are exploits for many software programs.
There will always be zero day exploits that can be used to attack businesses, but running outdated software and unsupported operating systems makes it too easy for hackers.
Businesses of all sizes must therefore ensure that they have good patch management policies covering all software and operating systems and all devices. However, since unsupported operating systems will never be patched, continued use of those products represents a very large and unnecessary risk.
The cost of a ransomware attack is far higher than the amount demanded by cybercriminals to unlock encrypted files. The final cost of a ransomware attack is likely to be many times the cost of the ransom payment, in fact, the ransom payment – if it is made – could be one of the lower costs that must be covered.
Typically, cybercriminals charge between $400 and $1,000 per infected computer to supply the keys to decrypt data. If one member of staff is fooled into clicking on an infected email attachment or downloading ransomware by another means, fast action by the IT team can contain the infection. However, infections can quickly spread to other networked devices and entire networks can have files encrypted, crippling an organization.
Over the past 12 months, ransomware attacks have increased in number and severity. New ransomware variants are constantly being developed. There are now more than 600 separate ransomware families, each containing many different ransomware variants.
Over the past year there has also been an increase in ransomware-as-a-service (RaaS). RaaS involves developing a customizable ransomware which is rented out to affiliates. Any individual, even someone with scant technical ability, can pay for RaaS and conduct ransomware campaigns. Access to the ransomware may be as little as $50, with the affiliate then given a cut of the profits. There has been no shortage of takers.
Figures from FireEye suggest ransomware attacks increased by 35% in 2016. Figures from the FBI released in March 2016 suggested ransomware had already netted cybercriminals $209 million. Herjavec Group estimated that ransomware profits would top $1 billion in 2016; a considerable rise from the $24 million gathered during the previous calendar year. Figures from Action Fraud indicate ransom payments in the United Kingdom topped £4.5 million last year.
While ransom demands for individual infections can be well below $1,000, all too often ransomware spreads to multiple computers and consequently, the ransom increases considerably. Cybercriminals are also able to gather information about a victim and set ransoms based on ability to pay.
In June 2016, the University of Calgary paid $16,000 to recover its email system. In February last year, Hollywood Presbyterian Medical Center (HPMC) paid a ransom payment of $17,000 to unlock its system. A ransom demand in excess of $28,000 was demanded from MIRCORP following an infection in June 2016. The MUNI metro ransomware attack in San Francisco saw a ransom demand of $73,000 issued!
Figures from Malwarebytes suggest globally, almost 40% of businesses experienced a ransomware attack in the previous year. Ransomware is big business and the costs are considerable.
What is the Cost of a Ransomware Attack?
Ransomware infections can cause considerable financial damage. The cost of a ransomware attack extends far beyond the cost of a ransom payment. The Malwarebytes study suggests more than one third of businesses attacked with ransomware had lost revenue as a result, while 20% were forced to stop business completely.
The FBI and law enforcement agencies strongly advise against paying a ransom as this only encourages further criminal activity. Organizations that are unprepared or are unable to recover data from backups may have little choice but to pay the ransom to recover data essential for business.
However, the true cost of a ransomware attack is far higher than any ransom payment. The HMPC ransomware infection resulted in systems being out of action for 10 days, causing considerable disruption to hospital operations.
System downtime is one of the biggest costs. Even if backup files exist, accessing those files can take time, as can restoring systems and data. Even if a ransom is paid, downtime during recovery is considerable. One study by Intermedia suggests 32% of companies that experienced a ransomware attack suffered system downtime for at least five days.
A study by Imperva on 170 security professionals indicates downtime is the biggest cost of a ransomware attack. 59% of respondents said the inability to access computer systems was the largest cost of a ransomware attack. 29% said the cost of system downtime would be between $5,000 and $20,000 per day, while 27% estimated costs to be in excess of $20,000 per day.
One often forgotten cost of a ransomware attack is notifying affected individuals that their data may have been compromised. Healthcare organizations must also notify individuals if their protected health information (PHI) is encrypted by ransomware under HIPAA Rules.
Major attacks that potentially impact tens of thousands of patients could cost tens of thousands of dollars in mailing and printing costs alone. Credit monitoring and identity theft protection services may also be warranted for all affected individuals.
Many affected individuals may even choose to take their business elsewhere after being notified that their sensitive information may have been accessed by cybercriminals.
Following a ransomware attack, a full system analysis must be conducted to ensure no backdoors have been installed and all traces of malware have been removed. Additional protections then need to be put in place to ensure that future attacks do not occur.
The true cost of a ransomware attack is therefore considerable. The final cost of a ransomware attack could be several hundred thousand dollars or more.
It is therefore essential that businesses of all sizes have appropriate protections in place to prevent ransomware attacks and limit their severity if they do occur.
To find out more about some of the key protections that you can put in place to improve your resilience against ransomware attacks, contact the TitanHQ team today.
In all likelihood, 2016 will be forever remembered as The Year of Ransomware, in the same way that 2014 was the year of the healthcare data breach.
2016 Will be Remembered as The Year of Ransomware
Ransomware first appeared in the late 1980’s, although at the time, cybercriminals did not fully embrace it. Instead, they favored viruses, worms, and other forms of malware. That’s not to say that ransomware was not used, only that there were more lucrative ways for cybercriminals to make money.
That all started to change in 2015, when the popularity of cryptomalware was fully realized. By 2016, many actors had got in on the act and the number of ransomware variants started to soar, as did attacks on healthcare providers, educational institutions, government departments, businesses, and even law enforcement agencies. In 2016, it appeared that no one was immune to attack. Many organizations were simply not prepared to deal with the threat.
Early in the year it became clear that healthcare organizations were starting to be targeted for the first time. In February, one of the most notable ransomware attacks of the year occurred. Hollywood Presbyterian Medical Center in Hollywood, CA., was attacked and its computers were taken out of action for well over a week while the medical center grappled with the infection. The decision was taken to pay the ransom demand of $17,000 to obtain the key to decrypt its data.
Not long afterwards, MedStar Health suffered a massive infection involving many of the computers used by the hospital system. In that case, the $19,000 ransom was not paid. Instead, encrypted data were recovered from backups, although the disruption caused was considerable. 10 hospitals and more than 250 outpatient centers had their computers shut down as a result of the infection and many operations and appointments had to be cancelled.
In the first quarter of 2016 alone, the FBI reported that more than $206 million in ransom payments had been made by companies and organizations in the United States. To put that figure in perspective, just $24 million had been paid in the whole of 2015 – That represents a 771% increase in ransom payments and only three months had passed. The year of ransomware had barely even begun!
Biggest Ransomware Threats in 2016
TeslaCrypt was one of the biggest ransomware threats at the start of the year, although the emergence of Locky ransomware in February saw it become an even bigger threat. It soon became the ransomware variant of choice. Locky was used in attacks in 114 countries around the world last year, and cybercriminals continue to tweak it and release new variants. Locky has yet to be cracked by security researchers. Then came Cerber, CryptXXX, Petya (which was defeated in April), and Dogspectus for smartphones, to name just a few.
By the summer, The Guardian newspaper reported that 40% of UK businesses had been attacked with ransomware, although the majority of ransomware attacks were concentrated in the United States. By the autumn, more than 200 ransomware families had been discovered, each containing many variants.
Reports of attacks continued to flood in over the course of the year, with ransomware arguably the biggest cybersecurity threat seen in recent years.
2016 was certainly The Year of Ransomware, but 2017 doesn’t look like it will get any easier for security professionals. In fact, 2017 is likely to be even worse. Some experts have predicted that ransomware revenues will reach $5 billion in 2017.
You can find out more interesting – and horrifying – ransomware statistics by clicking the image below to view the TitanHQ ransomware infographic. The ransomware infographic also includes information on the protections that should be put in place to prevent ransomware attacks and the encryption of sensitive data.
Consumers and businesses need to take steps to protect their computers from malware infections, but should there be more malware protection at the ISP level?
Businesses and personal computer users are being infected with malware at an alarming rate, yet those infections often go unnoticed. All too often malware is silently downloaded onto computers as a result of visiting a malicious website.
Websites containing exploit kits probe for vulnerabilities in browsers and plugins. If a vulnerability is discovered it is exploited and malware is downloaded. Malware can also easily be installed as a result of receiving a spam email – if a link is clicked that directs the email recipient to a malicious website or if an infected email attachment is opened.
Cybercriminals have got much better at silently installing malware. The techniques now being used see attackers install malware without triggering any alerts from anti-virus software. In the case of exploit kits, zero-day vulnerabilities are often exploited before anti-virus vendors have discovered the flaws.
While malware infections may not be detected by end users or system administrators, that does not necessarily mean that those infections are not detected. Internet Service Providers – ISPs – are in a good position to identify malware infections from Internet traffic and an increasing number are now scanning for potential malware infections.
ISPs are able to detect computers that are being used for malicious activities such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and doing so is a relatively easy process.
Malware Protection at the ISP Level
Malware protection at the ISP level involves implementing controls to prevent malware infections and notifying consumers when malicious activity is detected.
ISPs can easily check for potential malicious activity on IP addresses, although blocking those IP addresses is not the answer. While some computers are undoubtedly knowingly used for malicious purposes, in many cases the users of the computers are unaware that their device has been compromised.
ISPs can however alert individuals to a potential malware infection when suspicious activity is identified. Warning emails can be sent to end users to advise them that their computer is potentially infected with malware. Those individuals can be sent a standard email template that contains instructions on how to check for a malware infection.
An increasing number of ISPs are now performing these checks and are notifying their customers of suspicious activity. Many ISPs in Europe provide this cybersecurity checking service and Level 3 Communications is one such ISP that is taking the lead.
The ISP is assessing Internet traffic and is identifying potentially malicious activity associated with certain IP addresses. So far, the ISP has created a database containing around 178 million IP addresses that are likely being used for malicious activity. Many of those IP addresses are static and are part of a botnet. Level3 Communications has estimated that around 60% of those IP addresses have been added to a botnet and 22% of the suspicious IP addresses are believed to be used to send out phishing email campaigns.
The content of Internet traffic is not investigated, although the ISP has been able to determine the IP addresses being used and those which are being sent messages and Internet traffic. While the IP addresses are known, the individuals that use those IP addresses are not. In order to notify individuals of potential infections, Level3 Communications is working with hosting providers. Once the individuals are identified they are contacted and advised of a potential malware infection.
The war on cybercrime requires a collaborative effort between law enforcement, governments, ISPs, and consumers. Only when all of those parties are involved will it be possible to curb cybercrime. Consumers can take steps to prevent infection, as can businesses, but when those measures are bypassed, ISPs can play their part.
If all ISPs were to conduct these checks and send out alerts, malware infections could be tackled and life would be made much harder for cybercriminals.
ISP Web Filtering for WiFi Networks – Protecting Consumers from Malware Infections
Notifying consumers about malware infections is one thing that should be considered, but malware protection at the ISP level should be implemented to prevent consumers and businesses from being infected in the first place.
ISPs can implement web filtering controls to block the accessing of illegal website content such as child pornography. The same technology can also be used to block websites known to contain malware. Broadband providers can implement these controls to protect consumers, and providers of public Internet can use web filtering for WiFi networks.
WiFi filters have already been implemented on the London Underground to prevent users from accessing pornography. Those controls can be extended to block websites known to be malicious. In the UK, Sky WiFi networks use filtering controls to block certain malicious and inappropriate website content from being accessed to better protect consumers. Effective malware protection at the ISP level not only keeps consumers protected, it is also a great selling point in a highly competitive market.
If you are an ISP and are not yet using filtering controls to protect your customers, speak to TitanHQ today and find out more about malware protection at the ISP level and how low-cost web filtering controls can be implemented to keep customers better protected.
The past few months have seen an increase in phishing attacks on law firms. Cybercriminals are attacking law firms to gain access to the highly confidential data held by attorneys and solicitors. Healthcare industry attacks are often conducted to obtain sensitive patient data that can be used for identity theft and tax fraud. Phishing attacks on law firms on the other hand are conducted to steal data for insider trading. Data are also stolen to allow cybercriminals to blackmail law firms.
Law firms are threatened with reputation-killing publication of highly sensitive client data if sizeable payments are not made. Since law firms hold secret documents, including potentially damaging information on their clients, it is not only the law firm that can be blackmailed. Clients are also contacted and threatened. The profits that can be made from insider trading are enormous. The data held by law firms is incredibly valuable. It is therefore no surprise that phishing attacks on law firms are increasing. Cybercriminals see law firms as perfect targets.
Last year, more than 50 law firms were targeted by Russian hackers using a spear phishing campaign. The aim of that attack was to gather information that could be used for insider trading. The group, called Oleras, attacked some of the best-known law firms operating in the United States, including Cravath Swaine & Moor LLP and Gotshal and Manges LLP.
However, while those attacks were damaging, they arguably caused less harm than the Panama Papers Breach – The largest law firm data breach of the year. That attack resulted in an astonishing 2.6 Terabytes of data being stolen by the attackers – Documents that revealed highly sensitive banking activities of criminals, politicians, athletes and businessmen and women. More than 214,000 companies had data revealed as a result of that law firm data breach.
While law firms must ensure that firewalls are in place along with a host of other cybersecurity protections to prevent their systems from being hacked, all too often data breaches start with phishing attacks on law firms. A simple email containing a link to a website is sent to attorneys’ and solicitors’ inboxes. The links are clicked and users are fooled into revealing login credentials to networks and email accounts. The credentials are captured and used to gain access to sensitive data.
Website filtering for law firms is now as essential a protection as the use of antivirus software. Antivirus software may be able to detect attempted malware installations – although it is becoming less effective in that regard – although it will do little to prevent phishing attacks.
A web filter protects law firms by preventing users from visiting malicious links in emails. A website filtering solution also prevents end users from downloading malware, or accessing websites known to carry a high risk of infection with ransomware or malware. A web filter also prevents law firm staff from accidentally visiting phishing websites when browsing the Internet. Along with a robust spam filtering solution to prevent phishing emails from being delivered, law firms can make their networks and email accounts much more secure.
Further information on recent phishing attacks on law firms, along with steps that can be taken to prevent security breaches, can be found by clicking the image below. Clicking the image will direct you to a useful phishing infographic on this website.
You have secured your servers, you have end point protection, but have you ensured your organization is protected against printer hacking? According to one hacker, as many as 300,000 organizations have left a gaping hole in their security defenses as a result of leaving their printers open to the Internet and failing to even use any form of authentication.
Your Printer Has Been Owned!
The hacker decided to draw attention to the problem, not by publishing details of the flaws, but by attacking around 150,000 companies. The attack was rather benign. The hacker did not attempt to gain access to network resources or install malware. He just sent rogue jobs to the printers.
The printouts said “Your printer has been owned.” The hacker also claimed the printers had been added to ’a flaming botnet’ as a result of the lack of security in place. Some of the messages sent are not appropriate for reproduction. A common message was ‘everyone likes a meme, fix your bull***t.’
The claims were not true, but the hacker did prove a point. Printer hacking is a very real threat and future attacks may be much more malicious in nature. If printers are left open to the Internet with no authentication required, they could be subjected to DoS attacks. Companies would be left unable to print. Printers could also be added to botnets. Those would be best-case scenarios of course. Printer hacking could cause much more serious harm.
Hackers could take advantage of flaws and run arbitrary code. Printers could be used as a launchpad to gain access to corporate networks, sabotage systems, install malware and ransomware, and stealing corporate secrets and sensitive customer and patient data.
Following the printer cyberattack, the ‘victims’ took to social media to report the incidents. Some reported that corporate network printers were affected, others claimed their POS system printers had been owned. In the case of the former, the cyberattack could potentially have resulted in a network compromise. In the case of the latter, credit and debit card-stealing malware could have been installed.
The hacker in question claims he is a UK student with an interest in security research. He says he has access to RCE flaws that would enable him to take control of more than 300,000 printers. In this experiment, he took advantage of the lack of authentication controls on communications port 9100. The attacks involved the RAW protocol, Internet Printing Protocol (IPP) and the Line Printer Daemon (LPD).
Many of the printers susceptible to printer hacking are used by universities and other higher education establishments. In a separate ‘attack’ a different hacker also proved a point about the lack of security controls, the ease of finding computers to attack, and just how easy it was to send rogue output to printers. He chose to send anti-sematic print jobs to printers at universities in the United States for maximum coverage. After the attacks, reports started flooding social media from students at Yale, UC Berkeley, DePaul University and UMass Amherst.
Printer Hacking Mitigation Required
The two hacks come just a few days after security researchers in Germany announced they had discovered vulnerabilities in printer manufacturers by some of the big names in computer hardware, such as Samsung, HP, Dell and Lexmark. More than 20 models of printer were discovered to contain flaws that could be easily exploited. Undoubtedly many more printers are vulnerable.
If printers are left exposed and can be accessed by anyone over the Internet, it will only be a matter of time before a malicious attack occurs. Protecting against printer hacking is therefore essential. To do this, printers should be set up on a virtual private network (VPN) and organizations should make 100% sure that their printers cannot be accessed through public IP addresses. That would require access controls to be applied to routers to whitelist certain IP ranges.
A restaurant WiFi filtering service can help to keep customers safe when they use the Internet by blocking access to websites known to contain malware. A restaurant WiFi filtering service will also ensure that patrons can only view website content that is suitable for families.
WiFi networks are often abused and used by some individuals to view pornography or other material that has no place in a restaurant. If one diner chooses to view such material on a personal device while in a restaurant, other diners may catch glimpses of the screen – That hardly makes for a pleasant dining experience.
However, there is another important reason why a restaurant WiFi filtering service should be used. Diners can be protected from a range of web-borne threats while using free wi-Fi networks, but also the computer systems of the restaurant.
Each year, many restaurants discover that their computers and networks have been infected with malware. Malware infections are often random; however, restaurants are now being targeted by cybercriminals. If a hacker can gain access to a restaurant’s computer network and succeeds in loading malware onto its POS system, every customer who pays for a meal with their debit or credit card could have their credentials sent to the hacker.
Restaurants, especially restaurant chains, are targeted for this very reason. One infected POS system will give a cybercriminal a steady source of credit card numbers. Each year, there are many examples of restaurants that have been attacked in this manner. One of the latest restaurant chains to be attacked was Popeye’s Louisiana Kitchen – A multinational chain of fried chicken and fast food restaurants.
Popeyes recently discovered a cyberattack that resulted in malware being installed on its systems. The attack started on or around May 5, 2016 and continued undiscovered until August 18, 2016. During that time, certain customers who paid for their meals on their credit and debit cards had their card numbers stolen by the malware and passed on to the attackers.
Popeyes only discovered the cyberattack when it received notification from its credit card processor of suspicious activity on customers’ accounts. CCC Restaurant Enterprises, which operates Popeyes, retained a forensic expert to analyze its systems for signs of its systems having been compromised. That analysis revealed a malware infection. The information stealing malware was passing credentials to the attacker and those details were being used to defraud customers. Ten restaurants in the chain were known to have been affected. Those restaurants were located in Georgia, North Carolina, and Texas. The malware infection has now been removed and customers are no longer at risk, although the cyberattack undoubtedly caused reputation damage for the chain.
Malware can be installed via a number of different vectors. Vulnerabilities can be exploited in servers and software. It is therefore essential to ensure that all software is patched and kept up to date. Attacks can occur via email, with malicious links and attachments sent to employees. A spam filter can block those emails and prevent infection. Attacks can also take place over the Internet. The number of malicious websites now produced every day has reached record levels and the threat level is critical.
A restaurant WiFi filtering service will not protect against every possible type of attack but it does offer excellent protection against web-borne threats. A web filtering service can also prevent users from visiting malicious links sent in spam and phishing emails, blocking users’ attempts to click the links. A restaurant WiFi filtering service will also ensure family-friendly Internet access is provided to customers. Something that is increasingly important for parents when choosing a restaurant.
To find out more about how a restaurant WiFi filtering service can be implemented, the wide range of benefits that such a service offers, and for details of how you can trial the WebTitan restaurant WiFI filtering service for 30 days without charge, contact the TitanHQ team today.
The increase in cyberattacks and proliferation of web-borne threats has made web filtering for Managed Service Providers one of the most important, and profitable, opportunities for MSPs. However, not all MSPs have started offering a web filtering service to their clients, even though web filtering is now an essential cybersecurity defense
Why is web filtering for Managed Service Providers now so important? Listed below – and in a useful infographic – are some of the reasons why businesses need to control the websites that can be visited by their employees and why web filtering for Managed Service Providers is an important addition to any MSPs service stack.
Cybercriminals Have Switched from Email to the Web to Spread Malware
Email remains one of the most likely routes that malware can be installed. Malicious email volume is growing and in Q3, 2016, Proofpoint discovered 96.8% of malicious attachments were used to download Locky ransomware. Blocking malicious spam email messages is therefore an essential element of any organization’s cybersecurity defense strategy. However, times are a changing. The threat from web-borne attacks has increased significantly in the past few years.
Cybercriminals are well aware that most organizations now use a spam filter to block malicious messages and that they now conduct end user training to warn employees of the risks of opening email attachments or clicking on hyperlinks sent by strangers.
However, far fewer businesses have implemented a solution that blocks web-borne threats. Consequently, cybercriminals have changed their focus from email to the Internet.
The shift to the web means cybercriminals can reach a much bigger target audience and can spread malware and ransomware more effectively. The extent of this paradigm shift is deeply concerning.
Now, more than 80% of malware is web-related and spread via malicious web adverts, hijacked websites, and websites that have been created with the sole purpose of infecting visitors with malware.
As TitanHQ CTO Neil Farrell points out, “the average business user now encounters 3 malicious links per day.” Those links are rarely identified as malicious and the malware downloads that result from visiting malicious websites go undetected.
Web-Borne Threats have Increased Substantially in Recent Years
Cybercriminals use exploit kits – malicious software that probes for vulnerabilities in browsers – on hijacked webpages and purpose designed, malware-laced websites. Zero-day vulnerabilities are frequently identified in web browsers, browser plugins, and extensions and these flaws can be exploited and leveraged to download malware and ransomware. Each time a new flaw is identified, it is rapidly added to a swathe of exploit kits.
Anti-virus software is capable of detecting a high percentage of malware and preventing the malicious software from being installed on computers; however, new forms of malware are being released at an unprecedented rate. A new malware is now released every 4 seconds. Naturally, there is a lag between the release of new malware and the addition of its signature into antivirus software companies’ virus definition lists. Visits to malicious websites all too often result in malware installations that go undetected.
Malicious websites are constantly being created. Google reports that since July 2013, 113,132 new phishing websites have been created and it is businesses that are being targeted. TitanHQ now adds over 60,000 new malware-spreading websites to its blocklists every single day.
Companies that fail to block these web-borne threats face a high risk of their computers and networks being infected with malware. Figures from IDC show that 30% of companies employing more than 500 staff have experienced malware infections as a result of end users surfing the Internet.
New Threats are Constantly Being Developed
Malware is used to log keystrokes to obtain login credentials for further, more sophisticated attacks. Banking credentials are stolen and fraudulent transfers are made. Businesses also have to contend with the current ransomware epidemic. 40% of businesses have now been attacked with ransomware.
Malware and ransomware infections do not just occur via obscure websites that few employees visit. Hugely popular news sites such as the New York Times and the BBC have been discovered to display adverts containing malicious code. Social media websites are also a major risk. 24% of organizations have been infected with malware via Facebook and 7% via LinkedIn/Twitter, according to a recent study by Osterman Research.
These and other serious threats, along with the extent to which infections are occurring, have been summarized in a new infographic that can be accessed by clicking on the image below:
WebTitan Cloud – Web Filtering for Managed Service Providers
Fortunately, there is an easy solution to prevent web-borne attacks: WebTitan Cloud. WebTitan Cloud is a 100% cloud-based web filtering solution that can be used to prevent end users from visiting websites known to contain malware. WebTitan can be configured to block malicious adverts and can prevent end users from being directed to malware-infected websites if malicious links are clicked.
Given the range of threats and the extent to which cybercriminals are using the web, it is now essential for organizations to add web filtering to their cybersecurity defenses. Consequently, web filtering for Managed Services Providers presents a huge opportunity for growth. TitanHQ has seen a significant increase in uptake of its web filtering for Managed Service Providers in recent months as MSPs have started to appreciate the huge potential web filtering for Managed Services Providers has to improve bottom lines.
WebTitan can be rapidly added to an MSPs service stack and is an easy sell to clients. WebTitan can be deployed remotely and rapidly installed and configured. The solution is automatically updated, requires little to no IT support, is technology agnostic, and therefore so has an extremely low management overhead. The solution also has excellent scalability and can be used to protect any number of end users.
MSPs can be provided with a white-label version of WebTitan Cloud ready for branding and WebTitan Cloud can even be hosted within an MSPs own environment. Perhaps most important for MSPs is the high margin recurring SaaS model. That means high recurring revenues for MSPs and better bottom lines.
Contact TitanHQ today to find out more about web filtering for Managed Service Providers, for full technical specifications, and to discover just how easy it is to add WebTitan to your service stack and start boosting profits.
Many employers are not entirely happy with employees using social media sites in the workplace, and with good reason: There are many risks of social media in business and the costs can be considerable.
Social Media Use Can be a Huge Drain on Productivity
When employees are spending time updating their Facebook accounts or checking Twitter they are not working. All those minutes spent on social media platforms really do add up. Social media site use can be a major drain on productivity.
If every employee in an organisation spends an hour a day on social media sites, the losses are considerable. Unfortunately, many employees spend much more than an hour a day on the sites.
Salary.com reports that around 4% of employees waste more than half of each day on non-work related tasks. For a company employing 1,000 members of staff, that equates to more than 160 hours lost each day, not including the hour or two spent on social media sites by the remaining 96% of the workforce.
Social media site use is not all bad, in fact, the use of the sites can be good for productivity. Employees cannot be expected to work solidly for 8 or more hours each day; at least not 8 highly productive hours. If employees enjoy some ‘Facetime’ every hour or two, it can help them to recharge so they are more productive when they return to their work duties.
The problem for employers is how to control the use of Facebook in the workplace and ensure that social media site use is kept within acceptable limits. Taking 5 minutes off every hour or two is one thing. Taking longer can have a seriously negative impact. Unfortunately, relying on employees to self-moderate their use of social media sites may not be the best way to ensure that Internet use is not abused.
The Cost of Social Media Use Can Be Severe
Productivity losses can have a serious negative impact on profits, but there are far biggest costs to employers from social media site use. In fact, the risks of social media in business are considerable.
The cost from lost productivity can be bad, but nowhere near as bad as the cost of a malware or ransomware infection. Social media sites are commonly used by hackers to infect computers. Just visiting a malicious Facebook or Twitter link can result in a malware or ransomware infection. The cost of resolving those infections can be astronomical. The more time employees spend on non-work related Internet activities, the greater the risk of a malware infection.
Is there a genuine risk? According to PC Magazine, the risks are very real. There is a 40% chance of infection with malicious code within 10 minutes of going online and a 94% chance of encountering malicious code within an hour.
Controlling employees’ use of the Internet can not only result in huge increases in productivity, Internet control can help to reduce the risk of malware and ransomware infections. Further, by limiting the sites that can be accessed by employees, organizations can greatly reduce legal liability.
Fortunately, there is a simple, cost-effective, and reliable solution that allows organisations to effectively manage the risks of social media in business: WebTitan.
Managing the Risks of Social Media in Business
WebTitan is an innovative web filtering solution that allows organizations to accurately enforce Internet usage policies. Employers can block inappropriate content to effectively reduce legal liability, block or limit the use of social media sites to improve productivity, and prevent users from encountering malicious code that could give cybercriminals a foothold in the network.
If you have yet to implement a web filtering solution to control Internet use in the workplace or you are unhappy with the cost or performance of your current web filtering product, contact TitanHQ today and find out more about the difference WebTitan can make to your bottom line.
To find out more about the risks of social media in business and why it is now so important to manage social media use in the workplace, click the image below to view our informative infographic.
One of the questions most frequently asked of the WebTitan customer support team is how to block Facebook chat at work without blocking access to Facebook entirely.
Why Block Facebook Chat at Work?
There are many reasons why an organization would want to prevent employees from accessing Facebook. Social media websites can be a drain on productivity. Some employees may spend hours of each day accessing and updating their Facebook account, which is time spent not working.
However, an employee cannot remain productive for a full eight hours each day. By allowing access to Facebook – and other social media sites – employers can actually increase productivity, providing social media site use is kept within acceptable limits.
If employees take short breaks throughout the day and access Facebook for a few minutes every hour, they are likely to be more productive. Morale can also be improved with a little social media site use.
However, there is the question of security to consider and Facebook chat is a particular cause for concern. Many organisations believe Facebook Chat is a security risk. Use of Facebook chat can increase the risk of malware infections. The chat function also lacks the security standards demanded by many organizations and makes it too easy for employees to share sensitive corporate data. Use of Facebook chat is also difficult to police.
How to Block Facebook Chat Without Blocking Facebook Access
With WebTitan Cloud it is easy to block Facebook chat at work without blocking Facebook access entirely. The process takes just a few seconds and is detailed in the video presentation below (and described underneath.)
To block Facebook chat at work, open your WebTitan Cloud administration panel and navigate to “Filtering URL keywords.”
To block Facebook chat you need to add in two blacklisted keywords. Enter in the first keyword:
Then set filter options to ‘find keyword in entire URL’
The second keyword that must be blocked is:
As before, set filter options to ‘find keyword in entire URL’
These two files are used by Facebook chat and if the files are blocked, the Facebook chat will not function, although the Facebook website will still be accessible.
In order for URL keywords to work correctly it is necessary to have the SSL certificate pushed out to the browsers. Further information on how to do this via GPO or manually can be found in the help section on the WebTitan website.
Are you taking steps to prevent drive-by malware downloads? Have you implemented controls to reduce your attack surface and prevent your employees from inadvertently downloading malware onto your network?
Malvertising – A Major Security Risk that Should be Managed
Malvertising is the term used for the practice of displaying malicious adverts to website visitors. The malicious adverts are displayed via third party advertising networks which are present on a wide range of legitimate websites. Malicious adverts have been displayed to visitors to many of the top 500 global websites.
The New York Times website was discovered to be displaying malvertising via a third party ad networks. Those adverts redirected visitors to websites where ransomware was downloaded. The UK’s BBC website was similarly discovered to be displaying malicious adverts that resulted in ransomware downloads.
Other high profile sites found to be displaying malvertising include AOL, the NFL website, Realtor, theweathernetwork, newsweek, infolinks, answers.com, and thehill, amongst many many others.
Proofpoint recently announced it has succeeded in shutting down the AdGholas malvertising operation. This large-scale operation was reported to have resulted in malicious adverts being displayed to between 1 million and 5 million individuals per day. Researchers at Proofpoint estimated that between 10% and 20% of computers that loaded the malicious adverts were redirected to websites containing exploit kits. Exploit kits probe for security vulnerabilities in web browsers. If vulnerabilities are discovered, malware is silently downloaded onto the site visitor’s computer. Of course this was just one malvertising operation out of many.
Cost of Malware and Ransomware Infections
Many ransomware variants are capable of moving laterally within a network and replicating. One download may see multiple computers infected. Each infected device is encrypted with a separate key and a separate ransom demand is issued for each infection.
Organizations experiencing multiple infections can be issued with ransom demands of tens of thousands of dollars. In January, Hollywood Presbyterian Medical Center was forced to pay $17,000 for the decryption keys to unlock its computers.
The threat from malware can be far more serious. Malware such as keyloggers can be used to obtain login credentials to corporate bank accounts, allowing criminals to make fraudulent transfers and empty company accounts. Malware can install backdoors that can be used to steal patient data from healthcare organizations. Failing to prevent drive-by malware downloads can prove very costly indeed. Recently, the Ponemon Institute calculated the average healthcare data breach cost to be $4 million. The cost per compromised healthcare record was calculated to be $158.
Prevent Drive-by Malware Downloads
To prevent drive-by malware downloads you need to employ a range of tactics. Good patch management policies can help to ensure that devices are not left vulnerable. Software, browsers, and browser plugins should be kept up to date and patches applied promptly. Plugins and software commonly exploited by cybercriminals include Java, Adobe Flash, and PDF reader, as well as out of date web browsers.
Organizations can prevent employees from being directed to malicious websites by using a web filtering solution. A web filter can be configured to block websites known to contain malware or host exploit kits. A web filter can be used to block third party advertising from being displayed. Block the ad networks, and you will ensure that malvertising is not displayed.
You should also implement Acceptable Usage Policies (AUPs) to limit the websites that employees can visit. A web filtering solution can help in this regard. Employees can be instructed not to visit certain categories of websites which are known to carry a higher than average risk, but a web filter can be used to enforce those policies. By blocking access to gambling websites, pornography, sites containing illegal website content, and other risky websites such as p2p file sharing sites, risk can be greatly reduced.
A web filtering solution cannot prevent all data breaches and malware attacks, but it is a vital element of cybersecurity defenses that should not be ignored. It is one of the most important controls to employ to prevent drive-by malware downloads.
Another day passes and another ransomware variant emerges, although the recently discovered Ranscam ransomware takes nastiness to another level. Ranscam ransomware may not be particularly sophisticated, but what it lacks in complexity it more than makes up for in maliciousness.
The typical crypto-ransomware infection involves the encryption of a victim’s files, which is accompanied by a ransom note – often placed on the desktop. The ransomware note explains that the victim’s files have been encrypted and that in order to recover those files a ransom must be paid, usually in Bitcoin.
Since many victims will be unaware how to obtain Bitcoin, instructions are provided about how to do this and all the necessary information is given to allow the victim to make the payment and obtain the decryption key to unlock their files.
There is usually a time-frame for making payment. Usually the actors behind the campaign threaten to permanently delete the decryption key if payment is not received within a specific time frame. Sometimes the ransom payment increases if payment is delayed.
Ranscam Ransomware will not Allow Victims to Recover Their Files
Rather than encrypting files and deleting the decryption key, Ranscam ransomware threatens to delete the victim’s files.
The ransomware note claims the victim’s files have been encrypted and moved to a hidden partition on their hard drive, which prevents the files from being located or accessed. The payment requested by the actors behind this scam is 0.2 Bitcoin – Around $133 at today’s exchange rate.
While the ransom note claims that the victim’s files will be moved back to their original location and will be decrypted instantly once payment is received, this is not the case.
Unfortunately for the victims, but the time the ransom note is displayed, the victim’s files have already been deleted. Paying the ransom will not result in the encrypted files being recovered. A decryption key will not be provided because there isn’t one.
Researchers at Talos – who discovered the Ranscam ransomware variant – noted that the ransomware authors have no way of verifying if payment has been made. The ransomware only simulates the verification process. There is also no process built into the ransomware that will allow a victim’s files to be recovered.
Backup Your Files or Be Prepared to Lose Them
Many ransomware authors have a vested interest in ensuring that a victim’s files can be recovered. If word spreads that there is no chance of recovering encrypted files, any individual who has had their computer infected will not pay the ransom demand. Locky, CryptoWall, and Samsa ransomware may be malicious, but at least the thieves are honorable and make good on their promise. If they didn’t, discovering that files had a locky extension would be a guarantee that those files would be permanently lost.
There are new ransomware variants being released on an almost daily basis. Many of the new variants are simplistic and lack the complexity to even allow files to be recovered. The discovery of Ranscam ransomware clearly shows why it is essential to make sure that critical files are regularly backed up. Without a viable backup, there is no guarantee that files can be recovered and you – or your organization – will be at the mercy of attackers. Not all will be willing – or able to – recover encrypted files.
Researchers at FireEye have reported that the Angler Exploit Kit has been updated and that it is now capable of bypassing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) protection – the first time this behavior has been observed in the wild.
Angler Exploit Kit Could be Used to Deliver any Malicious Payload
The Angler exploit kit is being used to exploit vulnerabilities in Silverlight and Adobe Flash plug-ins. If vulnerabilities are found, Angler downloads its malicious payload: TeslaCrypt ransomware. Teslacrypt was closed down a few weeks ago and the authors released a universal decryption key that can unlock all infections. Anti-virus firms have since developed tools that can be used to remove TeslaCrypt infections. However, it is probable that the Angler exploit kit will be updated to deliver other malicious payloads for which there is no known fix. Many distributors of TeslaCrypt have already transitioned to CryptXXX.
Currently EMET protections are only being bypassed on devices running Windows 7, although it is probable that attackers will soon develop EMET bypasses that work on more recent versions of Windows. That said, updating to later versions of Windows will help organizations improve their security posture. If an upgrade is not possible or practical, sys admins should ensure that patches are applied promptly. If possible, ActiveX should also be disabled as should Flash and Silverlight plugins. Uninstalling unnecessary software and disabling plugins will reduce the attack surface.
EMET was developed to prevent malicious actors from exploiting memory corruption vulnerabilities, and while this has proved effective at some preventing attacks, the bypass shows that Microsoft’s protection is not 100% effective. While EMET can be used to reduce the risk of ransomware and other malware infections, system admins should not rely on EMET alone. Multi-layered security defenses should be employed to keep networks protected, as this bypass clearly shows. It is still essential to use anti-virus and anti-malware software and to keep definitions up to date.
While efforts can be made to prevent exploit kits from taking advantage of vulnerabilities in plugins, enterprises can reduce risk further by stopping end users from visiting websites known to host exploit kits. By implementing a web filtering solution and restricting access to certain categories of website, enterprises can greatly enhance their security posture.
There are a number of companies that offer web filtering services for MSPs; however, while many managed service providers are happy to provide web filtering to their clients if the service is requested, web filtering is not generally offered to clients as part of an MSP’s range of standard Internet services. Yet, by leveraging web filtering services for MSPs it is possible to substantially increase profits for very little effort.
Web filtering services for MSPs have been developed to be easy to implement, easy to sell to clients, and straightforward to manage, so why are more MSPs not offering web filtering to their clients as part of their Internet services?
Some MSPs may feel that there is not much of a market for web filtering. Draconian Internet usage policies may ensure that Internet access is not abused, yet highly restrictive Internet policies can have a negative impact on staff morale and productivity. Most employees can be trusted to get all of their daily tasks completed, while still occasionally checking Facebook, purchasing something on Amazon, and viewing the occasional YouTube video.
However, providing totally free access to the Internet is unwise. Not preventing employees from accessing illegal and inappropriate website content can cause employers many problems. Some of those problems can prove very costly to resolve. Any organization that has not chosen to filter the Internet – even to a minimal degree – may not be aware of the risks. If MSPs explain these risks, they are likely to find many of their clients will want to sign up for web filtering services.
What are the Main Benefits of Using Web Filtering Services?
There are two main reasons for using a web filter to control Internet content:
Reducing the Risk of Malware Infections
As we have seen in recent months, there is a clear and present danger of a serious malware infection. Cyberattacks are taking place with increasing regularity, new malware is being released at alarming rates, and cybercriminals have embraced ransomware and are using it to extort money out of businesses.
IT teams struggle to implement patches promptly, leaving their networks at risk of attack. This is mainly due to the frequency at which patches are released. Keeping all software – including web browsers and plugins – 100% up to date, 100% of the time is an uphill struggle.
If end users visit malicious websites containing exploit kits, malware and ransomware can be easily loaded onto networks. Issuing staff members with acceptable use policies (AUPs) can reduce the probability of end users visiting high-risk websites, while policies can help to reduce the risk from shadow IT installations, but unless those policies are enforced there is a risk that some employees will break the rules.
Numerous organizations have experienced phishing attacks even when training has been provided on how to identify phishing emails. Unfortunately, scammers are getting much better at crafting highly convincing emails to fool users into visiting websites containing exploit kits that can download malware.
Business email compromise scams have been increasing in recent months, prompting the FBI to issue warnings due to the high risk of attack. Scammers are impersonating CEOs, CISOs, and executives to get end users to visit websites and divulge their login credentials or download malware.
With so many Internet threats to deal with, policies are no longer enough to keep organizations’ networks free from malicious software and infections can prove very costly to resolve.
Controlling Personal Use of the Internet
Many companies take a relaxed attitude to personal Internet use, provided it is kept within certain limits. This is arguably the best option for employers and employees. Blocking personal access to the Internet can have a negative effect on staff morale, and all employees will need to use the Internet from time to time for personal reasons.
That said, there will always be some members of staff that choose to abuse their Internet access and this can lead to serious problems for employers. Not only is there a risk of malware infections, abuse of the Internet can have legal implications for employers. The use of illegal file sharing websites for copyright-infringing downloads, the accessing of illegal website content such as child pornography, or even the viewing of legal pornography in the workplace can cause many HR issues.
Of course, web filtering is not only about blocking access. It allows companies to monitor use of the Internet and identify employees who are breaking the rules before serious HR or legal issues arise. Web filtering also allows organizations to place limits on online activities at certain times of the day to ensure the workforce remains productive and bandwidth is not wasted.
Summary of the Benefits of Filtering the Internet
Blocks malware, ransomware, botnets, adware, and spyware installations
Prevents the accessing of illegal website content
Stops the downloading and installation of shadow IT
Prevents bandwidth wastage
Allows employers to monitor employees’ Internet usage
Prevents many HR issues
Helps organizations to comply with industry regulations
Can help to increase employee productivity
Benefits of Web Filtering Services for MSPs
Protects clients from Internet threats
Easily increases client revenue
Helps MSP’s to attract more clients and win new business
Allows MSPs to provide a more comprehensive range of Internet services
Web Filtering Services for MSPs can be Easily Incorporated into Existing Service Packages
Web filtering services for MSPs no longer require expensive appliances to be purchased, and it is not necessary to use local IT support teams to visit clients to install and configure web filters. In fact, it is not even necessary to install software on clients’ devices or servers at all. Clients can have their Internet filtered within 5 minutes of them saying yes to a sales representative if cloud-based web filtering services are used.
Cloud-based web filtering services for MSPs require clients to make a small change to their DNS settings, something that even the most technically inept employee could be talked through over the phone. By pointing the DNS to the service provider’s servers, the Internet can be filtered quickly and painlessly.
Web filtering services for MSPs can be easily offered to clients alongside managed service providers’ solutions. WebTitan Cloud – and WebTitan Cloud for WiFi – are offered as web filtering services for MSPs without any branding. MSPS are able to add their own logos and corporate color schemes, tailor block pages, and customize reports with their own branding. If required, MSPs can also host the solution within their own infrastructure or use a private cloud for clients.
The management overhead is low and the configuration of new accounts is quick and easy. New client accounts can be set up in approximately 20 minutes. Even reporting is taken care of with a full suite of pre-configured, schedulable reports, including instant email alerts.
The cost for the client is low with only a small spend required per user, per year, and the margins offered by TitanHQ on web filtering services for MSPs are generous. This allows MSPs to easily increase profits, in some cases, by tens of thousands of dollars.
If you want to attract new business, increase client spending, and easily increase profits, web filtering services for MSPs could well be the answer.
For further information on our web filtering services for MSPs, including a product demonstration and details of pricing, contact our sales team today.
This week, a new critical Symantec vulnerability has been discovered that enables an attacker to trigger a memory buffer overflow, allowing root-level control over a system to be gained without any user interaction. The cross-platform security vulnerability affects many Symantec and Norton anti-virus software releases.
Critical Vulnerability in Symantec AVE Scan Engine is “As Bad as it Can Possibly Get”
The critical fault has been found in the core scanning engine used in both Norton and Symantec anti-virus software, including Norton antivirus, and Symantec’s Scan Engine, Endpoint Antivirus, and Email Security, although other products may also be affected. The vulnerability affects Windows, Mac, Linux, and UNIX platforms.
Since the scan engine intercepts all system input and output, the vulnerability could be exploited by an attacker by simply sending a file attachment to a user’s inbox. The user would not even be required to open the file in order for the vulnerability to be exploited.
The vulnerability could therefore allow an attacker to take full control of the device on which the software has been installed with no user interaction necessary. The vulnerability has been described as “as bad as it can possibly get” by Tavis Ormandy – the researcher at Google Project Zero who discovered the security flaw.
Ormandy said that if the vulnerability is exploited it causes kernel memory corruption on Windows because “the scan engine is loaded into the kernel (wtf!!!).” It must be said, unpacking malware in the kernel was perhaps not the best decision. Ormandy also discovered a number of other remote code execution security vulnerabilities in Symantec products.
The new critical Symantec vulnerability has now been addressed – AVE version 20188.8.131.52 – although the remaining vulnerabilities have yet to be remediated. Users of Symantec and Norton branded products will have to wait until a patch is made available.
According to an advisory issued by Symantec, the critical vulnerability affects the AVE scanning engine and occurs “when parsing malformed portable-executable header files.” If one of these malformed portable-executable header files is downloaded in an application or document, or if a malicious website is visited which downloads one of these files onto the device, the flaw could be exploited. The flaw could also be exploited if an attacker sends one of these files to the user as an email attachment, or even if a link is sent in an email. The parsing of the malformed file would be triggered.
Symantec reported that “Sufficiently malformed, the code executed at the kernel-level with system/root privileges causing a memory access violation.”
The critical Symantec vulnerability needs to be remediated as soon as possible. If you run Symantec anti-virus software and your system is not set to update automatically, it is essential to perform a manual Symantec LiveUpdate to address the issue. A patch is expected to be released in the next few days to address the other serious vulnerabilities discovered by Ormandy.
Last week, the website of a major toy manufacturer was discovered to have been compromised and was being used to infect visitors with ransomware. The website of Maisto was loaded with the Angler exploit kit that probed visitors’ browsers for exploitable vulnerabilities. When vulnerabilities were discovered, they were exploited and ransomware was downloaded onto visitors’ devices. In this case, the ransomware used was CryptXXX.
Many ransomware infections require a system rebuild and restoration of data from a backup. If a viable backup does not exist there is no alternative but to pat the attackers for an encryption. Fortunately, in this case there is an easy fix for a CryptXXX infection. The ransomware-encrypted files can be decrypted for free according to Kaspersky Lab. However, there are many malicious strains of ransomware that are not so easy to remove.
While decrypting files locked by CryptXXX is possible, that is not the only malicious action performed by the ransomware. CryptXXX is also an information stealer and can record logins to FTP clients, email clients, and steal other data stored in browsers. It can even steal bitcoins from local wallets.
CryptXXX is now being used in at least two major exploit kit attack campaigns according to researchers from Palo Alto Networks. While Locky ransomware was extensively used in March this year – deployed using the Nuclear exploit kit – the attackers appear to have switched to the Angler exploit kit and the Bedep/CryptXXX combo.
How to Block Exploit Kits from Downloading Malware
To protect end users’ devices and networks from malware downloads and to block exploit kits, system administrators must ensure that all browser plugins are kept up to date. Exploit kits take advantage in security vulnerabilities in a wide range of plugins, although commonly vulnerabilities in Flash and Java are exploited. These two browser plugins are used on millions of machines, and new zero-day vulnerabilities are frequently discovered in both platforms. Cybercriminals are quick to take advantage. As soon as a new vulnerability is identified it is rapidly added to exploit kits. Any machine that contains an out-of-date plug in is at risk of attack.
It takes time for patches to be developed and released when a new zero-day vulnerability is discovered. Keeping all devices up to date is a time consuming process and sys admins are unlikely to be able to update all devices the second a patch is released. To effectively protect devices and networks from attacks using exploit kits, consider using a web filtering solution.
A web filter can be used to block websites containing exploit kits and thus prevent the downloading of malware, even if patches have not been installed. The best way to block exploit kits from downloading malware is to ensure that end users never visit a website containing an exploit kit!
A web filter should not be an excuse for poor patch management practices, but web filtering software can ensure devices and networks are much better protected.