Whereas news about Internet security often focuses solely on the latest threats or vulnerabilities, in addition to reporting hacks, data breaches and exposures, we also include advice about the best practices organizations should adopt to mitigate the threat from malware and other malicious software.
Consequently we strongly advise that individuals and organizations never use the same passwords for different accounts, make passwords as complex as possible and change them frequently. We also recommend that sensitive online accounts have 2-factor authentication whenever possible.
Ideally, organizations should implement a web filter to prevent Internet users from accessing websites that could compromise Internet security. With a web filter in place, the potential exists for productivity to increase and also for employees to enjoy a hostility-free workplace environment.
A malware delivery campaign has been identified that uses phishing emails, malicious macros, PowerShell, and steganography to deliver a malicious Cobalt Strike script.
The initial phishing emails contain a legacy Word attachment (.doc) with a malicious macro that downloads a PowerShell script from GitHub if allowed to run. That script in turn downloads a PNG image file from the legitimate image sharing service Imgur. The image contains hidden code within its pixels which can be executed with a single command to execute the payload. In this case, a Cobalt Strike script.
Cobalt Strike is a commonly used penetration testing tool. While it is used by security professionals for legitimate security purposes, it is also of value to hackers. The tool allows beacons to be added to compromised devices which can be used to execute PowerShell scripts, create web shells, escalate privileges, and provide remote access to devices. In this campaign, the hiding of the code in the image and the use of legitimate services such as Imgur and GitHub helps the attackers avoid detection.
The hiding of code within image files is known as steganography and has been used for many years as a way of hiding malicious code, typically in PNG files to prevent the code from being detected. With this campaign the deception doesn’t end there. The Cobalt Strike script includes an EICAR string that is intended to fool security solutions and security teams into classing the malicious code as an antivirus payload, except contact is made with the attacker’s command and control server and instructions are received.
This campaign was identified by researcher ArkBird who likened the campaign to one conducted by an APT group known as Muddywater, which emerged around 2017. The threat group, aka Static kitten/Seedworm/Mercury, primarily conducts attacks on Middle eastern countries, commonly Saudi Arabia and Iraq, although the group has been known to conduct attacks on European and US targets. It is unclear whether this group is responsible for the campaign.
Naturally one of the best ways to block these types of attacks is by preventing the malicious email from being delivered to inboxes. A spam filter such as SpamTitan that incorporates a sandbox for analyzing attachments in safety will help to ensure that these messages do not get delivered to inboxes. End user training is also recommended to ensure that employees are made aware that they should never enable macros in Word Documents sent via email.
A web filtering solution is also beneficial. Web filters such as WebTitan can be configured to give IT teams control over the web content that employees can access. Since GitHub is commonly used by IT professionals and other employees for legitimate purposes, an organization-wide block on the site is not recommended. Instead, a selective block can be placed for groups of employees or departments that prevents GitHub and other potentially risky code sharing sites such as PasteBin from being accessed, either deliberately or unintentionally, to provide an extra layer of protection.
Cybercriminals are using an increasing range of tactics, techniques and procedures to fool the unwary into disclosing their credentials or installing malware, which is making it hard for end users to distinguish between genuine and malicious messages.
It is common for cybercriminals to purchase lookalike domains for use in phishing scams and for distributing malware. Oftentimes the domains purchased are very similar to the domains they impersonate, aside from one or two changed letters.
For instance, the letters v v could be used in place of a w for a domain spoofing Wal-Mart – e.g. VVal-Mart. In internationalized domain name (IDN) homograph attacks, aka script spoofing, Greek, Latin, and Cyrillic letters are used in domains instead of standard letters. This can lead to domains being almost indistinguishable from the domains they are spoofing, especially since the web pages hosted on those domains include the logos and color schemes used on the official websites.
FBI Warns of Use of Spoofed FBI Domains
Recently the Federal Bureau of Investigation (FBI) issued a warning following the discovery that many FBI-related domain names have been purchased that closely resemble official FBI websites. While these domains are not believed to have been used for malicious purposes to date, it is probable that the individuals registering these domains were intending to use them in phishing attacks, for distributing malware, or for disinformation campaigns. The domains include fbidefense.com, fbimaryland, fbi-ny, fib.ca, fbi-intel.com, fbi.systems, and fbi.health.
These domains can be used to host phishing kits or exploit kits, but the domains can be used to create official-looking email addresses. An email from one of these domains, that has the FBI in the name, could easily scare someone into taking an action demand in the email, such as disclosing their login credentials or opening a malicious email attachment.
Legitimate Cloud Services Leveraged in Sophisticated Phishing Attacks
There have also been phishing campaigns detected in recent weeks that use legitimate cloud services to mask the malicious nature of the emails. Campaigns have been detected that use links to Google Forms, Google Docs, Dropbox, and cloud services from Amazon and Oracle. Emails are sent that include fake notifications with links to these cloud services; however, once the link is clicked, the user is taken through a series of redirects to a malicious website hosting fake Office 365 login prompts that steal credentials.
Several of these campaigns involved checks to make sure the recipient is a real person, with automated responses directed to official domains to prevent analysis. Phishers are also continuing to use typosquatting – the name given to the use of domains with natural typographical errors – to catch out careless typists.
Sophisticated Campaigns Call for Sophisticated Cybersecurity Defenses
The sophisticated nature of today’s phishing and malware campaigns, together with cybercriminals’ constantly changing tactics, techniques, and procedures, mean it is becoming harder for end users to distinguish between genuine and malicious emails. End user security awareness training is still important, but it has never been more important to have effective technical solutions in place to ensure that these threats are identified and blocked before any harm is caused.
The first line of defense against phishing is an email security gateway solution through which all emails need to pass before they reach inboxes. These solutions need to use a range of advanced mechanisms for identifying malicious and suspicious emails, so should one mechanism fail to identify a malicious email, others are in place to provide protection.
SpamTitan from TitanHQ is one such solution that incorporates many layers of protection to detect and block phishing and malware attacks via email. Checks are performed on the message headers, content is analyzed, and machine learning is incorporated to identify never before seen threats, in addition to blacklisting of known malicious email addresses and domains. To block malware threats, SpamTitan uses dual anti-virus engines to block known threats and sandboxing to identify and block zero-day malware threats. Working seamlessly together, these mechanisms will block 99.97% of malicious messages.
An additional anti-phishing solution that you may not have considered is a web filtering solution. Web filters are important for blocking the web-based component of phishing attacks and preventing individuals from visiting sites used for malware delivery. A web filter can also block redirects to malicious websites that hide behind links to legitimate cloud services.
WebTitan from TitanHQ is a smart, DNS-based web filtering solution that uses automation and advanced analytics to block emerging phishing and other malicious URLs, not just those that have been already used in attacks and have been added to blacklists. Through the use of AI-based technology, WebTitan can provide protection from zero-minute threats.
Advanced cybersecurity defenses do not need to be complicated for end users to use. Both SpamTitan and WebTitan have been developed to be easy to implement, use, and maintain. While they incorporate all the required protections and allow advanced users to drill down and analyze threats, they can also easily be used to protect networks and devices by users with little technical skill. The ease of implementation, use, and maintenance together with the superb threat protection are why the solutions are consistently rated so highly on review sites such as Capterra, GetApp, Software Advice, and on Google Reviews.
To improve your defenses against cybersecurity threats delivered via email and via the web, give the TitanHQ a team a call today and find out more about SpamTitan Email Security and WebTitan DNS filtering.
The first known ransomware attack occurred in 1989, but in the years since this form of malware has not proven popular with cybercriminals. That started to change in 2013 with Cryptolocker and the number of attacks – and ransomware threats as continued to grow ever since.
Today, ransomware is one of the biggest malware threats faced by businesses. Ransomware attacks are no longer relatively small campaigns conducted by ransomware developers. Rather than conduct their own attacks, it is now common for ransomware developers to leave the distribution of the ransomware to a network of affiliates. Under the ransomware-as-a-service model, more attacks can be conducted and more ransoms will be paid as a result. Most ransomware operations now operate under this RaaS model and there is no shortage of affiliates willing to distribute the ransomware for a cut of the profits.
While ransomware was once used simply to encrypt files and prevent them from being accessed by businesses unless a ransom was paid for the keys to decrypt files, the Maze ransomware operators started stealing data in 2019 prior to file encryption to add an extra incentive for victims to pay up. Many other ransomware operations followed suit and either threatened to publish the stolen data or sell it on to other cybercriminals if the ransom is not paid.
Data theft prior to file encryption is fast becoming the norm. Coveware, a company that works with ransomware victims to resolve ransomware attacks (often entering into negotiations with the attackers on behalf of its clients), recently published a report that shows half of all ransomware attacks now involve data theft prior to file encryption. It may be possible to recover encrypted data from backups, but that will not prevent the publication or misuse of stolen data.
This tactic has proven to be effective for the ransomware gangs, but there have been many cases where payment of the ransom has not resulted in the deletion of stolen data. In the United States, several victims in the healthcare industry have paid the ransom demand only to receive a second demand for a payment to prevent stolen data from being released.
According to Coveware, the Sodinokibi ransomware gang is known to issue further demands after the initial payment is made, and it has been a similar case with Netwalker and Mespinoza ransomware. The operators of Conti ransomware provide proof that files are deleted after the ransom is paid, but that proof is faked.
Ransom demands are also increasing. The average ransom demand in Q3, 2020 was $234,000, up 31% from the previous quarter according to the Coveware Quarterly Ransomware Report.
The healthcare industry has been extensively targeted by ransomware gangs and attacks have increased during the COVID-19 pandemic. The healthcare industry is heavily reliant on data and attacks aim to encrypt patient data and steal medical records prior to encryption. If the ransom is not paid, the data has a high value and can be sold on easily.
Recently, a joint warning was issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the FBI and the Department of Health and Human Services, warning of an increased and imminent threat of targeted ransomware attacks on the healthcare and public health sectors. A few days after the alert was issued, 6 healthcare providers were attacked with Ryuk ransomware in a single day.
Ransomware attacks are here to stay for the foreseeable future. They will only start to decline when they are no longer profitable. With attacks at record levels and no guarantee that stolen data will be returned even I the ransom is paid, it is more important than ever for businesses and healthcare organizations to ensure their defenses are hardened against ransomware attacks.
Ransomware can be delivered using a variety of techniques. Vulnerabilities in software and operating systems are commonly exploited to gain access to networks, so vulnerability scanning is important for identifying exploitable vulnerabilities to ensure they are promptly addressed before they can be exploited.
Email remains one of the most common attack vectors, not only for delivering ransomware, but delivering ransomware downloaders. Emotet and TrickBot are two Trojans commonly used to deliver ransomware as a secondary payload, and both are primarily delivered via email, as is BazarLoader, which has been used to deliver ransomware in many recent attacks.
To block this attack vector, an advanced AI-powered spam filter is required – one that is capable of not only detecting known malware threats, but zero-day malware and email attacks that have not been seen before. SpamTitan uses AI and machine learning techniques to identify these email threats at source and prevent them from being delivered to inboxes where employees unwittingly provide the attackers with access to their networks. In addition to dual anti-virus engines, SpamTitan has a sandboxing feature for identifying zero-day malware threats and SPF, DKIM, and DMARC to detect and block email impersonation attacks.
Ransomware, ransomware droppers, and other malware threats are often delivered via the Internet, so cybersecurity measures are needed to block this attack vector. WebTitan similarly uses AI and machine learning techniques to provide protection from websites used to deliver malware threats. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could comprise a company and ensure those threats are blocked.
By implementing layered defenses, it is possible to block the majority of threats, but it is still important to ensure that your data is protected in the event that an attack succeeds. You should make sure that come what may, your data is secured.
A good approach to adopt is the 3-2-1 backup strategy, which involves making three backups, storing the copies on 2 different media (tape, disc, or cloud for instance), and ensuring one copy is stored securely off site. Should an attack succeed, you will not be at the mercy of the attackers and will at least be able to recover your data without paying the ransom.
If you want to improve your defenses against ransomware, give the TitanHQ team a call today for information and advice on the steps you can take to harden your defenses.
The Internet opened up a world of new opportunities for businesses, allowing them to get in touch with customers around the world, explore new markets, find new suppliers, and access a wealth of knowledge. Web filtering solutions allow businesses to control internet access and monitor its use by employees and guest users, but why is web filtering in the workplace necessary, what are the benefits, and what are the risks of not filtering the internet? In this post we will explore the benefits of web filtering in the workplace.
What Exactly is a Web Filter?
You will no doubt be aware of spam filters, which are used to carefully control what emails are delivered to inboxes, blocking threats such as phishing emails and malware. Spam filters may also scan outbound email and apply controls to prevent data loss and malicious emails from being sent externally. A web filter performs a similar function for Internet access.
A web filter sits between your end users and the Internet and applies controls over the websites that can be accessed and the files that can be downloaded. The main function of a web filter is content control to restrict access to NSFW websites and block phishing websites and malware downloads.
Reasons for Web Filtering in the Workplace
There are many different reasons for web filtering in the workplace. These include:
Blocking access to inappropriate web content
Web filters are often used to prevent employees from accessing NSFW content such as pornography, images of violence, and hate speech, which can lead to the development of a hostile work environment. Businesses such as coffee shops, along with libraries and schools, use web filtering to create a family-friendly online environment and prevent minors from accessing age-inappropriate content.
Blocking online threats
Phishing attacks are now commonplace and there is a significant risk of malware being downloaded from the Internet. A web filter blocks these threats, by first preventing users from accessing known malicious websites and secondly by preventing downloads of malicious files.
Controlling bandwidth use
There will be a limited amount of bandwidth available and sometimes that bandwidth may be squeezed, resulting in considerable latency that affects all Internet users on the network. A web filter can be used to restrict bandwidth use by blocking certain online activities – video streaming for instance – ensuring sufficient bandwidth is available for all.
The Internet makes slacking off very easy for employees. Business can suffer major productivity losses from employees accessing certain types of websites which serve no purpose in the workplace. A web filter can be used to block access to social media networks, dating websites, gambling and gaming sites, and video streaming services such as YouTube.
Preventing legal issues
Legal issues can arise from uncontrolled Internet use. If an employee or user of a Wi-Fi network engages in illegal activity, the business owner may be liable for their actions. For instance, illegal software, music, and video downloads from P2P file sharing networks. Web filters can also prevent data theft by blocking access to file sharing sites.
Monitoring Internet use
You may want to adopt a permissive approach and only restrict access to illegal content and malicious websites, but a web filter gives you insights into what users are doing online. This can help you to prevent and resolve HR issues and identify insider threats.
How Web Filtering in the Workplace is Achieved?
There are several ways that web filtering in the workplace can be implemented. A physical appliance can be purchased through which all Internet traffic is routed, with controls applied by a system administrator. Cloud-based web filters are now much more popular. With filtering taking place in the cloud, no equipment purchases are required.
DNS-based web filtering sees filtering take place at the DNS lookup stage of a web request, with filtering occurring without content being downloaded. Cloud-based filters that operate at the DNS level also avoid any latency issues, which can be a problem with physical appliances.
Methods of Web Filtering
There are various methods of web filtering in the workplace, with most solutions using a combination of all.
Whitelists and Blacklists
Blacklists are used to block access to specific domains and URLs, either through third-party or user-generated blacklists. Whitelists are used to always allow access to a specific URL or domain, regardless of the content filtering controls put in place.
Category filtering is the easiest way of exercising content control. A web filtering solution will assign websites into categories based on the content of the website. Using a checkbox in the UI, the system administrator can select which categories of content should be blocked. Commonly blocked categories include pornography, gambling, gaming, dating, social media, news, and webmail.
Web filters can perform analyses of web content to detect certain keywords and can assign a score to each URL. Thresholds can be set for individual users, departments, or the entire organization and if that threshold is exceeded, the content will not be displayed.
WebTitan Cloud: Workplace Web Filtering Made Simple
WebTitan cloud is a powerful web filtering solution that provides visibility into the online activities of users and allows controls to easily be set to control Internet access and block online threats that could threaten your business. WebTitan Cloud has been developed to be easy to set up and use, with no technical prowess required to use the solution.
Highly granular filtering controls allow precision control over the content that can be accessed, without overblocking and preventing important web content from being accessed. The solution is DNS-based, so no equipment purchases or software downloads are necessary, and there is zero latency.
WebTitan Cloud protects on-site workers on the network, Wi-Fi users, and remote workers no matter where they access the Internet.
There is a transparent pricing policy, no optional extras, the product is extremely competitively priced, and customers benefit from industry-leading customer support.
Managed Service Providers (MSPs) that want to add web filtering to their service stacks benefit from many MSP-friendly features such as multiple hosting options, a brandable white-label version of the product, monthly billing, and pricing that accommodates rapidly changing numbers of seats.
To find out more about the full benefits of WebTitan Cloud, to arrange a product demonstration, or to take advantage of a free trial of the solution, give the WebTitan team a call today.
Exploit kits used to be one of the most common methods of distributing malware, although their use has dwindled to a fraction of the level seen in 2016. That said, there has recently been an uptick in the use of exploit kits and multiple threat actors are conducting campaigns to deliver malware payloads.
An exploit kit is malicious code that incorporates exploits for one or more vulnerabilities. When a visitor arrives on a website hosting an exploit kit, their computer is scanned for vulnerabilities and if one that is being targeted, the exploit is executed and a malicious payload such as a banking Trojan, keylogger, or ransomware is silently downloaded.
Exploit kits are loaded onto websites under the control of the attackers, which can be their own domains or a legitimate site that has been compromised. Traffic is usually sent to the exploit kit through malicious adverts on third-party ad networks (malvertising). These ad networks are used by many websites for adding revenue-generating third party adverts.
According to research conducted by Malwarebytes, a campaign is being conducted using the Fallout exploit kit to deliver the Racoon Stealer, with the EK loaded onto popular adult websites. The campaign was reported to the ad network and the malicious advert was removed, only to be replaced with an advert directing visitors to a site hosting the Rig exploit kit.
Another campaign was identified involving a different threat actor who is known to have targeted various adult ad networks. The malicious adverts were displayed on a wide range of different adult websites, including one of the most popular adult websites that generates more than 1 billion page views a month.
The threat actor had submitted bids for users of Internet Explorer only, as the exploit kit contained an exploit for an unpatched IE vulnerability. The vulnerabilities exploited were CVE-2019-0752 and CVE-2018-15982, the former is an IE vulnerability and the latter is a vulnerability in Adobe Flash Player. In this campaign, Smoke Loader malware was delivered, along with Racoon Stealer and ZLoader.
For an exploit kit to work, a computer must have an unpatched vulnerability, an exploit for which must be included in the EK. Prompt patching is therefore one of the best ways of ensuring that these attacks are not successful. It is also strongly advisable to stop using Internet Explorer and Flash Player. Vulnerabilities in each are frequently targeted.
These campaigns can also easily be blocked by using a web filter. Unless your business operates in the adult entertainment sector, access to adult content on work devices should be blocked. A web filter allows your business to block access to all adult websites, and other categories of web content that employees should not be accessing in the workplace.
A cloud-based web filter such as WebTitan is a low cost solution that can protect against a web-based attacks such as exploit kits and drive-by malware downloads, while also helping businesses to improve productivity by preventing employees from visiting websites that have no work purpose. Web filters can also reduce legal liability by preventing employees from engaging in illegal online activities, such as copyright infringing file downloads.
Once implemented – a process that takes a few minutes – access to certain categories of website can be blocked with the click of a mouse and employees will be prevented from accessing websites known to harbor malware, phishing kits, and other potentially malicious websites.
For further information on WebTitan and protecting your business from web-based threats, give the TitanHQ team a call today.
The COVID-19 pandemic created a massive opportunity for cybercriminals, and they have been exploiting it with vigor, especially in phishing campaigns. Phishing is the use of deception to trick someone into performing an action. Social engineering techniques are used to get people to open malicious email attachments, visit hyperlinks to websites where sensitive information is harvested, or to take other actions such as make donations to fake charities.
In the early stages of the pandemic when little was known about the virus, how it was spread, the risk of infection, and the disease it caused, the public was very much in the dark and craved information. This created the perfect opportunity for cybercriminals for use in phishing and other cyberattacks.
Recently, the United Nations released data collected about phishing attacks involving COVID-19 related themes showing there had been a 350% increase in new phishing websites in the first quarter of the year, many of which were health-related and targeted health systems and hospitals.
Research conducted by Check Point also found a major rise in domain registrations linked to COVID-19. Research showed that phishing attacks increased from around 5,000 a week in February to more than 200,000 per week by late April, many of which were linked to COVID-19.
Early in the year the lack of knowledge about COVID-19 and the SARS-CoV-2 virus suited large-scale phishing campaigns involving millions of messages, with cybercriminals re-purposing their normal campaigns and started using COVID-19 themed websites and lures. Phishing emails offered information about the virus, possible cures, and advice to avoid being infected. When there was a shortage of personal protective equipment, phishing lures were used offering low cost supplies and testing kits.
Now that there is more information about the virus and cases and PPE shortages have largely been addressed, phishing scams related to COVID-19 have evolved. A study conducted by ProPrivacy showed that far from the COVID-19 related phishing attacks disappearing and cybercriminals returning to their old campaigns using fake invoices and alike, these campaigns are still running, but they have become more targeted and sophisticated.
These targeted campaigns offer answers to new questions being raised by the public, such as whether it is safe for children to return to schools. The study, conducted in partnership with VirusTotal and WHOIS XML, identified 1,200 COVID-related domains were still being registered each day and a sample of 600,000 of those domains revealed around 125,000 of them were malicious and were mostly being used for phishing.
We can expect to see another wave of phishing emails and websites set up related to COVID-19 vaccines when they start to come to market. Since the threat has not gone away and is likely to remain for some time to come, it is important to remain on your guard and to be cautious with any emails received, especially those related to COVIID-19.
Businesses also need to take extra care to ensure that their employees and devices are protected. Most businesses will already have a spam filtering solution in place to block phishing emails, but now is a good time to review those controls. If spam and phishing emails are still reaching inboxes, consider an alternative solution or a third-party spam filter if you are using Office 365 and are relying on Exchange Online Protection for spam and phishing protection.
One anti-phishing measure that is less commonly used by businesses is a web filter. A web filter allows businesses to control the websites and webpages that their employees can visit. Web filters, such as WebTitan, block access to websites known to be malicious, such as those known to be used for phishing. Web filters also categorize websites and allow certain categories to be blocked. By carefully controlling the web content that can be accessed by employees, businesses will be much better protected against phishing attacks and other cyber attacks with a web-based component.
It is also strongly recommended to implement 2-factor authentication, which will provide protection in the event of credentials being compromised in a phishing attack.
If you would like more information about web filtering, WebTitan, or improving your spam filter, give the TitanHQ team a call.
Cybercriminals have adopted a new tactic to deliver malware and conduct phishing attacks on unsuspecting internet users. They are hijacking inactive domains and using them to direct visitors to malicious websites in a form of malvertising.
Malvertising is the term given to the use of malicious code in seemingly legitimate adverts, which are often displayed on high-traffic websites. Website owners use third-party ad networks as a way to increase revenue from their websites. Most of these adverts are genuine and will direct users to a legitimate website, but cybercriminals often sneak malicious code into these adverts. Clicking the link will direct the user to a website hosting an exploit kit or phishing form. In some cases, ‘drive-by’ malware downloads occur without any user interaction, simply if the web content loads and the user has a vulnerable device.
The new tactic uses domains that have expired and are no longer active. These websites may still be listed in the search engine results for key search terms. When user conducts a search and clicks the link or uses a link in their bookmarks to a previously visited website, they will arrive at a landing page that explains that the website is no longer active. Oftentimes, that page will include a series of links that will direct the visitor to related websites.
What often happens is these expired domains are put up for sale. They can be attractive for purchasers as there may already be many links to the website, which is preferable to starting a brand-new website from scratch. These expired domains are then auctioned. Researchers at Kaspersky found that cybercriminals have taken advantage of these auction-listed websites and have added links that direct visitors to malicious websites.
When a visitor arrives on the site, instead of being directed to the auction stub, the stub is replaced with a link to a malicious website. The study uncovered around 1,000 domains that had been listed for sale on a popular auction site, which redirected visitors to more than 2,500 unwanted URLs. In the majority of those cases, the URLs were ad-related pages, but 11% of the URLs were malicious and were mostly being used to distribute the Shlayer Trojan via infected documents that the user is prompted to download. The Shlayer Trojan installs adware on the user’s device. Several of the sites hosted malicious code on the site rather than redirecting the visitor to a different website.
These domains were once legitimate websites, but are now being used for malicious purposes, which makes the threat hard to block. In some cases, the sites will display different content based on where the user is located and if they are using a VPN to access the internet. These websites change content frequently, but they are indexed and categorized and if determined to be malicious they are added to real time block lists (RBLs).
A web filtering solution such as WebTitan can provide protection against malvertising and redirects to malicious sites. If an attempt is made to send a user to a known malicious website, rather than being connected the user will be directed to a local block page, negating the threat. WebTitan can also be configured to block downloads of risky file types from these websites.
Many organizations have implemented firewalls to prevent direct attacks by hackers, use antivirus software to block malware, and use an anti-spam solution to block attacks via email, but there is a gap in their security protections and web-based threats are not effectively blocked. WebTitan allows organizations to plug that gap and control the websites that can be accessed by employees.
For further information on WebTitan and filtering the internet, give the TitanHQ team a call. WebTitan is available on a free trial to allow you to evaluate the solution and see for yourself how you can block attempts to visit malicious web content and NSFW sites.
The 2019 Novel Coronavirus pandemic has caused major disruption for many businesses, and while it is far from business as usual for many firms, work has been continuing by letting employees work from home but doing so opens a business up to new cybersecurity risks, some of the most important of which we have covered in our COVID-19 cybersecurity checklist.
Under normal circumstances, the risks from allowing workers to spend some of their working week at home can be effectively managed, but having virtually the entire workforce working remotely creates many cybersecurity challenges. Further, threat actors are exploiting the pandemic and are actively targeting remote workers.
COVID-19 Cybersecurity Checklist
To help you address the risks of remote working we have produced a quick reference COVID-19 cybersecurity checklist covering some of the most important aspects of cybersecurity that should be addressed, in light of the recent rise in cyberattacks on remote workers.
All remote employees should be using VPNs to access corporate systems, but VPNs can also introduce vulnerabilities. There has been an increase in attacks exploiting unpatched vulnerabilities in VPNs during the pandemic and scans are being performed to find vulnerable VPNs.
VPNs clients must be kept up to date and patches should be applied promptly. There have been several attacks reported recently that have exploited the Pulse Secure vulnerability CVE-2019-11510 to deliver ransomware, even though a patch was released to correct the flaw in April last year. Vulnerabilities in other VPNS have also been targeted.
You should also consider disabling split tunneling for VPN profiles to prevent employees from accessing the internet directly while they are connected to corporate information systems or should ensure all internet traffic is routed through the VPN. You should enable multi-factor authentication for VPNs and create a separate VPN zone in your firewall and apply security policies to protect incoming and outgoing traffic.
Remote Desktop Protocol
Many businesses rely on Remote Desktop Protocol (RDP) to allow their employees to connect remotely, but If you do not use RDP, you should disable port 3389. There has been a growing number of brute force attacks on RDP. A recent Kaspersky report showed brute force attacks on RDP increased. There was a major increase between January and February, with global attacks rising to 93,102,836. In April, attacks had increased to a staggering 326,896,999.
If you use RDP, make sure strong passwords are set, enable multi-factor authentication, and ensure connections are only possible through your VPN – Do not allow RDP connections from outside.
Communication and Collaboration Platforms
You will need to use some form of communication and collaboration platform, such as a videoconferencing solution, to allow workers to easily get in touch with colleagues. There are many choices available, but the security capabilities of each can vary considerably. Some solutions that were considered to be secure, such as Zoom, have been shown to have vulnerabilities, some of which have been exploited in attacks. The U.S. National Security Agency (NSA) has recently issued a useful checklist for selecting appropriate communication tools along with information on how they can be used securely.
With everyone at home, burglaries may be down, and lockdown have reduced the risk of loss and theft of mobile devices, but encryption is still important. All corporate owned mobile computing devices should have encryption enabled, which is straightforward for Windows devices by enabling BitLocker. You should also encrypt web applications and FTP to ensure any data that is uploaded or downloaded is encrypted.
Ensure Firewalls are Enabled
Your employees will be beyond the protection of the corporate firewall so they should have local firewalls enabled. The easiest and most cost-effective way of applying a local firewall is to use the Windows Defender firewall, which can be configured through your MDM solution or Group Policy.
The volume of phishing emails may not have increased by a very large degree during the COVID-19 lockdown, but there have been a large number of phishing related data breaches. Phishers have changed their campaigns and are now extensively using COVID-19 themed campaigns, which are proving to be very effective. People crave information about COVID-19 and are responding to COVID-19 themed phishing emails in large numbers. Many of the emails we have seen have been highly convincing, spoofing authorities such as WHO and the CDC.
You should consider adding an additional layer to your email defenses if you are only using Microsoft’s Exchange Online Protection (EOP). Many phishing emails are bypassing Microsoft’s defenses and are being delivered to inboxes. SpamTitan can be layered on top of Office 365 protections and will greatly improve the detection of phishing emails and zero-day malware and ransomware threats.
Multi-factor authentication for email accounts should be set up. In the event that email credentials are compromised, multi-factor authentication should prevent those credentials from being used to access accounts.
You should also set up a system that allows employees to report any suspicious emails they receive to the security team, to allow action to be taken to remove all similar messages from the email system and to tweak email security controls to block the threats.
With email security improved, you should also take steps to block web-based attacks. Malicious websites can be accessed by employees through general web browsing, redirects via malvertising, malicious links on social media networks, and links in phishing emails. A DNS filtering solution such as WebTitan Cloud prevents employees from visiting known malicious websites and will block drive-by malware downloads. WebTitan Cloud will protect employees whether they are on or off the network. If you don’t have web filtering capabilities for remote workers, ensure that internet access is only possible through your VPN to ensure bad packets are filtered out.
Cybersecurity Alerts and Log Checking
You should have systems in place that generate cybersecurity alerts automatically and you should enable security logs and regularly check them for signs of compromise. Monitor the use of PowerShell and red team tools such as Mimikatz and Cobalt Strike. These tools are often used by manual ransomware attackers to move laterally once access to networks is gained.
There has been a massive rise in the number of telecommuting workers as a result of the 2019 Novel Coronavirus pandemic and cybercriminals are taking advantage. Phishing and malware attacks have soared in the past few weeks and home workers are being targeted.
Individuals who regularly worked from home before the COVID-19 crisis will be used to taking precautions when connecting to virtual environments set up by their employers, but huge numbers of employees are now logging in remotely for the very first time and may not be aware of the telecommuting cybersecurity risks. IT and IT security departments have also had to set up the workforce for home working in a hurry, and the sheer number of employees that have been forced into telecommuting means corners have had to be cut which has created opportunities for cybercriminals.
Even if the transition to having the entire workforce telecommuting has been expertly managed, risk will have increased considerably. Cybersecurity is far harder to manage when the entire workforce is outside the protection of the corporate firewall and with most workers telecommuting, the attack surface has grown considerably.
Telecommuting workers are seen as low hanging fruit and cybercriminals are taking advantage of the ease at which attacks can be conducted. Since January there has been a massive increase in phishing attacks, malware attacks, and attacks over the internet targeting remote workers.
NASA Sees “Exponential Increase” in Malware Attacks
On April 6, 2020, NASA sent a memo to all personnel warning of a massive increase in targeted attacks on the agency. NASA explained in the memo that the number of phishing attempts on NASA employees has doubled in the past few days and its systems designed to block employees from accessing malicious websites has gone into overdrive. The number of malicious websites that are now being blocked has also doubled, which strongly suggests employees are clicking on links in phishing emails and are being fooled by these scams. NASA also reports that there has been an “exponential increase in malware attacks on NASA systems.”
Attacks are being conducted by a diverse range of threat actors, from small players to prolific advanced persistent threat (APT) groups and nation-state sponsored hackers. NASA has warned its employees that those attackers are targeting NASA employees’ work and personal devices and that the attacks are likely to continue to increase throughout the Novel Coronavirus pandemic.
NASA is far from alone in experiencing a massive increase in attempted cyberattacks. Businesses of all sizes are now having to deal with unprecedented risks and are struggling to defend their networks from attack. They now have to defend a massively increased attack surface and the number of attacks has skyrocketed.
There are other factors that are making it difficult for employers. Employees crave information about the Novel Coronavirus and COVID-19 and cybercriminals are sending huge numbers of emails offering them just the information they seek. Huge numbers of websites are being set up that purport to offer advice on the Novel Coronavirus and COVID-19. Check Point has reported that more than 16,000 domains related to coronavirus or COVID-19 have been registered since January and those domains are 50% more likely to be malicious than other domains registered in the same period.
How to Protect Telecommuting Workers
There are three main ways that telecommuting workers are being attacked: Email, malicious websites, and the exploitation of vulnerabilities.
To prevent the latter, it is essential for software and operating systems to be kept up to date. This can be a challenge for IT departments at the best of times, but much harder when everyone is working remotely. Despite the difficulty, prompt patching is essential. Vulnerabilities in VPNs are being targeted by cybercriminals and offer an easy way to gain access to corporate networks. Employees should be told to make sure their VPN clients are running the latest software version and businesses should ensure their VPN infrastructure is kept up to date, even if it means some downtime while updates are applied.
TitanHQ Can Help You Strengthen Email and Web Security
Advanced email security defenses are now required to protect against phishing and email-based malware threats. Some of the COVID-19 phishing campaigns that are now being conducted include some of the most sophisticated phishing threats we have ever seen.
You should not rely on one form of email security, such as Microsoft’s Exchange Online Protection for Office 365 accounts. Layered defenses are essential. Office 365 email security can be significantly strengthened by layering SpamTitan on top of Microsoft’s EOP protections. SpamTitan does not replace Office 365 protections, it improves them.
SpamTitan is an advanced email security solution that incorporates powerful, real time updated AI-driven threat intelligence to block spam, phishing, malware, malicious links, and other email threats from incoming mail. SpamTitan sandboxing identifies threats that signature-based detection solutions miss and is effective at identifying and blocking zero-day malware threats.
Each day, the number of malicious websites related to COVID-19 grows. These websites are used to phish for sensitive information such as email and VPN credentials and for drive-by downloads of malware. To protect remote workers and prevent them from accessing these malicious websites, a web filtering solution is required.
WebTitan DNS Security offers protection against web-based threats and prevents employees from accessing known malicious websites. WebTitan DNS Security is seeing massively increased traffic demand for its scanning and web detection features, but the solution is cloud based and has been developed with scalability in mind. WebTitan DNS Security is blocking new threats as soon as they are identified to keep customers and their employees protected. The solution can be easily implemented to protect remote workers but inserting simple code into enterprise devices which points the DNS to WebTitan. That small change will ensure the internet is filtered for all employees, no matter where they are working.
TitanHQ is committed to providing safe and secure email and internet usage for our customers, partners and their users, now more than ever. Contact TitanHQ today for help improving security at your organization.
IT departments have been forced to address cybersecurity risks with remote workers in a hurry due to the 2019 Novel Coronavirus pandemic that has seen large sections of the workforce forced into working from home.
The International Workplace Group conducted a study in 2019 and found that 50% of employees spend at least half of the week working remotely, and 70% of workers spend at least one day each week working from home. The 2019 Novel Coronavirus pandemic has increased that percentage considerably. Many companies have all but closed down their offices and have told their employees they must work from home.
While this is an important strategy for ensuring the safety of the workforce, there are many cybersecurity risks with remote workers and IT departments will find it much harder to secure their systems, protect confidential data, and quickly respond to security incidents.
One of the biggest problems for IT departments is the speed at which changes had to be made to accommodate a massive increase in remote workers. There has been little time to prepare properly, provide training, and ensure the cybersecurity risks with remote workers are all addressed.
Cybercriminals are Targeting Remote Workers
The massive increase in remote workers due to the 2019 Novel Coronavirus pandemic has given cybercriminals easy targets to attack, and unsurprisingly remote workers are being targeted. Remote workers are seen as low hanging fruit and attacks are far easier than when workers are in the office.
Several phishing campaigns have been detected targeting home workers that attempt to obtain email and VPN credentials. These phishing attacks are likely to increase considerably over the coming weeks and months. Attacks on VPNs have also increased, with cybercriminals exploiting unpatched vulnerabilities to steal credentials and gain access to corporate networks.
Campaigns have been detected spoofing Zoom and other videoconferencing platforms. According to Check Point, there have been 1,700 new Zoom domains registered in 2020 and 25% of those have been registered in the past two weeks. Other videoconferencing and communication platforms are also being targeted.
Addressing Cybersecurity Risks with Remote Workers
The massive increase in the number of employees working from home has increased the attack surface dramatically. Laptops, smartphones, and tablets are remotely connecting to the network, often for the very first time. It is essential that al of those devices are secured and data is appropriately protected.
Any device allowed to connect to the network remotely must have the best security software installed to protect against malware. Devices must be running the latest versions of operating systems and patches need to be applied promptly. Some studies suggest that it takes companies around 3 months on average to patch vulnerabilities. For remote workers, patching needs to be accelerated considerably and, ideally, software and operating systems should be configured to update automatically. Computers used by remote workers must also have firewalls enabled.
Ensure Home Routers are Secured
With many countries in lockdown and people being told not to leave the house, one of the biggest problem areas with remote working has been solved. The use of unsecured pubic Wi-Fi networks. When remote workers connect to unsecured public Wi-Wi networks, it is easy for cybercriminals to intercept sensitive corporate data, steal login credentials, and install malware. The Novel Coronavirus pandemic has seen remote workers abandon coffee shops and public Wi-Fi access points and stay at home; however, home Wi-Fi networks may be just as vulnerable.
Home workers will connect to the internet through consumer-grade routers, which will be far less secure than the office. Home Wi-Fi is often poorly secured and many devices that connect to Wi-Fi will have scant security controls in place. Remote workers must ensure that their home Wi-Fi network is protected with a strong password and that routers have WPA2 enabled.
Ensure Remote Workers Use a VPN and Establish a Secure Connection
It is essential for remote workers to establish a secure connection when accessing work resources and the easiest way to do this is with a virtual private network (VPN). A VPN client should be installed on all devices that you allow to remotely connect to the network.
Several vulnerabilities have been found in VPNs over the past year, and even months after patches have been released by VPN solution providers that patches have yet to be applied. Patching VPNs can be difficult when they are in use 24/7, but prompt patching is essential. There has been an increase in cyberattacks exploiting vulnerabilities in VPNs in recent weeks. In addition to ensuring the latest version of VPN clients are used and VPN solutions are patched quickly, training must be provided to remote workers to ensure they know how to use VPNs.
Ensure Multifactor Authentication Is Enabled
Strong passwords must be set to prevent brute force password guessing attempts from succeeding, but passwords alone do not provide sufficient protection for remote workers. You must ensure that multifactor authentication is enabled for all cloud services and for email accounts. If credentials are compromised in a phishing attack, it will not be possible for the credentials to be used to access accounts and sensitive data without another factor also being provided, such as a one-time code sent to an employee’s cellphone.
Security Awareness Training for Remote Workers
IT staff will be well aware that even the best security defenses can be breached as a result of the actions of employees. Employees are the weakest link in the security chain, but through security awareness training risk can be significantly reduced. Most companies will provide security awareness training to staff as part of the onboarding process, and often refresher training sessions will be provided on an annual basis. Consider increasing training for remote workers and conducting training sessions far more frequently.
The purpose of cybersecurity awareness training is to teach employees the skills they will need to recognize and avoid threats and to change the mindset of workers and create a culture of cybersecurity. Best practices for cybersecurity must be taught to prevent employees from falling prey to cyberattacks when working remotely. Employees need to be made aware of the cybersecurity risks with remote workers, which may not have been covered in training sessions when employees were only working in the office. Training remote staff should now be a priority. It is important to step up training to help remote workers identify phishing emails, spoofing, impersonation attacks, and also to teach remote workers about good IT hygiene.
Protect Against Web-Based Attacks
The dangers that come from the internet should be covered in security awareness training, but not all web-based threats are easy for remote workers to identify. Malicious adverts can be found on all manner of websites that direct users to phishing sites and websites where drive by malware downloads occur. To address cybersecurity risks for remote workers when accessing the internet, a web filtering solution should be deployed.
Cloud-based web filters are the most practical choice as they are easy to deploy, require no software downloads, and do not need to be patched or updated as that is handled by the solution provider. DNS-based filters are the best choice as they will involve no latency, which can be a major issue when bandwidth will be limited in workers’ homes.
WebTitan prevents remote workers from visiting or being redirected to known malicious websites and allows IT teams to control the types of websites that can be accessed on work devices to further reduce risk. Since WebTitan integrates with Active Directory and LDAP, IT teams can monitor the internet activity of all employees and can configure the solution to block malicious file downloads and the downloading unauthorized programs onto work devices.
It is fair to say that more people are now working from home than ever before and the number is growing rapidly due to the coronavirus pandemic. Here we explore some of the key cybersecurity challenges for remote working and suggest ways that CIOs and IT managers can reduce risk, keep their networks secure, and protect their workers.
COVID-19 and Remote Working
Even in the absence of a pandemic, an increasing number of people are working from home for at least part of the week. One study conducted by the International Workplace Group in 2018 suggests 50% of employees spend at least two and a half days a week working from home and 70% spend at least one day a week working from home.
The coronavirus pandemic is rapidly changing that. Governments around the world are recommending people work from home if they possibly can and many want to do so to reduce the risk of contracting COVID-19. With the 2019 Novel Coronavirus pandemic likely to last for several months at the very least, that is unlikely to change any time soon. Businesses will come under increasing pressure to get their employees set up for working at home.
Cybersecurity Challenges for Remote Working
For many businesses, having to set up large number of employees to work from home in such a short space of time will have come as a major shock. Rather than being able to transition gradually, the quarantine measures and social distances demanded in response to the coronavirus pandemic has given businesses and their CIOs and IT teams little time to prepare and address the cybersecurity challenges for remote working.
Some employees will already be working from home some of the time, so they will be familiar with the steps they need to take to access work networks and applications securely from home, but for a great deal of workers this will be their first time. Those workers therefore need to be trained and made aware of the additional risks, they must learn how to access work systems remotely, and the steps they need to take to do so securely.
Measures need to be considered to reduce the harm that can be caused should devices be lost or stolen, as the risk of device theft increases considerably when IT equipment is taken out of the office. Even if workers are not venturing out of the house to coffee shops, home environments may not be as safe and secure as the office.
Cyberslacking is likely to increase considerably when workers are not being directly supervised due to working at home, so loss of productivity is a real issue. Productivity losses due to people working from home is a key business concern that should be addressed. Cyber risks also increase from internet access at home.
The risk of insider threats also increases with more remote workers. Steps should be taken to reduce the potential for fraud and data theft.
It is relatively easy for organizations to effectively manage risk when users are connected to internal networks when working in the office. Doing the same when most of the workforce is working remotely is a different matter entirely. As the attack surface increases, mitigating risks and protecting against cyberthreats becomes a major challenge.
There are also issues with authentication. A known individual may be attempting to connect to the network, but it becomes harder to determine is that person is who they claim to be. Authentication measures need to be stepped up a gear.
Many businesses will be faced with the problem of simply not having enough devices to allow workers to work remotely on company-issued devices, so the decision will need to be taken about whether to allow employees to use their personal devices. Personal devices are unlikely to have the same level of protection as company-owned devices and it is much harder to control what employees do on those devices and to protect against malware that could easily be transferred onto the work network.
There is also a greater risk of shadow IT when workers are home-based. The downloading of applications and use of non-authorized tools increases risk considerably. Vulnerabilities may be introduced that can easily be exploited by cybercriminals.
Then there is the problem of having so many people accessing work networks using VPNs. Systems may not be able to cope with the increased number, which means workers will not be able to connect and work from home. IT departments must ensure there is sufficient bandwidth and licenses for VPN solutions. Those VPNs also need to be updated and patched.
These are just some of the many cybersecurity challenges for home working. The list of security concerns is very long.
Cybercriminals are Taking Advantage of a Huge Opportunity
Cybercriminals are constantly changing tactics to attack businesses and the coronavirus pandemic offers them opportunities on a silver platter. It is unsurprising that they are taking advantage. In January, phishing campaigns were launched taking advantage of fear about coronavirus. Those campaigns have increased significantly as the COVID-19 crisis has deepened. Coronavirus and COVID-19 are being used as phishing lures and to COVID-themed emails are being used to distribute malware. Cyberattacks exploiting vulnerabilities in VPNs are also increasing.
As the COVID-19 crisis worsens and lockdowns are enforced, businesses will be forced to have more workers working from home and cyberattacks are likely to continue to increase. Since shutting down the business temporarily or indefinitely simply isn’t an option for most businesses, addressing the cybersecurity challenges for remote working will soon become critical.
Addressing the Cybersecurity Challenges for Home Working
Addressing the cybersecurity challenges for home workers is likely to be difficult. Listed below are some of the steps that should be taken to prepare.
When creating new accounts for home workers, ensure strong passwords are set and use the principle of least privilege to reduce risk.
Enable two-factor authentication.
Ensure workers can connect through VPNs and there are sufficient licenses and bandwidth.
Make sure VPN software is patched and the latest version is installed. Ensure procedures are in place to keep the software updated.
Consider disabling USB ports to prevent the use of portable storage devices. This will reduce the risk of malware infections and the risk of data theft.
Ensure portable devices are protected with encryption. Use software solutions that lock devices in the event of theft or allow devices to be remotely wiped.
Ensure you set up communications channels to allow remote workers to collaborate, such as teleconferencing, chat facilities, document sharing platforms, and SaaS applications. Make sure employees are aware of what can and cannot be shared via chat apps such as Slack and Google Chat.
Ensure staff are trained on new applications, the use of VPNs, and are aware of the additional risks from remote working. Train remote workers on how to identify phishing and other cybersecurity threats.
Ensure policies and procedures are set up for reporting threats to IT security teams. Instruct employees on the correct course of action if they believe they have fallen for a scam.
Implement a DNS filter to prevent employees from accessing high risk websites on corporate-issued devices and block downloads of risky file types.
Ensure email security controls are implemented to block phishing attacks and detect and quarantine malware threats.
How TitanHQ Can Help Protecting Remote Workers and Their Devices
TitanHQ has developed two cybersecurity solutions that can help businesses protect their remote workers and their networks from email and web-based threats. Being 100% cloud-based, these solutions are just as effective when employees are working remotely as they are for office workers.
SpamTitan Cloud is a powerful email security solution that protects against the full range of email threats. SpamTitan has advanced threat detection capabilities to detect known and zero-day phishing, spear phishing, malware, botnet, and ransomware threats and ensure the threats never reach inboxes. SpamTitan Cloud also scans outbound email to detect spamming and malware distribution, as well as improving protection against insider threats through tags for sensitive data.
WebTitan Cloud is a DNS filtering solution that provides protection from web-based attacks for user working on and off the network. Being cloud based, there is no need to backhaul traffic to the office to apply filtering controls. Since the filter is DNS-based, clean, filtered internet access is provided with no latency. Controls can easily be applied to restrict access to certain types of websites to prevent cyberslacking and block cybersecurity threats and malware downloads.
Both of these solutions are easy to implement, require no local clients, and can be set up to protect your employees in minutes. They are also available on a free trial if you want to evaluate the solutions before committing to a purchase.
For further information on SpamTitan Cloud Email Security and WebTitan Cloud DNS filtering and to discover how these solutions can help to protect your business and remote workers at this extremely challenging time, give the TitanHQ team a call today.
There are many ways that ransomware can be downloaded onto business networks, but most commonly, ransomware attacks occur via Remote Desktop Protocol (RDP), drive-by downloads, or email.
Scans are performed to discover organizations with open RDP ports, which are then attacked using brute force tactics to guess weak passwords. Cybercriminals also add credentials from historic data breaches to their password lists.
The best way to defense against this method of ransomware delivery is to disable RDP entirely; however, RDP is often required for remote management or remote access to virtual desktops, so this may not be an option. If RDP cannot be disabled, there are steps that should be taken to make it as secure as possible.
Use of strong passwords is important to protect against brute force attempts to guess passwords. You should follow NIST advice on creating complex passwords. Passwords must be unique and not used on any other platform. Two-factor authentication should be implemented to prevent stolen credentials from being used.
You must make sure you are running the latest software versions for servers and clients. RDP connections to listening RDP ports should only be permitted through a secure VPN, and ideally, an RDP gateway should be used. You should also restrict who is permitted to login to remote desktop. Finally, you should use rate limiting to lock users out after a set number of failed attempts to enter the correct password.
Drive-By Ransomware Downloads
Drive-by downloads occur on websites controlled by hackers, either their own sites or insecure sites that have been compromised. Malicious scripts are added to the websites that download ransomware and other malware payloads onto a user’s device when they visit the malicious webpage. This method of attack does not require any user interaction, other than visiting the malicious website. That could occur by clicking a malicious link in an email, via a redirect, or even through general web browsing.
A web filter such as WebTitan is one of the best defenses against drive-by ransomware downloads. WebTitan is a DNS filtering solution that prevents end users from visiting websites known to be malicious. Rather than connecting to the website, the user will be directed to a local block page if they attempt to visit a known malicious website. WebTitan can also be configured to block downloads of risky file types such as executable files.
Ransomware is also commonly delivered via email. This could be via an embedded hyperlink to a website where a drive-by download occurs or via malicious scripts in file attachments. Protecting against email-based attacks requires a defense in depth approach, as no single solution will provide total protection against all email attacks.
An advanced email security solution such as SpamTitan should be implemented. SpamTitan scans all inbound and outbound emails and uses a variety of techniques, including machine learning, to identify and block potentially malicious emails. SpamTitan incorporates two antivirus engines that detect known malware variants and a sandbox to analyze suspicious files for malicious actions. Sandboxing protects against never-before-seen malware and ransomware variants.
End user training is also important to ensure that in the event of a malicious email reaching an end user’s inbox, it can be recognized as such. A web filtering solution will help to ensure that any attempt to visit a malicious website via a hyperlink in an email or email attachment is blocked before ransomware is downloaded.
Ransomware as a Secondary Payload
Several ransomware operators use commodity malware to deliver their ransomware payloads. The threat actors behind DoppelPaymer ransomware have been using the Dridex banking Trojan to deliver their malicious payload, while the Ryuk ransomware gang uses the TrickBot Trojan.
Even if these commodity malware infections are discovered and removed, the ransomware gangs may still have access to systems. These commodity malware infections are often viewed as relatively trivial and when these malware variants are discovered the attacks are not properly investigated. The Trojans are removed, but the ransomware operators continue to spread laterally before deploying their ransomware payloads.
In the case of TrickBot, once it is downloaded it gets to work harvesting data such as passwords files, cookies, and other sensitive information. Once the attackers have harvested all the data they can, a reverse shell is opened to the Ryuk ransomware operators who perform recon of the network and attempt to gain administrator credentials. They then use PSExec and other Windows tools to deploy ransomware on all devices connected to the network.
That is exactly what happened with the attack on the e-discovery firm, Epiq Global. The initial TrickBot infection occurred in December 2019. Access was provided to the Ryuk operators who deployed the ransomware on February 29, 2020. Prior to the deployment of ransomware, the Ryuk operators compromised computers in all 80 of Epiq’s global offices.
TrickBot and other Trojans are primarily delivered via phishing emails. SpamTitan will help to keep you protected against these Trojans and other ransomware downloaders.
A campaign has been detected that uses alerts about out of date security certificates to fool unsuspecting web users into downloading malware. The warnings have been placed on several legitimate websites that have been compromised by cybercriminals.
When visitors arrive on the compromised websites they are presented with an error message that tells them the digital security certificate has expired and they need to download an updated one. Downloading and running the file results in malware being installed on the user’s device – The Mokes backdoor (aka Smoke Loader) and the Buerak malware downloader.
This tactic of malware distribution is nothing new. Cybercriminals have been using this method for years to fool users into downloading malware under the guide of a browser or Flash update, but this is the first time that expired website security certificate error messages have been used for malware distribution.
The NET::ERR_CERT_OUT_OF_DATE error message is delivered via an iframe that is overlaid over the website using a jquery.js script. The warning matches the size of the original page, so it is all the visitor sees when they land on the website. If they want to be able to view the content, they are told they should update their security certificate to allow the connection to the website to be made. The content of the message is loaded from a third-party web resource, but the URL displayed is of the legitimate website the user has navigated to.
It is not clear how the threat actors compromised the websites. Oftentimes websites are compromised using brute force tactics to guess weak passwords, or exploits are used for vulnerabilities that have not been patched. It is also unclear how people are being sent to the websites. Typically, traffic is sent to the compromised websites through phishing scams or malicious web adverts (malvertising), but visitors could simply navigate to the website through a Google search.
Since the warnings are appearing on legitimate websites, users may think the messages are genuine. One of the compromised websites is the official website of a zoo, another identified by Kaspersky Lab was for a legitimate auto parts dealer. The campaign has been active for at least two months.
Protecting against this method of malware distribution requires a combination of security solutions. Up-to-date anti-virus software is a must to ensure that any files downloaded to business computers are scanned for malware. A web filtering solution such as WebTitan will also provide protection by preventing users from visiting compromised websites that are being used to distribute malware and also blocking downloads of dangerous file types.
Contact TitanHQ today to find out more about web filtering and how you can protect your business from web-based attacks.
Today, February 11, is Safer Internet Day 2020 – A day where safe and positive use of digital technology is promoted around the world. Safer Internet Day started out as part of the EU SafeBorders project in 2004 but has grown into a global event with more than 150 countries participating and promoting safe use of the internet. The aim of Safer Internet Day is to help create a better and safer internet by empowering everyone to use technology responsibly, respectfully, critically, and creatively. This year’s theme is “A better internet: How to look after yourself and others.”
Everyone has a role to play in making the internet a more positive and safer environment, from seeking positive opportunities to create and connect with others, being kind and respectful to others online, and reporting illegal and inappropriate content.
Businesses that provide Wi-Fi access to their customers also have a responsibility to ensure their Wi-Fi hotspot is not abused and cannot be used to access harmful content, especially by minors. The easiest way to do that is by implementing a web filtering solution and today is the perfect day to get started.
The easiest-to-implement and most cost-effective web filtering solution is a DNS filter. A DNS filter allows content to be controlled at the DNS lookup stage of internet access, when the human-friendly domain name of a website is converted to an IP address that a computer uses to find the server hosting the website. This method of web filtering requires no hardware purchases or software downloads. You simply change your DNS record to point to your DNS filtering service provider. You then access a web-based interface and stipulate the categories of content your customers are not permitted to access. Getting started takes just a few minutes. Since all filtering takes place at the DNS level before any content is downloaded, this form of web filtering has almost zero latency, which means internet speeds are unaffected.
With WebTitan Cloud for Wi-Fi you can decide on the content that you don’t want people to access and can use the checkboxes in your user interface to block categories of web content with the click of a mouse. To make the internet family friendly, you can check the adult content checkbox to ensure pornographic material cannot be accessed through your Wi-Fi network. You can also block access to illegal websites to protect your business, such as torrents sites where copyright-infringing downloads of music, software, and films take place. Controls can also be applied to limit access to streaming websites to conserve bandwidth and make sure everyone can enjoy fast internet speeds.
WebTitan has categorized more than 500 million websites into 53 categories, including all of Alexa’s top million websites and web content in 200 languages. You can set internet content controls for different locations, different user groups, and you can manage multiple locations through a single portal.
Blacklists are a useful way to ensure unsuitable or illegal content cannot be accessed. One of the main blacklists is maintained by the Internet Watch Foundation and includes webpages and websites known to host child pornography and child abuse-related content.
Blacklists also protect Wi-Fi users from malicious content, such as phishing websites and sites hosting malware and ransomware, which can help you to protect your users and your company’s reputation.
WebTitan Cloud for Wi-Fi is ideally suited to all businesses that provide Wi-Fi access, such as:
Wireless Wi-Fi ISPs, MSPs and other Wi-Fi service providers
Cafes, coffee shops & restaurants
Retail outlets & shopping malls
Schools & universities
Health systems & hospitals
Rail & bus networks
This Safer Internet Day is the perfect time to implement a DNS filtering solution to make your Wi-Fi (or wired) network much safer for all users.
To find out more about WebTitan Cloud for Wi-Fi, WebTitan Cloud for wired networks, for a product demonstration, or to register for a free trial, contact TitanHQ today.
On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect, giving state residents greater control over the use and sale of their personal data and introduced. In this post we explore the CCPA data security requirements for businesses and the consequences of failing to adequately protect consumer data.
What is the California Consumer Protection Act?
California already had some of the strictest privacy laws in the United States, but CCPA took consumer privacy a step further. CCPA has been likened to the EU’s General Data Protection Regulation (GDPR), as it gives California residents similar rights over the personal data collected and used by companies.
CCPA requires companies to inform California residents about the categories of data that are being collected, at or before the point of collection. There is a right to access all personal information held by a company and find out with whom personal data has been shared. Consumers have a right to opt out and prevent their personal data from being sold and can request that their personal data is deleted. Consumers also have a right to equal services and prices, and cannot be discriminated against, or denied goods or services or levels of services if they opt out of the sale of their personal data.
Who Must Comply with CCPA?
On January 1, 2020, CCPA applies to all companies that do business with California residents, regardless of where the company is based, if one of the following conditions is met:
The company generates revenues of at least $25 million each year; or
The company collects, purchases, sells, or shares the personal data of at least 50,000 people; or
The company generates at least 50% of its revenues from the sale of personal data
CCPA does not apply to insurance institutions, agents, and support organizations, which are covered by different state laws.
CCPA Data Security Requirements
CCPA does not specify what security measures need to be implemented to protect the personal data of California residents; however, businesses do have a duty to implement reasonable security measures based on the level of risk, in accordance with other state laws. Under CCPA, penalties can be applied for a “violation of the duty to implement and maintain reasonable security procedures and practices.”
Since legal action can be taken against companies over a breach of personal data, it is important for companies to ensure appropriate measures are taken to protect data and prevent data breaches.
CCPA does not specify what controls need to be implemented nor what constitutes “reasonable security procedures and practices.” A 2016 Data Breach Report released by the California Attorney General acts as a good guide. It includes a list of 20 controls that the Center for Internet Security says are requirements to protect against known cyberattack vectors. These should therefore serve as guide to the CCPA data security requirements. They are:
How TitanHQ Can Help You Comply with CCPA Data Security Requirements
Email is the most common attack vector used for phishing and malware distribution, so safeguards need to be implemented to keep email systems secure. Phishing attacks often have a web-based component where credentials are harvested, and many malware downloads occur via the internet. Internet controls are therefore also essential to protect against cyberattacks and data breaches. Due to the risk of attack via email and the web, email and browser protections are listed as the first of the foundational Center for Internet Security controls.
This is an area where TitanHQ can help. We have developed two powerful cloud-based security solutions that can help you meet CCPA data protection requirements.
SpamTitan Email Security is a powerful spam filtering solution that keeps inboxes free from email-based threats. SpamTitan incorporates multiple layers of anti-spam and anti-phishing controls, including Sender Policy Framework (SPF), DMARC, SURBL’s, RBL’s Bayesian analysis and more. SpamTitan uses twin antivirus engines to block known malware threats and sandboxing to protect against breaches and data loss from zero-day threats.
WebTitan is a cloud-based DNS filtering solution that protects against the internet component of phishing attacks and stops wired and wireless network users from accessing malicious websites. These solutions will help you meet your email and web security responsibilities and protect your organization from phishing attacks, malware and ransomware downloads. Together they will help you prevent costly data breaches and avoid the resultant CCPA fines.
Penalties for Noncompliance with CCPA
Each intentional violation carries a maximum penalty of $7,500 per record. Unintentional violations carry a penalty of $2,500 per record.
There is also a private cause of action in CCPA. In the event of a data breach, victims of the breach can sue for a CCPA violation. Statutory damages of between $100 and $750 by each California resident affected by the breach. Alternatively claims can be made for actual damages, whichever is greater, along with other relief determined by the courts. Class action lawsuits are also permitted under CCPA. The California Attorney General can also take legal action against the company rather than permitting civil suits to be filed.
TitanHQ and Pax8 have announced a new strategic partnership that will see TitanHQ’s cloud-based email security and DNS filtering solutions incorporated into the Pax8 ecosystem.
Pax8 simplifies the journey into the cloud through billing, provisioning, automation and industry-leading PSA integrations and is proven leader in cloud distribution. Pax8 has achieved position 60 in the 2019 Inc. 5000 list of the fastest growing companies and has been named CRN’s Coolest Cloud Vendor and Best in Show at the NextGen and Xchange conferences for two years in a row.
In order to have products added to the Pax8 marketplace, vendors must have developed exceptional channel friendly solutions. As the leading provider of cloud-based email and web security solutions for managed service providers (MSPs) serving the SMB marketplace, TitanHQ was an ideal fit.
Under the new partnership, Pax8 partners will have easy access to TitanHQ’s leading email security solution, SpamTitan Cloud, and can protect clients from web-based threats with WebTitan Cloud, TitanHQ’s DNS filtering solution.
These cloud-based AI-driven solutions help MSPs secure their own environments and protect their clients from malware, ransomware, botnets, viruses, and phishing and email impersonation attacks and avoid costly data breaches.
Both solutions have been developed with MSPs firmly in mind. The solutions are easy to integrate into an MSP’s security stack through TitanHQ’s APIs, there are multiple hosting options, the solutions can be supplied in white label form, and there are generous margins. Pax8 partners also benefit from a fully transparent pricing policy and industry leading technical support.
TitanHQ’s solutions have much loved by users and are consistently rated highly on business software review platforms, including G2 Crowd, Gartner Peer Insights, and Capterra.
“Our partners are excited about the addition of TitanHQ and the ability to protect their clients’ businesses by blocking malware, phishing, ransomware, and links to malicious websites from emails.” said Ryan Walsh, chief channel officer at Pax8.
You will no doubt have heard of a man in the middle (MiTM) attack. Here we define this attack method, explain how a MiTM attack occurs, and show you how to prevent a man in the middle attack and keep your devices and networks secure.
What is a Man in the Middle Attack?
Man in the middle attacks are commonly cited as a threat, but what exactly is a man in the middle attack? As the name suggests, this is a scenario where a person inserts him or herself between two communicating systems and intercepts conversations or data sent between the two. It is the computer equivalent on eavesdropping on a phone call where neither party is aware that their conversation is not private and confidential.
With a phone call, eavesdropping would allow an attacker to gather a host of sensitive information, which is divulged verbally between both parties. In this scenario, the attacker does not influence the conversation. He/she must wait until a valuable nugget of information is disclosed by either party.
A MiTM attack is concerned with intercepting data transferred between two parties. This could be data sent between a smartphone app and a server, between two parties on a messaging app such as WhatsApp, or an email conversation between two parties. It could also be communication between a user’s browser and a website.
In contrast to the telephone call scenario, which is passive, in a MiTM attack the attacker can influence what is being said. In fact, with a MiTM attack, the two people or systems communicating are not really communicating with each other. Each is communicating with the attacker.
Take email for example. Person A initiates an email conversation with Person B and requests a wire transfer to pay for services rendered. Person A supplies the bank details, and Person B agrees to the wire transfer. Various details are discussed, and the transfer is eventually made. There could be 10 or more messages sent by each party in the conversation. Each message between the two is altered by the attacker, crucially including the bank account details for the transfer. Neither party has been communicating with each other, yet both parties would be convinced they are.
Types of Man in the Middle Attack
The goal of a MiTM is to intercept information, usually for financial gain, but there are different ways that this can be achieved. Generally speaking, there are four main ways that a MiTM attack occurs: Packet sniffing, packet injection, session hijacking, and SSL stripping
Packet sniffing is one of the most common MiTM attack methods and is a type of eavesdropping or wiretapping, except it is not phone conversations that are obtained. It is packets of data sent between the two systems. Packet sniffing is much easier when sensitive data is not encrypted, such when information is disclosed between a browser and a HTTP website, rather than HTTPS where the connection is encrypted.
The above email example is a type of packet injection. Data is intercepted, but additional packets are introduced, or data packets are altered. For instance, malware could be introduced.
Session hijacking is where an attacker hijacks a session, such as a session between a browser and a banking website where the user has logged in. In this example, the attacker is the one in control of the session. SSL stripping is where a HTTPS session, which should be secure as the session is encrypted, is stripped of the encryption, turned from HTTPS to HTTP, and data is identified. This latter example is utilized by web filtering solutions that feature SSL inspection. It allows businesses to check for threats in encrypted traffic.
How to Prevent a Man in the Middle Attack
Fortunately, MiTM attacks can be difficult to perform, so the potential for an attack is limited, but there are skilled hackers who can – and do – perform these attacks and gain access to sensitive data and empty bank accounts. One of the most common examples is a coffee shop scenario where an attacker creates an evil twin hotspot. When a user connects to this evil twin – a Wi-Fi network set up to look like the genuine coffee shop Wi-Fi hotspot – all data sent between their browser and the website is intercepted.
There are several steps you can take to prevent a Man in the Middle Attack.
Never disclose sensitive data when connected to an untrusted public Wi-Fi network. Only ever connect via a VPN, and ideally wait until you are on a trusted Wi-Fi network to access online bank accounts.
Ensure the website is protected by an SSL certificate (starts with HTTPS). Bear in mind that hackers also use SSL certificates, so HTTPS does not mean a website is genuine.
Do not use hyperlinks included in emails, always visit the website directly by typing the correct URL into your browser or finding the correct URL through a Google search.
Do not install unauthorized software, apps from third-party app stores, and do not download and use pirated software.
Businesses should implement a DNS filtering solution to protect their workers and prevent them from visiting malicious websites.
Make sure your networks are secured and have appropriate security tools installed.
Disable insecure SSL/TLS protocols on your website (Only TLS 1.1 and TLS 1.2 should be enabled) and implement HSTS.
At face value, SpamTitan and VadeSecure may appear to be equivalent products. In this post we offer a comparison of SpamTitan and VadeSecure to help managed service providers (MSPs) differentiate between the two solutions.
SpamTitan and VadeSecure
SpamTitan and VadeSecure are two email security solutions that block productivity-draining spam emails, phishing emails, and malspam – spam emails that deliver malware or malware downloaders. These cloud-based solutions assess all incoming emails and determine whether they are genuine communications, unwanted spam, or malicious messages and deal with them accordingly to prevent employees from opening the messages.
TitanHQ is the leading provider of cloud-based email and web security solutions for MSPs that serve the SMB market and has been providing email security for MSPs for more than 2 decades. SpamTitan is TitanHQ’s email security offering, which has been developed for SMBs and MSPs that serve the SMB market.
VadeSecure is a French company that has developed an email security solution for the SMB market. As is the case with SpamTitan, VadeSecure offers protection from email-based threats and provides an important extra layer of security, especially for Office 365 environments. The company is now venturing into the MSP market and has recently raised an additional $79 million in venture capital to help it make inroads into the MSP market. However, at present, the solution is primarily geared toward SMBs rather than MSPs that serve them.
Enhanced Phishing Protection for Office 365 Accounts
Office 365 is the most widely used cloud service by user count and 2019 figures show that Office 365 cloud services are used by 1 in 5 corporate employees, with Office 365 email being the most common. With so many businesses using Office 365 for email, it should come as no surprise that Office 365 email accounts are being heavily targeted by hackers and scammers.
Microsoft does have measures in place to block spam and phishing emails, but the level of protection provided by Exchange Online Protection (EOP) is not sufficient for many businesses. A large percentage of phishing emails manage to sneak past Microsoft’s defenses. According to research from Avanan, 25% of phishing emails are delivered to Office 365 inboxes.
Consequently, additional protection is required, and many businesses choose to implement an anti-phishing solution provided by third parties such as SpamTitan and VadeSecure. MSPs also offer third party solutions to block phishing attacks on Office 365 accounts, not only to better protect their customers, but also to reduce the amount of time they spend mitigating phishing attacks that have not been blocked by EOP.
SpamTitan and VadeSecure have been developed to work on top of Office 365 and add an important extra layer of protection for Office 365 email.
Here we will concentrate on a comparison of SpamTitan and VadeSecure with a specific focus on the features and benefits for MSPs rather than SMBs.
Comparison of SpamTitan and VadeSecure for MSPs Serving the SMB Market
Since VadeSecure has historically focused on the Telco market, the email security solution lacks many features to make MSP’s lives easier and does not provide the level of control, flexibility, or the management tools and reports that MSPs seek. SpamTitan has been developed by MSPs for MSPs, so important features for MSPs have always been offered. We will cover these features below, but initially it is useful to include an infographic that summarizes some of the basic features of SpamTitan and VadeSecure for comparison purposes.
Basic Features of SpamTitan and VadeSecure
SpamTitan Features for MSPs Not Offered by VadeSecure
This comparison of SpamTitan and VadeSecure may seem a little one-sided, and that is because VadeSecure is very much focused on end users rather than MSPs. No doubt the solution will be updated to incorporate more MSP-friendly features over time as the company tries to move into the MSP market, but at present, the features below are provided by SpamTitan but are not offered by VadeSecure.
Configuration Flexibility and Customization Potential
One of the biggest bug bears with VadeSecure is the inability to configure the solution to suit the needs of MSPs. It is not possible to create custom rules for instance, and MSPs must therefore use the Exchange Admin functionality of Office 365.
With SpamTitan, MSPs can create rules based on their own requirements and the needs of each individual client, and those rules can be highly granular and can easily be applied to specific groups, users, and for specific domains. That level of granularity and the ease of customization allows MSPs to fine-tune filtering policies to maximize the detection of threats while minimizing false negatives. MSPs can easily select more permissible or more aggressive policies for each client, but with VadeSecure there is no option for customization for each customer.
SpamTitan includes a full multi-tenancy view of all customers, with multiple management roles. This allows MSPs to easily monitor their entire customer base and trial base, assess the health of the deployments, view activity volumes across all customers, and quickly identify issues that require attention. With VadeSecure, there is no possibility of integrating with PSAs and RMMs, and there is no customer-wide view of the entire system.
Highly Granular Reporting
MSPs can tell their clients how important it is to improve their security defenses, but they must also be able to demonstrate that the solutions are proving effective at blocking threats to ensure they can continue to provide those services and receive regular, repeating revenue.
With SpamTitan, MSPs have highly granular reports that give them full visibility into what is happening and a detailed view of system performance. Client reports can easily be generated to show them how effective the solution is and why it is important to keep it in place. Furthermore, this level of reporting – per domain, per group, and at the group domain level – gives MSPs the information they need to identify potential issues and obtain detailed information on spam emails. The solution also has the management capabilities to allow any issues to be quickly identified and corrected to ensure the solution remains effective over time. With VadeSecure, visibility and control options are lacking and there are no options for demonstrating how effective the solution is and to demonstrate that to clients.
High Margins and Significant Revenue Potential
As previously mentioned, the flexibility and scope for customization is a real benefit for MSPs as it allows them to add more value through superior management capabilities. That means MSPs can build solutions that really benefit their clients and it helps them become more of a strategic partner rather than an IT service provider. It is much harder for clients to change a strategic partner than switch IT service providers. VadeSecure lacks this customization which means it is not possible for MSPs to add value to generate reliable, recurring revenue.
Further, with VadeSecure you get one product, but TitanHQ offers a trio of solutions for MSPs to better protect their clients and add more recurring revenue streams. Through the TitanShield for Service Providers program, MSPs also have access to WebTitan DNS filtering and ArcTitan email archiving. This allows MSPs to maximize revenue from each client by cross-selling new services, while also offering a layered security package to protect clients from the full range of email- and web-based threats.
Fully Transparent Pricing
When it comes to pricing, VadeSecure (and many other email security solutions) lack transparency and the pricing model is complex and expensive. Several features are not included as standard with VadeSecure and come at an additional cost. This makes it hard to perform a SpamTitan and VadeSecure pricing comparison.
For instance, with VadeSecure the solution is priced per module, so the Greymail, Spam, and Virus Protection options are not provided as standard and have to be added onto the cost. Based on feedback we have received from MSPs the solution is expensive, which reduces MSP profits and makes the email security solution more difficult to sell to SMBs.
With VadeSecure, the total number of users is not aggregated, which shows a lack of experience of working with MSPs. An MSP with 100 x 10-seat licenses will have that pay at 10 seats each rather than 1,000 seats overall. As such, discounts will be far lower.
With SpamTitan there is just one price which includes all features, including sandboxing, full support, dual anti-virus protection, all security modules, and updates. Furthermore, the price is exceptionally competitive (less than $1 per user). The pricing model was created to incorporate the flexibility for dealing with fluctuating numbers of customers, which often happens when providing managed email services.
Effectiveness at Blocking Threats
Price, usability, and flexibility are all important for MSPs, but features and benefits are the icing on the cake. Email security solutions are used to protect against threats, so the effectiveness of a solution is critical. SpamTitan and VadeSecure are effective at blocking threats and will provide an important additional layer of security for Office 365 users, but feedback we have received from MSPs show there is a clear winner.
VadeSecure includes ‘time-of-click’ protection against embedded hyperlinks, which rewrites URLs and sends them to a scanner. However, MSPs have reported that it can take a long time for phishing emails to be detected, even after threats would be blocked by Chrome. That means that phishing emails are being delivered and there is a window during which a successful attack could occur. This URL click feature only appears to work in OWA or the Outlook client as it is an API integration with Office 365.
SpamTitan includes more advanced detection methods to ensure that malicious URLs are detected and phishing emails are filtered out. SpamTitan includes SURBL filtering and other malicious URL detection mechanisms that complement the default mechanisms in Office 365 such as Recipient Verification Protocols, Sender Policy Frameworks, and Content Filter Agents. This means end users are better protected and there is a much lower probability of a phishing email evading detection.
Dual anti-virus protection is also provided and SpamTitan features a sandbox where suspicious attachments can be safely analyzed for malicious actions. This provides superior protection against malware, ransomware, and zero-day threats that are not detected by the two AV engines.
The WannaCry ransomware attacks that started on May 12, 2017 were blocked quickly when a kill switch was identified and activated, but how much money did WannaCry make during the time it was active?
WannaCry was a devastating global cyberattack, the likes of which had been predicted by many cybersecurity professionals but had yet to materialize. WannaCry was the fastest spreading ransomware ever created.
WannaCry combined ransomware with a worm, which allowed it to automatically spread and infect huge numbers of devices on a network. The ransomware exploited a vulnerability in Windows Server Message Block (SMBv1) using an NSA exploit called EternalBlue.
The flaw exploited by EternalBlue had been reported to Microsoft and a patch was issued in March 2017, two months before the attacks started. However, many businesses were slow to apply the patch and were vulnerable to attack. Within a matter of hours, around 200,000 computers had been attacked in 150 countries. It is worth noting here that there are still many computers that have not been patched more than 2 and a half years after the patch was released, in spite of widespread news coverage about the threat of attack and its huge cost. WannaCry is still one of the biggest ransomware threats and accounts for a significant percentage of all successful ransomware attacks in 2019.
WannaCry was blocked by a British security researcher who discovered the ransomware checked a domain name prior to encrypting data, but that domain name had not been registered. He purchased the domain name, thus preventing file encryption.
That said, the speed at which the ransomware spread meant many devices were infected and encrypted. Since businesses were not protected if the ransomware encryption had already started by the time the kill switch was activated, the attackers must have had a huge payday. So how much did WannaCry make?
By today’s standards, the ransom demand was very small. Just $300 per infected device, which doubled to $600 if the payment was not paid within 3 days. It is actually easy to see how many payments were made, as the transactions are detailed in the blockchain. The recipient remains anonymous, but the payments can be seen.
The three Bitcoin addresses known to have been used in the WannaCry attacks currently show 430 payments have been made and 54.43228033 BTC has been sent to those accounts. The value of BTC is somewhat volatile and was much higher at points between now and the attacks, but at today’s exchange rate that equates to around $386,905. Most of the BTC payments have now been moved out of the accounts so they attackers have managed to cash out. Payments are also still being made to those accounts. The latest payments to one of the addresses were made in December 2019.
$386,905 may not seem like much of a payday considering the number of devices infected and the damage caused by the attack, and it’s not. Further the attackers will need to convert that total to real money, and a considerable amount will be lost in that process. The payday was tiny considering the scale of the attack. However the cost of the attack to businesses was colossal.
The National Health Service in the United Kingdom was hit bad and the cleanup operation, and loss of business while that occurred, has been estimated to have cost £92 million. That was just one victim, albeit a major one. Estimates on the total cost of WannaCry range from hundreds of millions to $4 billion globally.
Next time you delay applying a patch or updating software, consider WannaCry and the potential costs of exploitation of a vulnerability. In all of the above cases – all 200,000+ attacks – applying the patch would have prevented the attack and the huge cost of remediation.
Black Friday phishing scam are rife this year. With almost a week to go before the big discounts are offered by online retailers, scammers are stepping up their efforts to defraud consumers.
Spam email campaigns started well ahead of Black Friday this year and the scams have been plentiful and diverse. Black Friday phishing emails are being sent that link to newly created websites that have been set up with the sole purpose of defrauding consumers or spreading malware and ransomware. It may be a great time of year to pick up a bargain, but it is also the time of year to be scammed and be infected with malware.
A wide range of spam emails and scam websites have been detected over the past few weeks, all of which prey on shoppers keen to pick up a bargain. This year has seen the usual collection of almost too-good-to-be-true offers on top brands and the hottest products, free gift cards, money off coupons, and naturally there are plenty of prize draws.
Anyone heading online over the next few days to kick start their holiday shopping spree needs to beware. The scammers are ready and waiting to take advantage. With legitimate offers from retailers, speed is of the essence. There is a limited supply of products available at a discount and shoppers are well aware that they need to act fast to secure a bargain. The scammers are playing the same game and are offering limited time deals to get email recipients to act quickly without thinking, to avoid missing out on an exceptional deal.
This time of year always sees a major uptick in spam and scams, but this year has seen much more sophisticated scams conducted than in previous years. Not only are the scammers insisting on a quick response, several campaigns have been identified that get users to help snag more victims. In order to qualify for special offers or get more deals, the scammers require users to forward messages and share social media posts with their friends and contacts. This tactic is highly effective, as people are more likely to respond to a message or post from a friend.
So how active are the scammers in the run up to Black Friday and Cyber Monday? According to an analysis by Check Point, the number of e-commerce phishing URLs has increased by 233% in November. Those URLs are being sent out in mass spam campaigns to direct people fake e-commerce sites that impersonate big name brands. Those sites are virtual carbon copies of the legitimate sites, with the exception of the URL.
While consumers must be wary of Black Friday phishing scams and potential malware and ransomware downloads, businesses should also be on high alert. With genuine offers coming and going at great speed, employees are likely to be venturing online during working hours to bag a bargain. That could easily result in a costly malware or ransomware infection.
The scams are not limited to the run up to Black Friday. Cyber Monday scams can be expected and as holiday season fast approaches, cybercriminals remain highly active. It’s a time of year when it pays to increase your spam protections, monitor your reports more carefully, and alert your employees to the threats. A warning email to employees about the risks of holiday season phishing scams and malicious websites could well help to prevent a costly data breach or malware infection.
Its also a time of year when a web filtering solution can pay dividends. Web filters prevent employees from visiting websites hosting exploit kits, phishing kits, and other known malicious sites. They can also be configured to block downloads of malicious files. A web filter is an important extra layer to add to your phishing defenses and protect against web-based attacks.
If you have yet to implement a web filter, now is the ideal time. TitanHQ is offering a free trial of WebTitan to let you see just how effective it I at blocking web-based threats. What’s more, you can implement the solution in a matter of minutes and get near instant protection from web-based phishing attacks and holiday season malware infections.
According to research from Channel Futures, security is the fastest growing service for 73% of managed service providers (MSPs). If you have yet to start offering security services to your clients, you are missing out on a steady income stream that could really boost your profits. But where should you start? What services should you be offering? In this post we will be exploring the ideal security stack for MSPs and the essential services that should form the core of your security offering.
Why is Managed Security is so Important?
As an MSP, you should be aware of the importance of security. Companies are being targeted by cybercriminals and data breaches are occurring at an alarming rate. It is no longer a case of whether a business will be attacked, it is a case of when and how often.
Many SMBs do not have sufficiently skilled staff to handle IT and it is far easier, and often more cost effective, to outsource their IT to MSPs. The same is true for security, but even more so due to the difficulty finding sufficiently skilled cybersecurity staff. With so many positions available and a national shortage of cybersecurity staff, cybersecurity professionals can afford to pick and choose there they work. SMBs must ensure they are well protected against cyberattacks, so they look to MSPs to provide security-as-a-service either as a stop gap measure while they try to fill internal positions or so they can forget about security and let an MSP look after that side of the business.
If you are not providing security services to your clients, they will most likely search for another MSP that can protect their business from threats such as malware, ransomware, phishing, botnets, and prevent costly data breaches.
What do SMBs Want?
SMBs may be aware of the need for security, but they may not be so clued up about the solutions they need to protect them from cyber threats. You may need to explain to them exactly what they need and why. What is vital when explaining cybersecurity to SMBs is to emphasize the need for layered security. No single solution will provide protection against all threats and you will need to educate your clients about this.
Layered security is essential for protecting against ever increasing cybersecurity threats. No single solution will provide total protection. You need overlapping layers so that if one layer is bypassed, others are there to block the attack.
You should certainly be initiating conversations with your clients about security. Many SMBs only look for security services after they experience a costly data breach. By being proactive and approaching your clients and offering security services, you will not only have a much greater opportunity for increasing sales quickly, you will help them avoid a costly data breach and will not have to clear up the mess that such a breach causes.
What is the Ideal Security Stack for MSPs?
The best place to start is with a cybersecurity package that includes the core security services that all businesses need to protect them from a broad range of threats. Different packages can be offered based on the level of protection your clients need and their level of risk tolerance. Extra services can always be provided as add-ons.
There are four key security services you should be offering to your clients to give them enterprise-grade protection to secure their networks and protect against the main attack vectors. The ideal security stack for MSPs will differ from company to company, depending on the kind of clients that each MSP has. It may take some time to find the ideal security stack, but a good place to start is with core security services that every business will need.
Core Security Services for MSPs
Firewalls are essential for securing the network perimeter and separating trusted from untrusted networks. They will protect network resources and infrastructure against unauthorized access. It may even be necessary to implement multiple firewalls.
Email security is essential as this is the most common attack vector. Without email security, malware and phishing emails will hit inboxes and employees’ security awareness will be regularly put to the test. The threat of email attacks cannot be understated.
Email security must be explained to clients to ensure they understand its importance and why standard email security such as that provided by Microsoft through Office 365 simply doesn’t cut in anymore. Too many threats bypass Office 365 defenses. A study by Avanan showed that 25% of phishing emails bypass Office 365 security and are delivered to inboxes.
DNS filtering is also a requirement to protect against web-based attacks such as malvertising, drive-by downloads, and exploit kits. Even the best email security solutions will not block all phishing threats. DNS filtering provides an additional layer of security to protect against phishing attacks. While email was once the primary method of delivering malware, now malware is most commonly delivered via web-based attacks. The average business user now encounters three malicious links per day and 80% of malware is downloaded via the internet. Further, with more and more employees spending at least some of the week working remotely, protection is needed for public Wi-Fi hotspots. DNS filtering provides that protection when they are off the network.
Endpoint security solutions add another layer to the security stack. If any of the above solutions fail and malware is downloaded, endpoint security solutions will provide extra protection. This can include basic protection such as antivirus software or more advanced solutions such as intrusion detection systems.
When choosing solutions for your security stack, it is important to make sure they work seamlessly together. This can be difficult if you purchase security solutions from a lot of different vendors.
Additional Services to Add to your Security Stack.
The above security services should form the core of your security offering, but there are many additional services you can easily provide to ensure your clients are better protected. These can be offered as addons or as part of more comprehensive security packages.
Data loss protection
Email archiving and backup services
Vulnerability scanning and patch management
Security policy management
Security information and event management (SIEM)
Incident response and remediation
Security awareness training and phishing email simulations
How TitanHQ Can Help
TitanHQ is the global leader in cloud-based email and web security solutions for the MSP that services the SMB market. TitanHQ products are consistently rated highly by MSPs for the level of protection, ease of use, ease of admin, and the level of support provided.
The TitanHQ portfolio of cybersecurity products consists of three core solutions:
SpamTitan Email Security
WebTitan DNS Filtering
ArcTitan Email Archiving
Each of these solutions has a 100% cloud-based architecture and has been developed for MSPs to easily incorporate into their security stacks. TitanHQ offers seamless deployments and easy incorporation into MSP’s management portals via RESTful API.
The above solutions can be supplied with multiple hosting options. You can host with TitanHQ, on your existing infrastructure or in the cloud with AWS, Azure or any other system.
SMBs want to know they are protected, but many don’t care about what solutions are used. This gives you an opportunity to reinforce your brand. This is easily achieved with TitanHQ as the above solutions can be provided in white label form, ready for you to add your own branding. You can even customize the user interface and only include the features that you need to reduce complexity.
Need reports for your clients? No problem. TitanHQ has an extensive range of pre-configured reports that can be scheduled to ease your admin burden, including board-level reports with scope to create your own reports to meet you and your clients’ needs.
Other key features for MSPs include:
Automated policy management
Full visibility of usage
Flexible, affordable, and transparent pricing with monthly billing
Set and forget solutions to ease the admin burden
World-class customer support included with all solutions
Generous margins for MSPs
Excellent MSP program – TitanShield – with dedicated account managers, assigned sales engineers, scalable pre-sales and technical support, and sales and technical training
TitanHQ has made it as easy as possible for MSPs to start offering security services to their clients. These solutions will also help established security-as-a-service providers ease their management burden and improve their margins.
To find out more about the TitanShield program and for further information on any or all of TitanHQ’s security solutions for MSPs, get in touch with the channel team today. Product demonstrations can be arranged and free 14-day trials are available to allow you to see for yourself why TitanHQ is the leading provider of email and web security solutions for MSPs.
The Racoon Stealer is a relatively new form of malware that was first detected in April 2019. The malware is not sophisticated, it does not incorporate any never before seen features, in fact it is pretty unremarkable. The Racoon Stealer can take screenshots, harvest system information, monitor emails, and steal information from browsers, such as passwords, online banking credentials, and credit card numbers.
However, the malware is effective and very popular. In the past six months, the Racoon Stealer has been installed on hundreds of thousands of Windows devices and it is now one of the most talked about malware variants on underground forums.
What makes the Racoon Stealer stand out is a highly aggressive marketing campaign aimed at signing up as many affiliates as possible. Racoon is being marketed as malware-as-a-service on underground forums and affiliates can sign up to use the malware for a flat fee of $200 per month.
The information stealer can be used to steal a range of sensitive information such as passwords, credit card numbers, and cryptocurrencies. Under this distribution model, affiliates do not have to develop their own malware, and little skill is required to start conducting campaigns. The malware developers are also providing bulletproof hosting and are available to give affiliates support 24/7/365, and the package comes with an easy to use backend system.
While the cost is certainly high compared to other malware-as-a-service and ransomware-as-a-service offerings, affiliates are likely to make that back and much more from the information that they can steal. There is no shortage of takers.
How is the Racoon Stealer Being Distributed?
Affiliates are distributing the Racoon Stealer via phishing emails containing Office and PDF files that incorporate code that downloads the Racoon payload. The information stealer has been bundled with software on third-party websites, although a large percentage of the infections come from exploit kits.
The Racoon Stealer has been added to both the Fallout and Rig exploit kits which are loaded onto compromised websites and attacker-owned domains. Traffic is sent to those sites via malicious adverts on third party ad networks (malvertising).
When a user lands on a webpage hosting an exploit kit, their device is probed for vulnerabilities that can be exploited. If a vulnerability is found it is exploited and the Racoon Stealer is silently downloaded.
Once installed, Racoon connects to its C2 server and the resources required to start stealing information are obtained, that information can be sold on darknet marketplaces or used by affiliates to conduct their own attacks.
Given the huge potential for profit, it is no surprise that malware developers are now opting for this business model. The problem is likely to get a lot worse before it gets better and the threat from these malware-as-a-service offerings is significant.
How to Block the Racoon Stealer and Other Web and Email Threats
Fortunately, there are steps that businesses can take to improve their defenses against these MaaS campaigns.
Exploit kits usually incorporate exploits for a small number of known vulnerabilities rather than zero-day vulnerabilities for which no patches have been released. To block these exploit kit attacks, businesses need to apply patches and update software promptly.
It is not always possible for businesses to apply patches promptly as extensive testing may be necessary before the patches can be applied. Some devices may be skipped – accidentally or deliberately due to compatibility issues. Those devices will remain vulnerable to attack.
Patching is important, but it will not stop drive-by malware downloads from the internet that do not involve exploit kits. What is therefore required is a web security solution that can block access to malicious sites and prevent downloads of risky file types.
A DNS filtering solution such as WebTitan provides an additional layer of security to block these web-based threats. Through a combination of blacklists, content control, and scanning websites for malicious content, businesses can protect themselves against web-based attacks. A DNS filter will also prevent employees from visiting websites used for phishing.
Blocking attacks that take place via email requires strong email security defenses. An advanced spam filter such as SpamTitan can prevent malicious emails and attachments from reaching end users’ inboxes. SpamTitan scans all incoming emails for malware using two anti-virus engines but is also effective at blocking zero-day threats. SpamTitan includes a Bitdefender-powered sandbox, where suspicious attachments are subjected to in-depth analysis to identify any potentially malicious actions.
With these two solutions in place, businesses will be well protected from malware threats and phishing attacks and managed service providers can ensure their environment and those of their clients are kept malware free.
To find out more about these two powerful anti-malware solutions and to discover why TitanHQ is the global leader in cloud-based email and web security for the managed service provider serving the SMB market, give the TitanHQ team a call.
The event will be attended by thousands of IT professionals, business owners, and industry leaders who will be discussing the IT industry, recent advances in information technology, and the latest trends affecting MSPs. The conference provides an excellent opportunity for learning, networking, and collaboration and boasts an extensive program of interactive sessions, keynotes, and in-depth training sessions. The event also showcases the latest IT solutions and provides tips and tricks to ensure every ounce of value is squeezed from those tools.
This year’s event promises to be bigger and better than ever before, thanks to an all-star cast of thought leaders and industry professionals who will provide practical advice to help you improve every aspect of your business.
Connect IT Europe covers the entire Kaseya universe and the diverse ecosystem of solutions that serve IT professionals. The conference will help attendees find new revenue streams, increase their profit margins, and simplify IT management through educational presentations, workshops, roundtables, and interactive challenges.
As the leading provider of cloud-based email and web security solutions for MSPs serving the SMB market, TitanHQ is proud to be a Silver sponsor of the event. Attendees will have the opportunity to discover why TitanHQ is the leading provider of cloud-based email and web security solutions for MSPs servicing the SMB marketplace and the features and benefits of SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving that make the solutions such a hit with MSPs and IT professionals.
The event will be attended by TitanHQ Strategic Alliance Manager Marc Ludden and Alliances/MSP Partner Manager Eddie Monaghan. Marc and Eddie will be explaining the recently launched TitanShield program for MSPs and how TitanHQ solutions can help MSPs improve efficiency, profitability, and security of their operations and enhance their customers’ security postures.
If you would like further information on TitanHQ products, feel free to reach out to Marc and Eddie ahead of the event:
Eddie Monaghan, MSP Alliance Manager, LinkedIn
Marc Ludden, MSP Alliance Manager, LinkedIn
TitanHQ is proud to be a platinum sponsor of DattCon19, Paris – The leading event for MSPs looking to keep up to date on the latest industry trends, learn best practices, form new and profitable partnerships, and obtain invaluable advice that will help them grow their business and become more successful.
The event gives the TitanHQ team an opportunity to meet with leading MSPs, MSSPs, and ISPs and explain why TitanHQ is the global leader in cloud-based email and web security solutions for the MSP that services the SMB market.
The team will be available to explain the benefits of the TitanShield MSP program and show just how easy it is to integrate TitanHQ products into your service stacks and start rolling out spam filtering, web filtering, and email archiving to your customers… and the best way to sell those services, reduce the time you spend on providing support, and improve the profitability of your business.
The event will be attended by Rocco Donnino, TitanHQ VP of Strategic Partnerships, Marc Ludden, TitanHQ Strategic Alliance Manager, and Eddie Monaghan. Alliances/MSP Partner Manager.
On Tuesday October 22 between 11:15am and 11:35am, Rocco Donnino will be explaining Email & Web Security for the SMB Market. Rocco will talk about the trends TitanHQ are seeing in the email and web security for SMB markets globally, drawing on the experience from working with over 2,200 MSP customers worldwide.
Marc Ludden and Eddie Monaghan will be on hand to meet with MSPs and ISPs to explain the benefits of joining the TitanShield MSP Program and how best to take advantage of TitanHQ’s proven technology and deliver our advanced network security solutions directly to their client base. The pair will be helping MSP partners push TitanHQ products downstream to their customers and grow their businesses.
The event will be attended by more than 1000 MSPs, ITSPs, and industry leaders. Over the three days of the conference, attendees will get to hear from the most successful MSPs and MSSPs and discover what they are doing differently and how they are driving growth.
The sessions, keynotes, and networking opportunities will help you get better at running your business with Datto Solutions and discover how the addition of key products such as SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving can improve profitability and add greater value.
The keynotes will be bigger and better than ever before and will be taken by 80 of the best and brightest business tycoons, MSPs, and Datto executives, who will share valuable real-world insights and best practices.
The Peer Forums are more intimate small-group roundtable sessions that provide high-value networking on key topics. These sessions are driven by attendees who will share pain points, success stories, and best practices that have been proven to help MSPs grow their business. This year’s Peer Forums are on the following topics:
Service Delivery: Driving Efficiency & Automation
Selling Networking as a Managed Service
Women in Tech
French Language Peer Forum: Business Strategy
Service Delivery: Service Desk & Professional Services
M&A: How Do I Acquire or Be Acquired?
Security: Securing Your MSP First
German Language Peer Forum: Business Strategy
Service Delivery: Client Engagement & vCIO
Add to that the networking opportunities and the stunning location and you have an invaluable event that is not to be missed.
DattoCon19 Paris will be taking place on October 21st, 22nd and 23rd at the Palais des congrès de Paris, 2 Place de la Porte Maillot, 75017 Paris, France.
Malvertising is the term given to the abuse of ad networks to serve malicious adverts on legitimate websites that scam visitors by displaying popup ads or direct them to malicious websites hosting phishing forms or exploit code to silently deliver malware. Many website owners place third-party advertising blocks on their websites to increase revenue. While the ad networks have controls in place to prevent abuse, cybercriminals often succeed in bypassing those security measures.
One cybercriminal group has been particularly active over the past year and has been conducting attacks on a massive scale. Researchers at Confiant have been tracking the activity of the group – known as eGobbler – and report that the group delivered fake adverts on 500 million user sessions in Europe and the United States in the past week alone. The campaigns are on a truly massive scale. One of the latest campaigns, conducted between August 1 and September 23 involved around 1.16 billion ad impressions.
Typically, the criminals behind these campaigns target mobile users as the security protections on their devices are nowhere near as robust as on desktop computers; however, this campaign has targeted desktop users on Windows, Linux, and macOS.
Several content delivery networks have been used to serve the malicious adverts, which redirect users to websites that exploit two browser vulnerabilities to deliver their malicious payloads. The first is a bug in the Chrome browser – CVE-2019-5840 – which was patched by Google in June. The second is a zero-day vulnerability in WebKit, the browser engine used by old Chrome versions and the Safari web browser. The bug has already been patched for Safari, but currently Google has not patched Chrome. Since the latest browser engine used by Chrome is based on WebKit, later versions are also affected.
While sandboxing features protect advertising iframes, the zero-day vulnerability has allowed the group to break out of the iframes and display malicious code to visitors and perform redirects.
This cybercriminal group is atypical of most groups that use malvertising to deliver malware. The group is highly skilled and capable of finding bugs in the source code of browsers and conducts campaigns on a massive scale. The group poses a significant threat to internet users although there are steps that can be taken to reduce the likelihood of an attack.
Personal users can harden their defenses by using ad-blockers and ensuring they keep their browsers updated. Businesses similarly need to ensure browsers are updated and block these malicious adverts using a web filtering solution.
In addition to blocking malicious adverts, a web filter can be configured to block the download of malicious files and prevent employees from visiting phishing websites and other malicious websites. A web filter can also be used by businesses to enforce acceptable internet usage policies.
TitanHQ has developed a powerful DNS-based web filtering solution for SMBs and MSPs – WebTitan – that provides protection against malvertising and other types of web-based attacks. The solution is easy to use and can be implemented in just a few minutes. No technical skill is required.
Considering the level of protection provided by WebTitan, you are likely to be surprised at how little the solution costs. To find out more, to arrange a product demonstration, or to set up free trial of the full solution, give the TitanHQ sales team a call.
Due to the high cost per user, many SMBs and managed service providers (MSPs) are looking for an OpenDNS alternative that provides the same or better protection at a much lower cost. At TitanHQ, we have the solution. We offer an advanced cloud-based web filtering solution that provides excellent protection from online threats with highly granular filtering for precision control over the types of web content that can be accessed by end users.
In this post we will explain why so many SMBs and MSPs have signed up for our OpenDNS alternative, and why WebTitan Cloud is, in general terms, a direct swap out for OpenDNS. However, first we should explain about OpenDNS and Cisco Umbrella as the two names are often used interchangeably.
What is Cisco Umbrella?
OpenDNS is a company that was founded on 2006 and provides domain name system resolution services and provides protection against Internet threats. OpenDNS was acquired by Cisco in August 2015. Under the terms of the $635 million acquisition, the OpenDNS name was retained for its free-to-use home solutions but Cisco re-branded the business and enterprise solutions as Cisco Umbrella. The reason the OpenDNS solution cannot be used by businesses is due to the limits placed on the number of users. Since there is a maximum number of users that can be protected, the business version – Cisco Umbrella – must be used.
The Cisco Umbrella business DNS filtering solutions, which this post covers, are not free services, but paid subscription services. These subscription services are available in three different packages. The most basic package: Cisco Umbrella DNS Security Essentials; the mid-range solution: DNS Security Advantage; and the top level solution: DNS Secure Internet Gateway.
OpenDNS Cost Per User
First, let us consider one of the most important reasons for seeking an OpenDNS alternative: Cost. Cisco’s OpenDNS business DNS filtering service is a popular choice with enterprises, SMBs, and MSPs for good reason. It is an accomplished web filtering solution but that comes at a price. At the time of writing, the OpenDNS cost per user is around $2.20 per month (based on 100 users). While that is a small price to pay for the level of protection that a web filter provides and the potential for productivity increases through careful content control, the cost adds up. For 100 users, that’s $220 per month and $2,640 per year.
WebTitan costs $0.90 per user, per month. That’s just $90 per month and only $1,080 per year. That provides a saving of $1,560 per year based on a 1-year subscription and the cost can be lowered further with a 3-year subscription.
Such a major cost saving makes WebTitan Cloud a very attractive OpenDNS alternative, but price isn’t everything and lowest cost solutions are not always the best. In this case however, it is possible to save a small fortune without compromising security and control, while improving usability and gaining other important benefits.
A Direct Swap Out for OpenDNS That Will Save a Small Fortune
OpenDNS Cisco Umbrella and WebTitan are best-of-breed DNS-based web filtering solutions that combine advanced protection against malware, phishing, and other web-based threats. They also offer precision control for restricting access to certain types of online material.
Both solutions have been designed with the same core principles and both can be used to block downloads of file types commonly associated with malware and ransomware, such as .exe, .js, .scr, .dll and other executable file types.
To protect against phishing, both solutions support the use of blacklists – Lists of websites and IPs that have previously been identified as malicious or have a low trust score. These phishing web pages are often visited by end users after clicking embedded hyperlinks in emails. Both web filters therefore serve as an important additional layer of protection against phishing.
Both solutions allow filtering controls to be set for different users, at the individual, user group, department, or organization level via category-based filters, which makes it easy to quickly apply and enforce your acceptable Internet usage policies.
Both solutions offer a high level of protection, but for many SMBs and MSPs, the price of WebTitan is the deal clincher. However, there are several other benefits of WebTitan Cloud over OpenDNS.
WebTitan Cloud Advantages over OpenDNS
Some of the key advantages of WebTitan Cloud over OpenDNS are detailed below.
Certain types of businesses, such as MSPs, will be reluctant to direct users to an external cloud service. To meet the needs of those businesses, TitanHQ offers different hosting options. Typically, WebTitan is hosted within TitanHQ’s own environment, but it is also possible for the solution to be hosted locally to give users greater control and privacy.
The WebTitan pricing model is perfectly transparent and all features are included in the price, including customer support at no additional cost. TitanHQ can also offer flexible licensing and can negotiate commercial arrangements that suit both parties. OpenDNS Cisco Umbrella has a multi-tiered pricing system with some of the advanced features only available as an add-on which further increases the cost.
World Class Support
All WebTitan Cloud users benefit from industry leading, world class support, including scalable pre-sales and technical support and sales & technical training. Support is provided for all users at no additional cost. Support is also provided to customers taking advantage of the free trial.
There will be times when organization-wide or individual filtering controls need to be bypassed. Rather than changing a policy for a particular user and then having to revert back to the original policy, TitanHQ developed bypass codes called cloud keys. These cloud keys can be used to temporarily bypass filtering policies. They can be set to expire after a certain time period or after a certain number of uses.
An Ideal OpenDNS Alternative for Managed Service Providers
The biggest exodus from OpenDNS to WebTitan is MSPs. As mentioned in the previous section, the ability to host WebTitan locally is a major benefit for many MSPs who prefer to host their solutions in their own private clouds.
As an additional benefit, WebTitan Cloud can be supplied in full white-label form and is completely re-brandable. The solution allows customized block pages to be created – these pages are displayed when a user attempts to visit a web page that contravenes company policies. The UI can also be re-branded and customized to include corporate branding. OpenDNS does not offer MSPs a white-label solution and cannot be re-branded.
TitanHQ also ensures WebTitan Cloud fits seamlessly into MSPs service stacks through the use of APIs and RMM integrations. The multi-tenant dashboard allows MSPs to keep clients separated and apply controls on an individual client basis and also to manage client settings in bulk.
The low price of our OpenDNS alternative allows MSPs to add web filtering to their existing security packages to better protect their customers while saving themselves a great deal of support time. TitanHQ also offers monthly billing and high margins for MSPs. With WebTitan it really is possible to make 100 points.
How Do WebTitan and OpenDNS Compare?
One of the best ways to find out about how the two different solutions compare is to use independent review sites such as G2 Crowd. The site includes more than 650,000 reviews from verified users. Those users consistently rate WebTitan Cloud higher than alternative web filtering solutions and across the 6 rating areas, WebTitan Cloud achieves higher ratings than OpenDNS and is the highest rated solution out of all OpenDNS alternatives reviewed on the platform.
Speak to TitanHQ About Changing from OpenDNS to WebTitan
If you are looking for an OpenDNS alternative and would like further information about WebTitan Cloud, would like to book a product demonstration to see WebTitan Cloud in action, or are interested in signing up for a free trial of the full solution, contact the TitanHQ team today and our friendly sales staff will be happy to help.
Exploit kit activity may be at a fraction of the level of 2016 when peak activity was reached, but the threat has not gone away. In fact, the mid-year cybersecurity roundup from Trend Micro shows exploit kit activity is now triple the level of mid-2018. Websites hosting exploit kits still pose a significant threat to businesses.
Exploit kits are toolkits that contain exploits for vulnerabilities in popular software applications, such as Internet Explorer and Adobe Flash Player. When a user lands on a web page that hosts an exploit kit, it will scan the user’s browser for vulnerabilities. If an exploitable flaw is identified, malware is automatically downloaded and executed on the user’s device. In many cases, the downloading of a Trojan, ransomware, or other form of malware is not identified by the user.
Traffic is sent to exploit kits through malvertising – malicious advert – on high traffic websites. User’s can be directed to malicious websites through phishing emails, and it is also common for hackers to hijack high traffic websites and use them to host their exploit kit. That means users could visit a malicious website just through general web browsing.
There are several exploit kits currently in use such as Magnitude, Underminer, Fallout, Green Flash/Sundown, Rig, GrandSoft, and Lord. These exploit kits are pushing cryptocurrency miners and botnet loaders, although ransomware and banking Trojans are the most common payloads.
Many of the exploits used by these toolkits are for old vulnerabilities, but since businesses are often slow to apply patches, they still pose a major threat. Exploit kits such as GrandSoft and Rig are regularly updated and now host exploits for much more recently disclosed vulnerabilities.
One of the most recently identified campaigns has seen the threat actors behind Nemty ransomware team up with the operators of RIG to push their ransomware on businesses still using old, vulnerable versions of Internet Explorer.
A new exploit kit named Lord is being used to infect users with Eris ransomware. In this case, traffic is being directed to the exploit kit through malvertising on the PopCash ad network. The EK primarily uses exploits for flaws in Adobe Flash Player such as CVE-2018-15982.
Protecting against exploit kits is straightforward on paper. Businesses need to ensure that vulnerabilities are identified and patched promptly. If there are no vulnerabilities to exploit, no malware can be downloaded. Unfortunately, in practice things are not quite so simple. Many businesses are slow to patch or fail to apply patches on all devices in use.
Anti-spam software can help to reduce risk by blocking phishing emails containing links to exploit kits, but most of the traffic comes from search engines and malvertising, which anti-spam software will do nothing to block. To improve your defenses against exploit kits, drive-by downloads, and phishing websites, one of the best cybersecurity solutions to deploy is a DNS filtering solution.
A DNS filter allows businesses to carefully control the websites that employees can access when connected to the business’s wired and wireless networks. Controls can be set to block different types of web content such as gambling, gaming, and adult websites but crucially, the DNS filter also blocks all known malicious websites. DNS filters use blacklists of known malicious websites such as those hosting exploit kits or phishing forms. If a web site or web page is included in the blacklist, it will automatically be blocked. Websites are also scanned in real time to identify malicious content.
Since all filtering takes place at the DNS level, access to malicious or undesirable content is blocked without any content being downloaded. Setting up the solution is also quick and easy, as it only requires a change to the DNS record to point it to the service provider. No hardware is required and there is no need to download any software.
If you want to improve your defenses against malware, ransomware, botnets, and phishing and are not yet controlling the web content that your employees can access, contact TitanHQ today and ask about WebTitan. Alternatively, sign up for a free trial of the solution by clicking the image below.
The year 2018 saw a reduction in ransomware attacks on businesses as cybercriminals opted for alternative means to make money. Major ransomware attacks were still occurring, just at a slightly lower rate than in 2017.
Some reports were released that suggested ransomware was no longer such a massive threat as it was in 2016 and 2017, but the number of reported attacks in 2019 have shown that is definitely not the case. Any business that has not implemented defenses to protect against ransomware attacks could well be the next victim and have to pay millions to recover from an attack.
Make no mistake. Ransomware is one of the most dangerous threats faced by businesses. If ransomware is installed on the network, all files, including backups, could be encrypted. That could prove catastrophic, as one small Michigan medical practice discovered.
The two-doctor practice in Battle Creek, MI suffered an attack that resulted in the encryption of all patient data. A ransom demand was issued by the attackers, but as there was no guarantee that files could be recovered after the ransom was paid, the decision was taken not to pay up. The hackers then deleted all the encrypted files. Faced with having to rebuild the practice from scratch, the doctors decided to call it quits and took early retirement.
Ransomware attacks on healthcare providers are now being reported at an alarming rate and government entities, cities, and municipalities are being extensively targeted. The city of Baltimore suffered a major attack in May involving a ransomware variant called RobbinHood. The attack brought down the city’s servers and systems, causing major disruption across the city. A ransom of $6 million was paid for the keys to regain access to the encrypted files.
Two small cities in Florida also suffered major attacks. Lake City was forced to pay a ransom of $460,000 and Riviera Beach paid a ransom of $600,000, while Jackson County in Georgia paid $400,000 after its court system was attacked.
As the year has progressed, the attacks have increased. A report from Malwarebytes indicates there was a 195% increase in ransomware attacks in Q1, 2019. Figures from Kaspersky Lab show ransomware attacks almost doubled in Q2, 2019, with 46% more attacks reported than the corresponding period in 2018.
The increase in attacks means businesses need to be prepared and have the necessary security tools in place to make it difficult for the attacks to succeed.
There is no one cybersecurity solution that can be implemented to eliminate the threat of attack, as hackers are using a variety of methods to gain access to networks and download their malicious payloads. Layered defenses are key to repelling an attack.
Email is the primary method of delivering ransomware. All it takes if for a malicious email to arrive in an inbox and for an employee to be fooled into opening a malicious attachment or clicking on a hyperlink for ransomware to be installed. An advanced email filtering solution such as SpamTitan Cloud is therefore needed to block malicious emails and ensure they do not reach employees’ inboxes.
SpamTItan includes Domain-based Message Authentication, Reporting, and Conformance (DMARC) to block email impersonation attacks and a sandbox where suspicious attachments can be executed in safety and studied for malicious activity. Sandboxing is essential as it allows zero-day ransomware threats to be identified and blocked.
Not all attacks occur via email. Attacks over the Internet are also common. A web filtering solution should therefore be implemented to block these web-based attacks. A web filter will prevent employees from accessing known malicious sites where ransomware is automatically downloaded. With these two technical measures in place, businesses will be well protected from attacks. Along with security awareness training for staff and the adoption of good data backup practices, businesses can mount a strong defense against ransomware attacks.
A new phishing campaign has been detected that uses Google Drive links to avoid detection by Office 365 Exchange Online Protection and ensure messages are delivered to inboxes.
The emails, reported through Cofense Intelligence, impersonated the CEO of the company who was attempting to share an important document. The document had been shared via Google Drive and came with the message, “Important message from – CEO.”
Google Drive allows files and collaboration requests to be easily sent to other individuals. The account holder chooses who to share a file with and the system generates an email alert containing a link to the shared file.
In this case, the name of the CEO was correct, but the email address used was different to the format used by the company. While this is a clear sign that the emails are not what they seem, some employees would likely be fooled by the message.
Importantly, the messages are not detected as malicious by EOP and are delivered to inboxes. A scan of the message would reveal nothing untoward, as the embedded URL is a legitimate shared link to a genuine cloud service operated by Google.
The shared document itself is not malicious, but it does link to another Google Docs document and a phishing URL. Any anti-phishing solution that only assesses the embedded hyperlink in the email to determine whether it is malicious would allow the email to be delivered. Only a deeper inspection would reveal the true nature of the URL.
If the link is visited by an end user, a fake login window is presented. If login credentials are entered, they are captured and stored on the attacker’s server.
This campaign highlights the importance of multi-layered anti-phishing defenses and the risks of relying on EOP to provide protection against phishing attacks.
An advanced spam filtering solution should be implemented on top of Office 365 to provide greater protection from phishing and other email-based attacks. This will ensure more sophisticated phishing attacks are blocked.
If a malicious message is delivered and a link is clicked, the connection to the malicious webpage could be blocked using a web filtering solution.
WebTitan is a DNS-based content filtering solution that serves as an additional layer in organization’s anti-phishing defenses. Should an attempt be made by an employee to visit a malicious website or suspicious domain, the attempt would be blocked before any content is downloaded. WebTitan assesses each website when the DNS query is made. Malicious websites and those that violate an organization’s content control policies are blocked.
To find out more about how a DNS filter can improve your defenses against phishing attacks and malware downloads, contact TitanHQ today.
Malware creators are constantly developing new techniques to circumvent traditional anti-virus defenses and ensure their malicious code can run undetected on a targeted machine.
Zero-day malware variants, those which have never been seen before, are not picked up by signature-based AV solutions. However, the malware will need to communicate with its owner, so the source code will contain URLs and IPs for that purpose. These URLs can be detected when scanning files. If the URLS are detected and they are known to be malicious, the file will be deemed to be malicious and will be quarantined.
To ensure this does not happen, malware developers use a variety of techniques to hide the URLs and IPs in the source code. This is often achieved by converting the IP address into a decimal value, which is stored as XML content. When in decimal format, even a malicious URL would not be detected as such by most antivirus software. When the IP address is needed by the malware, it can be converted back to its original form and then reconverted to digital when no longer required.
Similarly, a URL – or part of a URL – could be encoded in its hexadecimal equivalent. That URL would be unlikely to be detected as malicious yet can be read by a browser. AV software would likely detect the file example.com/maliciousfile.exe as malicious in nature and would block it accordingly. In hexadecimal, that translates to:
That address would not be recognizable as malicious and would likely go undetected during a scan by an AV solution. The use of both obfuscation techniques together is not unusual, to make it even harder for AV solutions to detect malicious URLs and IPs.
While these techniques can be used to fool endpoint AV solutions, connections to those malicious servers can be blocked using a DNS-based content filter such as WebTitan.
It doesn’t matter how the URL or IP address is masked. Before a connection can be made, it is necessary to make a DNS query, and the collection must be permitted by the DNS-based filter. If the URL is malicious, the DNS filter will block the attempt to connect before any content is downloaded.
WebTitan works in conjunction with a real time database of millions of malicious URLS and uses a real-time classification system to assign websites to one of 53 categories. Those categories can be allowed or blocked with the click of a mouse. In addition to blocking access to malicious content, the category-based controls can be used to prevent employees from accessing content that could cause offense or lower productivity.
To find out more about how WebTitan can benefit your organization and improve your security posture, contact the TitanHQ team today.
Ransomware attacks have been increasing since late December 2018 and attacks have been reported with increasing frequency as 2019 has progressed. Ransomware may have fallen out of favor with cybercriminals in 2018, but it is once again a firm favorite as it was in 2016 and 2017.
In recent months there has been an extensive ransomware campaign targeting local government offices, cities, and municipalities. These attacks have caused massive disruption, and many have resulted in ransoms being paid.
In the past few days alone, three ransomware attacks have been reported that have seen more than $1,200,000 in ransoms paid. Riviera Beach in Florida paid a ransom of $600,000 for the keys to unlock its encrypted files and Lake City in Florida paid around $460,000. Most recently, La Porte County in Indiana paid a ransom demand of $130,000.
These are just three of many. According to the United States Conference of Mayors, in the past 6 years, more than 170 city, county, or state government systems have been taken out of action as a result of ransomware attacks and there have been 22 attacks so far in 2019.
Cybercriminals will continue to conduct attacks as long as it is profitable to do so. When ransoms are paid, it simply encourages further attacks. The United States Conference of Mayors has decided to take a stand. The organization represents more than 1,400 majors across the United States and has vowed that in the event of attack, ransom demands will not be paid.
That is a necessary step to take to de-incentivize attacks but it could potentially be very costly. In 2018, the City of Atlanta was attacked with ransomware and refused to pay the $50,000 ransom demand. The city has ended up spending tens of millions of dollars on recovery.
The high cost of recovery without paying the ransom could prove too much for small cities, which is why several have been advised by their insurers to pay the ransoms.
In such cases, help is required from the federal government. The majors have urged Congress to pass the State Cyber Resiliency Act, which would give state and local governments the support needed to help them implement their cyber resiliency plans
What is also needed is greater investment in cybersecurity defenses. Attacks are being conducted because there are security holes that can be easily exploited. Until those holes are plugged, the attacks will continue.
TitanHQ can help plug those holes and thwart ransomware attacks by blocking the main attack vectors. SpamTitan is a powerful email security solution that blocks email-threats at source and keeps inboxes threat free. WebTitan protects users while online and blocks malicious websites and malware downloads. With both of these powerful, but low-cost solutions in place, you will be well protected against ransomware attacks.
There has been a spate of ransomware attacks on cities and government agencies in recent months and the healthcare industry sees more than its fair share of attacks, but they are not the only industries being targeted.
Schools, colleges, and universities are prime targets for hackers and ransomware attacks are common. One recent attack stands out due to its scale and the massive ransom demand that was issued. The attackers demanded $2 million (170 BTC) for the keys to unlock the encryption.
Monroe College in New York City was attacked at 6:45am on Wednesday, July 10, 2019. The ransomware quickly spread throughout the network, shutting down the computer systems at its campuses in Manhattan, New Rochelle and St. Lucia and taking down the college website.
The college has switched to pen and paper and is finding workarounds to ensure students taking online courses receive their assignments. No mention has been made about whether files will be recovered from backups or if the ransom will need to be paid.
This is one of many recent ransomware attacks in the United States. Ransomware may have fallen out of favor with cybercriminals in 2018, but it now appears to be back in vogue and attacks are rising sharply. So too have the ransom demands.
$2 million is particularly high, but there have been several recent attacks involving ransom demands for hundreds of thousands of dollars. In several cases, the ransom has been paid.
Riviera Beach City in Florida was attacked and was forced to pay a $600,000 ransom to regain access to its files and bring its computer systems back online. Lake City in Florida also paid a sizeable ransom – $500,000. Jackson County was also attacked and paid a $400,000 ransom.
There have been several cases where ransoms have not been paid. The City of Atlanta was attacked and around $51,000 in Bitcoin was demanded. Atlanta refused to pay. Its cleanup bill has already reached $3 million. With such high costs it is clear to see why many choose to pay up.
In all of the above cases, the cost of implementing cybersecurity solutions to protect against the main attack vectors would have cost a tiny fraction of the cost of the ransom payment or the mitigation costs after an attack.
For less than $2 per employee, you can ensure that the email network is secured and you are well protected against web-based attacks. To find out more, call TitanHQ today.
Sodinokibi and Buran ransomware are being pushed via the RIG exploit kit and now another exploit kit has joined the ranks, although its payload is currently banking Trojans.
Exploit kits are utility programs on websites that conduct automated attacks on visitors. When a visitor lands on a page hosting the exploit kit, the user’s browser and browser-based applications are probed to determine whether vulnerabilities exist.
Exploit kits contain exploits for several vulnerabilities, only one of which is required to silently download and execute a malicious payload on a visitor’s device. Traffic to these malicious pages is generated through malvertising/malicious redirects. The exploit kit code is also commonly added to compromised high-traffic websites.
Exploit kits were once the malware delivery mechanism of choice, but they fell out following a law enforcement crackdown. The threat from exploit kits has never disappeared, but activity has been at a much-reduced level. In recent months however, exploit activity has been at an elevated level.
The new exploit kit is called Spelevo and its purpose is to deliver two banking Trojans – Dridex and IceD – via a business to business website. The exploit kit was discovered by a security researcher named Kafeine in March 2019.
The exploit kit currently hosts multiple exploits for Adobe Flash and one for Internet Explorer. A user visiting a web page hosting the Spelevo exploit kit would unlikely tell that anything untoward was occurring. A tab would be opened to the gate and the browser would appear to go through a series of redirects before landing on Google.com. The entire process from the user landing on a page hosting the exploit kit, to a vulnerably being identified, exploited, and the user redirected to Google.com takes just a few seconds.
The exploit kit could be hosted on an attacker-owned domain, but it is easy to add the exploit kit to any website. All that is required is the addition of four lines of code once a website has been compromised.
Exploit kits are an efficient, automated way of delivering a malware payload, but they are reliant on users that have not patched their browsers and plugins. If browsers and plugins are kept up to date, there are no vulnerabilities to exploit.
The Spelevo exploit kit appears to be used in a campaign targeting businesses. IT teams often struggle to keep on top of patching and have poor visibility into the devices that connect to the network. As a result, it is easy for devices to be missed and remain unpatched. If one device is compromised, an attacker can use a variety of tools to spread laterally and infect other devices and servers.
The primary defense against exploit kits is patching, but additional protections are required. To protect against attacks while patching takes place, to prevent attacks from succeeding using zero-day exploits, and to stop users from visiting websites hosting exploit kits, a web filter is required.
WebTitan is a DNS filter that provides real-time, automated threat detection and blocking and protects against exploit kits and web-based phishing attacks. The WebTitan database contains three million malicious URLs that are blocked to protect end users. More than 300,000 malware and ransomware websites are blocked every day.
If you want to improve protection against web-based threats, exercise control over the content that your employees can access, and gain visibility into what your employees are doing online, WebTitan Cloud is the answer and it can be set up in minutes.
As one ransomware-as-a-service operation shuts down, another is vying to take its place. Sodinokibi ransomware attacks are increasing and affiliates are trying to carve out their own niche in the ransomware-as-a-service operation.
Developing ransomware and staying one step ahead of security researchers is important, but what made the GandCrab operation so successful were the affiliates conducting the campaigns that generated the ransom payments. The GandCrab developers have now shut down their operation and that has left many affiliates looking for an alternative ransomware variant to push.
Sodinokibi ransomware could well fill the gap. Like GandCrab, the developers are offering their creation under the ransomware-as-a-service model. They already have a network of affiliates conducting campaigns, and attacks are on the increase.
As is the case with most ransomware-as-a-service operations, spam email is one of the most common methods of ransomware delivery. One Sodinokibi ransomware campaign has been detected that uses spoofed Booking.com notifications to lure recipients into opening a Word document and enabling macros. Doing so triggers the download and execution of the Sodinokibi payload.
Download websites are also being targeted. Access is gained the websites and legitimate software installers are replaced with ransomware installers. Managed Service Providers (MSPs) have also been targeted. The MSP attacks have exploited vulnerabilities in RDP to gain access to MSP management consoles.
Two cases have been reported where an MSP was compromised and malicious software was pushed to its clients through the client management console. In one case, the Webroot Management Console and the Kaseya VSA console in the other.
Recently, another attack method has been detected. Sodinokibi ransomware is being distributed through the RIG exploit kit. Malvertising campaigns are directing traffic to domains hosting RIG, which is loaded with exploits for several vulnerabilities.
With so many affiliates pushing Sodinokibi ransomware and the wide range of tactics being used, no single cybersecurity solution will provide full protection against attacks. The key to preventing attacks is defense in depth.
TitanHQ can help SMBs and MSPs secure the email and web channels and block the main attack vectors. Along with security awareness training and good cybersecurity best practices, it is possible to mount a formidable defense against ransomware, malware, and phishing attacks.
The excitement is building as DattoCon19 draws ever closer. Starting on June 17, 2019 in San Diego and running for three days, DattoCon19 is an unmissable event for managed service providers (MSPs).
At the conference, attendees benefit from practical advice and best practices to grow their businesses, increase sales, and boost monthly recurring revenue (MRR). A huge range of vendors will be on hand to offer information on exciting products and attendees will have the opportunity to learn strategies to increase business impact growth, boost profitability, and broaden their service stacks.
Sessions will be taken by industry experts and leading MSPs who will share tips and tricks to take back home and apply at the office. On average, attendees at DattoCon achieve 41% sales growth year-over-year as a result of attending the conference.
TitanHQ is sponsoring DattoCon19 and is excited about having the opportunity to meet new MSPs and help them grow their businesses. As a Datto Select Vendor, TitanHQ offers MSPs three cloud-based solutions that can be easily integrated into existing MSPs service stacks: Anti-phishing and anti-spam protection, DNS-based web filtering, and email archiving. All three solutions are available through the TitanShield program for MSPs.
MSPs can meet the TitanHQ team at booth 23 at DattoCon19 to find out more about the TitanShield program and the exciting opportunities for MSPs that work with TitanHQ. TitanHQ will be on hand to help MSPs that support Office 365 to improve protection against phishing attacks and malware. MSPs can also find out more about the TitanHQ threat intelligence that protects Datto DNA and D200 boxes, and how TitanHQ’s DNS filter is a direct swap out for Cisco Umbrella and the cost advantages of doing so.
TitanHQ Executive Vice President-Strategic Alliances, Rocco Donnino, is one of the panel members for the Datto Select Avendors event on Monday. The event brings together experts from different fields to help come up with solutions for some of the major problems faced by MSPs in today’s marketplace.
TitanHQ at DattoCon19
TitanHQ will be at booth 23
Special Show Pricing available
Daily TitanHQ vintage Irish whiskey raffle
TitanHQ and BVOIP are sponsoring a GasLamp District Takeover Party on Monday 6/17 and Wed, 6/19.
DattoCon19 will be taking place in San Diego, California on June 17-19, 2019. If you are not yet registered for the event you can do so here
TitanHQ, the leading provider of cloud security solutions for SMBs, has announced a new partner program has been launched to support Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), Cloud Distributors, Wi-Fi Providers, OEM Partners and Technology Alliance Partners..
TitanHQ started its journey in 1999. Initially, the company provided anti-spam solutions to local businesses in Ireland. Over the next two decades, the company expanded its range of products to include DNS filtering and email archiving solutions and is now a leading global player of cloud-based cybersecurity solutions.
While TitanHQ initially focused on meeting the needs of the SMB market, its products have been developed to meet the needs of MSPs. For instance, TitanHQ solutions are available with a range of hosting options, including the ability to host the solution within the MSPs own environment, and they can be provided in white-label form ready to take MSP’s branding.
TitanHQ’s cloud-based solutions have been developed to be easy to implement, use, and manage and are already a firm favorite with MSPs.
To make TitanHQ cloud security solutions even more attractive for MSPs, the existing partner program has been significantly enhanced and relaunched as TitanShield.
The TItanShield Partner Program makes it even easier to offer TitanHQ cloud security products to clients. Partners benefit from access to engineers, a highly capable support team that understands the needs of MSPs, and a dedicated account manager.
Partners have access to APIs to allow them to easily sell, onboard, manage and deliver advanced network security solutions directly to their client base from within their own user interfaces. In addition, partners receive free access to sales and technical resources, deal registration and lead generation resources, and benefit from flexible, volume-based monthly pricing models and profitable margins.
Under the new, enhanced partner program, customers are separated into their specific areas of expertise to ensure that each can be provided with focused information for the markets and customers they serve.
“Our program takes a unique and strategic approach for our partners and can be customized to fit all business models,” said Rocco Donnino, Executive VP of Strategic Alliances at TitanHQ.
If you want to become a highly valued member of the TitanHQ TitanShield Partner Program, enrollment is now open. Call TitanHQ today or email email@example.com for further information.
In our previous post we explained why managed service providers (MSPs) should be offering a web filtering service to their customers and the benefits that can be gained by customers and MSPs alike. In this post we explain what makes WebTitan Cloud the go-to web filtering solution for MSPs and why so many MSPs have chosen TitanHQ as their web filtering partner.
Why WebTitan Cloud is the Best Web Filter for MSPs
One problem MSPs face before they can start offering a web filtering service to their clients is how to incorporate the solution into their service stacks and their existing cloud offerings. While there are many providers of web filtering services, not all solutions have been developed with MSPs in mind. TitanHQ differs in that respect.
TitanHQ’s web filtering solution, WebTitan Cloud, has been developed specifically to meet the needs of MSPs and make it as easy as possible for the solution to be added to their existing cloud offerings. WebTitan Cloud seamlessly integrates within existing workflows regardless of whether MSPs self-host, use AWS, Azure, or other cloud platforms.
How Does WebTitan Cloud Integrate into MSPs Management Systems?
To make integration as easy as possible, TitanHQ uses RESTful API, which allows fast and risk-free integration into MSPs management systems. WebTitan Cloud uses the OAuth 1.0 protocol for authentication and has a full set of keys and secrets in the WebTitan Cloud user interface (UI). Once an MSP has signed up, no further registration or authentication is necessary. The API client provides the appropriate oauth_signature to authorize requests to protected resources.
Overly complex user interfaces are a problem with many cloud-based solutions. With WebTitan Cloud, the UI is made as clean and easy to use as possible. MSPs can remove all elements from the UI that are not required to keep the UI clean and simple. WebTitan Cloud can also be integrated into MSP cloud interfaces to create a better user experience and greater consistency for customers.
Having information at your fingertips is important when customers send in requests or when reports are required on web use and blocking. WebTitan Cloud allows MSPs to create and integrate a full suite of high-level system and customer reports into their own management consoles.
Onboarding new customers is also a quick and simple process, which can be integrated into current MSP on-boarding processes. New customer accounts can easily be created (or deleted) from within an MSP’s own UI, in addition to performing updates and listing all current customer accounts.
MSPs can connect to WebTitan Cloud to manage their customers settings, including locations, whitelists, and blacklists. Customers that would prefer to manage their own settings can perform a limited number of operations themselves using APIs. Since WebTitan Cloud is available in a full white label, customers who do access their own settings can be given a UI with MSP branding rather than TitanHQ’s to maintain consistency and help reinforce the MSPs brand.
TitanHQ also operates an extremely competitive pricing strategy with generous margins for MSPs and aligned monthly billing cycles through the TitanShield MSP Program.
If you have yet to start offering web filtering to your clients as part of your service stack or if you are unhappy with your current provider’s product, contact TitanHQ today and as about becoming a member of the TitanShield MSP Program. Product demonstrations can also be scheduled on request.
A web filtering service allows Managed Service Providers (MSPs) to better protect their clients from accidental malware downloads and phishing attacks while improving their bottom lines. Further, by preventing phishing attacks and malware infections, they can reduce the amount of time they spend fighting fires. For busy MSPs, the latter will be especially beneficial.
Why is Web Filtering Important?
There are several reasons why MSP clients will benefit from a web filtering service. First and foremost, a web filter will help to prevent their customers’ employees from visiting phishing websites and malicious URLs. Most phishing attacks start with a phishing email, so a powerful spam filtering solution is essential. While commercial spam filters such as SpamTitan will block more than 99% of spam and phishing emails, additional protections are required to protect against the 1% that bypass spam defenses.
Naturally end user security awareness training will help in this regard, but as the 2018 Verizon Data Breach Investigations Report shows, 30% of delivered phishing messages are opened by end users and 12% of those users also click on malicious links in the messages.
A web filter is an additional layer of anti-phishing and anti-malware defenses that kicks in when malicious links are clicked and when end users attempt to visit other malicious sites while browsing the Internet. With a web filter in place, when an employee attempts to access a malicious web page, that attempt will be blocked before any content is downloaded. Instead of displaying the web page, a block page will be displayed.
Web filters also allow companies to carefully control the types of content their employees can access. This allows them to enforce acceptable internet usage policies with ease. Employers can prevent their employees from accessing NSFW content such as pornography, illegal content and, if tighter controls are required to improve productivity, other categories of web content such as dating sites, social media networks, gambling sites, and gaming sites.
With a web filter in place, security and productivity can both be quickly improved and the gains in both of those areas is likely to more than pay for the cost of the web filtering package provided by their MSP.
Cloud Based Web Filtering Solutions for MSPs
Convincing customers to implement a web filtering solution should be straightforward given the number of phishing attacks that are now being conducted and the cost of mitigating phishing attacks and malware infections. The cost of web filtering is tiny by comparison.
For MSPs, cloud-based filtering solutions are the natural choice. They can be implemented in minutes once a customer request has been received, no hardware is required, there is no software to install, and patching is handled by the service provider. All that is required from the MSP is a brief set up and configuration for each customer and ongoing management and reporting.
However, not all cloud-based web filtering solutions make set up, management and reporting simple. WebTitan Cloud differs in this respect. Not only does the solution offer excellent protection, the solution has been developed specifically with MSPs in mind. The ease of integration into MSP’s back-end systems and management has made WebTitan Cloud the go-to web filtering solution for MSPs.
In our next post we will explain how WebTitan Cloud differs from other web filtering solutions, why it is the easiest solution for MSPs to integrate into their existing cloud offerings, and how TitanHQ makes getting started, provisioning new customers, and managing customer accounts a quick and easy process requiring the minimal management overhead.
For many people, Game of Thrones Season 8 is the TV highlight of the past 12 months, but not all fans of the series are keen to pay for the channel to watch the latest installments of this hugely popular series.
Some fans are turning to P2P file sharing sites to download the latest episodes, but hackers are ready and waiting. Many illegal video files of Game of Thrones episodes have been embedded with malware, most commonly adware and Trojans.
Research from Kaspersky Lab revealed Trojans to be the most common form of malware to be embedded in rogue video files. A third of all fake TV show downloads that have been impregnated with malware include a Trojan.
When one of these infected files is opened after it has been downloaded, the Trojan is launched and silently runs in the background on the infected device.
Many of the Trojans embedded into video files are brand new. These zero-day malware variants are not detected by traditional AV solutions as their signatures are not present in malware definition lists. That means malware infections are likely to go undetected. When signatures are updated, the malware may continue to run until a full system scan is completed. Either way, during the time that the malware is active it could be collecting a range of sensitive data including usernames and passwords.
Malware can also be installed that gives the attacker access to an infected device and the ability to run commands, change programs, download further malware variants, and add the infected device to a botnet.
File sharing websites offer an easy way of distributing malware. Users of the platforms voluntarily download the files onto their computers. However, only a small percentage of internet users visit P2P file sharing sites. Hackers therefore have turned to other methods to get users to execute their infected video files.
Prior to the release date of Game of Thrones Season 8, offers of free access to the TV show were being distributed via email. Campaigns were also detected offering episodes in advance of the release date to tempt GOT fans into installing malicious software or visiting malicious websites.
It is no surprise that fake Game of Thrones video files have been embedded with malware, given the huge popularity of the show. However, Game of Thrones fans are not the only people targeted using this tactic of malware distribution. In the past few months, malware has been detected in fake videos files claiming to be the latest episodes of the Walking Dead, Suits, and the Vikings to name but a few.
Some people feel the risk of a malware infection from downloading pirated video files to be low, or they do not even consider the risks. That is bad news for businesses. When employees ignore the risks and download illegal files at work, they risk infecting their network with malware.
The easiest solution to prevent illegal downloads at work and the visiting of other malicious websites is to use a web filtering solution. A web filter – WebTitan for instance – can be configured to prevent users from accessing file sharing and torrents websites. WebTitan uses a continuous stream of ActiveWeb URLs from over 550 million end users, which provides important threat intelligence to TitanHQ’s machine learning technology. This allows new, malicious URLs to be identified, and users are then prevented from visiting those malicious URLs.
Blocking email attacks is simple with SpamTitan. SpamTitan blocks 99.97% of spam emails to prevent malicious messages from reaching end users, including messages offering free access to Game of Thrones and other TV shows. In addition to dual AV engines to protect against known malware, SpamTitan also now has a sandboxing feature. Suspicious attachments can be safely executed and analyzed in the sandbox to identify potentially malicious actions. The sandboxing feature provides superior protection against zero-day malware which AV software does not block.
With both of these solutions in place, businesses will be well protected against malware, ransomware, botnets, viruses, and phishing attacks.
Each solution is available with a range of different deployment options to suit the needs of all businesses. For a product demonstration and further information, contact the TitanHQ team today.
A new report has confirmed the need for robust, multi-layered cybersecurity protections for SMBs to prevent successful cyberattacks. SMBs are increasingly being targeted by cybercriminals as security is often weak and attacks are easy to pull off.
While large corporations are an attractive target for cybercriminals, large corporations tend to have mature cybersecurity programs and they are usually very well protected. A successful attack could prove extremely profitable but breaking through the cybersecurity defenses of large corporations is difficult and attacks can be extremely time consuming and labor intensive.
Cybercriminals often choose the path of least resistance, even though the potential for profit may not be so high. Cyberattacks on SMBs are much easier and hackers are concentrating their efforts on SMB targets. This was clearly demonstrated in the latest cybersecurity report from Beazley Breach Response (BBR) Services.
BBR Services analyzed all of the data breaches that it investigated in 2018. 9% of the successful attacks involved ransomware and 71% of those ransomware attacks were on SMBs. The healthcare industry suffered the highest number of ransomware attacks, and accounted for one third of successful attacks. Companies in the professional and financial services sectors accounted for 12% of ransomware attacks each, followed by the retail industry with 8% of attacks.
The costs of those ransomware attacks can be considerable. If companies are unable to recover data from backups, a sizable ransom must be paid to recover encrypted data. In 2018, the average ransom demand was $116,400 and the median ransom demand was $10,310. One client was issued a ransom demand of $8.5 million. The highest ransom demand paid was $935,000.
Massive demands for payment for the keys to unlock encrypted files may not be the norm, but even at the lower end of the spectrum SMBs may struggle to find the money to pay. The ransom demand is also likely to be considerably higher than the cost of cybersecurity protections for SMBs to prevent ransomware attacks.
One of the main ways that hackers gain access to the networks of SMBs is by exploiting flaws in Remote Desktop Protocol. SMBs that leave RDP ports open are at a much higher risk of being attacked. RDP is required by many SMBs because they outsource IT to managed service providers, which need to use RDP to access their systems. In such cases it is essential for default RDP ports to be changed and for very strong passwords to be implemented to reduce the risk of brute force attacks succeeding.
There was also an increase in sextortion scams in 2018. These scams attempt to extort money by threatening to expose victims’ use of adult websites. While these scams usually contain empty threats, they are often successful. In addition to attempting to extort money, the scams are used to install malware or ransomware. Email attachments are sent which claim to contain videos of the victim accessing adult websites, which the scammers claim to have been recorded using the computer’s webcam. When the files are opened to be checked, malware or ransomware is installed.
2018 also saw a 133% increase in Business Email Compromise attacks. These attacks spoof the email address of a senior executive to make the emails and requests seem more plausible. These scams are usually conducted to obtain sensitive information or to get employees to make fraudulent wire transfers. BEC attacks accounted for 24% of all breaches investigated by BBR Services in 2018.
One of the most important cybersecurity protections for SMBs to implement to prevent these attacks is an advanced email filtering solution – One that is capable of detecting spoofed emails. SpamTitan, TitanHQ’s cloud-based spam filtering solution, has recently been updated to include DMARC authentication to detect email impersonation attacks such as BEC scams. The solution also now includes a new sandboxing feature that allows potentially malicious attachments to be analyzed in detail in the sandbox where no harm can be caused. This helps to identify more malicious attachments and better protect SMBs from zero-day malware and other malicious files.
TitanHQ’s powerful cybersecurity protections for SMBs can greatly improve email security and block a wide range of web-based attacks. For further information on effective cybersecurity protections for SMBs to deploy to improve security posture and block costly attacks, contact TitanHQ today.