Our news items relating to network security have a very common theme running through them – too many companies are ill-prepared against online threats and vulnerabilities. The failure of organizations to optimize their online defenses – and train their employees on network security – is demonstrated by the huge number of systems that get infected.
A considerable number of network infections are the result of employees downloading infected software onto their computers and mobile devices without authorization. This scenario would be avoided – and network security improved generally – with the implementation of an Internet content filter. Speak with us for more information.
The most common wireless network attacks are easy to pull off and can be highly profitable for criminals. It is therefore no surprise that wireless network attacks have increased significantly in the past couple of years.
Wi-Fi is Ubiquitous, Yet Many Businesses Neglect Security
Wi-Fi access used to be something you had to pay for, but now free WiFi is something that is taken for granted. Visitors to a hotel, coffee shop, bar, retail outlet, or restaurant now expect WiFi to be provided. The decision to use a particular establishment is often influenced by whether free WiFi is available, and increasingly by the quality of the connection.
The quality of the WiFi on offer is not only about bandwidth. The massive rise in cyberattacks via public WiFi networks has seen consumers choose establishments based on the security of the WiFi access points. Parents often choose to visit establishments that offer controls over the types of content that can be accessed.
If you run a business and are providing WiFi or have yet to provide that service and are considering adding a WiFi hotspot to attract more customers, be sure to consider the security of your network. The past couple of years have seen many major attacks on WiFi networks. Some of the most common wireless network attacks are detailed below.
What are the Most Common Wireless Network Attacks?
Some of the most common wireless network attacks are opportunistic in nature. Businesses that fail to secure their WiFi networks leave the door wide open to amateur scammers and hackers who are all too happy to take advantage of poor security to steal credentials from users and spread malware. Unsecured WiFi networks are also targeted by sophisticated cybercriminals and organized crime groups.
Tel Aviv Free WiFi Network Hacked
One notable example of how easy it can be for a hacker to take over a WiFi network comes from Tel Aviv. Tel Aviv offers a city-wide free WiFi network, which incorporates basic security controls to keep users secure. However, it did not prove to be as secure as city officials thought.
While commuting home, Tel Aviv resident Amihai Neiderman noticed a new WiFi access point had appeared. The FREE_TLV access point was provided by the city and Neiderman decided to test its security controls. After determining the IP address through which WiFi clients accessed the Internet, he disconnected, scanned the router, and discovered the web-based login interface was run through HTTPS port 443.
While he found no major vulnerabilities, after extensive analysis he identified a buffer overflow vulnerability which he successfully exploited to take full control of the router. By doing so, if he was so inclined, he could have intercepted the traffic from tens of thousands of users.
Toasters Used to Hack Unsecured WiFi Networks
Perhaps not one of the most common WiFi network attacks, but notable nonetheless due to the rise in use of IoT devices. IoT capability has been incorporated into all manner of devices from toasters to washing machines. However, these devices can be vulnerable to supply chain attacks – where hardware is altered so that the devices can be used to attack WiFi networks. In 2016, Russian officials discovered chips imported from China had been altered and were being used to spread malware that could eavesdrop on unsecured WiFi networks from a range of 200 meters. They were used to infect those networks with malware that could steal information.
Interception of Unencrypted Traffic
Research by Kaspersky Lab in 2016 showed more than a quarter of public Wi-Fi hotspots set up in malls were insecure and lacked basic security controls. A quarter did not encrypt traffic at all, while research conducted by Skycure showed that five of the busiest 10 malls in the USA had risky WiFi networks. One mall in Las Vegas was discovered to be operating 14 risky WiFi access points. Hackers can use sniffers to monitor traffic on unencrypted WiFi networks.
Fake WiFi Access Points
Visitors to hotels, coffee shops and malls often connect to the free WiFi on offer, but various studies have shown that care is not always taken to connect to the official WiFi network. Criminals can easily set up fake WiFi access points, often using the name of the establishment. By connecting to the fake networks, users can still access the Internet, yet everything they do online is being monitored by cybercriminals. These man-in-the-middle attacks allow criminals to steal banking credentials, credit card numbers, and login information.
How is this done? The attacker simply creates a hotspot on a smartphone and pairs it with a tablet or laptop. The hacker can then sit in the coffee shop drinking a latte while monitoring the traffic of everyone who connects. One study indicated more than a third of WiFi hotspot users take no precautions when accessing WiFi hotspots and frequently connect to unsecured networks.
WiFi Networks Used to Gain Access to Business Data
Creating a WiFi network for guests is simple. Ensuring it is secure and cannot be used for attacks on the business network requires more thought and effort. Any business that allows customers to make purchases using credit and debit cards is a major target for hackers. The past few years have seen many major attacks that have resulted in malware being installed on POS systems. These are now some of the most common wireless network attacks.
How Can Businesses Prevent the Most Common Wireless Network Attacks?
How can businesses protect against some of the most common wireless network attacks? While it is difficult to prevent the creation of fake WiFi hotspots, there are steps that can be taken to prevent many common wireless network attacks.
Isolate the Guest Network
If your business network is not isolated from your guest WiFi network, it could be used to gain access to business data and could place your POS at risk of compromise. Use a router that offers multiple SSIDs – most modern routers have that functionality. These routers often have a guest SSID option or separate guest portal. Make sure it is activated when it is deployed. Alternatively, your wireless router may have a wireless isolation feature which will prevent WiFi users from accessing your internal network and other client devices. If you require multiple access points throughout your establishment, you are likely to need a VLAN or EoIP tunnel configuration – a more complicated setup that will require you to seek professional advice on security.
Create a Secure SSID
Your router will have a default SSID name, but this should be changed to personalize it to your business. If you make it easily identifiable, it will reduce the potential for rogue access points to be confused with your own. Ensure that you enforce WPA2 encryption with a shared key and post that information for your customers along with your SSID.
Restrict WiFi Access
If your wireless router or access point is too powerful, it could be accessed from outside your premises. Choose a router that allows you to alter the strength of your signal and you can ensure only your customers will use your connection. Also ensure that your WiFi access point is only available during business hours. If your access points are left unsupervised, it increases the risk of attack.
Secure Your Infrastructure
Administrator access can be abused, so ensure that your login name and your passwords are secure. If the default credentials are not changed, it will only be a matter of time before they are abused. Change the username from ‘admin’ or any other default username. Set a strong password that includes upper and lower-case letters, at least one number, and a special character. The password must be at least 8 characters, although more is better. Alternatively, use a 14-character+ passphrase.
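The recommendations above (an isolated guest SSID, a non-default network name, enforced WPA2 with a shared key, a strong key, and the protected management frames discussed later on this page) can be checked mechanically against an access point's configuration. The script below is an added example, not TitanHQ's code: it audits a hostapd-style configuration using hostapd's own keys (ssid, wpa, wpa_key_mgmt, rsn_pairwise, ap_isolate, ieee80211w, wpa_passphrase); the weak and hardened sample configurations and the list of factory SSID names are constructed for the example.

```python
"""Audit a hostapd-style access point configuration against the guest WiFi
advice above.  Added example, not TitanHQ code: the keys are hostapd's own;
the two sample configurations and the default-SSID list are constructed."""
import re

# Constructed sample: a guest BSS that still carries several weak settings.
WEAK_CONFIG = """\
interface=wlan0
ssid=linksys
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password1
rsn_pairwise=TKIP CCMP
ap_isolate=0
ieee80211w=0
"""

# The same BSS with each finding corrected.
HARDENED_CONFIG = """\
interface=wlan0
ssid=Corner-Cafe-Guest
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=latte-foam-window-seat
rsn_pairwise=CCMP
ap_isolate=1
ieee80211w=2
"""

# Constructed list of factory SSID names that should never reach production.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless", "tp-link"}


def parse_config(text):
    """Parse hostapd's key=value lines, skipping comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def password_ok(secret):
    """Policy stated in the text: at least 8 characters with upper- and
    lower-case letters, a digit and a special character, or a passphrase of
    14 or more characters."""
    if len(secret) >= 14:
        return True
    if len(secret) < 8:
        return False
    return all(re.search(p, secret) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))


def audit(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if not cfg.get("ssid") or cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("ssid: default or empty name; personalise it so customers can tell it from a rogue AP")
    if cfg.get("wpa") != "2":
        findings.append("wpa: WPA2 is not enforced (expected wpa=2)")
    if "WPA-PSK" not in cfg.get("wpa_key_mgmt", "").split():
        findings.append("wpa_key_mgmt: no shared-key authentication configured")
    if "TKIP" in cfg.get("rsn_pairwise", "").split():
        findings.append("rsn_pairwise: legacy TKIP allowed; use CCMP only")
    # ap_isolate keeps wireless clients from reaching each other; keeping
    # guests off the internal wired network still needs a VLAN or firewall.
    if cfg.get("ap_isolate") != "1":
        findings.append("ap_isolate: client isolation off (expected ap_isolate=1)")
    if cfg.get("ieee80211w") != "2":
        findings.append("ieee80211w: protected management frames not required (expected ieee80211w=2)")
    if not password_ok(cfg.get("wpa_passphrase", "")):
        findings.append("wpa_passphrase: does not meet the password policy")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)) or "OK")
```

Running the script reports five findings for the weak configuration and none for the hardened one. Note that ap_isolate only separates wireless clients from one another; isolating guests from the business LAN is a routing and firewall matter, as the text says.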
Use Web Filtering
A web filtering solution is an essential protection for all WiFi networks. Web filters will prevent users from visiting websites and webpages that are known to have been compromised or have been confirmed as malicious. This will protect your customers from web-based threats as well as help to keep your network secure. A web filter will also allow you to prevent your network from being used to download or view unacceptable content such as pornography and lets you control bandwidth usage to ensure all customers can enjoy decent Internet speeds.
TitanHQ offers a scalable, easy to deploy, granular web filter for WiFi networks. WebTitan Cloud for WiFi requires no hardware purchases and no software downloads, and being 100% cloud-based, can be managed and monitored from any location.
A web-based malware distribution network that was redirecting around 2 million website visitors a day to compromised websites hosting exploit kits has been disrupted, crippling the malware distribution operation. The web-based malware distribution network – known as EITest – was using compromised websites to redirect web visitors to sites where exploits were used to download malware and ransomware, as well as redirect users to phishing websites and tech support scams that convinced visitors to pay for fake software to remove non-existent malware infections.
Due to the scale of the operation, removing the redirects from compromised websites is a gargantuan task. Efforts to clean up those sites are continuing, with national CERTs notified to provide assistance. However, the web-based malware distribution network has been sinkholed and traffic is now being redirected to a safe domain. Proofpoint researchers were able to seize a key domain that was generating C&C domains, blocking the redirects and re-routing them to four new EITest domains that point to an abuse.ch sinkhole.
The sinkhole has only been in operation for a month – being activated on March 15 – yet already it has helped to protect tens – if not hundreds of millions – of website visitors. In the first three weeks alone, an astonishing 44 million visitors had been redirected to the sinkhole from around 52,000 compromised websites and servers.
The majority of the compromised websites were running WordPress. Malicious code had been injected by taking advantage of flaws in the CMS and plugins installed on the sites. Vulnerabilities in Joomla, Drupal, and PrestaShop had also been exploited to install the malicious code.
The web-based malware distribution network has been in operation since at least 2011, although activity increased significantly in 2014. While previous efforts had been made to disrupt the malware distribution network, most failed and others were only temporarily successful.
The malicious code injected into the servers and websites primarily redirected website visitors to an exploit kit called Glazunov, and to a lesser extent, the Angler exploit kit. Those exploit kits probed for multiple vulnerabilities in software to download ransomware and malware.
The threat actors behind EITest are believed to have responded and have attempted to gain control of the sinkhole, but for the time being those efforts have been thwarted.
How to Improve Security and Block Web-Based Malware Attacks
While it is certainly good news that such a major operation has been disrupted, the scale of the operation highlights the extent of the threat of web-based attacks. Spam email may have become the main method for distributing malware and ransomware, but organizations should not ignore the threat from web-based attacks.
These attacks can occur when employees are simply browsing the web and visiting perfectly legitimate websites. Unfortunately, lax security by website owners can easily see their website compromised. The failure to update WordPress or other content management systems and plugins along with poor password practices makes attacks on the sites a quick and easy process.
One of the best cybersecurity solutions to implement to reduce the risk of web-based attacks is a web filter. Without a web filter in place, employees will be permitted to visit any website, including sites known to host malware or be used for malicious purposes.
With a web filter in place, redirects to malicious websites can be blocked, downloads of risky files prevented, and web-based phishing attacks thwarted.
TitanHQ is the leading provider of cloud-based web filtering solutions for SMBs and enterprises. WebTitan Cloud and WebTitan Cloud for WiFi allow SMBs and enterprises to carefully control the website content that can be accessed by their employees, guest network users, and WiFi users. The solution features powerful antivirus protections, uses blacklists of known malicious websites, and incorporates SSL/HTTPS inspection to provide protection against malicious encrypted traffic.
The solution also allows SMBs and enterprises to enforce their acceptable internet usage policies and schools to enforce Safe Search and YouTube for Schools.
For further information on how WebTitan can protect your employees and students and prevent malware infections on your network, contact TitanHQ today.
If you have yet to implement a web filtering solution to control the content that your employees can access at work, you are taking an unnecessary risk that could result in a costly malware infection, ransomware being installed on your network, or a lawsuit that could have been prevented by implementing basic web filtering controls. Many SMBs have considered implementing a web filter yet have not chosen a solution due to the cost, the belief that a web filter will cause more problems than it solves, or simply because they do not think it offers enough benefits. In this post we explain some of the common misconceptions about web filtering and attempt to debunk some common web filtering myths.
Common Web Filtering Myths
Antivirus Solutions Provide Adequate Protection from Web-Based Malware Attacks
Antivirus software is a must, although products that use signature-based detection methods are not as reliable as they once were. While antivirus companies are still quick to identify new malware variants, the speed at which new variants are being released makes it much harder to keep up. Further, not all malware is written to the hard drive. Fileless malware remains in memory and cannot easily be detected by AV software. Antivirus software is still important, but you now need a host of other solutions to mount a reasonable defense against attacks. Layered defenses are now a must.
Along with AV software you should have anti-spam software in place to block email-based threats such as phishing. You need to train your workforce to recognize web and email threats through security awareness training. Firewalls need to be set with sensible rules, software must be kept updated and patches must be applied promptly, and regular data backups are a must to ensure recovery is possible in the event of a ransomware attack. A web filtering solution should also be installed.
A web filter allows you to carefully control the web content that can be accessed by employees. By using blacklists, websites known to host malware can be simply blocked, redirects via malvertising can be prevented, and controls can be implemented to prevent potentially malicious files from being downloaded. You can also prevent your employees from visiting categories of sites – or specific websites – that carry a higher than average risk.
There are other benefits to web filtering that can help you avoid unnecessary costs. By allowing employees to access any content, organizations leave themselves open to lawsuits. Businesses can be held liable for activities that take place on their networks such as accessing illegal content and downloading/sharing copyright-protected material.
Web Filtering is Prohibitively Expensive
Many businesses are put off implementing a web filtering solution due to the perceived cost of filtering the Internet. If you opt for an appliance-based web filter, you need to make sure you have an appliance with sufficient capacity and powerful appliances are not cheap. However, there is a low-cost alternative that does not require such a major cash commitment.
DNS filtering requires no hardware purchases so there is no major capital expenditure. You simply pay for the licenses you need and you are good to go. You may be surprised to find out just how low the price per user actually is.
Web Filtering is Too Complicated to Implement
Some forms of web filters are complex, and hardware-based filters will take some time to install and configure, which will take IT staff away from important duties. However, DNS-based filters could not be any easier to implement. Implementing the solution is a quick process – one that will take just a couple of minutes. You just need to point your DNS to your web filtering service provider.
Even configuring the filter is straightforward. With WebTitan you are given a web-based portal that you can use to configure the settings and apply the desired controls. In its simplest form, you can simply use a checkbox option to select the categories of websites that you want to block.
Since WebTitan includes a database of malicious websites, any request to visit one of those websites will be denied. You can also easily upload third party blacklists, and for total control, use a whitelist to only allow access to specific websites.
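The decision a DNS filter makes for each query, as described in the last two paragraphs (a category database, an uploaded third-party blocklist, and an optional whitelist-only mode), comes down to matching the queried name against lists of domain suffixes and answering with a sinkhole address instead of the real one, the same mechanism used to neutralise the EITest redirects described earlier on this page. The following is an added example of that logic and is not WebTitan's code; the sinkhole address, the categories and every domain in it are constructed.

```python
"""Decision logic of a DNS filter of the kind described above: category
database, third-party blocklist, optional whitelist-only mode, and a sinkhole
answer for blocked names.  Added example, not WebTitan code; the sinkhole
address, categories and all domains are constructed."""

SINKHOLE_ADDRESS = "0.0.0.0"  # hypothetical answer returned instead of the real one

# Constructed category database and third-party blocklist (domain suffixes).
CATEGORY_DB = {
    "malware-host.example": "malware",
    "casino.example": "gambling",
    "news.example": "news",
}
THIRD_PARTY_BLOCKLIST = {"tracker.example"}
BLOCKED_CATEGORIES = {"malware", "gambling"}


def normalize(domain):
    """Lower-case the name and strip the trailing dot of an absolute name."""
    return domain.rstrip(".").lower()


def suffixes(domain):
    """Yield the name and each parent domain, so that a list entry for
    malware-host.example also covers cdn.malware-host.example."""
    labels = normalize(domain).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def match_list(domain, entries):
    """Return the matching entry from a set of domain suffixes, or None."""
    for s in suffixes(domain):
        if s in entries:
            return s
    return None


def lookup_category(domain):
    """Most specific category for the name, or None when uncategorised."""
    for s in suffixes(domain):
        if s in CATEGORY_DB:
            return CATEGORY_DB[s]
    return None


def filter_query(domain, upstream_answer, allowlist=None):
    """Decide what to answer for a query.

    Returns (action, answer, reason).  With an allowlist the filter runs in
    whitelist-only mode: anything not on the list is sinkholed."""
    if allowlist is not None:
        hit = match_list(domain, allowlist)
        if hit:
            return ("allow", upstream_answer, "allowlist:" + hit)
        return ("block", SINKHOLE_ADDRESS, "not-on-allowlist")
    hit = match_list(domain, THIRD_PARTY_BLOCKLIST)
    if hit:
        return ("block", SINKHOLE_ADDRESS, "blocklist:" + hit)
    category = lookup_category(domain)
    if category in BLOCKED_CATEGORIES:
        return ("block", SINKHOLE_ADDRESS, "category:" + category)
    return ("allow", upstream_answer, "category:" + (category or "uncategorised"))


if __name__ == "__main__":
    for name in ("cdn.malware-host.example.", "news.example", "tracker.example", "shop.example"):
        print(name, filter_query(name, "203.0.113.10"))
```

Suffix matching is what makes a single list entry cover every host under a blocked domain; a filter that compared whole names only would be trivially sidestepped by a new subdomain.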
Employees Will Just Bypass Web Filtering Controls
No web filtering solution is infallible, although it is possible to implement some basic controls that will prevent all but the most determined and skilled workers from accessing prohibited websites. Simple firewall rules can be easily set and you can block DNS requests to anything other than your approved DNS service. You can also set up WebTitan to block the use of anonymizers.
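Blocking DNS requests to anything other than the approved resolver, as suggested above, is most useful when paired with a check that the rule is actually holding. The script below is an added example, not WebTitan's code: it parses constructed firewall log lines to flag DNS and DNS-over-TLS flows to non-approved resolvers, and renders the corresponding nftables rules as text. The log format, the approved resolver address (10.0.0.2) and all sample lines are assumptions made for the example.

```python
"""Spot DNS traffic that bypasses the approved resolver, from firewall logs,
and render the matching egress rules.  Added example, not WebTitan code: the
log format, the approved resolver address and all sample lines are constructed."""
import re

APPROVED_RESOLVERS = {"10.0.0.2"}  # hypothetical internal forwarder to the filtering service
DNS_PORTS = {53: "dns", 853: "dns-over-tls"}  # DNS-over-HTTPS on 443 is not visible here

LOG_LINE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Constructed sample log lines: one approved lookup, two bypass attempts,
# one unrelated HTTPS flow and one unparsable line.
SAMPLE_LOG = """\
2018-04-16T09:00:01 src=10.0.0.25 dst=10.0.0.2 proto=udp dport=53
2018-04-16T09:00:02 src=10.0.0.25 dst=192.0.2.53 proto=udp dport=53
2018-04-16T09:00:03 src=10.0.0.31 dst=198.51.100.9 proto=tcp dport=853
2018-04-16T09:00:04 src=10.0.0.31 dst=203.0.113.80 proto=tcp dport=443
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_bypass(log_text):
    """Return (src, dst, kind) for each DNS/DoT flow to a non-approved resolver."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in DNS_PORTS:
            continue
        if rec["dst"] not in APPROVED_RESOLVERS:
            hits.append((rec["src"], rec["dst"], DNS_PORTS[rec["dport"]]))
    return hits


def egress_rules(lan_cidr):
    """Render the policy as nftables rule text (nothing is applied): allow
    DNS/DoT from the LAN to the approved resolvers, drop DNS/DoT elsewhere."""
    rules = []
    for resolver in sorted(APPROVED_RESOLVERS):
        for proto in ("udp", "tcp"):
            rules.append(f"ip saddr {lan_cidr} ip daddr {resolver} {proto} dport {{ 53, 853 }} accept")
    for proto in ("udp", "tcp"):
        rules.append(f"ip saddr {lan_cidr} {proto} dport {{ 53, 853 }} drop")
    return rules


if __name__ == "__main__":
    for hit in find_bypass(SAMPLE_LOG):
        print("bypass attempt:", hit)
    print("\n".join(egress_rules("10.0.0.0/24")))
```

Two flows are flagged in the sample: a plain DNS query to an outside resolver and a DNS-over-TLS connection on port 853. Encrypted DNS over HTTPS travels on port 443 and looks like ordinary web traffic, which is why that case is left to the web filter's HTTPS inspection rather than to port-based rules.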
IT Support Will be Bombarded with Support Calls from Employees Trying to Access Blocked Websites
If you decide to opt for whitelisting acceptable websites, you are likely to be bombarded with support calls when users discover they are unable to access sites necessary for work. Similarly, if you choose to heavily filter the Internet and block most categories of website, then your helpdesk could well be swamped with calls.
However, for most companies, filtering the internet is simply a way of enforcing acceptable usage policies, which your employees should already be aware of. You are unlikely to get calls from employees who want access to porn at work, or calls from employees who want to continue gambling and gaming on the clock. Restrict productivity-draining sites, illegal web content, phishing websites, and sites that are not suitable in the workplace, explain your policies to staff in advance, and your support calls should be kept to a minimum.
Find Out More About DNS Filtering
If you have yet to implement DNS filtering in your organization, it is possible to discover the benefits of Internet filtering before committing to a purchase. TitanHQ offers a free trial of WebTitan Cloud (and WebTitan Cloud for WiFi) so you can try before committing to a purchase.
If you would like further information on getting started with web filtering, have technical questions about implementation, would like details of pricing or would like a demo or a free trial, contact the TitanHQ team today.
The Rockingham school district in North Carolina discovered Emotet malware had been installed on its network in late November. The cost of resolving the infection was an astonishing $314,000.
The malware was delivered via spam emails, which arrived in multiple users’ inboxes. The attack involved a commonly used ploy by cybercriminals to get users to install malware.
The emails appeared to have been sent by the anti-virus vendor used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice included as an attachment. The emails were believable and were similar to many other legitimate emails received on a daily basis.
The emails asked the recipient to open and check the attached invoice; however, doing so would see malware downloaded and installed on the email recipient’s computer.
Soon after those emails were received and opened, staff started to experience problems. Internet access appeared to have been blocked for some users. Reports from Google saying email accounts had been shut down due to spamming started to be received. The school district investigated and discovered several devices and servers had been infected with malware.
Emotet malware is a network worm that is capable of spreading across a network. Infection on one machine will see the virus transmitted to other vulnerable devices. The worm drops a type of banking malware on infected devices that is used to steal victims’ credentials such as online banking details.
Emotet is a particularly advanced malware variant that is difficult to detect and hard to remove. The Rockingham school district discovered just how problematic Emotet malware infections can be when attempts were made to remove the worm. The school district was able to successfully clean some infected machines by reimaging the devices; however, the malware simply re-infected those computers.
Mitigating the attack required assistance from security experts, but even with expert help the recovery process is expected to take up to a month. 10 ProLogic ITS engineers will spend around 1,200 on site reimaging machines. 12 servers and potentially up to 3,000 end points must be reimaged to remove the malware and stop reinfection. The cost of cleanup will be $314,000.
Attacks such as this are far from uncommon. Cybercriminals take advantage of a wide range of vulnerabilities to install malware on business computers and servers. In this case the attack took advantage of gaps in email defenses and a lack of security awareness of employees. Malware can similarly be installed by exploiting unpatched vulnerabilities in software, or by drive-by downloads over the Internet.
To protect against Emotet malware and other viruses and worms layered defenses are required. An advanced spam filtering solution can ensure malicious emails are not delivered, endpoint detection systems can detect atypical user behavior, antivirus solutions can potentially detect and prevent infections, while web filters can block web-based attacks and drive-by downloads. End users are the last line of defense and should therefore be trained to recognize malicious emails and websites.
Only a combination of these and other cybersecurity defenses can keep organizations well protected. Fortunately, with layered defenses, it is possible to avoid costly malware and phishing attacks such as the one experienced by the Rockingham school district.
15 years after the launch of the wireless security protocol WPA2, the Wi-Fi Alliance has announced this year will see the release of the WPA3 protocol. The transition period from the WPA2 to WPA3 protocol is expected to take several months.
WPA2 was released in 2003, bringing with it a number of key security enhancements to its predecessor WPA. WPA2 fast became the accepted Wi-Fi CERTIFIED security technology and is now used in more than 35,000 certified Wi-Fi products, including smartphones, tablets, and IoT devices.
Since its launch, WPA2 has received several enhancements and the protocol will continue to be updated this year. The Wi-Fi Alliance says updates will be applied over the coming weeks and months, will occur ‘under the hood’, and will be unnoticeable to users. The enhancements will address configuration, authentication, and encryption.
The first major update to WPA2 is for Protected Management Frames (PMF) in Wi-Fi devices, which ensure the integrity of network management traffic on Wi-Fi networks. The update concerns when devices are required to use PMF, refining configurations for Wi-Fi CERTIFIED devices to ensure the highest possible level of security.
The second enhancement requires companies to conduct additional checks of their devices to ensure best practices for using the Wi-Fi security protocols have been adopted. This will reduce the potential for the misconfiguration of networks and devices, further safeguarding managed networks with centralized authentication services.
The third major update standardizes 128-bit level cryptographic suite configurations, which will deliver more consistent network security configurations. The Wi-Fi Alliance VP, Kevin Robinson, said, “Often people may focus exclusively on the level of encryption when evaluating security of a technology, but there are a number of components—such as information protection (encryption), key establishment, digital signatures, and condensed representations of information—that work together as a system to deliver strong security.” This update will ensure all cryptographic components used are of the required standard, ensuring there are no weak links in the encryption chain.
By adding these enhancements to its Wi-Fi certification program, users can be sure all certified Wi-Fi devices will have the highest level of security.
The Wi-Fi Alliance says WPA2 will continue to be deployed in Wi-Fi devices, although following the launch of the WPA3 protocol later this year there will be a gradual transition to the WPA3 protocol. During the transition period, both WPA2 and WPA3 will be run concurrently. The process of changeover is expected to take several months, as it is necessary for all hardware to be certified to make sure the new protocol can be supported.
The WPA3 protocol will incorporate several important enhancements to improve Wi-Fi security. The full specifications have not yet been published but are expected to include increased privacy protections for users of open networks with individualized data encryption.
Controls to prevent malicious actors from undertaking multiple login attempts via commonly used passwords are expected, as well as simplified configuration for IoT devices that do not have a display. The new WPA3 protocol will also use 192-bit security or the Commercial National Security Algorithm to improve security for government, defense, and industrial networks.
“Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry,” said Joe Hoffman, SAR Insight & Consulting. “Wi-Fi is evolving to maintain its high-level of security as industry demands increase.”
Passwords should be complex and difficult to guess, but that makes them difficult to remember, so what about using password managers to get around that problem? Are password managers safe and secure? Are they better than attempting to remember passwords for every one of your accounts?
First of all, it is worth considering that most people have a great deal of passwords to remember – email accounts (work and personal), social media accounts, bank accounts, retail sites, and just about every other online service. If you rarely venture online and do not make online purchases, that means you will need to learn a handful of passwords (and change them regularly!).
Most people will have many passwords. Far too many to remember. That means people tend to choose easy to remember – and easy to guess – passwords and tend to reuse passwords on multiple sites.
These poor security practices are a recipe for disaster. In the case of password reuse, if one password is guessed, multiple accounts can be compromised. So, are password managers safe? If that is the alternative, then most definitely.
With a password manager you can generate a strong and impossible-to-remember password for every online account. That makes each of those accounts more secure. Emmanuel Schalit, CEO of Dashlane, a popular password manager, said, “Sometimes, it’s better to put all your eggs in the same basket if that basket is more secure than the one you would be able to build on your own.”
That does mean that if the server used by the password manager company is hacked, you do stand to lose all of your passwords. Bear in mind that no server can ever be 100% secure. There have been hacks of password manager servers and vulnerabilities have been discovered (see below). Password managers are not risk-free. Fortunately, password managers encrypt passwords, so even if a server is compromised, it would be unlikely that all of your passwords would be revealed.
That said, you will need to set a master password to access your password manager. Since you are essentially replacing all of your unique passwords with a single password, if the master password is guessed, then your account can be accessed and with it, all of your passwords. To keep password managers safe and secure, it is important to use a strong and complex password for your account – preferably a passphrase of upwards of 12 characters – and you should change that password every three months.
If you use a cloud-based password manager, it is possible that when that service goes down, you will not be able to access your own account. Fortunately, downtime is rare, and it would still be possible to reset your passwords. You could also consider keeping a local copy of your passwords and encrypting that file. In a worst-case scenario, such as the password manager company going bust, you would always have a copy. Some services will also allow you to sync your encrypted backups with the service to ensure local copies are kept up to date.
Flaws Discovered in Password Managers
Tavis Ormandy, a renowned researcher from the Google Project Zero team, recently discovered a flaw in Keeper Password Manager that could potentially be exploited to gain access to a user’s entire vault of stored passwords. The Keeper Password Manager flaw could not be exploited remotely without any user interaction. However, if the user was lured onto a specially crafted website while logged into their password manager, the attacker could inject malicious code to execute privileged code in the browser extension and gain access to the account. Fortunately, when Keeper was alerted to the flaw, it was rapidly addressed before the flaw could be exploited.
Last year Ormandy also discovered a flaw in LastPass, one of the most popular password managers. Similarly, that flaw could be exploited by luring the user to a specially crafted webpage via a phishing email. That flaw, too, was rapidly addressed. The LastPass server was also hacked the year before, with the attackers gaining access to some users’ information. LastPass reports that while it was hacked, users’ passwords were not revealed.
These flaws do go to show that while password managers are safe, vulnerabilities may exist, and even a password manager can potentially be hacked.
Are Password Managers Safe to Use?
So, are password managers safe? They can be, but as with any other software, vulnerabilities may exist that can leave your passwords exposed. It is therefore essential to ensure that password manager extensions/software are kept up to date, as is the case with all other software and operating systems.
Security is only as good as the weakest link, so while your password manager is safe, you will need to use a complex master password to prevent unauthorized individuals from accessing your password manager account. If that password is weak and easily guessable, it will be vulnerable to a brute force attack.
In addition to a complex master password, you should take some additional precautions. It would be wise not to use your password manager to save the password to your bank account. You should use two-factor authentication so if a new device attempts to connect to any of your online accounts, you will receive an alert on your trusted device or via email.
As an additional protection, businesses that allow the use of password managers should consider implementing a web filtering solution that prevents users from visiting known malicious websites where vulnerabilities could be exploited. By restricting access to certain categories of website, or whitelists of allowable sites, the risk of web-based attacks can be reduced to a low and acceptable level.
Password managers should also be used with other security solutions that provide visibility into who is accessing resources. Identity and access management solutions will help IT managers determine when accounts have been breached, and will raise flags when anomalous activity is detected.
HTTPS phishing websites have increased significantly this year, to the point that more HTTPS phishing websites are now being registered than legitimate websites with SSL certificates, according to a new analysis by PhishLabs.
If a website starts with HTTPS it means that an SSL certificate is held by the site owner, that the connection between your browser and the website is encrypted, and you are protected from man-in-the-middle attacks. It was not long ago that a green padlock next to the URL, along with a web address starting with HTTPS, meant you could be reasonably confident that the website you were visiting was genuine. That is no longer the case, yet many people still believe that to be true.
According to PhishLabs, a recent survey showed that 80% of respondents felt the green padlock and HTTPS indicated the site was legitimate and/or secure. The truth is that all it means is traffic between the browser and the website is encrypted. That will prevent information being intercepted, but if you are on a phishing website, it doesn’t matter whether it is HTTP or HTTPS. The end result will be the same.
Over the past couple of years there has been a major push to move websites from HTTP to HTTPS, and most businesses have now made the switch. This was in part due to Google and Firefox issuing warnings about websites that lacked SSL certificates, alerting visitors that entering sensitive information on the sites carried a risk. Since October, Google has been labelling websites as Not Secure in the URL via the Chrome browser.
Such warnings are sufficient to see web visitors leave in their droves and visit other sites where they are better protected. It is no surprise that businesses have sat up and taken notice and made the switch. According to Let’s Encrypt, 65% of websites are now on HTTPS, compared to just 45% in 2016.
However, it is not only legitimate businesses that are switching to secure websites. Phishers are taking advantage of the main benefit that comes with an HTTPS website: trust.
Consumer trust in HTTPS means cybercriminals who register HTTPS sites can easily add legitimacy to their malicious websites. It is therefore no surprise that HTTPS phishing websites are increasing. As more legitimate websites switch to HTTPS, more phishing websites are registered with SSL certificates. If that were not the case, the fact that a website started with HTTP would be a clear indicator that it may be malicious and cybercriminals would be at a distinct disadvantage.
What is a surprise is the extent to which HTTPS is being abused by scammers. The PhishLabs report shows that in the third quarter of 2017, almost a quarter of phishing websites were hosted on HTTPS pages, twice the number seen in the previous quarter. An analysis of phishing sites spoofing Apple and PayPal showed that three quarters are hosted on HTTPS pages. Figures from 2016 show that less than 3% of phishing sites were using HTTPS. In 2015 it was just 1%.
While checks are frequently performed on websites before an SSL certificate is issued, certification companies do not check all websites, which allows the scammers to obtain SSL certificates. Many websites are registered before any content is uploaded, so even a check of the site would not provide any clues that the site will be used for malicious purposes. Once the certificate is obtained, malicious content is uploaded.
The PhishLabs report also shows there is an approximate 50/50 spread between websites registered by scammers and legitimate websites that have been compromised and loaded with phishing webpages. Just because a site uses HTTPS, it does not mean that all of its plugins are kept up to date, or that the latest version of the CMS is in use. Vulnerabilities exist on many websites and hackers are quick to take advantage.
The rise in HTTPS phishing websites is bad news for consumers and businesses alike. Consumers should be wary that HTTPS is no guarantee that a website is legitimate. Businesses that have restricted Internet access to only allow HTTPS websites to be visited may have a false sense of security that they are protected from phishing and other malicious sites, when that is far from being the case.
For the best protection, businesses should consider implementing a web filter that scans the content of webpages to identify malicious sites, and should ensure that the solution is capable of decrypting secure sites to perform scans of the content.
For more information on how a web filter can help to protect your organization from phishing and malware downloads, give the TitanHQ sales team a call today.
The Terdot Trojan is a new incarnation of Zeus, a highly successful banking Trojan that first appeared in 2009. While Zeus has been retired, its source code has been available since 2011, allowing hackers to develop a swathe of new banking Trojans based on its sophisticated code.
The Terdot Trojan is not new, having first appeared in the middle of last year, although a new variant of the credential-stealing malware has been developed and is being actively used in widespread attacks, mostly in Canada, the United States, Australia, Germany, and the UK.
The new variant includes several new features. Not only will the Terdot Trojan steal banking credentials, it will also spy on social media activity, and includes the functionality to modify tweets, Facebook posts, and posts on other social media platforms to spread to the victim’s contacts. The Terdot Trojan can also modify emails, targeting Yahoo Mail and Gmail domains, and the Trojan can also inject code into websites to help itself spread.
Further, once installed on a device, Terdot can download other files. As new capabilities are developed, the modular Trojan can be automatically updated.
The latest variant of this nasty malware was identified by security researchers at Bitdefender. Bitdefender researchers note that in addition to modifying social media posts, the Trojan can create posts on most social media platforms, and suspect that the stolen social media credentials are likely sold on to other malicious actors, spelling further misery for victims.
Unfortunately, detecting the Terdot Trojan is difficult. The malware is downloaded using a complex chain of droppers, code injections and downloaders, to reduce the risk of detection. The malware is also downloaded in chunks and assembled on the infected device. Once installed, it can remain undetected and is not currently picked up by many AV solutions.
“Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” warns Bitdefender.
Protecting against threats such as banking Trojans requires powerful anti-malware tools to detect and block downloads, although businesses should consider additional protections to block the main attack vectors: exploit kits and spam email.
Combosquatting is a popular technique used by hackers, spammers, and scammers to fool users into downloading malware or revealing their credentials.
Combosquatting should not be confused with typosquatting. The latter involves the purchasing of domains with transposed letters or common spelling mistakes to catch out careless typists – Fcaebook.com for example.
Combosquatting is so named because it involves the purchasing of a domain that combines a trademarked name with another word – yahoofiles.com, disneyworldamusement.info, facebook-security.com or google-privacy.com for example.
The technique is not new, but the extent that it is being used by hackers was not well understood. Now researchers at Georgia Tech, Stony Brook University and London’s South Bank University have conducted a study that has revealed the extent to which hackers, spammers, and scammers are using this technique.
The research, which was supported by the U.S. Department of Defense, National Science Foundation and the U.S. Department of Commerce, was presented at the 2017 ACM Conference on Computer and Communications Security (CCS) on October 31, 2017.
For the study, the researchers analyzed more than 468 billion DNS records, collected over 6 years, and identified combosquatting domains. The researchers noted the number of domains being used for combosquatting has increased year over year.
The extent to which the attack method is being used is staggering. For just 268 trademarks, they identified 2.7 million combosquatting domains, which they point out makes combosquatting more than 100 times as common as typosquatting. While many of these malicious domains have been taken down, almost 60% of the domains were active for more than 1,000 days.
The team found these domains were used for a wide variety of nefarious activities, including affiliate abuse, phishing, social engineering, advanced persistent threats, malware and ransomware downloads.
End users are now being taught to carefully check domain names for typos and transposed letters to detect typosquatting, but this technique fools users into thinking they are on a website that is owned by the brand included in the domain.
First author of the study, Georgia Tech researcher Panagiotis Kintis, said, “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”
In order to prevent these types of trademark abuse, many companies register hundreds of domains that contain their trademark. The researchers found that many of the domains being used by hackers had previously been owned by the holders of the trademark. When the domains were not renewed, they were snapped up by hackers. Many of the malicious domains that had previously been purchased by hackers had been re-bought by other scammers when they came up for renewal.
Users are being lured onto the domains using a variety of techniques, including the placing of adverts with the combosquatting domains on ad-networks, ensuring those adverts are displayed on a wide variety of legitimate websites – a technique called malvertising. The links are also distributed in spam and phishing emails. These malicious URLs are also frequently displayed in search engine listings, and remain there until complaints are filed to have the domains removed.
Due to the prevalence of this attack technique, organizations should include it in their cyber awareness training programs to alert users to the attack method and ensure they exercise caution.
The researchers also suggest an organization should be responsible for taking these domains down and ensuring they cannot be re-bought when they are not renewed.
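The distinction the article draws between typosquatting (a transposed or misspelled trademark) and combosquatting (the trademark plus extra words) can be turned into a simple triage check over observed hostnames. The following is an added example, not code from the page or from the cited study; the trademark list, the public-suffix handling and the sample hostnames are constructed for illustration.

```python
"""Classify observed hostnames as exact, combosquatting, typosquatting or clean.

Added example, not code from the page or the cited study. The trademark list
and the sample hostnames below are constructed for illustration.
"""

# Constructed list of protected brand names (lowercase, no suffix)
TRADEMARKS = ["facebook", "google", "yahoo", "disney"]

# Constructed sample: one hostname per line, as might be pulled from DNS logs
SAMPLE_HOSTS = """\
www.facebook.com
fcaebook.com
gogle.com
facebook-security.com
google-privacy.com
yahoofiles.com
disneyworldamusement.info
example.org
"""

# Assumption: only these public suffixes appear in the constructed sample
SUFFIXES = (".com", ".info", ".org", ".net")


def registered_label(hostname):
    """Return the registrable label ('facebook' for 'www.facebook.com')."""
    host = hostname.strip().lower().rstrip(".")
    for suffix in SUFFIXES:
        if host.endswith(suffix):
            host = host[: -len(suffix)]
            break
    return host.split(".")[-1]


def is_typo_of(label, mark):
    """True if label is one substitution, insertion, deletion or adjacent
    transposition away from mark (the classic typosquatting distance)."""
    if label == mark:
        return False
    la, lb = len(label), len(mark)
    if abs(la - lb) > 1:
        return False
    if la == lb:
        diffs = [i for i in range(la) if label[i] != mark[i]]
        if len(diffs) == 1:
            return True  # single substitution
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and label[diffs[0]] == mark[diffs[1]]
                and label[diffs[1]] == mark[diffs[0]])  # adjacent swap
    # Lengths differ by one: a single insertion or deletion
    short, long_ = (label, mark) if la < lb else (mark, label)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def classify(hostname, trademarks=TRADEMARKS):
    """Return (kind, trademark) for a hostname.

    Containment is tested before the typo distance, so a label such as
    'googles' is reported as combosquatting rather than as a typo.
    """
    label = registered_label(hostname)
    for mark in trademarks:
        if label == mark:
            return ("exact", mark)
        if mark in label:
            return ("combosquat", mark)
        if is_typo_of(label, mark):
            return ("typosquat", mark)
    return ("clean", None)


def scan(host_list, trademarks=TRADEMARKS):
    """Group each hostname by class: {kind: [(hostname, trademark), ...]}."""
    groups = {"exact": [], "combosquat": [], "typosquat": [], "clean": []}
    for line in host_list.splitlines():
        host = line.strip()
        if not host or host.startswith("#"):
            continue
        kind, mark = classify(host, trademarks)
        groups[kind].append((host, mark))
    return groups


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_HOSTS).items():
        print(kind, hits)
```

Hits in the combosquat bucket are the ones the article warns will look familiar to an analyst; they deserve the same scrutiny as the typosquat bucket rather than a pass because the brand name is present.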
TitanHQ Sales Director Conor Madden will be talking enterprise Wi-Fi security at this year’s Wi-Fi Now Europe 2017, explaining some of the key innovations in Wi-Fi security to keep enterprise Wi-Fi networks secure.
This will be the fourth time in two years that Conor has provided his insights into Wi-Fi security developments at Wi-Fi Now conferences. Conor will be giving his presentation – Four Great Innovations in Enterprise Wi-Fi – Part One – on the first day of the conference between 12:00 and 12:30.
Conor will explain how DNS-based Wi-Fi security adds an essential layer of security to keep enterprise Wi-Fi networks secure, and will offer insights into how enterprises can easily create customized Wi-Fi services. In addition to Conor’s headline speech, the TitanHQ team will be in attendance and will be demonstrating WebTitan Cloud for Wi-Fi at Stand 23 over the three days of the event. The team will also demonstrate some of the big-ticket deployments from the past 18 months. The team will also explain some of the new refinements and updates that have made WebTitan even more useful and user friendly, including the new API capability that is proving so popular with product managers and engineers.
Wi-Fi Now Europe 2017 – The Premier Conference for the Wi-Fi Industry
The Wi-Fi Now Europe 2017 event brings together leaders, entrepreneurs, innovators, and experts from all areas of the Wi-Fi industry. This year there will be more than 50 speakers including analysts, thought leaders, technology leaders, carriers and service providers. More than 40 companies from all areas of the Wi-Fi industry will be demonstrating their products and services to attendees.
The conferences are a highlight in the calendar for anyone involved in the Wi-Fi industry and provide attendees with an incredible networking opportunity and the chance to learn about the latest advances in Wi-Fi, exciting new products and new services on offer.
The Wi-Fi Now Europe 2017 Conference will be taking place between October 31st and November 2nd at the NH Den Haag Hotel atop The Hague’s World Trade Center Building.
Gold passes give attendees complete access to all events at the 3-day conference, with day passes also available. Advance registration is required for all attendees.
TitanHQ On the Road
It has been a busy few weeks for TitanHQ. The team has been traveling across Europe and the United States, showcasing its web filtering, spam filtering and email archiving solutions.
The Wi-Fi Now Europe 2017 conference comes hot on the heels of the DattoCon17 conference in London, where the team met with more than 400 MSPs, and the ASCII Summit in Washington D.C., where TitanHQ explained how Managed Service Providers can grow their business and easily increase monthly recurring revenues. Earlier this month, TitanHQ attended the Kaseya Connect Europe IT Management Event and explained the new integration of WebTitan with Kaseya.
The road trip continues into November in the United States, with TitanHQ attending both the upcoming HTG Meeting in Orlando, FL (Oct 30-Nov 3) and the IT Nation, ConnectWise Conference at the Hyatt Regency, Orlando, between November 8-10, 2017.
Last month saw a significant rise in healthcare data breaches, clearly demonstrating that healthcare providers, health plans, and business associates are struggling to prevent healthcare data breaches.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was introduced to ensure that healthcare organizations implement a range of safeguards to ensure the confidentiality, integrity, and availability of healthcare data. It has now been more than a decade since the Security Rule was introduced, and data breaches are still occurring with alarming frequency. In fact, more data breaches are occurring than ever before.
September Data Breaches in Numbers
The Protenus Breach Barometer Report for September, which tracks all reported healthcare data breaches, showed there were 46 breaches of protected health information (PHI) in September, with those breaches resulting in the exposure of 499,144 individuals’ PHI. Hacking and IT incidents were cited as the cause of 50% of those breaches, with insiders causing 32.6% of incidents. Loss and theft of devices was behind almost 11% of the month’s breaches. Previous monthly reports in 2017 have shown that insiders are often the biggest cause of healthcare data breaches.
HIPAA Compliance Will Not Prevent Healthcare Data Breaches
HIPAA compliance can go some way toward making healthcare organizations more resilient to cyberattacks, malware and ransomware infections, but simply complying with the HIPAA Security Rule does not necessarily mean organizations will be impervious to attack.
HIPAA compliance is about raising the bar for cybersecurity and ensuring a minimum standard is maintained. While many healthcare organizations see HIPAA compliance as a goal to achieve a good security posture, the reality is that it is only a baseline. To prevent data breaches, healthcare organizations must go above and beyond the requirements of HIPAA.
Detect Insider Breaches Promptly
Preventing insider data breaches can be difficult for healthcare organizations. Healthcare employees must be given access to patient records in order to provide medical care, and there will always be the occasional bad apple that snoops on the records of patients who they are not treating, and individuals who steal data to sell to identity thieves.
HIPAA requires healthcare organizations to maintain access logs and check those logs regularly for any sign of unauthorized access. The term ‘regularly’ is open to interpretation. A check every six months or once a year could be viewed as regular and compliant with HIPAA regulations. However, during those 6 or 12 months, the records of thousands of patients could be accessed. Healthcare organizations should go above and beyond HIPAA requirements and should ideally implement a system that constantly monitors for unauthorized access, or at least conduct access log reviews every quarter as a minimum. This will not prevent healthcare data breaches, but it will reduce their severity.
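The continuous monitoring the article recommends amounts to comparing every record access against a documented treatment relationship, and flagging bursts of lookups that look like snooping. The following is an added example, not code from the page or from any HIPAA product; the audit-log format, the care-team table, the user names and the ten-minute burst threshold are all constructed assumptions.

```python
"""Flag EHR record accesses outside a care relationship, and bursty lookups.

Added example; not code from the page or any HIPAA tool. The log format,
the care-team table, the names and the thresholds are constructed.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed audit log: timestamp, user, patient id, action
ACCESS_LOG = """\
timestamp,user,patient,action
2017-09-03T08:12:00,nurse.ahmed,P1001,view
2017-09-03T08:15:00,dr.lee,P1001,view
2017-09-03T09:40:00,clerk.jones,P2002,view
2017-09-03T12:05:00,nurse.ahmed,P3003,view
2017-09-03T12:06:00,nurse.ahmed,P3004,view
2017-09-03T12:07:00,nurse.ahmed,P3005,view
2017-09-03T13:30:00,dr.lee,P2002,view
"""

# Constructed care-team table: patient -> users with a treatment relationship
CARE_TEAM = {
    "P1001": {"nurse.ahmed", "dr.lee"},
    "P2002": {"clerk.jones", "dr.lee"},
    "P3003": {"dr.patel"},
    "P3004": {"dr.patel"},
    "P3005": {"dr.patel"},
}


def parse_log(text):
    """Parse the CSV audit log into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_unauthorized(rows, care_team=CARE_TEAM):
    """Return rows whose user has no documented care relationship with the patient."""
    return [r for r in rows if r["user"] not in care_team.get(r["patient"], set())]


def summarize_by_user(flagged):
    """Count flagged accesses per user so reviewers can prioritise follow-up."""
    counts = defaultdict(int)
    for r in flagged:
        counts[r["user"]] += 1
    return dict(counts)


def burst_accesses(rows, window=timedelta(minutes=10), threshold=3):
    """Users who opened `threshold` or more distinct patient records within `window`.

    Returns {user: max distinct patients seen in any single window}.
    """
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append((datetime.fromisoformat(r["timestamp"]), r["patient"]))
    offenders = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                offenders[user] = max(offenders.get(user, 0), len(seen))
    return offenders


if __name__ == "__main__":
    rows = parse_log(ACCESS_LOG)
    flagged = find_unauthorized(rows)
    print("outside care team:", summarize_by_user(flagged))
    print("bursty lookups:", burst_accesses(rows))
```

Run against the live audit feed rather than a quarterly export, the same two checks surface the snooping pattern within minutes instead of months.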
Close the Door to Hackers
50% of breaches in September were due to hacking and IT incidents. Hackers are opportunistic, and while targeted attacks on large healthcare organizations do occur, most of the time hackers take advantage of long-standing vulnerabilities that have not been addressed. In order to correct those vulnerabilities, they must first be identified, hence the need for regular risk analyses as required by the HIPAA Security Rule. An organization-wide risk analysis should take place at least every year to remain HIPAA compliant, but more frequently to ensure vulnerabilities have not crept in.
Additionally, a check should be performed at least every month to make sure all software is up to date and all patches have been applied. There have been numerous examples recently of cloud storage instances being left unprotected and accessible by the public. There are free tools that can be used to check for exposed AWS buckets for example. Scans should be regularly conducted. Cybercriminals will be doing the same.
Prevent Impermissible Disclosures of PHI
One of the leading causes of PHI disclosures is the loss or theft of laptop computers, zip drives, and other portable devices. While employees can be trained to take care of their devices, thieves will seize any opportunity if devices are left unprotected. HIPAA does not demand the use of encryption, and alternative measures can be used to secure devices, but HIPAA covered entities and their business associates should use encryption on portable devices to ensure that in the event of loss or theft, data cannot be accessed. If an encrypted device is stolen or lost, it is not a HIPAA breach. Using encryption on portable devices is a good way to prevent healthcare data breaches.
Small portable storage devices such as pen drives are convenient, but they should never be used for transporting PHI – They are far too easy to lose or misplace. Use HIPAA-compliant cloud storage services such as Dropbox or Google Drive as they are more secure.
Block Malware and Ransomware Attacks
Malware and ransomware attacks are reportable breaches under HIPAA, and can result in major data breaches. Email is the primary vector for delivering malware, so it is essential for an effective spam filtering solution to be implemented. HIPAA requires training to be provided to employees regularly, but a once-a-year training session is no longer sufficient. Training sessions should take place at least every 6 months, with regular security alerts on the latest phishing threats communicated to employees as and when necessary. Ideally, training should be an ongoing process, involving phishing simulation exercises.
Malware and ransomware can also be downloaded in drive-by attacks when browsing the Internet. A web filtering solution should be used to prevent healthcare employees from visiting malicious sites, to block phishing websites, and prevent drive-by malware downloads. A web filter is not a requirement of HIPAA, but it is an important extra layer of security that can prevent healthcare data breaches.
Cybercriminals are delivering Smoke Loader malware via a new malvertising campaign that uses health tips and advice to lure end users to a malicious website hosting the Terror Exploit Kit.
Malvertising is the name given to malicious adverts that appear genuine, but redirect users to phishing sites and websites that have been loaded with toolkits – exploit kits – that probe for unpatched vulnerabilities in browsers, plugins, and operating systems.
Spam email is the primary vector used to spread malware, although the threat from exploit kits should not be ignored. Exploit kits were used extensively in 2016 to deliver malware and ransomware, and while EK activity fell considerably toward the end of 2016 and has remained fairly low in 2017, attacks are still occurring. The Magnitude Exploit Kit is still extensively used to spread malware in the Asia Pacific region, and recently there has been an increase in attacks elsewhere using the Rig and Terror exploit kits.
The Smoke Loader malware malvertising campaign has now been running for almost two months. ZScaler first identified the malvertising campaign on September 1, 2017, and it has remained active throughout October.
Exploit kits can be loaded with several exploits for known vulnerabilities, although the Terror EK is currently attempting to exploit two key vulnerabilities: a scripting engine memory corruption vulnerability (CVE-2016-0189) that affects Internet Explorer 9 and 11, and a Windows OLE automation array RCE vulnerability (CVE-2014-6332) affecting unpatched versions of Windows 7 and 8. ZScaler reports that three Flash exploits are also attempted.
Patches have been released to address these vulnerabilities, but if those patches have not been applied systems will be vulnerable to attack. Since these attacks occur without any user interaction – other than visiting a site hosting the Terror EK – infection is all but guaranteed if users respond to the malicious adverts.
Smoke Loader malware is a backdoor that, if installed, will give cybercriminals full access to an infected machine, allowing them to steal data, launch further cyberattacks on the network, and install other malware and ransomware. Smoke Loader malware is not new – it has been around since at least 2011 – but it has recently been upgraded with several anti-analysis mechanisms to prevent detection. Smoke Loader malware has also been associated with the installation of the TrickBot banking Trojan and GlobeImposter ransomware.
To protect against attacks, organizations should ensure their systems and browsers are updated to the latest versions and patches are applied promptly. Since there is usually a lag between the release of a new patch and installation, organizations should consider the use of a web filter to block malicious adverts and restrict web access to prevent employees from visiting malicious websites.
For advice on blocking malvertisements, restricting Internet access for employees, and implementing a web filter, contact the TitanHQ team today.
A critical WiFi security flaw has been discovered by security researchers in Belgium. The WPA2 WiFi vulnerability can be exploited using the KRACK (Key Reinstallation attack) method, which allows malicious actors to intercept and decrypt traffic between a user and the WiFi network in a man-in-the-middle attack. The scale of the problem is immense. Nearly every WiFi router is likely to be vulnerable.
Exploiting the WPA2 WiFi vulnerability would also allow a malicious actor to inject code or install malware or ransomware. In theory, this attack method would even allow an attacker to insert malicious code or malware into a benign website. In addition to intercepting communications, access could be gained to the device and any connected storage drives. An attacker could gain full control of a device that connects to a vulnerable WiFi network.
There are two conditions required to pull off KRACK: the WiFi network must be using WPA2-PSK (or WPA-Enterprise) and the attacker must be within range of the WiFi signal.
The first condition is problematic, since most WiFi networks use the WPA2 protocol and most large businesses use WPA-Enterprise. Further, since this is a flaw in the WiFi protocol, it doesn’t matter what device is being used or the security on that device. The second offers some protection for businesses for their internal WiFi networks since an attack would need to be pulled off by an insider or someone in, or very close to, the facility. That said, if an employee was to use their work laptop to connect to a public WiFi hotspot, such as in a coffee shop, their communications could be intercepted and their device infected.
In the case of the latter, the attack could occur before the user has stirred sugar into his or her coffee, and before a connection to the Internet has been opened. That’s because this attack occurs when a device connects to the hotspot and undergoes a four-way handshake. The purpose of the handshake is to confirm both the client and the access point have the correct credentials. With KRACK, a vulnerable client is tricked into using a key that is already in use.
The researchers explained that “our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.” The researchers also pointed out, “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can be bypassed in a worrying number of situations.”
The disclosure of this WPA2 WiFi vulnerability has had many vendors frantically developing patches to block attacks. The security researcher who discovered the WPA2 WiFi vulnerability – Mathy Vanhoef – notified vendors and software developers months previously, allowing them to start work on their patches. Even with advance notice, relatively few companies have so far patched their software and products. So far, companies that have confirmed patches have been applied include Microsoft, Linux, Apple, and Cisco/Aruba. However, to date, Google has yet to patch its Android platform, and neither has Pixel/Nexus. Google is reportedly still working on a patch and will release it shortly.
There is also concern over IoT devices, which Vanhoef says may never receive a patch for the WPA2 WiFi vulnerability, leaving them highly vulnerable to attack. Smartphones similarly may not be patched promptly. Since these devices regularly connect to public WiFi hotspots, they are likely to be the most vulnerable to KRACK attacks.
While the WPA2 WiFi vulnerability is serious, there is perhaps no need to panic. At least, that is the advice of the WiFi Alliance – which co-developed WPA2. “There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections.” The WiFi Alliance also explained, “Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.”
The UK’s National Cyber Security Center pointed out that even with the WPA2 WiFi vulnerability, WPA2 is still more secure than WPA or WEP, also explaining that there is no need to change WiFi passwords or enterprise credentials to protect against this vulnerability. However, businesses and consumers should ensure they apply patches promptly, and businesses should consider developing policies that require all remote workers to connect to WiFi networks using a VPN.
The healthcare industry has been extensively targeted, and now Dark Overlord cyberattacks on schools have soared – The education sector is now being targeted.
The cyberattacks on healthcare institutions included threats to publish data. Those threats were often ignored, resulting in sensitive data being dumped online. While such data dumps are damaging to healthcare organizations and their patients, many attacked institutions followed the advice of the FBI and chose not to give in to the mafia-style extortion tactics.
The recent Dark Overlord cyberattacks on schools have been different. Educational institutions have not only been hacked and had sensitive data stolen, the hacking group has escalated its threats. Additionally, rather than just sending threats to the schools, parents of some of the children whose data were stolen have also been contacted by text. The aim is clear. To put pressure on schools to pay up.
The latest wave of Dark Overlord cyberattacks on schools has been spread across the country. Schools in Alabama, Iowa, Montana, and Texas have all been attacked in recent weeks. The attacks have followed a similar pattern to the attacks on healthcare organizations, Gorilla Glue, and Netflix. Sensitive data have been stolen, a payment was demanded, and a threat issued to publish the data online if the payment was not made.
Payment of a ransom does not guarantee data will not be released. The latest episode of Orange is the New Black was stolen and Netflix was threatened. A $50,000 ransom was paid, but the episode was still released – It was claimed this was for contacting the FBI.
The latest attacks have become more personal. The Dark Overlord cyberattacks on schools have seen parents of children sent personalized text messages threatening violence against their children. One of those messages included the address of the family with the message “your child is still so innocent. Don’t have anyone look outside.” The Des Moines Register reported that one parent responded to the message telling the sender of the messages to stop and was told, “we are just getting started.” Other text messages threatened to kill kids at the school, resulting in the school closing for a day as a precaution.
In the case of the cyberattack on Johnston Community School District in Iowa, data was dumped online. TDO allegedly said the data would help child predators.
The attack on Montana’s Columbia Falls School district was accompanied by a 7-page letter, in which Sandy Hook was referenced. Threats were issued about publishing grades, sensitive behavioral reports, details of ‘shoddy student work’, nurse reports, and private health information. While various methods of payment were offered, a ransom payment of $150,000 was demanded in Bitcoin. In exchange, TDO said all stolen data would be deleted.
Similar attacks have occurred at Alabama’s Crenshaw County Schools District and Splendora School District in Texas. The escalation in the threats was reportedly in response to the FBI telling breach victims not to respond to the messages and not to pay the ransom demands.
While these Dark Overlord cyberattacks on schools follow a similar pattern to other attacks, there are notable differences, raising the prospect that some of the attacks were performed by other hackers piggybacking on the name.
Regardless of who is conducting the attacks, the message to schools – and all other organizations – is clear. Make sure your networks are well defended. Implement layered cybersecurity defenses, patch promptly, and consider using encryption for all stored data.
There has been a rapid evolution of ransomware over the past two years. New variants of ransomware are now being released on an almost daily basis, and the past two years have seen a massive explosion in new ransomware families. Between 2015 and 2016, Proofpoint determined there had been a 600% increase in ransomware families and Symantec identified 100 totally new ransomware families in 2016.
The development of new ransomware variants has largely been automated, allowing developers to massively increase the number of threats, making it much harder for the developers of traditional, signature-based security solutions such as antivirus and antimalware software to maintain pace.
The latest ransomware variants use a wide variety of techniques to evade detection, with advanced obfuscation methods making detection even more problematic.
Ransomware is also becoming much more sophisticated, causing even greater problems for victims. Ransomware is now able to delete Windows Shadow Volume copies, hampering recovery. Ransomware can interfere with file activity logging, making an infection difficult to detect until it is too late. Ransomware can encrypt files on removable drives – including backups – and spread laterally on a network, encrypting files on network shares and multiple end points.
Not only have the ransomware variants become more sophisticated, so too have the methods for distributing the malicious code. Highly sophisticated spam campaigns use a variety of social engineering techniques to fool end users into visiting malicious links and opening infected email attachments. Droppers with heavily obfuscated code are used to download the malicious payload and a considerable amount of effort is put into crafting highly convincing emails to maximize the probability of an end user taking the desired action.
Then, there is ransomware-as-a-service – the use of affiliates to spread ransomware in exchange for a cut of the profits. Ransomware kits are now supplied, complete with intuitive web-based interfaces and instructions for crafting ransomware campaigns. Today, it is not even necessary to have any technical skill to conduct a ransomware campaign.
The profits from ransomware are also considerable. In 2016, the FBI estimated profits from ransomware would exceed $1 billion. With such high returns, it is no surprise that ransomware has become the number one malware threat for businesses.
The Evolution of Ransomware – Notorious Ransomware Variants from the Past Two Years
- Locky: Deletes volume shadow copies from the compromised system, thereby preventing the user from restoring files without paying the ransom.
- Jigsaw: An extremely aggressive ransomware variant that deletes encrypted files every hour until the ransom is paid, with total file deletion in 72 hours.
- Petya: Rather than encrypting files, Petya changes and encrypts the master boot record, preventing files from being accessed. Petya is also capable of installing other malware payloads.
- NotPetya: A wiper that appears to be ransomware, although NotPetya permanently changes the master boot record making file recovery impossible.
- CryptMix: Attackers claim they will donate the ransom payments to a children’s charity, in an effort to get victims to pay up. There is no evidence ransom payments are directed to worthy causes.
- Cerber: Now used to target users of cloud-based Office 365, who are less likely to have backed up their data. Some Cerber variants speak to their victims and tell them their files have been encrypted.
- KeRanger: One of the first ransomware strains to target Mac OS X applications.
- Gryphon: Spread via remote desktop protocol (RDP) using brute force tactics to guess weak passwords.
- TorrentLocker: A ransomware variant being used to target SMBs, spread via spam email attachments claiming to be job applications.
- HDDCryptor: A ransomware variant that targets network shares, files, printers, serial ports, and external drives. HDDCryptor locks the entire hard disk.
- CryptMIC: A ransomware variant that does not change file extensions, making it harder for victims to identify the threat.
- ZCryptor: Ransomware with worm-like capabilities, able to rapidly spread across a network and infect multiple networked devices and external drives.
- WannaCrypt: A 2017 ransomware variant with worm-like capabilities, able to spread rapidly to infect all vulnerable computers on a network.
Ransomware is most commonly spread via spam email, exploit kits and by remotely exploiting vulnerabilities. To protect against ransomware you need an advanced spam filter, a web filter such as WebTitan to block access to sites containing exploit kits, and you need to ensure software and operating systems are kept 100% up to date.
In the event that you are infected with ransomware, you must be able to recover files from a backup. Use the 3-2-1 approach to ensure you can recover files without paying the ransom – make three backup copies, on two different media, with one copy stored securely off site. Also make sure backups are tested to ensure files can be restored in an emergency.
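The shadow-copy deletion and recovery-inhibiting behaviour described above (MITRE ATT&CK T1490) leaves a visible trace in process-creation logs, and is one of the earliest signals that a ransomware infection is under way. The following is an added example written for this page, not code from the page or from TitanHQ: a small detection routine run over a constructed, simplified process-creation log (`timestamp|host|user|parent_image|image|command_line`). The escalation of events whose parent is an Office application to "critical" is a heuristic assumed for the example, as is the log format itself.

```python
"""Detection logic for recovery-inhibiting commands (MITRE ATT&CK T1490).

Added example, not code from the page or from TitanHQ. The log format is a
constructed, simplified process-creation record:
    timestamp|host|user|parent_image|image|command_line
The sample lines below are constructed for this example.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
2017-09-01T10:02:11|WS-17|alice|explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2017-09-01T10:05:43|WS-17|alice|winword.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2017-09-01T10:05:44|WS-17|alice|cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2017-09-01T10:06:00|WS-17|alice|cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2017-09-01T11:00:00|SRV-BACKUP|svc_backup|services.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe create shadow /for=D:
"""

# (rule name, pattern matched against the lower-cased command line, ATT&CK technique)
RULES = [
    ("vssadmin shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"), "T1490"),
    ("wmic shadow copy deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"), "T1490"),
    ("windows recovery disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no"), "T1490"),
]

# Heuristic assumed for this example: shadow-copy administration spawned from an
# Office application is the pattern of a malicious-attachment infection, so it is
# escalated. Backup agents legitimately manage shadow copies; in production the
# rules would be tuned with an allow-list of backup service accounts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    technique: str
    severity: str
    command_line: str


def parse_line(line):
    """Split one record into its six fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None
    keys = ("timestamp", "host", "user", "parent", "image", "command_line")
    return dict(zip(keys, parts))


def detect(log_text):
    """Run every rule over every record and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        cmd = event["command_line"].lower()
        for name, pattern, technique in RULES:
            if pattern.search(cmd):
                parent = event["parent"].lower()
                severity = "critical" if parent in OFFICE_PARENTS else "high"
                alerts.append(Alert(event["timestamp"], event["host"], event["user"],
                                    name, technique, severity, event["command_line"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} {a.user} [{a.severity}] {a.rule} ({a.technique}): {a.command_line}")
```

On the sample log the routine raises three alerts for workstation WS-17 and none for the backup server, which only lists and creates shadow copies. Matching on the command line rather than the image name is deliberate: the deletion in the second record is launched through `cmd.exe`, so a rule keyed on `vssadmin.exe` as the image would miss it.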
Cybercriminals have realized they can greatly increase the number of infections – and profits – by adopting an affiliate model – termed ransomware-as-a-service. The affiliate model works well for online retailers, who can generate sales from customers they would be unlikely to reach if they worked on their own. The same applies to ransomware developers.
Affiliates are recruited to distribute ransomware in exchange for a cut of the profits. Ransomware developers can recruit would-be cybercriminals to send out their malicious code in targeted attacks around the world, extending their reach considerably. The greater the number of affiliates, the wider ransomware can be spread and the more payments are received. The returns are substantial for relatively little effort.
In addition to developing the ransomware, kits have been created that make it simple for affiliates to launch their own campaigns. No technical skill is required, affiliates simply enter in their own parameters via an online interface and they can start conducting their own campaigns. Affiliates just need to know how to distribute the ransomware. Full instructions are usually provided.
With an army of spammers sending out the ransomware, the number of devices infected has soared. In 2017, Cerber became the most widely used ransomware variant, even surpassing Locky. The secret of the success was adopting the ransomware-as-a-service model.
For the most part, ransomware is a numbers game. The more individuals that are actively distributing ransomware, the greater the number of infections. With the threat of email and web-based attacks growing, businesses must invest in new technologies to counter the threat.
There are two key solutions that should be adopted by all businesses to improve protections against ransomware. A spam filter is a must – a fact not lost on the majority of businesses. However, even though email is the primary vector used to spread ransomware and malware, there are still businesses that have not yet purchased a spam filtering solution.
A recent survey by PhishMe indicates only 85% of businesses are using spam filtering technology to block phishing emails. That means 15% of businesses have yet to implement this most fundamental of ransomware defenses.
The second key solution is a web filter. Web filters allow employers to carefully control the websites that their employees can access, including blocking websites known to host malware. If an email makes it past a spam filter and an employee clicks on a malicious hyperlink, a web filter can prevent the malicious site from being accessed. A web filter also offers protection from malvertising – malicious adverts that direct users to phishing websites and sites hosting exploit kits.
Of course, technology can only go so far. Even layered defenses can be breached, which is why employees need to be taught how to identify potentially malicious emails. Employees should receive regular security awareness training and be encouraged to report potentially malicious emails. When those emails are reported, IT teams can add the malicious links to the web filter to prevent other individuals in the organization from visiting the malicious websites.
For further information on spam and web filtering, contact TitanHQ today.
The average cost of an SMB data breach is now $117,000 per incident, according to a large study of data breach costs at small to medium sized businesses.
The study was conducted by Kaspersky Lab and B2B International, with over 5,000 businesses in 30 countries asked about the costs of resolving data breaches.
There has been a rise in the average cost of an SMB data breach again this year, and some notable changes in how those costs break down compared to last year, when the study was previously conducted. There were also notable differences between the main costs for SMBs and large enterprises.
Last year, the single biggest cost of data breaches was the reallocation of staff time, although this year, respondents from SMBs said the biggest costs were the loss of business as a result of a data breach and bringing in external experts to help investigate and resolve data breaches.
Out of the $117,000 average cost of an SMB data breach, $21,000 was spent on bringing in external experts and a further $21,000 had to be covered as a result of lost business. Other major costs were additional wages for staff ($16,000), credit rating damage and increases in insurance premiums ($11,000), improving software and infrastructure ($11,000), repairing brand damage ($10,000), and employing new staff ($10,000). The lowest costs were training ($9,000) and compensation ($8,000).
Kaspersky Lab points out that the reason these costs are so high for SMBs is likely due to a lack of skilled in-house staff, meaning they have little choice but to call in the professionals. Small businesses are also particularly vulnerable to loss of business as a result of a data breach. However, the study showed that small to medium sized businesses tend not to have to dig deep to pay compensation, which has been attributed to less formal business relationships.
The cause of SMB data breaches has a significant bearing on resolution costs. Some types of attack proved much costlier to resolve. The average cost of an SMB data breach that resulted from a targeted attack was $188,000, followed by security incidents affecting non-computing connected devices (IoT) at $152,000 per incident.
Breaches caused by the loss of devices containing sensitive information cost an average of $83,000 to resolve, inappropriate use of IT resources cost $79,000, while virus and malware infections were the cheapest to resolve, costing an average of $68,000.
For enterprises, average data breach costs jumped from $1.2 million in 2016 to $1.3 million in 2017, with the main costs of a breach being additional wages for internal staff ($207,000), software and infrastructure improvements ($172,000), bringing in external professionals ($154,000), training ($153,000), lost business ($148,000), and compensation ($147,000).
SMBs have increased spending on IT security in response to the increased threat of attack, devoting 19% of their IT budgets to security compared with 16% in 2017. There was a much smaller increase in security spending at very small businesses (1-49 employees), rising just 1%, from 13% to 14% of their IT budgets. There was no change in spending for large enterprises (1000+ employees), with 19% of IT budgets spent on security.
Popup warnings of missing fonts, specifically the Hoeflertext font, are being used to infect users with malware. The Hoeflertext warnings appear as popups when users visit compromised websites using the Chrome or Firefox browsers. The warnings flash up on screen with the website in the background displaying jumbled or unreadable text.
Hoeflertext is a legitimate font released by Apple in 1991, although popup warnings that the font is missing are likely to be a scam to fool users into downloading Locky Ransomware or other malware.
Visitors to the malicious websites are informed that Hoeflertext was not found, which prevents the website from being displayed. The popup contains an option to “update” the browser with a new font pack, which will allow the website content to be displayed.
This is not the first time the Hoeflertext font scam has been used. NeoSmart Technologies discovered the scam in February this year, although recently both Palo Alto Networks and the SANS Internet Storm Center have reported that it is being used in a new campaign.
Another version of the campaign is being used to deliver the NetSupport Manager remote access tool (RAT). In this case, the file downloaded is called Font_Chrome.exe, which will install the RAT if it is run. The researchers suggest the RAT is being favored as it offers the attackers a much wider range of capabilities than ransomware. The RAT is commercially available and has been used in several malware campaigns in the past, including last year’s campaign using hacked Steam accounts.
The RAT, once installed, gives the attackers access to the infected computer allowing them to search for and steal sensitive information and download other malware.
The actors behind this campaign have been using spam email to direct users to the malicious websites where the popups are displayed. The SANS Internet Storm Center says one campaign has been identified using emails that appear to have been sent via Dropbox, asking the user to verify their email address to complete the sign-up process.
Clicking on the ‘verify your email’ box will direct the user to a malicious website displaying fake Dropbox pages where the popups appear. Internet Explorer users are not shown the popups; instead they are presented with a fake anti-virus alert linked to a tech support scam.
The latest campaign shows why it is so important for businesses to use an advanced spam filtering solution to block malicious messages. A web filtering solution is also beneficial to prevent end users from visiting malicious websites in case the messages are delivered and opened. Along with security awareness training for employees to alert them to the risks of email and web-based attacks such as this, businesses can protect themselves from attack.
A new Facebook Messenger malware and adware campaign has been detected by Kaspersky Lab. The malware is capable of gathering information about the user and directing them to websites that offer downloads tailored to the users’ operating system and browser. Landing pages are also customized to maximize the probability of the user taking the required actions. This advanced Facebook Messenger malware and adware campaign works on Windows PCs and Macs and is not dependent on the browser being used.
The Facebook Messenger malware and adware campaign starts with a Messenger message containing a link to a video file, with that link pointing to Google Docs. Since links in Facebook Messenger are presented as Bitly URLs, it is hard for users to determine that the links are not what they seem.
Cleverly, a picture is taken from the user’s Facebook page which is incorporated into a dynamic landing page that is tailored to the individual. The landing page appears to host a playable video file. Clicking on the video will direct the user to a website where information is gathered on their environment, including their operating system, browser type and other information. The user is then directed to another website that is tailored to the information obtained from the first website.
Windows users using Firefox are directed to one website, IE users to another, and Mac users elsewhere. Those sites offer updates such as Flash downloads and malicious Chrome extensions. At present, these campaigns are being used to download adware, although they could easily be tweaked to install malware.
The Chrome extension is adware, but also includes a downloader which will allow further payloads to be delivered to the user’s device. What is not currently known is how the messages are being sent via Messenger. David Jacoby, the Kaspersky Lab researcher who discovered the Facebook Messenger malware and adware campaign, said, “It may be from stolen credentials, hijacked browsers or clickjacking. At the moment, we are not sure because this research is still ongoing.”
While the messages could be sent by unknown individuals, they may also be sent from Facebook contacts whose accounts have been compromised. Any hyperlinks sent via Messenger should therefore be treated with suspicion, especially when they appear out of the blue.
This new campaign is clever, although it is just one of many that are distributed via Messenger. Businesses can protect themselves against Facebook Messenger malware campaigns by using a Web Filtering solution such as WebTitan.
Many businesses choose not to block Facebook due to the negative impact it has on staff morale. However, with WebTitan it is possible to block Facebook Messenger without blocking the Facebook website. Employees can still access Facebook, while employers are protected from malicious messages that could result in malware downloads.
With the volume of cyberattacks increasing and heightened pressure on businesses to offer family-friendly WiFi access, a partnership with a company that offers Internet filtering for managed service providers is now a must.
Businesses that offer WiFi access to customers provide greater value and are more likely to attract customers. Younger age groups in particular are more likely to choose an establishment that allows them to connect to the Internet and not use their own data allowance. Coffee shops, restaurants, bars, and retail outlets now appreciate that providing WiFi access brings in more customers.
However, it is becoming increasingly important for secure WiFi access to be provided. Customers are now demanding more. They want reassurance that efforts are being made to make WiFi networks secure. Parents also want to make sure their children will not be exposed to harmful website content when hooking up to WiFi networks.
With demand for a filtered Internet service high, it is an easy sell for managed service providers. Further, Internet filtering brings in regular monthly revenue for next to no effort. Once the service is set up there is very little maintenance. Due to the low maintenance overhead and ease of implementation, Internet filtering for managed service providers could even be provided as part of an existing security suite to give clients even greater value for money.
Visiting clients to install solutions and perform updates is costly and eats into profits. It can also be difficult to convince businesses to pay out for an appliance to keep customers safe online. Free WiFi may increase footfall, but having to pay for a $500 appliance is a difficult sell.
However, with a cloud-based filter there is no need for any hardware purchases, no need for MSPs to visit their clients for an installation, and all settings can be changed remotely via an online administration control panel. Customers can even be given their own logins so they can tweak their own settings and whitelist and blacklist certain webpages at will.
WebTitan Cloud for WiFi – Internet Filtering for Managed Service Providers Made Simple
WebTitan Cloud for WiFi has been developed to make Internet filtering for managed service providers as simple as possible. This go-to-market content filtering solution can be set up for each client in around 20 minutes, with no need for site visits or any software downloads. WebTitan Cloud for WiFi is also supplied with a full set of APIs for easy backend integration and reports can be scheduled and sent automatically.
Each client can have their own administration control panel to tweak their content filtering settings, and since the interface is non-technical, there is no steep learning curve. Internet filtering controls are applied by category, so configuration is a quick and easy process.
Content filtering with WebTitan Cloud for WiFi has no discernible impact on Internet speed, there is no limit to the number of WiFi points that can be protected and no limit on bandwidth.
Setting different web filtering controls for different users and user groups is straightforward, since the solution integrates with LDAP and Active Directory. Filtering settings can also be set by the time of day or night.
If you want to offer your clients real-time spyware, malware and virus protection and allow them to carefully control Internet access to keep customers safe online and avoid legal liability, WebTitan Cloud for WiFi is the ideal choice.
To make it even better for MSPs, WebTitan Cloud for WiFi can be supplied in white label form, ready to accept MSPs’ branding, and there is a choice of hosting options, including the option of hosting the solution in your own environment. Add to that industry-leading customer service and you have the complete package.
If you are an MSP and are interested in adding Internet filtering to your service stack, or are looking for a lower cost service provider with better margins, contact the MSP team at TitanHQ today and find out how easy – and profitable – Internet filtering for managed service providers can be.
The cost of a malware attack is difficult to predict. There are many factors that affect the cost. The type of malware, whether data were stolen, the extent of the infection, how easy it is to mitigate, and how much business is lost while the infection is resolved. For many companies, the customer churn rate increases after a cyberattack, and certainly one in which sensitive data are stolen.
For Maersk, the NotPetya attack did not result in any theft of customer data. Consequently, there was no need to pay for credit monitoring services or mail breach notification letters to customers – two additional and sizable costs associated with a malware attack. That said, the cost was considerable. Maersk has estimated the NotPetya wiper attack has cost as much as $300 million.
NotPetya was initially thought to be ransomware. The malware had a number of similarities to Petya ransomware – the malware overwrote and encrypted the master file table and a ransom demand was issued. However, in the case of NotPetya, paying the ransom would not result in keys being sent to unlock the encryption. The purpose of the attack was sabotage. The attackers had no intention of providing keys and allowing firms to recover their data.
For A.P. Møller – Maersk, the consequences of the attack were considerable. After its systems were taken out of action, the company was unable to load and unload its cargo ships in ports around the world. Many ships had to be rerouted as a result of the attack. Systems had to be rebuilt and the firm suffered considerable disruption while the infection was resolved.
A Model Response to A Cyberattack
Maersk was extremely quick to announce it had been attacked. The attacks occurred on June 27, 2017 and Maersk announced the following day that it had been affected. The company also maintained transparency throughout the following days and weeks while it attempted to recover, giving frequent updates on its progress in resolving the infection. The transparency has been applauded, with many security experts saying the company executed a model breach response. Not all companies were nearly as transparent.
The company recently issued an interim statement explaining how severe the attack was and how it would dent profits saying, “Business volumes were negatively affected for a couple of weeks in July. We expect that the cyberattack will impact results negatively by $200-$300 million.”
Nuance Communications was also affected, and similarly gave frequent updates to its customers on the impact of the attack and its efforts to resolve the infection. That communication undoubtedly reduced customer churn, although with its systems taken out of action for more than three weeks, many customers were forced to seek alternate vendors. Whether they will return remains to be seen. Nuance believes its Q2 profits are down about $15 million as a result of the attack, although losses are likely to be ongoing and the attack will certainly affect its Q3 profits. The manufacturer Reckitt Benckiser has estimated the NotPetya attack has cost the company around $129 million in lost revenue.
These are just three large companies to have disclosed the cost of the malware attack. Logistics firm TNT suffered considerable disruption as a result of the attack, as did FedEx, Mondelez, Merck, Heritage Valley Health System, WPP, Rosneft, DLA Piper, Saint-Gobain and many firms in Ukraine – the country worst affected by the attacks. The total cost of these malware attacks will certainly be measured in billions.
The Ponemon Institute calculated the average cost of a malware attack that results in a data breach to be $3.62 million. The NotPetya attack clearly shows the devastating effect a malware attack can have, and why it is so important for companies to invest in improving policies, procedures and cybersecurity defenses.
From May 25, 2018, all companies doing business with EU residents must comply with the General Data Protection Regulation (GDPR), but how can companies protect personally identifiable information under GDPR and avoid a penalty for non-compliance?
The General Data Protection Regulation
GDPR is a new regulation in the EU that will force companies to implement policies, procedures and technology to improve the privacy protections for consumers. GDPR also gives EU citizens more rights over the data that is recorded and stored by companies.
GDPR applies to all companies that do business with EU citizens, regardless of whether they are based in the EU. That means a company with a website that can be accessed by EU residents would be required to comply with GDPR.
Personally identifiable information includes a wide range of data elements relating to consumers. Along with the standard names, addresses, telephone numbers, financial and medical information, the GDPR definition includes IP addresses, logon IDs, videos, photos, social media posts, and location data – essentially any information that is identifiable to a specific individual.
Policies must be developed covering data subjects (individuals whose data is collected), data controllers (organizations collecting data) and data processors (companies that process data). Records must be maintained on how data is collected, stored, used and deleted when no longer required.
Some companies are required to appoint a data protection officer (DPO) whose role is to ensure compliance with GDPR. That individual must have a thorough understanding of GDPR, and technical knowledge of the organization’s processes and procedures and structure.
In addition to ensuring data is stored securely and consumers have the right to have their stored data deleted, GDPR will also force companies to disclose data breaches quickly – within 72 hours of a breach being discovered.
Failure to comply with GDPR could result in a heavy fine. Fines of up to €20,000,000 or 4% of a company’s annual revenue are possible, whichever is the greater.
Many companies are not prepared for GDPR or think the regulation does not apply to them. Others have realized how much work is required and have scrambled to get their businesses compliant before the deadline. For many companies, the cost of compliance has been considerable.
How Can I Protect Personally Identifiable Information under GDPR?
GDPR imposes a number of restrictions on what companies can and cannot do with data and how it must be protected, although there are no specific controls that are required of companies to protect personally identifiable information under GDPR. The technology used to protect data is left to the discretion of each company. There is no standard template to protect personally identifiable information under GDPR.
A good place to start is with a review of the processes and systems that collect and store data. All data must be located before it can be protected and systems and processes identified to ensure appropriate controls are applied.
GDPR includes a right to be forgotten, so all data relating to an individual must be deleted on request. It is therefore essential that a company knows where all data relating to an individual is located. Controls must also be put in place to restrict the individuals who have access to consumer data. Training must also be provided so all employees are aware of GDPR and how it applies to them.
Companies should perform a risk assessment to determine their level of risk. The risk assessment can be used to determine which are the most appropriate technologies to implement.
Technologies that allow the pseudonymisation and encryption of data should be considered. If data is stored in encrypted form, it is not classed as personal data any more.
Companies must consider implementing technology that improves the security of systems and services that process data, mechanisms that allow data to be restored in the event of a breach, and policies that regularly test security controls.
To protect personally identifiable information under GDPR, organizations must secure all systems and applications used to store or process personal data and have controls in place to protect IT infrastructure. Systems should also be implemented that allow companies to detect data breaches in real time.
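Pseudonymisation, mentioned above as one of the technologies to consider, is worth seeing in working form, because its value depends entirely on where the linking secret is kept. The following is an added example written for this page, not the page's own or any product's code. It pseudonymises a constructed customer table by replacing the e-mail address with a keyed token (HMAC-SHA256 under a key held outside the analytics store), and shows the two operations a controller still has to support: re-identifying a subject to answer a request, and erasing every row belonging to a subject. Under GDPR Article 4(5), data remains pseudonymised only while the additional information needed to attribute it (here, the key) is kept separately, which is why the key holder, and only the key holder, can perform both operations.

```python
"""Pseudonymisation of a customer table with a separately held key.

Added example, not the page's own or any product's code. The records and the
table layout are constructed for this example.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not from the page). Note the two spellings of
# the same address: canonicalisation must map them to one subject.
CUSTOMERS = [
    {"email": "alice@example.com", "city": "Dublin", "purchases": 3},
    {"email": "bob@example.com", "city": "Galway", "purchases": 1},
    {"email": "Alice@Example.com", "city": "Dublin", "purchases": 2},
]


def new_key() -> bytes:
    """Generate the pseudonymisation key; store it outside the analytics system."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed token for a direct identifier.

    HMAC rather than a bare hash: e-mail addresses are low-entropy, so anyone
    holding a plain SHA-256 table could confirm guesses against it. Without the
    key the token cannot be linked back to the address.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key):
    """Return a copy of the table with the e-mail replaced by a subject token."""
    out = []
    for record in records:
        row = dict(record)
        row["subject_id"] = pseudonym(key, row.pop("email"))
        out.append(row)
    return out


def erase_subject(table, key, email):
    """Right to erasure: drop every row belonging to one subject.

    The controller recomputes the token from the request and the key, so no
    stored mapping is needed, but it must know every table holding the token.
    """
    token = pseudonym(key, email)
    return [row for row in table if row["subject_id"] != token]


def purchases_for(table, key, email):
    """Re-identification by the key holder, e.g. to answer an access request."""
    token = pseudonym(key, email)
    return sum(row["purchases"] for row in table if row["subject_id"] == token)


if __name__ == "__main__":
    key = new_key()
    table = pseudonymise(CUSTOMERS, key)
    print(table)
    print("purchases for alice:", purchases_for(table, key, "alice@example.com"))
    print("rows after erasure:", len(erase_subject(table, key, "alice@example.com")))
```

The design point is the split between the two stores: the analytics table can be shared with a processor or an internal team without exposing addresses, while the key stays with the controller. Losing the key together with the table collapses that separation, so the key is handled like any other secret, and a different key per purpose prevents tokens from being joined across datasets.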
Compliance with GDPR is not something that can be left to the last minute. May 25 is a long way off, but given the amount of work involved in compliance, companies need to be getting to grips with GDPR now.
The National Institute of Standards and Technology (NIST) has updated its guidance on strengthening passwords, suggesting the standard of using a combination of capital letters, lower case letters, numbers and special characters may not be effective at improving password strength. The problem is not with this method of strengthening passwords, but with end users.
Hackers and other cybercriminals attempt to gain access to accounts by guessing passwords. They try many different passwords until the correct one is guessed. This process is often automated, with many thousands of guesses made using lists of commonly used passwords, dictionary words and passwords discovered from past data breaches.
By implementing password policies that force end users to use strong passwords, organizations can improve their resilience against these brute force attacks.
By using capital and lower-case letters, there are 52 possible options rather than 26, making the guessing process much more time consuming. Add in 10 numerals and special characters and guessing becomes harder still. There is no doubt that this standard practice for creating strong passwords is effective and makes passwords much less susceptible to brute force attacks.
The problem is that in practice, that may not be the case. Creating these strong passwords – random strings of letters, numbers and symbols – makes passwords difficult to guess but also virtually impossible to remember. When multiple passwords are required, it becomes harder still for end users and they get frustrated and cut corners.
A good example is the word ‘password’, which is still – alarmingly – used to secure many accounts, according to SplashData’s list of the worst passwords of the year. Each year, ‘password’ makes it onto the list, even though it is likely to be the first word attempted in any brute force attack.
When companies update their password policies to force users to include at least one capital letter and one number in a password, many end users choose Password1, Passw0rd or P455w0rd. All would be high up on a password list used in a brute force attack.
Workarounds such as these to meet company password requirements mean password policies do not actually improve security. Since this is what happens in practice, it would make more sense – from a security perspective – to let employees create passwords that are easier to remember in a way that is still secure.
NIST Tweaks its Guidance on Strengthening Passwords
As NIST points out in its guidance on strengthening passwords, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought.” With current standard password practices, “The impact on usability and memorability is severe.” That results in end users creating weak passwords that meet company password policies.
Rather than force end users to use special characters and end up with ‘Password!’, a better way would be to increase the length of passwords and allow the use of spaces. End users should be encouraged to choose easy to remember phrases.
The use of a space does not make a password any more secure, although increasing a password from 8 characters to say, 15 or 20 characters, certainly does. It also makes passwords much easier to remember. NIST suggests passwords must have a minimum of 8 characters, and that “Users should be encouraged to make their passwords as lengthy as they want, within reason.”
NIST also explains in its guidance on strengthening passwords that certain types of common cyberattacks involving passwords are unaffected by password strength. Take phishing for instance. It doesn’t matter whether a password is ‘12345678’ or ‘H19g46”&”^’ to a phisher. Provided the phishing email is well crafted, the password will still be disclosed. The same applies to keyloggers. A keylogger logs keystrokes and the strength of the password is irrelevant.
NIST’s guidance on strengthening passwords also suggests that rather than strengthening passwords further, there are far more effective ways of making brute force attacks much harder without frustrating end users. Limiting the number of failed login attempts before a user is blocked is one such option. Organizations should also combine this with blacklists of unacceptable passwords that include dictionary words, other weak passwords and those revealed in past data breaches. NIST also recommends that passwords be stored only as salted hashes.
The NIST guidance on strengthening passwords can be found in NIST Special Publication 800-63B, Appendix A, Strength of Memorized Secrets.
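The following added example (not code from TitanHQ or from NIST) puts the guidance above into working form: a length-based check with no composition rules, a blocklist that catches the ‘Password1’ / ‘Passw0rd’ / ‘P455w0rd’ style workarounds, a failed-attempt throttle, salted memory-hard hashing, and a keyspace calculation showing why length beats character-class rules. The blocklist, thresholds and sample inputs are constructed for illustration.

```python
"""NIST SP 800-63B style memorized-secret checks (added example, not TitanHQ code)."""
import hashlib
import hmac
import math
import os
import time
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MIN_LEN = 8    # NIST minimum for user-chosen memorized secrets
MAX_LEN = 64   # verifiers should accept at least 64 characters, spaces included

# Constructed blocklist: in production, load dictionary words and breach corpora.
BLOCKLIST: Set[str] = {"password", "123456", "12345678", "qwerty", "letmein", "welcome"}

# Common leet substitutions that turn 'P455w0rd' back into 'password'.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def candidate_forms(secret: str) -> Set[str]:
    """Return normalised variants of a secret so that trivial tricks
    (case, a trailing '1' or '!', leet spelling) still hit the blocklist."""
    raw = unicodedata.normalize("NFKC", secret).strip().lower()
    stripped = raw.rstrip("0123456789!?.#*")      # 'password1' -> 'password'
    return {raw, stripped, stripped.translate(_LEET)}


def check_secret(secret: str, context_words: Tuple[str, ...] = ()) -> List[str]:
    """Return the reasons a secret is rejected; an empty list means accepted.
    No character-class rules: any printable Unicode, including spaces, is fine."""
    problems: List[str] = []
    if len(secret) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(secret) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    forms = candidate_forms(secret)
    if forms & BLOCKLIST:
        problems.append("matches a blocklisted/common password")
    for word in context_words:  # e.g. the user name or the service name
        if any(word.lower() in f for f in forms):
            problems.append(f"contains context-specific word {word!r}")
    return problems


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random secret: log2(alphabet ** length).
    8 chars of mixed case (52 symbols) is weaker than 20 lowercase words+spaces (27)."""
    return length * math.log2(alphabet_size)


@dataclass
class LoginThrottle:
    """Lock an account for a while after too many consecutive failures (constructed
    thresholds; NIST caps consecutive failures at 100, many sites use far fewer)."""
    max_failures: int = 10
    lockout_seconds: float = 900.0
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # acct -> (fails, locked_until)

    def allowed(self, account: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        _, locked_until = self._state.get(account, (0, 0.0))
        return now >= locked_until

    def record(self, account: str, success: bool, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        if success:
            self._state.pop(account, None)      # a good login resets the counter
            return
        fails, locked_until = self._state.get(account, (0, 0.0))
        fails += 1
        if fails >= self.max_failures:
            locked_until, fails = now + self.lockout_seconds, 0
        self._state[account] = (fails, locked_until)


# scrypt parameters: 16 MiB per hash, which is within hashlib's default memory cap.
_SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash for storage; never store the secret itself."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(secret.encode("utf-8"), salt=salt, **_SCRYPT)


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hashlib.scrypt(secret.encode("utf-8"), salt=salt, **_SCRYPT), digest)


if __name__ == "__main__":
    for pw in ("Password1", "Passw0rd", "P455w0rd", "correct horse battery staple"):
        print(f"{pw!r}: {check_secret(pw) or 'accepted'}")
    print(f"8 mixed-case chars: {keyspace_bits(52, 8):.1f} bits; "
          f"20 lowercase+space chars: {keyspace_bits(27, 20):.1f} bits")
```
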
Exploit kit activity has fallen considerably since last year, but new variants are being developed, one of the latest being the Disdain exploit kit.
An exploit kit is a web-based toolkit capable of probing web users’ browsers for vulnerabilities. If vulnerabilities are discovered, they can be exploited to silently download ransomware and malware.
All that is required for an attack to take place is for web users to be directed to the domain hosting the exploit kit and for them to have a vulnerable browser or an out-of-date plugin. Currently, the author of the Disdain exploit kit claims the toolkit can exploit more than a dozen separate vulnerabilities in Firefox, IE, Edge, Flash and Cisco WebEx, namely CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710, CVE-2017-0037, CVE-2016-7200, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551, CVE-2016-4117, CVE-2016-1019, CVE-2015-5119, and CVE-2017-3823. Many of those exploits are recent and would have a high chance of success against unpatched systems.
No malware distribution campaigns have so far been identified using the Disdain exploit kit, although it is likely to just be a matter of time before attacks are conducted. The Disdain exploit kit has only just started being offered on underground forums.
Fortunately, the developer does not have a particularly good reputation on the forums, which is likely to slow the use of the exploit kit. However, it is being offered at a low price which may tempt some malware distributors to start conducting campaigns. The EK can be rented for as little as $80 a day, with discounts being offered for weekly and monthly use. The Disdain exploit kit is being offered for considerably less than some of the other exploit kits currently being touted on the forums, including the Nebula EK.
All that is required is for someone to rent the kit, provide the malicious payload, and direct traffic to the domain hosting the Disdain exploit kit – such as via a malvertising campaign or botnet. The price and capabilities of the EK mean it has potential to become a major threat.
Protecting Your Business from Online Threats
Cybercriminals may currently favour spam email over exploit kits for delivering malware, but the threat of web-based attacks should not be ignored. To a large extent, good patch management practices can reduce the risk of exploit kit attacks, although not entirely. Exploit kits are frequently updated with new vulnerabilities for which patches have yet to be released. If end users are directed to domains hosting exploit kits, malware and ransomware downloads can be expected.
Along with prompt patching, businesses should consider implementing a web filtering solution. A web filter can be configured to carefully control the websites that end users can visit. A web filter will block access to all webpages known to host malware or contain exploit kits. Risky categories of website, which end users have no work purpose for visiting, can also easily be blocked reducing the risk of phishing attacks and improving employee productivity.
An appliance-based web filter can be costly to implement and can have a negative effect on Internet speed. A DNS-based web filter on the other hand requires no hardware purchases and has no latency. Internet speed is unaffected. Since a web filter can also be used to restrict access to websites that take up a lot of bandwidth, Internet speeds for all can actually improve.
WebTitan Cloud – and WebTitan Cloud for WiFi – are DNS-based web filtering solutions for enterprises that allow precision control over the sites that can be accessed by end users and offer excellent protection against web-based threats such as exploit kits and phishing websites.
The solutions require no hardware purchases, no software downloads, there is no latency, and they are highly scalable. Implementing and configuring the solutions is quick and easy and they require minimal maintenance.
WebTitan is also ideal for MSPs, being available in full white-label form with a choice of hosting options, including hosting in an MSP’s own environment.
If you want to improve the productivity of your workforce and effectively manage online threats – or offer web filtering to your clients – contact the TitanHQ team today to discuss your options and register for a free trial.
The importance of implementing good patch management policies was clearly highlighted by the WannaCry ransomware attacks in May. The ransomware attacks were made possible due to poor patch management policies at hundreds of companies. The attackers leveraged a vulnerability in Windows Server Message Block (SMB) using exploits developed by – and stolen from – the U.S. National Security Agency.
The exploits took advantage of SMB flaws that had, by the time the exploits were made public, been fixed by Microsoft. Fortunately for the individuals behind the attacks, and unfortunately for many companies, the update had not been applied.
In contrast to the majority of ransomware attacks that required some user involvement – clicking a link or opening an infected email attachment – the SMB flaws could be exploited remotely without any user interaction.
WannaCry was not the only malware variant that took advantage of unpatched systems. The NotPetya (ExPetr) attacks the following month also used the same EternalBlue exploit. Again, these attacks required no user involvement. NotPetya was a wiper that was used for sabotage and the damage caused by those attacks was considerable. Entire systems had to be replaced, companies were left unable to operate, and the disruption continued for several weeks after the attacks for many firms. For some companies, the losses from the attacks were in the millions.
These attacks could have easily been prevented with something as simple as applying a single patch – MS17-010. The patch was available for two months prior to the WannaCry attacks. Even patch management policies that required software to be checked once a month would have prevented the attacks. In the case of NotPetya, companies affected had also not reacted to WannaCry, even though there was extensive media coverage of the ransomware attacks and the risk of not patching promptly was clearly highlighted.
The take home message is unaddressed security vulnerabilities will be exploited. Companies can purchase a swathe of expensive security solutions to secure their systems, but companies with poor patch management policies will experience data breaches. It is no longer a case of if a breach will occur, just a matter of when.
Poor Patch Management Policies Cost Insurer More than $5 Million
This month has shown another very good reason for patching promptly. A multi-state action by attorneys general in 32 states has resulted in a settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company. Nationwide has agreed to a $5.5 million settlement to resolve the investigation into its 2012 data breach.
The breach involved the theft of data relating to 1.27 million policy holders and individuals who obtained insurance quotes from the company. In that case, the data theft was possible due to an unaddressed vulnerability in a third-party application. Even though the vulnerability was rated as critical, the insurer did not update the application. The vulnerability remained unaddressed for three years. The update was only applied after data were stolen.
The investigation into the breach was jointly led by Connecticut Attorney General George Jepsen. Announcing the settlement Jepsen said, “It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols.”
Unaddressed vulnerabilities will be exploited by cybercriminals. Attacks will result in data theft, hardware damage, lawsuits filed by breach victims, attorneys general fines and fines by other regulators. These costs can all be avoided with good patch management policies.
In November last year, the San Francisco Municipal Transportation Agency (Muni) was attacked with Mamba ransomware. The attackers issued a ransom demand of 100 Bitcoin – $73,000 – for the keys to unlock the encryption. Muni refused to pay up, instead opting to recover files from backups. However, the Mamba ransomware attack still proved costly. The attack took its fare system out of action and passengers had to be allowed to travel for free for more than a day. The average take on fares on a weekend day is $120,000.
It has been relatively quiet on the Mamba ransomware front since that attack, although this month has seen several Mamba ransomware attacks, indicating the gang behind the malware is back in action. Those attacks are geographically targeted with businesses in Saudi Arabia and Brazil currently in the firing line, according to Kaspersky Lab researchers who first detected the attacks.
Mamba ransomware uses DiskCryptor for full disk encryption rather than searching for and encrypting certain file types. That means a Mamba ransomware attack will prevent the operating system from running.
Once installed, the malware forces a reboot of the system, modifies the Master Boot Record, encrypts the disk partitions and reboots again. After the second reboot, victims are presented with a warning screen advising that their data have been encrypted. The attacks share some similarities with the NotPetya (ExPetr) attacks of June.
The algorithms used to encrypt the data are strong and there is no known decryptor for Mamba Ransomware. If the disk is encrypted, victims face permanent file loss if they do not have a viable backup and refuse to pay the ransom demand. However, the latest attacks make no mention of payment of a ransom. Victims are just instructed to email one of two email addresses for the decryption key.
The reason for this approach is it allows ransoms to be set by the attackers on an infection by infection basis. Once the extent of encryption is determined and the victim is identified, the attackers can set the ransom payment accordingly.
It is currently unclear whether the attackers hold the keys to unlock the encryption and whether payment of the ransom will result in file recovery. Kaspersky reports that the group behind this ransomware variant has not been identified. This may be a criminal attack by an organized crime gang or a nation-state sponsored cyberattack where the intention is not to obtain ransoms but to sabotage businesses.
Businesses can enhance their defences against this and other malware variants by implementing WebTitan.
WebTitan is a web filtering solution for the enterprise that allows businesses to prevent end users from visiting malicious websites, such as those used for phishing and for downloading malware and ransomware. By blocking access to malicious sites and carefully controlling access to sites known to carry a high risk of malware delivery – file sharing websites for example – businesses can prevent web-based malware attacks.
There are many reasons why businesses want to restrict Internet access at work. Allowing employees to have unrestricted access to the Internet can result in a major drain on productivity, the risk of malware and ransomware downloads must be managed and inappropriate Internet access at work can cause legal issues. However, restricting Internet access at work can also cause problems.
The Problem of Personal Internet Use at Work
Some employees spend an unreasonable amount of the working day surfing the Internet, playing games or accessing their social media accounts. Personal Internet use can see hours of the working day wasted. Multiply an hour a day by your number of employees and the losses are considerable.
There are other drains on productivity as a result of these activities. They can have a knock-on effect on Internet speed. If employees are downloading large files from file sharing websites or streaming music or videos, this can result in latency that affects all employees. Internet speed slows and important websites may become temporarily unavailable.
The Danger of Malware and Ransomware Downloads
Personal Internet use at work can cause other productivity-draining issues. If employees are accessing social media websites, downloading files or visiting questionable websites, the risk of malware or ransomware downloads increases significantly.
Ransomware can result in an entire network being taken out of action, as has recently been seen at companies affected by the WannaCry and NotPetya attacks. In the case of the latter, companies have experienced major disruptions for weeks following the attacks.
Even if antivirus software is installed, it may not prevent malware and ransomware downloads. Cybercriminals are getting better at obfuscation. Ransomware may not be detected until it is too late.
Accessing of Inappropriate Web Content
While most employees do not use the Internet to access unsavoury or illegal web content, there are always a few bad apples. The problem of accessing pornography at work is a real issue, and could be much worse than you think.
In 2014, a survey conducted by the Barna Group showed 63% of men and 36% of women have viewed pornography at work. A 2013 Forbes survey revealed 25% of adults have viewed porn at work, and 28% of employees have downloaded porn at work according to another survey.
Many businesses feel the best way to tackle the problem of personal Internet use is through acceptable usage policies and greater oversight of employees by line managers. When individuals are discovered to be abusing the Internet, action can be taken against individuals without restricting Internet access at work for everyone. This does not always prove effective.
Even if policies are introduced that threaten instant dismissal for accessing pornography at work, it may not curb use. The use of anonymizer services will prevent bosses from discovering what sites are being visited. In the case of personal Internet use, differentiating between minor personal use and persistent abuse can be difficult.
The alternative is to restrict Internet access at work with a web filter. A web filter can be used to block access to specific websites or categories of website content.
Problems with Using a Web Filter to Restrict Internet Access at Work
A web filter may seem like a quick and easy solution, although companies that restrict Internet access at work with a web filter can experience problems. Those problems can be worse than the issues the web filter was installed to correct.
If you restrict Internet access at work using an appliance-based web filtering solution it can result in latency. Each website must be inspected before it is accessed. In the case of secure (HTTPS) sites, each webpage must be decrypted, inspected, and re-encrypted. This places a considerable strain on resources. The result is considerable latency. As more sites switch to SSL certification and also use 4096-bit encryption, the problem will only get worse.
If you restrict Internet access at work, employees who were only accessing the occasional personal site may be unhappy with the new restrictions. This can have an effect on productivity and create a hostile working environment. Why should all employees be made to suffer because of the actions of a few?
How to Avoid Problems and Still Restrict Internet Access at Work
The issue of latency can be avoided if a cloud-based web filter is used. Cloud-based filters allow employers to restrict Internet access at work, but since the solutions are based in the cloud, they use the service provider’s resources. The result is Internet control without latency. There are other benefits. Cloud-based web filters are more flexible, scalable, and do not require the purchase of any hardware.
Some cloud-based filters, WebTitan for instance, allow time-based controls to be applied. Employers can use this feature to restrict Internet access at work during busy times and relax control at others. It is easy to block access to certain sites 100% of the time, others some of the time – relaxing controls during breaks for instance – and setting different controls for different employees or groups of employees. Since the filter integrates with LDAP and Active Directory, setting controls for different user groups is simple. It is also possible to block anonymizer websites to prevent users from bypassing content filtering controls.
Speak to TitanHQ About Internet Filtering Controls
Internet content control is quick, easy and low cost with WebTitan. The solution allows you to easily restrict Internet access at work and avoid the common problems associated with web filtering. If you are interested in curbing personal Internet use at work, contact TitanHQ today for advice. You can also sign up for a free trial and evaluate WebTitan in your own environment before you commit to a purchase.
2017 has seen a major rise in malware attacks on schools. While cybercriminals have conducted attacks using a variety of different malware, one of the biggest problems is ransomware. Ransomware is malicious code that encrypts files, systems and even master file tables, preventing victims from accessing their data. The attack is accompanied by a ransom demand. Victims are required to pay a ransom amount per infected device. The ransom payments can range from a couple of hundred dollars to more than a thousand dollars per device. Ransom demands of tens of thousands of dollars are now common.
Data can be recovered from a backup, but only if a viable backup of data exists. All too often, backup files are also encrypted, making recovery impossible unless the ransom is paid.
Ransomware attacks can be random, with the malicious code installed via large-scale spam email campaigns involving millions of messages. In other cases, schools are targeted. Cybercriminals are well aware that cybersecurity defenses in schools are often poor and ransoms are more likely to be paid because schools cannot function without access to their data.
Other forms of malware are used to record sensitive information such as login credentials. These are then relayed back to the attackers and are used to gain access to school networks. The attackers search for sensitive personal information such as tax details, Social Security numbers and other information that can be used for identity theft. With ransomware, attacks are discovered immediately as ransom notes are placed on computers and files cannot be accessed. Keyloggers and other forms of information stealing malware often take many months to detect.
Recent malware attacks on schools have resulted in entire networks being sabotaged. The NotPetya attacks involved a form of malware that encrypts the master file table, preventing the computer from locating stored data. In this case, the aim of the attacks was to sabotage critical infrastructure. There was no way of recovering the encrypted MFT apart from with a full system restore.
The implications of malware attacks on schools can be considerable. Malware attacks on schools result in considerable financial losses, data can be lost or stolen, hardware can be rendered useless and educational institutions can face prosecution or law suits as a result of attacks. In some cases, schools have been forced to turn students away while they resolve infections and bring their systems back online.
Major Malware Attacks on Schools in 2017
Listed below are some of the major malware attacks on schools that have been reported in 2017. This is just a very small selection of the large number of malware attacks on schools in the past 6 months.
Minnesota School District Closed for a Day Due to Malware Attack
Malware attacks on schools can have major consequences for students. In March, the Cloquet School District in Minnesota experienced a ransomware attack that resulted in significant amounts of data being encrypted, preventing files from being accessed. The attackers issued a ransom demand of $6,000 for the keys to unlock the encryption. The school district is technology-focused, so without access to its systems, lessons were severely disrupted. The school even had to close for the day while IT support staff restored data. In this case, sensitive data were not compromised, although the disruption caused was severe. The ransomware is understood to have been installed as a result of a member of staff opening a phishing email that installed the ransomware on the network.
Swedesboro-Woolwich School District Suffers Cryptoransomware Attack
The Swedesboro-Woolwich School District in New Jersey comprises four elementary schools and has approximately 2,000 students. It too suffered a crypto-ransomware attack that took its computer systems out of action. The attack occurred on March 22, resulting in documents and spreadsheets being encrypted, although student data were apparently unaffected.
The attack took a significant part of the network out of action, including the District’s internal and external communications systems and even its point-of-sale system used by students to pay for their lunches. The school was forced to resort to pen and paper while the infection was removed. Its network administrator said, “It’s like 1981 again!”
Los Angeles Community College District Pays $28,000 Ransom
Ransomware was installed on the computer network of the Los Angeles Community College District, not only taking workstations out of action but also email and its voicemail system. Hundreds of thousands of files were encrypted, with the incident affecting most of the 1,800 staff and 20,000 students. A ransom demand of $28,000 was issued by the attackers. The school had no option but to pay the ransom to unlock the encryption.
Calallen Independent School District Reports Ransomware Attack
The Calallen Independent School District in northwestern Corpus Christi, TX, is one of the latest victims of a ransomware attack. In June, the attack started with a workstation before spreading to other systems. In this case, no student data were compromised or stolen and the IT department was able to act quickly and shut down affected parts of the network, halting its spread. However, the attack still caused considerable disruption while servers and systems were rebuilt. The school district also had to pay for improvements to its security system to prevent similar attacks from occurring.
Preventing Malware and Ransomware Attacks on Schools
Malware attacks on schools can occur via a number of different vectors. The NotPetya attacks took advantage of software vulnerabilities that had not been addressed. In this case, the attackers were able to exploit the vulnerabilities remotely with no user interaction required. A patch to correct the vulnerabilities had been issued by Microsoft two months before the attacks occurred. Prompt patching would have prevented the attacks.
Software vulnerabilities are also exploited via exploit kits – hacking kits loaded on malicious websites that probe for vulnerabilities in browsers and plugins and leverage those vulnerabilities to silently download ransomware and malware. Ensuring browsers and plugins are 100% up to date can prevent these attacks. However, it is not possible to ensure all computers are 100% up to date, 100% of the time. Further, there is usually a delay between an exploit being developed and a patch being released. These web-based malware attacks on schools can be prevented by using a web filtering solution. A web filter can block attempts by end users to access malicious websites that contain exploit kits or malware.
By far the most common method of malware delivery is spam email. Malware – or malware downloaders – are sent as malicious attachments in spam emails. Opening the attachments results in infection. Links to websites that download malware are also sent via spam email. Users can be prevented from visiting those malicious sites if a web filter is employed, while an advanced spam filtering solution can block malware attacks on schools by ensuring malicious emails are not delivered to end users’ inboxes.
TitanHQ Can Help Schools, Colleges and Universities Improve Defenses Against Malware
TitanHQ offers two cybersecurity solutions that can prevent malware attacks on schools. WebTitan is a 100% cloud-based web filter that prevents end users from visiting malicious websites, including phishing sites and those that download malware and ransomware.
WebTitan requires no hardware, involves no software downloads and is quick and easy to install, requiring no technical skill. WebTitan can also be used to block access to inappropriate website content such as pornography, helping schools comply with CIPA.
SpamTitan is an advanced spam filtering solution for schools that blocks more than 99.9% of spam email and prevents malicious messages from being delivered to end users. Used in conjunction with WebTitan, schools will be well protected from malware and ransomware attacks.
To find out more about WebTitan and SpamTitan and for details of pricing, contact the TitanHQ team today. Both solutions are also available on a 30-day no-obligation free trial, allowing you to test both products to find out just how effective they are at blocking cyberthreats.
Providing free WiFi in shops helps to attract more foot traffic and improves the shopping experience, although retailers are now realizing the benefits of providing secure WiFi access for shops. Over the past two years, there has been considerable media coverage of the dangers of public WiFi hotspots. Consumer websites are reporting horrifying cases of identity theft and fraud with increasing regularity.
With public awareness of the risks of connecting to public WiFi networks now much greater than ever before, secure WiFi access for shops has never been more important. Consumers now expect free WiFi access in shops, but they also want to ensure that connecting to those WiFi networks will not result in a malware infection or their personal information being obtained by hackers.
Fortunately, there are solutions that can easily be adopted by retailers that mitigate the risks and ensure consumers can connect to WiFi networks safely, but before we cover those options, let’s look a little more closely at the risks associated with unsecured WiFi networks.
The Risks of Unsecured WiFi Networks
If retailers provide free WiFi access in store, it helps to attract more foot traffic, individuals are encouraged to stay in stores for longer, they have access to information and reviews about products, and studies have shown that customers spend more when free WiFi is provided. A survey by iGT, conducted in 2014, showed that more than six out of ten customers spend longer in shops that provide WiFi access and approximately 50% of customers spend more money.
Connecting to a public WiFi network is different from connecting to a home network. For a start, considerably more people connect, including individuals who are intent on stealing information for identity theft and fraud. Man-in-the-middle attacks are common. Man-in-the-middle attacks involve a hacker intercepting or altering communications between a customer and a website. If login details or other sensitive information is entered, a hacker can obtain that information.
Malware and ransomware can be downloaded onto users’ devices and phishing websites can easily be accessed if secure WiFi access for shops is not provided. Consumers typically have Internet security solutions in place on home networks that block these malicious websites. They expect the same protections on retailers’ WiFi networks. Malware poses a significant threat. Alcatel-Lucent, a French telecommunications company, reports that malware attacks on mobile devices are increasing by 25% per year.
Then there is the content that can be accessed. Recently, before Starbucks took steps to block the accessing of pornography via its WiFi networks, the coffee shop chain received a lot of criticism from consumers who had caught glimpses of other customers accessing pornography on their devices.
Secure WiFi Access for Shops Brings Many Benefits
The provision of secure WiFi access for shops tells customers you are committed to ensuring they can access the Internet safely and securely on your premises. It tells parents that you are committed to protecting minors and ensuring they can access the Internet without being exposed to adult content. It tells consumers that you care, which helps to improve the image of your brand. It is also likely to result in positive online reviews.
Providing secure WiFi access for shops makes it easier for you to gain an insight into customer behavior. A web filtering solution will provide you with reports on the sites that your customers are accessing. This allows you to profile your customers and find out more about their interests. You can see what sites they access, which can guide your future advertising programs and help you develop more effective marketing campaigns. You can also find out more about your real competitors from customers’ browsing habits.
The provision of secure WiFi access for shops will also help you to reduce legal liability. If you do not block illegal activities on your WiFi network, such as file sharing (torrents) sites, you could face legal action for allowing the downloading of pirated material. The failure to block pornography could result in a lawsuit if a minor is not prevented from accessing adult content.
WebTitan – Secure WiFi Access for Shops Made Simple
Secure WiFi access for shops doesn’t have to be complicated or expensive. TitanHQ offers a solution that is cost effective, easy to implement, requires no technical skill, has no effect on Internet speed and the solution can protect any number of shops in any number of locations. The filtering solution can be managed from an intuitive web-based graphical user interface for all WiFi access points, and a full suite of reports provides you with invaluable insights into customer behavior.
WebTitan Cloud for WiFi is a 100% cloud-based DNS filtering solution. Point your DNS records to WebTitan and you will be filtering the Internet in minutes and blocking undesirable, dangerous and illegal web content. You do not need any additional hardware, you do not need to download any software and configuring the filtering settings typically takes about 30 minutes.
To find out more about WebTitan Cloud for WiFi, including details of pricing and to register for a 30-day, no obligation free trial, contact TitanHQ today.
Hospitals have invested heavily in solutions to secure the network perimeter, although Internet and WiFi filtering in hospitals can easily be forgotten. Network and software firewalls have their uses, although IT security staff know all too well that cyberattacks targeting employees can see those defenses bypassed.
A common weak point in security is WiFi networks. IT security teams may have endpoint protection systems installed, but not on mobile devices that connect to WiFi networks.
A look at the Department of Health and Human Services’ Office for Civil Rights breach portal shows just how many cyberattacks on hospitals are now occurring. Cybercriminals are targeting healthcare organizations due to the value of protected health information (PHI) on the black market. PHI is worth ten times as much as credit card information, so it is no surprise that hospitals are in cybercriminals’ crosshairs. Even a small hospital can hold the PHI of more than 100,000 individuals. If access is gained to a hospital network, that signals a huge pay day for a hacker.
There has also been a massive increase in ransomware attacks. Since hospitals need access to patients’ PHI, they are more likely to pay a ransom to regain access to their data if it is encrypted by ransomware. Hollywood Presbyterian Medical Center paid $17,000 for the keys to unlock its ransomware infection in February last year. It was one of several hospitals to give in to attackers’ demands.
The Hospital WiFi Environment is a Potential Gold Mine for Cybercriminals
The increasing number of wireless devices that are now in use in hospitals increases the incentive for cybercriminals to attempt to gain access to WiFi networks. Not only do physicians use mobile phones to connect to the networks and communicate PHI, there are laptops, tablets and an increasing number of medical devices connected to the networks. As use of mobile devices in healthcare continues to grow and the explosion in IoT devices continues, the risk of attacks on the WiFi environment will only ever increase.
Patients also connect to hospital WiFi networks, as do visitors. They too need to be protected from malware and ransomware when connected to hospital guest WiFi networks.
Internet and WiFi filtering in hospitals is therefore no longer an option, it should be part of the cybersecurity strategy for all healthcare organizations.
Internet and WiFi filtering in Hospitals is Not Just About Blocking Cyberthreats
Malware, ransomware, hacking and phishing prevention aside, there are other important reasons for implementing Internet and WiFi filtering in hospitals.
Guest WiFi access in hospitals is provided to allow patients and visitors to gain access to the Internet; however, there is only a certain amount of bandwidth available. If Internet access is to be provided, all patients and visitors should be able to gain access. Internet and WiFi filtering in hospitals can be used to restrict access to Internet services that consume bandwidth, especially at times when network usage is heavy. Time-based controls can be applied at busy times to block access to video streaming sites to ensure all users can still enjoy reasonable Internet speeds.
It is also important to prevent patients, visitors and healthcare professionals from accessing inappropriate website content. Internet and WiFi filtering in hospitals should include a block on adult content and other inappropriate or illegal material. Blocks can easily be placed on illegal file sharing websites, gambling or gaming sites, or any other undesirable category of web content.
Internet and WiFi filtering in hospitals ensures WiFi networks can be used safely and securely by all users, including minors. Blocking illegal and undesirable content is not just about protecting patients and visitors. It also reduces legal liability.
Internet and WiFi Filtering in Hospitals Made Simple
WebTitan Cloud for WiFi is an ideal solution for Internet and WiFi filtering in hospitals. WebTitan Cloud for WiFi is cost effective to implement, the solution requires no additional hardware or software installations and there is no latency. Being DNS-based, set up is quick and simple. A change to the DNS settings is all that is required to start filtering the Internet.
WebTitan Cloud for WiFi is ideal for hospital systems. The solution is highly scalable and can be used to protect any number of users in any number of locations. Multiple sites can be protected from one easy-to-use web-based graphical user interface. Separate filtering controls can be applied for different locations, user groups or even individuals. Since the solution links in with Active Directory the process is quick and simple. Separate content controls can easily be set for guests, visitors and staff, including by role.
WebTitan Cloud for WiFi supports blacklists and whitelists, allows precision content control by category or keyword, and blocks phishing websites and sites known to host exploit kits and malware. In short, WebTitan Cloud for WiFi gives you control over what happens on your WiFi network.
To find out more about WebTitan Cloud for WiFi, details of pricing and to register for a free trial, contact the TitanHQ team today.
Regardless of whether you run a hotel, coffee shop or retail outlet, Internet access is expected by customers, but make sure you secure guest WiFi for business visitors. Providing business visitors and customers with access to the Internet brings many benefits, but if you do not secure guest WiFi for business visitors you will be exposing yourself to considerable risk.
Why Is Providing Internet Access so Important?
In 2013, one study revealed that 80% of customers in retail outlets felt the provision of free WiFi access would influence their purchasing decisions. If retailers provide guest WiFi access, they are likely to encourage more potential customers into their stores and get more sales opportunities.
With more people purchasing online, businesses need to adapt. Customers want to be able to check online before making a purchase or signing up for a service, such as reading online reviews. Fail to offer Internet access and customers are more likely to leave and make a purchase at another time. Chances are that sale will be made elsewhere.
Why is Secure Guest WiFi for Business So Important?
There are considerable benefits to be gained from offering customers free Internet access. It is what customers want, it provides businesses with an opportunity to communicate with customers, it allows them to collect contact details for future marketing, and businesses can gain valuable customer insights.
However, giving customers and guests access to the Internet opens a business up to considerable risks. If those risks are not mitigated, guest WiFi access can prove incredibly costly. You may have trained your employees to be more security aware and have introduced policies covering allowable Internet usage, but guests, customers and other visitors are likely to have different views about the content that can be accessed on your WiFi network.
Guests and customers could take advantage of a lack of control over accessible website content to access inappropriate material such as pornography. Individuals could engage in morally or ethically questionable activities. They may accidentally or deliberately install malware or ransomware, or visit phishing websites. Secure guest WiFi for business means protecting yourself and your customers. Securing guest WiFi for business visitors ensures they are protected when connected to your network, preventing man-in-the-middle attacks and malware downloads and blocking phishing attacks. You will also be protected from legal liability.
5 Things to Consider About Secure Guest WiFi for Business Customers
If you are going to open up your network to guests, security cannot be an afterthought. Before providing WiFi access be sure to consider the points below:
Segregate Your Network
Segregating your network is important for two reasons. Secure guest WiFi for business means visitors should not be able to gain access to parts of the network used by your employees. Your internal network must be totally separate from the network used by guests. It should not be possible for guests to see your network assets and confidential files and resources. Use a network firewall or create a separate VLAN for guest use and use a software firewall to protect servers and workstations from traffic from the guest network. Secondly, in the event of a malware or ransomware infection, it will not spread from the guest network to your internal network.
Always Change Default Passwords and SSIDs
This is one of the most basic security practices, yet because of that it is easy to forget. The Internet is littered with reports of data breaches that have occurred as a result of the failure to change default passwords. All network peripherals should have strong, unique passwords set.
It is also important to change your SSID for your WiFi network. The SSID should reflect the name of your business and it should be quite clear to your customers which is your network. Fail to do this and you make it too easy for malicious individuals to set up rogue access points to conduct man-in-the-middle attacks.
Keep your Firmware Updated!
Firmware updates are issued for a reason. They correct vulnerabilities that could easily be exploited by cybercriminals to gain access to your devices. If those vulnerabilities are exploited, configurations can be changed for a variety of nefarious purposes. You should have policies in place that require firmware updates to be installed promptly, with checks performed on a monthly basis.
Encrypt Your Wireless Signals
You want to make it as easy as possible for your guest WiFi network to be accessed by your customers and visitors, but don’t make it too easy for hackers to spy on individuals connected to the network. Make sure you encrypt your wireless network with WPA2 encryption. You can then post the SSID and password in your business to make it easy for legitimate users to gain access to your network.
Secure Guest WiFi for Business Means Content Filtering
Secure guest WiFi for business means adding some controls over the content that can be accessed on your WiFi network. Content filtering is a must. You should block access to adult content – which includes pornography, gambling sites and other web content that is ethically or morally questionable. A web filtering solution will also protect your customers from accidental malware and ransomware downloads while blocking phishing websites. Consider using a cloud-based web filter as these require no additional hardware to be purchased. They can also be configured and maintained remotely and will not require software or firmware upgrades.
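To make the DNS-based filtering described in this post concrete, here is an added example that models how a filtering resolver decides each query; it is illustration code written for this page, not WebTitan's or TitanHQ's implementation. The blocklist, categories, sinkhole address and query names are all constructed, and per-network policies (a guest policy versus a more permissive staff policy) show how different controls can apply to different user groups.

```python
"""
Minimal model of a DNS-based content filter (example code, not a product's code).
A client on the guest network sends a DNS query; the filter parses the question,
matches the name (or any parent domain) against a category database and either
forwards the query upstream or answers it with a sinkhole address / NXDOMAIN.
"""
import struct

# Constructed category database; a real service uses a large classification database.
BLOCKLIST = {
    "adult-example.test": "adult",
    "torrents-example.test": "file-sharing",
    "phish-example.test": "phishing",
}
SINKHOLE_IP = "10.0.0.1"   # constructed: address of a "this site is blocked" page
RCODE_NXDOMAIN = 3


def parse_qname(packet, offset=12):
    """Read the QNAME that starts at offset; return (dotted name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a question name
            raise ValueError("unexpected label compression in question")
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), offset


def lookup_category(name):
    """Match the exact name or any parent domain against the category database."""
    parts = name.split(".")
    for i in range(len(parts)):
        category = BLOCKLIST.get(".".join(parts[i:]))
        if category is not None:
            return category
    return None


def build_query(name, txid=0x1234):
    """Build a standard A query (QR=0, RD=1) for name; used to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def filter_query(packet, policy):
    """
    Decide what to do with one query under a policy (set of blocked categories).
    Returns ("forward", name, None) when the name is allowed, otherwise
    ("block", name, response): a sinkhole A record for blocked content categories,
    or NXDOMAIN for phishing names and for any non-A query to a blocked name.
    """
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    name, q_end = parse_qname(packet)
    qtype, _qclass = struct.unpack("!HH", packet[q_end:q_end + 4])
    category = lookup_category(name)
    if category is None or category not in policy:
        return "forward", name, None
    question = packet[12:q_end + 4]
    if category == "phishing" or qtype != 1:
        # Deny resolution outright: QR=1, RD=1, RA=1, RCODE=NXDOMAIN
        header = struct.pack("!HHHHHH", txid, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return "block", name, header + question
    # Blocked content category: answer with the sinkhole address, TTL 60 seconds
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return "block", name, header + question + answer


def response_rcode(response):
    """Return the RCODE from a response header."""
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def response_answer_ip(response):
    """Return the IPv4 address in the first answer record, or None if there is none."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, q_end = parse_qname(response)
    rr = q_end + 4  # name pointer(2) + type(2) + class(2) + ttl(4) + rdlength(2)
    rdlength = struct.unpack("!H", response[rr + 10:rr + 12])[0]
    return ".".join(str(b) for b in response[rr + 12:rr + 12 + rdlength])


if __name__ == "__main__":
    guest_policy = {"adult", "file-sharing", "phishing"}
    for qname in ("www.example.com", "cdn.adult-example.test", "login.phish-example.test"):
        action, name, resp = filter_query(build_query(qname), guest_policy)
        print(qname, "->", action, response_answer_ip(resp) if resp else "")
```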
Family-Guard offers its customers online protection by blocking access to adult website content such as pornography and stopping malware infections, ensuring the Internet can be accessed safely and securely by all family members.
Family-Guard supplies WiFi routers with pre-configured DNS settings to its customers. Plug in the router and customers are instantly protected from online threats and inappropriate content. As more families take steps to prevent their children from harm online, the company has gone from strength to strength.
However, the firm was not entirely satisfied with its previous web filtering provider and sought a partnership with a new company. Before deciding to deploy WebTitan Cloud for WiFi, Family-Guard needed to be certain that WebTitan offered the required level of protection for its customers. It was essential that all harmful and dangerous website content could be filtered out to ensure customers received the service they paid for. TitanHQ could reassure Family-Guard that its URL filtering technology was up to the task.
The problem with the firm’s previous partner was the inaccuracies in categories and site classifications. Those problems could not be overcome. WebTitan on the other hand offers accurate classification of websites, with more than 500 million web addresses present in its database, including sites in more than 200 languages. Since deploying WebTitan Cloud for WiFi through its router packages, Family-Guard has not experienced the accuracy problems of its previous provider.
Another key consideration when selecting a service provider was the ability to provide the solution in white-label form. It was essential for Family-Guard to incorporate its own branding, which includes the product as well as the user interface for setting filtering controls. With WebTitan, the solution can be supplied without any branding, ready for customization. The white label option and choice of hosting also makes WebTitan an ideal web content filter for managed service providers.
While reassurances could be provided by TitanHQ, the proof of the pudding is in the eating. Before committing, Family-Guard needed to perform extensive testing of the solution. The firm signed up for a free trial and conducted independent tests. Tanner Harman, President of Family-Guard said, “In terms of the trial everything was very straightforward, it was good to speak to an engineer that was able to answer all my questions, this is not common in the technology industry.”
WebTitan is incredibly easy to use and maintain. There are no software updates necessary as all are managed by TitanHQ. Setting up the solution is also straightforward. Once the DNS has been directed to WebTitan, it is just a case of configuring the web filtering controls. For Family-Guard, it took staff around 30 minutes to become familiar and comfortable with using the solution. The company is now reaping the benefits.
“For our technical staff, it reduced the time spent on support calls as the number of support calls reduced dramatically almost immediately.” The solution has also dramatically reduced the time the support team has spent dealing with malware. Tanner said, “WebTitan Cloud blocks all the bad stuff before it hits the customer’s location so issues that previously occurred regularly are now avoided.”
It can take some time following deployment to fully appreciate the benefits that WebTitan brings to an organization. Family-Guard implemented the solution in April 2016. The cost saving from deploying WebTitan Cloud has been considerable. In the 12 months following the implementation of WebTitan Cloud, Family-Guard has enjoyed savings of more than $10,000.
Further, as Family-Guard grows, it is not limited by its license. With WebTitan, additional licenses can be added as and when required with a dynamic pricing plan lacking the barriers and wastage typical of other web filtering solutions.
Whether you are looking for a web content filter for public hotspots, a filtering solution to package into your products and services or a content filtering solution for your business WiFi network, TitanHQ can help.
For further information on the features and benefits of WebTitan, answers to technical questions and to register for a free trial, contact the TitanHQ team today.
Customers are increasingly choosing to visit retailers based on whether free Internet access is available in store. Providing WiFi access doesn’t just attract more customers. It provides retailers with an opportunity to communicate new sales initiatives to customers and allows valuable information to be gathered on what customers do inside stores. Monitoring the websites accessed by customers also allows retailers to gain a valuable insight into customer behavior.
Retailers are increasingly offering free WiFi in-store to attract more customers, but providing access to the Internet in-store carries risks. If customers have free, unfettered access to the Internet they would be able to access inappropriate content, accidentally download malware or use the connection for illegal file downloads.
Retailers can gain huge benefits from offering customers free access to a WiFi network, but without security solutions to mitigate risk, the offer of free WiFi can backfire. A web content filter for public hotspots is now essential.
Selfridges understands the benefits of providing free WiFi access to customers, but also the risks. If WiFi was to be provided in-store, it would need to be secure to prevent customers from installing malware or accessing phishing websites.
Selfridges also needed protection from legal liability. Steps therefore needed to be taken to prevent customers from accessing inappropriate website content in store and to stop minors from accessing adult content.
Selfridges prides itself on providing high quality products and customer service, so it was important to ensure that its WiFi service reflected the store’s values. Alisdair Morison, IT manager at Selfridges, said, “We had to ensure that guests could not access malicious sites or to view inappropriate content while in the store.”
In the case of inappropriate website content, the risks are considerable. Morison said, “We knew that if a guest accessed porn on the WiFi connection and a child or other person could inadvertently view that screen, we would be legally liable.” The same applies to illegal file downloads via its WiFi network.
Choosing a solution posed a number of challenges. Selfridges has a small, but busy IT department so a web filtering solution needed to have a small administrative burden. Technical staff are not present in each store so it was important that the solution could be managed remotely for all four locations without the need for any site visits.
Selfridges contacted TitanHQ and chose WebTitan Cloud for WiFi. “We looked at a bunch of solutions. I was really taken aback by the price point, features and functionality we were going to get with WebTitan WiFi,” said Morison, “Other solutions didn’t have all the features and functionalities we wanted; they could do some of what we now do with WebTitan WiFi, but at a higher cost.”
The solution was set up in less than half a day and the IT team can manage the solution remotely and monitor WiFi connections. All four locations are managed through a central administration management console. All that was required to get started was to add the company’s external IP address to the GUI, update DNS forwarders and set the filtering controls.
Selfridges now blocks pornography, illegal activities such as file sharing and activities that are ethically or legally questionable. The WiFi network is child-friendly, so parents need not worry about the content that their children can access in-store. The WiFi network can be used safely and securely by all its 200 million annual visitors, with both Selfridges and its customers gaining benefits from in-store WiFi.
TitanHQ has announced a new partnership agreement with the intelligent spaces firm Purple. TitanHQ will be securing the firm’s WiFi networks and providing content filtering with WebTitan Cloud for WiFi.
Purple is a leader in its field, with over 20 million users spread across 125 countries around the globe. Its solution helps businesses monitor their physical spaces and promote their brand, in addition to gaining valuable insights into customer behavior at their venues. Purple’s clients include the City of New York, Legoland, Jaguar, Pizza Express, Outback Steakhouse, the Indiana Pacers, Merlin Entertainments Group and British Land to name but a few.
Purple will be adding WebTitan to its WiFi and Analytics package to improve security for its customers. Current and new customers will benefit from a more secure WiFi package and will be protected from a wide range of web-based threats.
WebTitan is a market-leading web content filtering solution that currently blocks more than 60,000 malware variants each day, protecting end users when they venture online. WebTitan can be used to control the content that can be accessed via WiFi networks around the globe from a single administration console. Companies can protect thousands – or tens of thousands – of WiFi access points simultaneously with WebTitan without any latency. The solution is easy to set up and configure, requires no additional hardware and has an extremely low management overhead.
Protection from exploit kits, phishing websites, and malware and ransomware downloads is more important now than ever. Cybercriminals have increased their efforts, and malware, phishing and ransomware attacks are becoming increasingly common.
In the case of ransomware, payment of the ransom demand may not allow data to be recovered as has clearly been demonstrated by the NotPetya attacks. Many companies that were attacked with NotPetya are still experiencing major problems and disruptions to services, with several firms forced to replace entire networks following installation of the malware.
Cyberattacks such as WannaCry and NotPetya are likely to become the new norm, with companies needing to do more to protect their networks – and their customers – from attack.
With WebTitan, malware and ransomware protection is only part of the story. WebTitan is a powerful content filter that prevents inappropriate content from being accessed by WiFi users – something that is becoming increasingly important in the retail and hospitality industries. With Purple’s retail and hospitality sector clients growing fast, this additional protection was essential.
For Purple, it soon became clear that the partnership with TitanHQ was the perfect choice, as James Wood, Head of Integration at Purple explained, “We approached TitanHQ with a number of specific requirements that were unique to Purple. From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
WebTitan was also ideal for Purple customers. Wood said, “We take guest Wi-Fi security seriously so it was important that our customers were protected in the right way. Along with superior protection, WebTitan also allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
Installing the new web filtering system and replacing the incumbent system was completed in the quickest possible time frame, with tens of thousands of users migrated to the new system in a matter of days. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”
The Kaseya Connect Europe User Conference will be taking place on October 3, 2017 in Amsterdam, Netherlands with the company recently having announced its line-up of speakers and exhibiting partners for the event.
The Kaseya Connect Europe User Conferences are hugely popular. The events provide an excellent networking and learning opportunity with attendees able to see technical presentations with hands on demonstrations to improve usage of Kaseya solutions and find out more about the latest product releases.
Attendees benefit from expert advice, gain strategic insights and receive useful practical knowledge from industry experts and thought leaders and have the opportunity of taking part in product training and other instructional sessions to help them get the most out of their business, optimize their technical operations and boost revenues.
The upcoming Kaseya Connect Europe User Conference will include a business track to help MSPs monetize their business, increase their service stack and boost revenues.
Sue Gilkes, faculty member of CompTIA and founder and managing director of Your Impact Ltd, will be providing her insights into how MSPs can grow their business and improve revenues, while Transmentum’s Adam Harris – Author of “Check-In Strategy Journal” – will be delivering a keynote speech – “7 Sales Strategies to Take Away and Implement Immediately” – a must attend session for all MSPs.
Next year, the General Data Protection Regulation (GDPR) will come into effect in May. MSPs need to start preparing to ensure the deadline for compliance is met. With the deadline just a few months away, a session will be focused on helping MSPs prepare.
TitanHQ is pleased to announce it is an Emerald Sponsor for the event and will be demonstrating its WebTitan and SpamTitan solutions for MSPs.
WebTitan is an innovative web filtering solution ideal for MSPs. The solution can easily be added to MSPs service stacks allowing them to improve the cybersecurity defenses of their clients. WebTitan is a DNS-based web filtering solution that blocks a wide range of online threats and allows users to carefully control the web content that can be accessed via their wired and wireless networks.
SpamTitan is a leading spam filtering solution that blocks more than 99.9% of spam and malicious emails to keep end users protected from phishing attacks, malware and ransomware infections.
Both solutions are provided as white labels with a range of hosting options, including hosting within an MSP’s own environment.
Following the massive global ransomware attacks of recent months, businesses are demanding additional protections, with both solutions offering MSPs a golden opportunity to generate regular additional monthly revenue with minimal management time.
“It’s exciting to bring together hundreds of our European customers and partners for this conference, and provide them with convenient access to educational sessions, networking opportunities and insightful discussions from industry leaders,” said Sabine Link, vice president, customer success for Kaseya. “Through this event, we can deliver a unique experience for our European users that will empower them with the knowledge they need to achieve the results they desire.”
The event is free of charge for MSP executives, regardless of whether they are already Kaseya users. However, registration is required in advance of the event. If you are interested in attending the Kaseya Connect Europe User Conference in October, you can register for the conference here.
The RoughTed malvertising campaign was rampant in June, causing problems for 28% of organizations around the world according to Check Point.
Malvertising is the name given to adverts that redirect users to malicious websites – sites hosting exploit kits that download malware and ransomware, phishing kits that gather sensitive information for malicious purposes or are used for a variety of scams.
Malvertising campaigns pose a significant threat because it is not possible to avoid seeing the malicious adverts, even if users are careful about the websites they visit. Malicious adverts are displayed through third party ad networks, which are used on a wide range of websites. Even well known, high traffic websites such as the BBC, New York Times, TMZ and MSN have all been discovered to have displayed malicious adverts. Cybercriminals only need to place their adverts with one advertising network to see their adverts displayed on many thousands of websites.
The RoughTed malvertising campaign was first identified in May, although activity peaked in June. By that time, it had resulted in infections in 150 countries throughout North and South America, Europe, Africa, Asia and Australasia.
It is sometimes possible to block malvertising using ad blockers, which prevent adverts from being displayed; however, the RoughTed malvertising campaign can get around these controls and can bypass ad blockers ensuring adverts are still displayed.
A web filtering solution can be useful at preventing categories of websites from being accessed that commonly host malicious adverts – sites hosting pornography for example – although due to the wide range of websites that display third party adverts, it would not be possible to eradicate risk. That said, an advanced web filtering solution such as WebTitan offers excellent protection by blocking access to the malicious sites rather than the malvertising itself.
Websites are rapidly added to blacklists when they are detected as being used for nefarious purposes. WebTitan supports blacklists and can block these redirects, preventing end users from visiting malicious sites when they click on the ads.
In addition to blacklists, WebTitan URL classification uses a multi-vector approach to deeply analyze websites. The URL classification uses link analysis, content analysis, bot detection and heuristic analysis to identify websites as malicious. These advanced techniques are used to block ad fraud, botnets, C2 servers, sites containing links to malware, phishing websites, spam URLs, compromised websites and malware distribution sites including those hosting exploit kits. The URL classification system used by WebTitan leverages data supplied by 500 million end users with the system continuously updated and optimized.
If you want to protect your organization from the actions of your end users and block the majority of online threats, contact the TitanHQ team today for further information on WebTitan and take a closer look at the web filtering solution in action.
A massive global cyberattack is underway involving Petya ransomware. Ukraine has been hit particularly hard although companies all over Europe have reported that systems have been taken out of action and ransoms demanded. Social media websites are awash with reports of disruption to services across a wide range of industries and countries. The attacks appear to have started in Russia/Ukraine but spread rapidly across Europe, with reports emerging that companies in India have also been affected.
The attacks appear to involve a variant of Petya ransomware – a particularly nasty ransomware variant for which there is no kill switch or free decryptor. Petya ransomware takes the Master File Table (MFT) out of action rather than encrypting individual files. Consequently, the attacks occur faster than with other ransomware variants. Without access to the MFT, computers are unable to locate files stored on the hard drive. Those files remain unencrypted, but cannot be accessed.
The ransom demand to unlock the infection is understood to be approximately $300, although that figure will need to be multiplied by the number of devices affected.
Another WannaCry Style Global Ransomware Attack
The WannaCry ransomware attacks used exploits stolen from the NSA, which were published online by Shadow Brokers. Those exploits worked on unpatched systems, exploiting vulnerabilities to automatically download a network worm and WannaCry ransomware. The attacks spread rapidly – around the world and within organizations.
This wave of attacks appears to be similar. The attacks started happening this morning, with the Russian cybersecurity firm Group-IB one of the first to suggest this was a WannaCry-style attack involving an NSA exploit. That has since been confirmed by other cybersecurity firms. Fabian Wosar of Emsisoft said he has confirmed that the infection is spreading using the same EternalBlue exploit as WannaCry, as has MalwareHunterTeam.
Organizations that applied the patch issued by Microsoft in March were protected from WannaCry and will likely be protected from this Petya ransomware attack. Following WannaCry, Microsoft issued patches for unsupported operating systems to prevent further attacks from occurring. However, judging by the number of attacks that have already occurred, the WannaCry attacks did not spur some companies into action. Many have still not patched their systems.
Several well-known companies have reported they are under attack and have had servers and computers taken out of action, with companies in Russia, Ukraine, France, Spain, Denmark, India and the UK all understood to have been affected. Companies that have confirmed they have been attacked include:
Russia – Oil company Rosneft and metal maker Evraz
Ukraine – Boryspil Airport, aircraft manufacturer Antonov, two postal services, the Ukraine government, the Ukraine national bank. The Chernobyl nuclear power plant has also been attacked, as have many other energy companies in the country.
Denmark – Shipping firm A.P. Moller-Maersk, including APM Terminals which runs shipping container ports around the world.
France – Construction firm Saint Gobain
International – Companies reportedly affected include the law firm DLA Piper, advertising firm WPP, food manufacturer Mondelez and U.S. pharmaceutical firm Merck.
Time will tell whether this Petya ransomware attack will be on a similar scale to WannaCry. Since it is currently occurring it will likely be a few days before the true scale of the attack becomes known.
2016 was a bad year for data breaches, but a new analysis by the Identity Theft Resource Center (ITRC) shows 2017 data breach figures are far worse. Year over year, data breaches have increased by 29.1%.
Last year saw record numbers of data breaches, with 1,093 incidents tracked by the ITRC; however, if breaches continue to occur at the rate seen over the past 6 months, this year is likely to be another record-breaking year. 2017 is likely to see more than 1,500 breaches – a particularly worrying milestone to pass.
55.4% of 2017 data breaches have been reported by organizations in the business sector. Those 420 incidents have involved more than 7.5 million records, more than 64% of all records exposed so far in 2017. The healthcare industry has also experienced many data breaches, accounting for 22% of the total. So far this year, the protected health information of 2.5 million individuals has been exposed – 21.1% of all records exposed so far in 2017.
Education may have only experienced 87 data breaches this year – 11.5% of the year to date total – but those breaches account for 9% of exposed records, helped in no small part by a single breach at Washington State University that involved at least 1 million records.
The government/military sector is in fourth place with 43 breaches; its 200,000+ exposed records account for 1.8% of the records exposed year to date. Fifth place is taken by financial services with 41 breaches, with more than 526,000 exposed records accounting for 5.4% of the year to date figures.
The ITRC has been tracking data breaches since 2005, with the 2017 data breaches bringing the overall total number of incidents up to 7,656. The total number of exposed records has now risen to 899,792,157.
In the case of healthcare data breaches, more incidents have been reported following the clarification of HIPAA Rules covering ransomware attacks. Last year there was some confusion as to whether ransomware attacks were reportable. The Department of Health and Human Services’ Office for Civil Rights confirmed late last year that most ransomware attacks are reportable under HIPAA Rules. Consequently, there has been an increase in reports of these events in recent months.
Companies in other industries are also reporting more data breaches due to changes in state legislation and public pressure. However, ITRC points out the big jump in 2017 data breaches can also be explained by an increase in insider incidents and cyberattacks.
The increase in data breaches in 2017 clearly highlights the importance of conducting a thorough, organization-wide risk analysis to identify all potential vulnerabilities that could potentially be exploited. A risk management plan should then be put in place to address any vulnerabilities that are identified.
While organizations should consider augmenting security to protect the network perimeter, the threat from within should not be ignored. Employees are typically a weak point in security defenses, although action can be taken to reduce risk. Training should be provided to improve security awareness, technological solutions implemented to reduce the risk from phishing and other malicious email-borne attacks, while web-based attacks can be limited with a web filtering solution.
2017 may be shaping up to be a particularly bad year for data breaches, but with investment in people and cybersecurity defenses, it is not too late to prevent 2017 from being another record-breaking year.
The healthcare industry has been heavily targeted by cybercriminals, but retail industry data breaches are now the most common according to a recent study by Trustwave. Retail industry data breaches account for 22% of all reported breaches, closely followed by the food and beverage industry on 20%.
In 2016, corporate and internal networks were the most commonly breached systems, although there was a marked increase in POS system breaches, which are now the second most targeted systems, accounting for 31% of all reported breaches. In 2015, POS data breaches accounted for only 22% of the total. POS data breaches were most common in the United States. In 2015, e-commerce platforms were heavily targeted, accounting for 38% of all breaches, although in 2016 the percentage fell to 26%.
Healthcare data is in high demand, although it is still credit card numbers that are most commonly stolen. 63% of data breaches involved card data, split between card track data (33% of incidents) – mostly from hospitality and retail industry data breaches – and card-not-present data (30% of incidents) which came from breaches of e-commerce platforms.
The United States was also the most targeted country, accounting for 49% of all breaches – more than double the percentage of Asia-Pacific in second place with 21% of reported breaches. Europe was in third place with 20%.
Zero-day exploits are in high demand, commanding an initial price of $95,000 on the black market, although there were only 9 zero-day vulnerabilities exploited in the wild in 2016 – 5 for Adobe Flash, 3 for Internet Explorer and one for Microsoft Silverlight.
The top two methods of compromise were remote access – 29.7% of attacks – and phishing and social engineering, which accounted for 18.8% of attacks.
Exploit kit activity has fallen since the fall of the Angler, Magnitude and Nuclear exploit kits, although others such as Rig are increasing in popularity. Exploit kits activity could increase further due to the low cost of conducting malvertising campaigns – malicious adverts on third party ad networks that direct individuals to sites hosting exploit kits. Trustwave reports it now costs cybercriminals $5 to target 1,000 vulnerable computers with malicious adverts. Trustwave warns that while exploit kit activity has fallen, it would be wrong to assume it is gone for good. If it is profitable to use exploit kits, more will be developed.
Spam email is still the primary attack vector. In 2016, there was an increase in spam email messages rising from 54% of message volume in 2015 to 60% of total email volume in 2016. 35% of those messages contained malicious attachments, which Trustwave reports is up from 3% in 2015.
The most common malware variants discovered in 2016 data breach investigations attacked POS systems and were PoSeidon (18%) and Alina (13.5%) with Carbanak/Anunak in third place on 10%.
A recent Ponemon Institute study suggests data breaches take more than six months to detect, while Trustwave's figures suggest the median number of days between intrusion and detection for external incidents was 65 days in 2016, although some companies took up to 2,000 days to discover a breach. Detection times have improved from 2015, when it took a median of 80.5 days to detect a breach.
Over the past few days, a new threat called Fireball malware has been spreading rapidly and has allegedly been installed on more than 250 million computer systems. An estimated 20% of corporate networks have been infected with the malware. 10% of infections are in India, 9.6% in Brazil, 6.4% in Mexico, 5.2% in Indonesia and 2.2% in the United States.
The new malware variant was discovered by security researchers at Check Point, who claim the malware campaign is “possibly the largest infection operation in history.”
Fireball malware targets web browsers and is used to manipulate traffic. Once infected, the end user is redirected to fake search engines, which redirect search queries to Google and Yahoo. Fireball malware is being used to generate fake clicks and boost traffic, installing plugins and new configurations to boost the threat actor’s advertisements.
The malware is also capable of stealing user information using tracking pixels and can easily be turned into a malware downloader. Once installed, Fireball malware can run any code on the victim's computer, making the infection especially dangerous. While Fireball malware is not believed to be dropping additional malware at this stage, it remains a very real possibility. The malware is signed with a valid digital certificate, hides the infection and cannot be easily uninstalled.
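As an added example (not part of the original article or of Check Point's research), the script below shows what a first-pass triage of the settings a search hijacker like Fireball manipulates looks like on one Windows host: the Internet Explorer start page, Chrome's home page, startup URLs and default search provider, and the Run keys used for persistence. The allowlist in $TrustedSearchHosts is an assumption standing in for an organization's own list of legitimate search engines; the Chrome preference keys are those of a standard per-user profile.

```powershell
# Added example: flag browser settings that point outside an allowlist of search engines,
# and list autorun entries for review. Assumption: $TrustedSearchHosts is the organisation's
# own allowlist; anything else configured as start page, startup URL or search provider is flagged.
$TrustedSearchHosts = @('www.google.com', 'www.bing.com', 'search.yahoo.com', 'duckduckgo.com')

function Get-UrlHost([string]$Url) {
    # Host part of a URL, lower-cased; the raw string if it does not parse as a URI
    try { ([uri]$Url).Host.ToLower() } catch { $Url }
}

function Test-UntrustedUrl([string]$Url) {
    # True when a URL is configured and its host is not on the allowlist
    if ([string]::IsNullOrWhiteSpace($Url)) { return $false }
    return ($TrustedSearchHosts -notcontains (Get-UrlHost $Url))
}

function Find-BrowserHijack {
    $findings = @()

    # Internet Explorer keeps the start page under HKCU
    $ieMain = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($ieMain -and (Test-UntrustedUrl $ieMain.'Start Page')) {
        $findings += [pscustomobject]@{ Browser = 'IE'; Setting = 'Start Page'; Value = $ieMain.'Start Page' }
    }

    # Chrome keeps home page, startup URLs and the default search engine in a JSON preferences file
    $prefsPath = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
    if (Test-Path $prefsPath) {
        $prefs = Get-Content $prefsPath -Raw | ConvertFrom-Json
        $candidates = @(
            @{ Setting = 'homepage';       Value = $prefs.homepage }
            @{ Setting = 'startup_urls';   Value = $prefs.session.startup_urls }
            @{ Setting = 'default_search'; Value = $prefs.default_search_provider_data.template_url_data.url }
        )
        foreach ($c in $candidates) {
            foreach ($url in @($c.Value)) {
                if (Test-UntrustedUrl $url) {
                    $findings += [pscustomobject]@{ Browser = 'Chrome'; Setting = $c.Setting; Value = $url }
                }
            }
        }
    }

    # Hijackers persist through the Run keys; list every entry so the binaries can be reviewed
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $run = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if ($run) {
            $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
                $findings += [pscustomobject]@{ Browser = '(autorun)'; Setting = "$key\$($_.Name)"; Value = $_.Value }
            }
        }
    }
    return $findings
}

Find-BrowserHijack | Format-Table -AutoSize
```

A flagged search provider or start page is not proof of infection on its own (users do change these settings), but a host whose default search has been silently pointed at an unfamiliar domain, combined with an unrecognised Run entry, is exactly the pattern described for Fireball and warrants pulling the binary for analysis.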
The malware is being distributed bundled with other software such as the Mustang browser and Deal WiFi, both of which are provided by a large Chinese digital marketing agency called Rafotech. It is Rafotech that is understood to be behind Fireball malware.
Rafotech is not using the malware for distributing other malware, nor for any malicious purposes other than generating traffic to websites and serving end users adverts, but Fireball may not always remain as adware. At any point, Fireball could simultaneously drop malware on all infected systems.
The recent WannaCry ransomware attacks serve as a good comparison. Once the network worm had spread, it was used to deploy WannaCry. More than 300,000 computers were infected by the worm, which then dropped the ransomware. If a more advanced form of malware had been used that did not have a kill switch, the WannaCry attacks would have been far more severe. Now imagine a scenario where the same happened on 250 million computers… or even more as Fireball malware spreads further.
Fireball could also drop botnet malware onto those computers. A botnet involving 250 million or more computers would result in absolutely devastating DDoS attacks on a scale never before seen. As a comparison, Mirai is understood to include around 120,000 devices and has wreaked havoc. A botnet comprising 250 million or more devices could be used to take down huge sections of the internet or target critical infrastructure. It would be a virtual nuclear bomb.