Widespread Emotet malicious software targeting businesses and individuals

What’s happened?

Emotet is a banking trojan that obtains financial information by injecting code into the networking stack of an infected Microsoft Windows computer, allowing sensitive data to be stolen in transit. Emotet also inserts itself into software modules which can then steal address book data and perform denial of service attacks on other systems. It also functions as a downloader or dropper of other banking Trojans.

The Australian Cyber Security Centre (ACSC) is aware of a widespread malicious email virus (malware), known as ‘Emotet’, targeting Australian businesses and individuals.

Cybercriminals use malware for different reasons, most commonly to steal personal or valuable information from which they can profit, hold recipients to ransom or install damaging programs onto devices without your knowledge. Do not pay the ransom if affected by ransomware. There is no guarantee that paying the ransom will fix your computer, and it could make you vulnerable to further attacks. Restore your files from backup and seek technical advice.

How it works

The Emotet malware appears as a normal or useful file attachment in emails (.doc, .docx, .pdf), but includes hidden code which allows cybercriminals to access and control your devices or computer systems. It can also appear as a website hyperlink in emails.

Emotet malware infects devices or computers when users click on links or open files in these emails. The emails are phishing messages crafted to look like they come from someone you know, or from an organisation you deal with.

Once a user account is infected, the malware forwards itself to all of the user’s email contacts, increasing the likelihood of further infection.

Here is an example of one of these emails, but it can come in many different formats.

Example of Emotet phishing email

How do I stay safe?

Always use caution before opening emails and attachments, and clicking on links.

To prevent malware infection, the ACSC recommends you take the following steps immediately:

  • Disable Microsoft Office macros. (Macros are small programs used to automate simple tasks in Microsoft Office documents but can be used maliciously – visit the Microsoft website for information on disabling macros in your version of Office.)
  • Maintain firewalls.
  • Make sure you have an offline backup of your information.

If you run a business, we recommend you also alert your staff to be aware of any emails that look unusual or suspicious. Refer to the ACSC advice at www.cyber.gov.au/advice/improving-staff-awareness

The ACSC has also issued advice to help organisations protect systems and customer data.

Organisations that require further assistance or advice about Emotet malware can contact the ACSC by emailing ASD.Assist@defence.gov.au

For more information, please visit: www.staysmartonline.gov.au

How to stay protected from ransomware?

Businesses large and small are under threat from increasingly aggressive and brutal ransomware attacks. Loss of access to critical files, followed by a demand for payment can cause massive disruption to an organization’s productivity.

But what does a typical attack look like? And what security solutions should be in place to give the best possible defense?

This article examines commonly used techniques to deliver ransomware, looks at why attacks are succeeding, and gives nine security recommendations to help you stay secure. It also highlights the critical security technologies that every IT setup should include.

Ransomware – a brief introduction

Ransomware is one of the most widespread and damaging threats that internet users face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of file-encrypting ransomware variants delivered through spam messages and Exploit Kits, extorting money from home users and businesses alike.

The current wave of ransomware families can have their roots traced back to the early days of Fake AV, through “Locker” variants and finally to the file-encrypting variants that are prevalent today. Each distinct category of malware has shared a common goal – to extort money from victims through social engineering and outright intimidation. The demands for money have grown more forceful with each iteration.

A survey of 2,700 organizations found that 54% have been hit by ransomware – twice on average. Of those hit, 77% were running up-to-date antivirus at the time of the attack. And the costs are punitive, with the median impact per organization US$133k (£100k).

Why are ransomware attacks so successful?

Most organizations have at least some form of IT security in place. So why are ransomware attacks slipping through the net?

  1. Sophisticated attack techniques and constant innovation
  • Access to ready-made ‘Exploit as a Service’ (EaaS) programs is increasingly easy, making it simple to initiate, successfully complete and benefit from an attack, even for less tech-savvy criminals. Below is an EaaS program for sale.

  • Skillful social engineering is used to prompt the user to run the installation routine of the ransomware. For example, you may receive an email that reads something like this: “My organization’s requirements are in the attached file, please provide me with a quote.”
  • Producers of ransomware operate in a highly professional manner. This includes providing a working decryption tool after the ransom has been paid, although this is by no means guaranteed.
  2. Security holes at affected companies
  • Inadequate backup strategy (no real-time backups, backups not offline/off-site).
  • Updates/patches for operating system and applications are not implemented swiftly enough.
  • Dangerous user/rights permissions (users work as administrators and/or have more file rights on network drives than necessary for their tasks).
  • Lack of user security training (“Which documents may I open and from whom?”, “What is the procedure if a document looks malicious?”, “How do I recognize a phishing email?”).
  • Security systems (virus scanners, firewalls, IPS, email/web gateways) are not implemented or are not configured correctly. Inadequate network segmentation can also be included here (servers and workstations in the same network).
  • Lack of IT security knowledge (.exe files may be blocked in emails but not Office macros or other active content).
  • Conflicting priorities (“We know that this method is not secure but our people have to work…”).
  3. Lack of advanced prevention technology
  • Many organizations have some form of generic protection.
  • Ransomware is constantly being updated to exploit and avoid this protection. For example, deleting itself so quickly after encrypting files that it can’t be analyzed.
  • Solutions need to be designed specifically to combat ransomware techniques.

How does a ransomware attack happen?

There are two main ways that a ransomware attack starts: via an email with a malicious attachment, or by visiting a compromised (often legitimate, mainstream) website.

Malicious email

Today’s criminals are crafting emails that are indistinguishable from genuine ones: grammatically correct, with no spelling mistakes, and often written in a way that is relevant to you and your business.

When opened, the zip file appears to contain an ordinary .txt file.

However, when the file is executed the ransomware is downloaded and installed onto your computer. In this example it’s actually a JavaScript file disguised as a .txt file that’s the Trojan horse, but there are many other variations on the malicious email approach, such as a Word document with macros, and shortcut (.lnk) files.

Malicious websites

Another common way to get infected is by visiting a legitimate website that has been infected with an exploit kit. Even popular websites can be temporarily compromised. Exploit kits are black market tools that criminals use to exploit known or unknown vulnerabilities (including zero-day vulnerabilities).

You browse to the hacked website and click on an innocent-looking link, hover over an ad or in many cases just look at the page. And that’s enough to download the ransomware file onto your computer and run it, often with no visible sign until after the damage is done.

What happens next?

After initial exposure, such as via the email or web examples above, the ransomware takes further action:

  • It contacts the attacker’s Command & Control server, sending information about the infected computer and downloading an individual public key for it.
  • Specific file types (which vary by ransomware type) such as Office documents, database files, PDFs, CAD documents, HTML, XML, etc., are encrypted on the local computer, removable devices and all accessible network drives.
  • Automatic backups of the Windows operating system (shadow copies) are frequently deleted to prevent data recovery.
  • A message appears on the desktop explaining how the ransom can be paid (typically in Bitcoin) within a specific time frame.
  • Finally, the ransomware deletes itself, leaving the encrypted files and ransom note behind.

Ransomware Evolved

One of the first major ransomware outbreaks was the CryptoLocker ransomware which appeared in 2013. CryptoLocker infected hundreds of thousands of machines, earning millions of dollars for the attackers. It eventually was shut down when the Gameover Zeus botnet, which was used to distribute the attacks, was taken offline. CryptoLocker was followed by variants such as CryptoWall, TeslaCrypt, and Cerber.

In 2017 ransomware gained global attention with the outbreak of WannaCry. The attack was launched using suspected NSA code that was leaked by a group of hackers known as the Shadow Brokers. It used a variant of the ShadowBrokers APT EternalBlue Exploit (CC-1353). WannaCry was followed by another high profile attack, Petya or NotPetya. This attack is believed to be a nation-state attack started by Russia. Unlike file-based encryption ransomware, Petya was a “wiper” ransomware attack which encrypted the Master Boot Record causing significant damage to the device.

After WannaCry, attackers became even more ruthless with their attacks, focusing on specific targets such as businesses, hospitals, schools, and government agencies, rather than just a “spray and pray” approach. Some of the more impactful ransomware variants included Emotet and SamSam which used advanced stealthy techniques to get by endpoint defenses.

This has continued in 2019 with Ryuk. Ryuk has leveraged (and stolen) the techniques that have been proven to be successful from previous attackers. Techniques include entering via an exposed Remote Desktop Protocol (RDP), escalating privileges, tampering with security software, and spreading far and wide before executing the payload.

Nine best security practices to apply now

Staying secure against ransomware isn’t just about having the latest security solutions. Good IT security practices, including regular training for employees are essential components of every single security setup. Make sure you’re following these nine best practices:

  1. Patch early, patch often

Malware that doesn’t come in via a document often relies on security bugs in popular applications, including Microsoft Office, your browser, Flash and more. The sooner you patch, the fewer holes there are to be exploited.

  2. Backup regularly and keep a recent backup copy offline and off-site

There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.

  3. Enable file extensions

The default Windows setting is to have file extensions disabled, meaning you have to rely on the file thumbnail to identify it. Enabling extensions makes it much easier to spot file types that wouldn’t commonly be sent to you and your users, such as JavaScript.

  4. Open JavaScript (.JS) files in Notepad

Opening a JavaScript file in Notepad blocks it from running any malicious scripts and allows you to examine the file contents.

  5. Don’t enable macros in document attachments received via email

Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of infections rely on persuading you to turn macros back on, so don’t do it!

  6. Be cautious about unsolicited attachments

The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt leave it out.

  7. Don’t give yourself more login power than you need

Don’t stay logged in as an administrator any longer than is strictly necessary and avoid browsing, opening documents or other regular work activities while you have administrator rights.

  8. Stay up-to-date with new security features in your business applications

For example Office 2016 now includes a control called “Block macros from running in Office files from the internet”, which helps protect against external malicious content without stopping you using macros internally.

  9. Patch early, patch often!

Staying on top of patches is so important that we’ve included it twice. Don’t let ransomware exploit vulnerabilities that have patches available!

How can we protect you from ransomware?

To stop ransomware you need to have effective, advanced protection in place at every stage of an attack.

Securing your endpoints

We use multiple layers of defense to stop ransomware in its tracks. Anti-exploit technology stops the delivery of ransomware, deep learning blocks ransomware before it can run and CryptoGuard prevents the malicious encryption of files, rolling back affected files. It works alongside your existing antivirus from any vendor.

Protecting your servers

Server Advanced includes CryptoGuard functionality to prevent the malicious encryption of your files, rolling back affected files. Whitelisting and lockdown permits only authorized applications and identifies what they can change – all other attempts to make changes are blocked. Malicious traffic detection stops ransomware from contacting command & control servers and downloading the payload.

Stop phishing emails

Phish Threat sends simulated phishing attacks to your organization, testing preparedness against real world attacks. Emails can be customized to your organization and industry and have been carefully localized for multiple languages. Detailed feedback lets you see how many users failed, overall susceptibility to attacks and more.

Are you infected with ransomware?

Looking for a solution?

Don’t worry, Computer Support Professionals have got you covered.

Contact us at 1300 660 368 and get rid of ransomware in no time.

Users of older versions of Windows urged to update their software immediately

What’s happened?

The Australian Cyber Security Centre is aware of widespread abuse of a security vulnerability (called BlueKeep) that affects older versions of Windows operating systems including Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008.

Hackers can use the BlueKeep vulnerability to access computers and devices that don’t have the latest software updates.

Once a device is infected, malware exploiting BlueKeep can spread to other computers or devices on the same network – including devices which have access to a remote desktop environment, if your business uses one.

Does it affect me?

Any organisation or business that relies on the older Microsoft systems is at risk.

How do I stay safe?

  • Organisations and individuals using older versions of Windows should immediately install the Windows BlueKeep vulnerability software update at https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluek…
  • If you’re a business and you use remote desktop, it’s very important to apply all the updates.
  • Windows users shouldn’t access Remote Desktop Protocol (RDP) directly from the internet. Use a Virtual Private Network with two-factor authentication if RDP is required, whichever version of Windows you are running.
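The settings behind the nine best practices earlier on this page (visible file extensions, .js files opened in Notepad, macros blocked from internet files, everyday work from a non-admin account) and this advisory’s RDP advice can all be read from the registry, so here they are brought together as a read-only PowerShell audit. This is an added example, not part of the original advisories; the registry paths are the documented locations for those settings, and the Network Level Authentication check goes slightly beyond the advisory, following Microsoft’s published BlueKeep guidance, which lists NLA as a partial mitigation.

```powershell
# Added example: read-only audit of the settings recommended on this page.
# Nothing is changed; each check prints PASS/FAIL with the matching advice.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (missing policy = default)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-Setting {
    param([string]$Check, [bool]$Pass, [string]$Advice)
    $state = if ($Pass) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = $Check; State = $state; Advice = $Advice }
}

$results = @()

# Practice 3, enable file extensions: HideFileExt must be 0 for this user
$hide = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
$results += Test-Setting 'Explorer shows file extensions' ($hide -eq 0) `
    'Set HideFileExt to 0 so a file like invoice.txt.js is not shown as invoice.txt'

# Practice 4, open .js in Notepad: the JSFile open command should point at notepad
$jsCmd = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command' '(default)'
$results += Test-Setting '.js files open in Notepad' ($jsCmd -match 'notepad') `
    "Current handler: $jsCmd (a wscript.exe handler runs the script on double-click)"

# Practices 5 and 8, block macros in Office files from the internet (Office 2016
# policy, set per application). Value 1 = block; absent = policy not applied.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $pol = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $block = Get-RegValue $pol 'blockcontentexecutionfrominternet'
    $results += Test-Setting "$app blocks internet macros" ($block -eq 1) `
        "Set blockcontentexecutionfrominternet=1 under $pol (Office 2016 Group Policy)"
}

# Practice 7, no more login power than needed: is this session elevated?
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$results += Test-Setting 'Running as a standard (non-admin) user' (-not $isAdmin) `
    'Do everyday work from a standard account; elevate only when strictly necessary'

# BlueKeep advisory: RDP should not be reachable from the internet. If it must
# run, Network Level Authentication (NLA) is the partial mitigation Microsoft
# lists in its BlueKeep guidance (an assumption beyond this advisory's text).
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOff = Get-RegValue $ts 'fDenyTSConnections'
$nla = Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication'
$results += Test-Setting 'Remote Desktop disabled' ($rdpOff -eq 1) `
    'If RDP is needed, reach it only over a VPN with two-factor authentication'
$results += Test-Setting 'RDP requires Network Level Authentication' ($nla -eq 1) `
    'Set UserAuthentication=1 under WinStations\RDP-Tcp'

$results | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session on each workstation; a FAIL line names the value to change and the practice it belongs to.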

For more information, please visit: www.staysmartonline.gov.au

Still using Windows 7? It will be a risk!

All good things must come to an end, even Windows 7. After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running Windows 7. But you can keep the good times rolling by moving to Windows 10.

Between now and then, the operating system (OS) is in an in-between phase known as “extended support.” During this phase, Microsoft is offering paid support, though not the complimentary support that comes with the license; and will continue to provide security updates, but not design and feature updates.

Every Product has a Life Cycle

Every Windows product has a life cycle. Like many Microsoft products, Windows 7 came with a predetermined support timeline. It’s good to know a product’s support life cycle so that you know when to upgrade. However, there’s absolutely nothing stopping you from using Windows 7 even after its End of Life. But you should know that using an outdated operating system makes your computer vulnerable to cyber-attacks.

Vulnerable to Viruses & Threats

“End of life” is the date after which an application is no longer supported by the company that makes it. Imagine using a product that a company doesn’t want to take responsibility for anymore. You’ll be using the product at your own risk. This means that Microsoft will not take responsibility for loss of data due to security breaches on Windows 7. New computer viruses and other malware are developed all the time and, without the security updates to fight them off, your data and your system are vulnerable.

Upgrading is the Solution

Windows 7 has been one of the most successful operating systems developed by Microsoft. Its resilience has been boosted by the many conspiracies and controversies surrounding Windows 8. In fact, millions of organizations skipped the Windows 8 upgrade and stuck with Windows 7. Many businesses are still not convinced that Windows 10 is any better than Windows 8. Even though there are numerous valid reasons to stay with Windows 7, it’s time to start preparing for the inevitable upgrade.

Now you know that the Windows 7 OS will not be a safe product to use over the internet in a couple of years. So you have to ask yourself if you’re ready to move into the future with the more modern Windows 10 operating system. Windows 10 gets regular patches and updates to keep it secure. It will install on most devices and machines with no problems or issues, but Microsoft does have a vast array of help and support documents on their website in case you run into trouble.

Contact our Microsoft specialists who can provide more information on upgrading your system to Windows 10 without any hassle. Email us at helpdesk@cspro.com.au or call us at 1300 660 368.

Update Windows platforms to protect yourself from a security threat

What’s happened?

Microsoft has released a software update to fix a security flaw in some older versions of Windows including Windows 7, Windows XP, Windows Server 2008 and 2008 R2. The update addresses a vulnerability that attackers may use to gain unauthorised access or to perform other malicious activity.

Does it affect me?

If you are using an older version of Windows including Windows 7, Windows XP, Windows Server 2008 or 2008 R2, you could be affected.

If you have Windows 8 or 10, Microsoft advises you are not affected by this vulnerability.

To find out which Windows operating system you’re using, check the Microsoft website.

How do I stay safe?

To protect yourself, you should install the software update to older versions of Windows as soon as possible. Microsoft has issued customer guidance on how to update older Microsoft operating systems.

Why is using current software important?

Microsoft will not provide official security updates or fixes to Windows 7 after 14 January 2020. To ensure you are using secure software that is supported by Microsoft, you should consider upgrading to Windows 8 or 10 in the near future.

For more information, please visit: www.staysmartonline.gov.au

Update WhatsApp to protect yourself from a security threat

What’s happened?

WhatsApp users are urged to update their WhatsApp app with the latest software update.

The update was released this week to address a security vulnerability that could allow a cybercriminal to remotely install surveillance software on a user’s device.

WhatsApp, owned by Facebook, is a popular messaging app for smartphones. It offers a secure messaging service for one-on-one or small group conversations. As a result, it is a target for scammers trying to hack into users’ confidential conversations and perform other malicious activities.

How to make sure your WhatsApp app is up-to-date

On an iPhone or iOS device:

Go to the App Store and search for WhatsApp. Tap UPDATE next to WhatsApp Messenger.

On an Android device:

Go to Play Store and search for WhatsApp. Tap UPDATE under WhatsApp Messenger.

Why are software updates so important?

Software and security updates fix vulnerabilities in your apps, devices and operating systems that cybercriminals may use to gain unauthorized access or to perform other malicious activity.

Typically attackers exploit vulnerabilities in order to perform other malicious actions, such as stealing or corrupting information, installing malware or stopping the affected system from working correctly.

How do I stay safe?

Whenever possible, choose to automatically apply security updates when they become available. Automatic updates minimize the risk of delaying or forgetting to apply an update and limit the chance that cybercriminals will gain access to your devices and sensitive personal and financial data.

For more information, please visit: www.staysmartonline.gov.au

Why IT Security is Important for Medical Practices

In healthcare, instant access to patient data can be critical. If doctors can’t get the patient information they need, the standard of care can be severely compromised, with potentially unpredictable consequences.

The privacy and security of patient health information is a top priority for patients and their families, health care providers and professionals, and the government. Laws require many of the key persons and organizations that handle health information to have policies and security safeguards in place to protect your health information — whether it is stored on paper or electronically.

This means that data privacy and storage are of vital importance in healthcare. Downtime must be avoided at all costs. However, data storage and privacy have become increasingly difficult, time-consuming and expensive for healthcare organizations.

REASONS

There are several reasons for this. To begin with, the volume of healthcare data is growing at an astronomical rate, driven in part by necessary efforts at healthcare organizations to digitize all their patient health records.

Another driver of data growth is diagnostic devices like CT scanners, MRIs and X-ray machines, which produce massive amounts of imaging data. As these technologies continue to advance, the image files they produce become better, have higher resolution and grow larger and larger in file size. Connected devices like fitness monitors and in-room sensors all produce their own streams of data, all of which must be stored and managed.

The storage demand at even a small medical practice can quickly reach petabyte scale. However, the challenge does not stop there – as the data grows, the time, budget and resources required to store, protect and manage this critical patient data grow as well.

SOLUTION

Medical practices need proper data backup and security management solutions that deliver constant data availability. The solution must be reliable and cost-effective, and must also cover virus protection, including protection against ransomware and other cyberattacks, because healthcare organizations are increasingly under attack from a growing list of threats.

Data breaches in health care come in a variety of forms. They can include cases in which criminal hackers steal protected health information to commit medical identity theft, or instances when an employee views the records of one patient without authorization.

This is partly why healthcare suffered more ransomware attacks than any other industry in 2017, according to a report from global cybersecurity insurance company Beazley. The report found that 45 per cent of all ransomware attacks in 2017 were aimed at the healthcare sector.

GOOD NEWS

The good news is that the market offers solutions designed to handle the ever-increasing amounts of healthcare data securely and cost-effectively, ensuring that quality care is never risked by lack of access to vital information.

SECURE YOUR PRACTICE

Here are five ways healthcare organizations can protect themselves against the triple threat of out-of-control data costs, system downtime and loss of data integrity:

1: Look for converged primary and secondary storage
To properly deal with explosive data growth, healthcare centers need to integrate primary, secondary and cloud data-management capabilities, which can eliminate storage and data protection silos while decreasing the risk of any downtime.

2: Benefit from cost-effective, scale-out storage
Small and medium-size healthcare practices, with fewer resources and smaller budgets, need scalable storage that will adapt to their data needs.

3: Protect against data degradation
Medical images, in particular, are highly vulnerable to data degradation. The silent corruption of data in medical images caused by bit rot is a significant concern. The problem is compounded because legacy systems store images such as X-rays to a picture archiving and communication system and may not detect if data has been compromised. As a result, the information read from the legacy storage system may be corrupt and unusable. Healthcare organizations need modern data solutions that can guard against this kind of data degradation.

4: Inoculate against ransomware
Data protection is a top priority for practices as they battle against the constant threat of cyberattacks. Modern healthcare practices solve this issue by implementing a storage solution that protects information continuously and takes data snapshots every 90 seconds. Because the object store is immutable, these snapshots remain completely unaffected in the event of an attack. As a result, medical practices can recover the most recent version of their data, and thus thwart any ransomware attack.

5: Insist on a tangible ROI
Cyberattacks are increasingly common and, as a result, practices are seeking insurance policies that provide coverage in the event of a data breach or loss. As every medical record is assigned a dollar value by insurance companies as part of the risk assessment, this can quickly add up to tens of millions of dollars in premiums. However, these insurance premiums can be reduced when practices can demonstrate they have effective data management and protection strategies in place. With the right data management solution, healthcare facilities can not only protect their data and decrease costs, they can better treat their patients and ultimately save more lives.

For more information, please visit Medical IT Services