Blog

Never Be a Ransomware Hostage

by Julian Martin - Vice President Product Marketing

What often impacts more than 100,000 computers a day, and can cost you thousands of dollars in remediation, downtime, and cleanup cost? Ransomware.

In a ransomware attack, you are literally held hostage and denied access to critical productivity tools and data like file servers, email, databases and more.

How’s an organization supposed to cope? Start with protecting the most prevalent ransomware delivery system - your email. Download this infographic to learn about the only cloud solution that combines prevention, business continuity and replication for email in a single solution.

Don’t wait. Protect your organization from ransomware now.

FILED IN

In a brief warning alert last week, US-CERT urged individuals and organizations to proactively secure systems against an increase in malware spread via macros. Mimecast is today offering new guidance to help organizations combat this threat. 

Our own research also points to resurgence in this attack technique. We found that:

  • 50% of firms have seen email attacks that use macros in attachments increase
  • 44% saw increase in attacks with social engineering asking users to enable macros
  • 67% are not confident employees would spot this combined attack

These findings came from a recent Mimecast security survey of 436 IT experts at organizations in the US, UK, South Africa and Australia in March 2016.

While most organizations choose to block executable attachments at the gateway by default, they must still allow files such Microsoft Office documents to pass freely if employees are to be productive. Attackers exploit this by weaponizing files in these common formats.

Here’s a recent targeted attack email we saw containing a weaponized attachment:

Mimecast Email Security Guide to Stop Malicious Macros

Here are five recommendations to help you stop weaponized attachments and macro-enabled malware:

  1. Ensure macros are not enabled by default across your Microsoft Office application estate, and that ‘Protected View’ is enabled at all times
  2. Consider disabling macros and VBA code in all but essential applications
  3. Ensure all email attachments are sandboxed by an appropriately advanced email security gateway. Remember non-sandboxing gateways are not able to recognize or signature macros, as the code is not a viral payload
  4. Consider a secure email gateway that offers the capability to neutralize weaponized attachments, or strip active code from all inbound Office documents
  5. Train and educate end users to the changing nature of threats in email. Ensure they understand the risks presented to their inboxes, and how to handle unexpected email and attachments. Ensure they understand the hacker’s tactics and how to recognize simple social engineering attacks

You can see more examples in my recent security advisory on macro threats.

FILED IN

Cyber insurance uptake is growing quickly but a lack of employee training on the latest email attacks is leaving organizations at great risk of breaking policy terms. These new social-engineering and impersonation attacks could leave leaving firms of all sizes at risk of taking the full financial brunt of crime.

Waves of high-profile breaches and new breach notification legislation is setting the scene for a huge growth in cyber insurance take-up. But while insurers often pay for clean-up fees after a breach, it is important that organizations check that their policies protect them if an employee is tricked into sending a large amount of money to a fraudulent account.

Whaling (CEO fraud) attacks have been growing rapidly in volume and in scale. Mimecast revealed in April that 67% of firms have seen an increase. Then only last month, Austrian aerospace manufacturer FACC sacked its CEO after his apparent mistakes led to the firm being defrauded out of €50 million ($55.8m) in a whaling attack.

Attacks where employees are tricked into sending personal data or intellectual property are even less likely to be fully covered. For example, how would an insurer decide compensation if a set of W-2 tax forms were stolen compared to the secret plans for a new and theoretical product? What about hacks that compromise the integrity of data rather than stealing it? Can insurance ever really fully provide coverage for these data-specific use cases? 

One other concern for insurers is that it can be difficult to separate real crime from potential insurance fraud.

As part of Mimecast’s research into cyber insurance policies, Mimecast questioned 436 IT experts at organizations in the US, UK, South Africa and Australia. The research revealed that:

  • 45% of firms with cyber insurance are unsure if their policy is up-to-date for covering new cyber social engineering attacks, and only 10% believe it is completely up-to-date
  • 43% of firms with cyber insurance are confident that their policies would pay out for whaling financial transactions
  • 64% of firms don’t have any cyber insurance at all

One example of this growing risk is the legal proceeding between Texas-based AFGlobal Corp and Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but insurer denied a claim when scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China.

The rise of whaling has created an attack climate where many insured organizations may not be protected from fraudulent transactions because they fall outside of the coverage scope of when their policies were originally signed.

Mimecast research also found that:

  • 58% of organizations have seen an increase in untargeted phishing emails
  • 65% have seen targeted phishing attacks grow
  • 50% said they have seen social engineering attacks that utilize malicious macros in attachments increase

A survey of risk managers by The Hartford Steam Boiler Inspection and Insurance Co. (HSB) highlighted the primary reasons for not buying coverage. Perceived complexity (44 percent), lack of a sufficient threat (34 percent) and cost (22 percent) were cited.

With the cybersecurity landscape constantly evolving, cyber insurers will have great difficulty keeping their coverage up-to-date. CEO fraud is a prime example how quickly an attack can grow morph. Tomorrow’s threats will almost always comes as a surprise.

Mimecast is recommending that all organisations review their cyber insurance policies regularly. A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats combined with appropriate technology fail-safes.

 

*Mimecast will be exhibiting at Infosecurity Europe, 7-9 June, at stand #G100. Mimecast security experts will discuss the top email attack strategies being used against millions of organizations around the world today. 

FILED IN

Surely everyone changed their LinkedIn credentials in 2012, when the LinkedIn hack was made public right?

Furthermore, most users would have doubled down on their credential security - changing their passwords to something complex and perhaps using a secure service like LastPass to manage those credentials securely, right?

LinkedIn confirmed last week that more than 100 million members' email and password combinations stemming from a 2012 data breach have been posted online.
LinkedIn confirmed last week that more than 100 million members' email and password combinations stemming from a 2012 data breach have been posted online.

So when LinkedIn confirmed last week that more than 100 million members' email and password combinations stemming from a 2012 data breach have been posted online, the natural question is 'why bother'?

As I pointed out to CNET this week, it's no longer the credentials themselves which have value (although there might be a few laggards who still haven't changed their passwords). It's the fact that cybercriminals now hone in on a target by building very accurate pictures of companies and employees ripe for targeting. Also, as I discussed with Computing in March, LinkedIn is now the principle super market for enterprise hacking intelligence - a front door for hackers.

Once the overall picture of an organization is complete, the email account of the target be it personal or professional becomes the Holy Grail for the attackers. Suddenly the penny drops…Peace, who according to a story from Vice's Motherboard is trying to sell the credentials for about $2,200 in bitcoin is actually selling the email addresses.

And I'm sure he or she will sell the information in no time at all - because who thought it was important to change their password and email address in 2012? Not many.

Aside from the immediate damage of social engineering-based attacks, the damage will really be felt by organizations who've been hacked over the last few years and are high-value targets in general. What this action has done is highlight the long-tail value of hacking - inspiring cybercriminals to re-harvest old hack data and inspire more audacious attacks in future as the financial incentive has been boosted further still.

FILED IN