April Update – Increase in Cyber Threats

I need to call your attention to a current security matter. In the past several weeks there has been a measurable increase in sophisticated email phishing attacks orchestrated through intense targeted social engineering.

There has been a sharp rise in email cyber threats across the nation. I have been made aware of this situation on a national level through my affiliation with the FBI and my participation in a national information technology peer group. Throughout the United States, the FBI has seen an increase in these cyber breaches and a significant increase in losses reported to the internet cybercrime division, IC3. Managed Service Providers across the nation have been battling this increased email threat level. I have seen evidence of the immediate cyber threat in our own client base here in Houston as well.

Executive level awareness is of paramount importance. For our clients whose network is managed by MergerTree, multiple layers of network security are in place and actively managed. The current attack is a direct cybersecurity threat with the ability to circumvent network security. The vulnerability to our clients is via the susceptibility of staff to social engineering. Network security can lock up the network and secure the data, but if a staff member falls victim to a phishing email and inadvertently gives their access to a criminal then they have effectively opened the door and invited the perpetrator into your network. This is what we are seeing over and over across the country.

There is an intangible element to cyber threats that can make them difficult to grasp. It is simpler to illustrate with an example of physical security. Let me explain .

  • Suppose you purchase and have installed strong locks on all the doors and windows of your home. Then you purchase and have installed a security system with cameras that record events such as doors opening. You have alert levels set for things like smoke, or a window breaking. You have established multiple layers of home security as we have established network security for your organization.
  • You talk to your family about stranger danger and tell them to lock the doors when they leave and lock up again when they come back inside. You have established a security procedure.
  • Now suppose someone with bad intentions comes to the door and your family opens the door. Security is breached.
  • Aware of a higher threat level you may counsel your family not to open the door to strangers, reestablishing a higher security level as we have by warning clients not to open suspicious emails or click on unknown links.

Cyber-attacks have evolved.

  • Suppose someone texts a member of your family and says they are in the drive way and need help carrying things inside. Suppose the text looks like it is coming from you, the words in the text sound like you, they know things only you should know; nicknames, speech patterns, common phrases. But it isn’t you. It is a criminal with knowledge gained from intelligent phishing using social engineering to manipulate access through your carefully constructed layers of security. That is where we stand with this current cybersecurity threat.

The  largest threat vector in our client base is through staff awareness. These criminals are not brute forcing their way in, they are cleverly disguising themselves and being ushered through security. Your strongest action for mitigating this threat is to immediately make it clear to staff that this is an executive priority and insure your team pays attention to the alerts and training coming to them from MergerTree.


  1. Make it known this is an Executive priority.
  2. Immediate emphasis on procedure where any money transfer or irregular payment is confirmed by phone prior to transaction.
  3. Instruct employees to pay attention to emails from MergerTree and complete offered training.

What to know about Meltdown & Spectre

Credit – Stu Sjouwerman of KnowBe4

“Computer researchers have recently found out that the main chip in most modern computers—the CPU—has a hardware bug. It’s really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on our network, including your workstation and all our servers.

This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. This hardware bug breaks that isolation.

So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.

So, What Are We Doing About This?

We need to update and patch all machines on the network. This is going to take some time, some of the patches are not even available yet. We also may have to replace some mission-critical computers to fix this.

In the meantime, we need you to be extra vigilant, with security top of mind and Think Before You Click.”

Thank you Stu! You have a knack for bringing the techno-babble to layman’s terms!



Recent increase in breach attempts against remote access vectors.

Our security systems have recently detected numerous breach attempts originating from IP’s in Europe attacking remote access ports. Specifically we are seeing remote access systems targeted with DDoS and Brute Force password attacks. While these attacks are active, your staff might not be able to access their business applications.

Our threat detection systems and procedures have protected our managed services clients from breach. Just curious if others are also seeing an increase in this threat vector. I suspect many organizations may be seeing the same, but lack the systems to detect and prevent these threats.


From <https://www.linkedin.com/post/edit/6354353081727143936>

Important Notice regarding WannaCry/WannaCrypt Ransomware threat

News is spreading fast about this global ransomware threat. Over the weekend Europe, China, and Russia based computer systems were struck heavily by this new threat. We are still seeing this threat grow and it has reached the U.S. as well.

For MergerTree Managed services clients we run endpoint protection and Windows updates to protect your systems from such threats. However, there are still necessary precautions and considerations for your home systems and friends and family that may not have such system protection.
Precautionary measures to mitigate ransomware threats include:

  • Ensure anti-virus software is up-to-date. (Webroot is included with MergerTree Managed Desktop services).
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks. (Server backups are included in the MergerTree Managed Services Agreements).
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.

A Message From Webroot:

Webroot does currently protect you from WannaCry ransomware. In simple terms, although this ransomware is currently causing havoc across the globe, the ransomware itself is similar to what we have seen before. It’s the advanced delivery mechanism that has unfortunately caught many organizations off guard.

In addition to deploying Webroot as part of a strong endpoint control strategy, it is essential you continue to keep your systems up-to-date on the latest software versions, and invest in user education on the dangers of phishing, ransomware, social engineering and other common attack vectors.

Read the full Alert from US-CERT:

Cybersecurity Tips

Cyber threats continue to evolve at an alarming pace. I recently came across a couple of cybersecurity awareness tips and felt that I should pass these along. The first tips came from the SANS Institute https://www.sans.org/tip-of-the-day . I have mentioned some of these tips in previous blog posting, but repetition is the greatest form of emphasis.

Email Auto-Complete

Be careful with email auto-complete. This is an email feature that automatically completes a name for you when you begin typing it in the TO field. However, your email client can easily complete the wrong name for you. If you are emailing anything sensitive, always be sure to check the TO field a second time before hitting the send button.

To learn more, check out this OUCH! newsletter.


Every plugin or add-on you install in your browser can expose you to more danger. Only install the plugins you need and make sure they are always current. If you no longer need a plugin, disable or remove it from your browser via your browser’s plugin preferences.

To learn more, check out this OUCH! newsletter.

Patch and Update

One of the most effective ways you can protect your computer at home is to make sure both the operating system and your applications are patched and updated. Enable automatic updating whenever possible.

To learn more, check out this OUCH! newsletter.

Back up Your Files

Eventually, we all have an accident or get hacked. And when we do, backups are often the only way to recover. Backups are cheap and easy; make sure you are backing up all of your personal information (such as family photos) on a regular basis.

To learn more, check out this OUCH! newsletter.

IoT Trojan Horse

The new “Trojan Horse” loT

The IoT, Internet of Things, has been a discussion point for many security experts this year. The more technology we introduced into everyday life brings great automation and convenience. But it also brings substantial risk. Consider last Friday’s DDoS (distributed denial of service) attack on the Dyn data centers. This attack took down Netflix, Twitter, PayPal, and other online businesses. What looked like a data center issue at Dyn was really a well-orchestrated cyber-attack. But by whom? While we may not have the answer to this yet, we do know what happened.

It all begins with Chinese manufactured web cameras (IoT devices). Millions of said cameras are in operation and connected to network around the world. They are online so that the owners can connect and monitor their cameras. Everything connected to the Internet is a target for bad actors and hackers.

A new malware named Mirai was created to hunt out and breach these and many other camera systems. And it was REALLY easy. You see the cameras have security, but most users never take the time to change the default credentials. Meaning they just plug in the cameras and are happy they are working. Never giving thought to any security risk! These and all devices connected to the Internet must be secured and must not be left with default settings!

As Mirai searched the internet with a list of 60 known default credentials, it planted a Trojan Horse and reported back to the bad actors awaiting command. Last Friday the bad actors began their attack using the compromised IoT devices to send malicious traffic at the Dyn data center. This traffic hit with such a pace and volume that the data center could not keep up and resulted in service outages. No fault to Netflix or Twitter or PayPal, but it certainly appeared that their systems were down. The reality was they just could not be reached due to this DDoS.

After half a day the threat was mitigated. The Dyn security team was able to deflect traffic and restore services. But there is still a huge risk on the internet and millions of breached IoT devices. The Chinese manufacturer has offered a recall on many of the cameras, and many other models can be fixed with a firmware update. But who really will take action on this? How do people know if they have a breached camera? And would they understand how to update the firmware? There are far more questions than answers at this point.

I can’t help but consider that this could be a nation state sponsored threat. Isn’t anyone else concerned that a foreign nation propagated millions of cameras with embedded credentials that could allow them to take control of them at any time?

This time we lost Netflix and Twitter for a few hours. What if the attack had been directed at our financial institutions or national infrastructure?

A case of Corporate Spying

Oil and natural gas intellectual property (IP) includes a company’s trade secrets, proprietary information, and research. This ranges from drilling equipment to pipeline insulation, which if stolen could result in lost revenue, lost employment, damaged reputation, lost investment for research and development (R&D), and interruption in production.

Who might steal your IP?

  • Domestic and foreign commercial rivals
  • Domestic and foreign start-up companies
  • Foreign Intelligence Officers (spies)
  • Disgruntled employees (insider threat)
  • Organized criminals

A good description of actual economic espionage was reported by the FBI. In 2012, two Chinese nationals were arrested by the FBI for attempting to pay $100,000 to a Project Manager employee for “Pipeline Insulation,” a trade secret belonging to a well-known US company. The two individuals were seeking the technology to open a plant in China to compete with US companies. They solicited the company’s employee via a newspaper ad seeking “technical talent” with 10 or more years’ experience in “Pipeline Insulation” and a willingness to work in Asia.

The Chinese nationals used low-tech and careless methods of collection. Given the high risk of getting caught, these individuals displayed minimal concern for possible repercussions of their actions. Outlined below are espionage indicators noted during the course of the FBI investigation:

  • Supplying a company insider with a requirements list through unclassified e-mail.
  • Seeking specific types of information at selected companies.
  • Targeting a 24-hour operational facility with the highest production of trade secrets, allowing for more opportunities to acquire technology.
  • Providing inconsistent information when confronted by plant management for trespassing.
  • Asking that trade secrets be provided on a thumb drive.
  • Knowingly purchasing documents with proprietary markings with the intention to remove the information.
  • Seeking a consultant who can travel to China two to three times a year to support plant developments

The example above is but a brief summary of threats in today’s world. Companies hold IP in drilling fluids, pipeline testing, chemical plant unit design, waste disposal, power generation, rig automation, geoscience data and analytics and much more.   These are all valuable commodities to bad actors bent on stealing them for profit or stealing market capture. This puts companies at extreme risk of loss of market share, profit and employment of US citizens. Now is the best time to review your physical security and cybersecurity defenses.

Click here to read more.

Zero-percent cybersecurity unemployment, 1 million jobs unfilled

Given the reported shortage of cybersecurity talent, it makes sense that Managed Cyber Security providers offer numerous leveraged advantages for SMBs that want to bolster their IT security. These advantages include:

  1. Extensive resources– Many SMB owners and managers said they believe their businesses are more prone to cyber attacks because they lack the resources to maintain their defenses. Conversely, an MSP possesses the skills and know-how to minimize such issues.
  2. Better preparation– Many SMB’s note that they are unprepared to deal with insider threats, while almost half say they are unprepared for unsecured internal or external networks. An MSP can help an SMB understand and manage these problems.
  3. Specialization– One third of SMB IT staff say they juggle security along with their other IT responsibilities. However, an MSP can focus exclusively on security and ensure an SMB gets the cybersecurity support it needs at all times.

MSPs, like MergerTree Solutions, that offer platforms that leverage cloud-based security architecture are becoming increasingly important because they allow SMBs to implement protection without investing in new infrastructure or being burdened by upfront deployment and management costs.

Contact us today to learn more about the MergerTree Solutions Managed Cybersecurity Platform troy@mergertree.com

What Should You Do About the “Microsoft Tech” Support Scam?

What Should You Do About the “Microsoft Tech” Support Scam?

Anyone claiming to be from “Microsoft tech” or “Windows” should be expected to know if there was a virus on your PC, right? And when they guide you into checking the Windows Event Viewer (where harmless errors are logged) and reading out a string of numbers, they usually manage to snare you into their swindle. After all, you don’t want to lose your hard work, or be without your computer due a virus, right?

The objective of this type of scam is to talk you into installing remote software on your computer, so that they then can take control. Once control is taken, this will either allow them to steal data, introduce a Trojan horse or other malware (the remote software itself may be a malicious tool) or just perform a bit of “tech support theatrics” to make it seem as though they know what they’re doing.

Once the “virus” is discovered the scammer will, of course, demand money for their services of “removing” it. This can go a number of directions, but if you refuse, there is the possibility that the scammers have remotely changed your password or encrypted your files, transforming this into a one-on-one ransomware scam.

How do you handle a scam call?

  • Hang up the phone when you identify that the call is uninvited.
  • Do not allow remote access to your computer.
  • Never divulge passwords or pin numbers.
  • Microsoft nor anyone on their behalf will ever call you.

Last, if you paid a “Microsoft tech” support scammer to “remove” a “virus”, call your credit card company right away. Tell them you have been scammed, and they should cancel the transaction. You should also change the password for your credit card account… and all other passwords you use, too.

By giving your credit card details to the scammers to pay for their “service”, you’re also likely to give them the information they need to use your card. By sharing the 16-digit number, the valid until date and the three-digit number on the reverse, you’ve essentially given them everything they need to steal from you. Remember, they called you: this is not a safe way to conduct business!

Let the bad guys spend their money and spin their wheels.

As hackers get smarter so must we…a locked screen no longer secures a pc. There are still simple measures to secure your pc.

Don’t leave your unattended workstation logged in, especially overnight, even if you lock the screen.

Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it is no longer good enough, researchers have found recently. There is new evidence that attackers can use some USB-to-Ethernet adapters to steal credentials from locked Windows computers

Industry experts found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds. The hash can later be cracked or used directly in some network attacks. These attacks can be pulled off with cheap devices, like the Hak5 LAN Turtle, which costs $50.

The USB device can be configured to masquerade as an USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer. This is not difficult because: 1) operating systems automatically start installing newly connected USB devices, including Ethernet cards, even when they are in a locked state and 2) they automatically configure wired or fast Ethernet cards as the default gateways.

For example, if an attacker plugs a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface.

This particular vulnerability is only exposed when a pc is using a wireless connection.

Additionally, when a new network card gets installed, the OS configures it to automatically detect the network settings through the Dynamic Host Configuration Protocol (DHCP). This means that an attacker can have a rogue computer at the other end of the Ethernet cable that acts as a DHCP server.

Once an attacker controls a target computer’s network settings via DHCP, he also controls DNS (Domain Name System) responses, can configure a rogue internet proxy through the WPAD (Web Proxy Autodiscovery) protocol and more. The hacker essentially gains a privileged man-in-the-middle position that can be used to intercept and tamper with the computer’s network traffic.

According to experts, computers in a locked state still generate network traffic, allowing for the account name and hashed password to be extracted. The time it takes for a rogue USB device to capture credentials from a system using this attack is around 15 seconds.

Depending on the Windows version installed on the computer and its configuration, the password hashes will be in NT LAN Manager (NTLM) version 2 or NTLMv1 format. NTLMv2 hashes are harder to crack, but not impossible, especially if the password is not very complex and the attacker has access to a powerful password cracking rig.

There are also some relay attacks against network services where NTLM hashes can be used directly without having to know the user’s plaintext password.

Was all that pretty high tech, involved, and even confusing? This is a high stakes business. Investments into research and development of hacking schemes and equipment pay off. Money and time are invested and risks are taken to illegally obtain personal credentials and passwords. That should be their loss, not yours! Fortunately, despite all they have put into this clever trick, preventing this vector from stealing your personal information won’t cost you a penny or even cost you much time. You are aware and that is the first step.

  • When you leave your computer unattended, log out. SAFE
  • Stay hard wired not wireless when conducting work or using personal credentials. SAFE
  • Secure the physical environment of your workstation. SAFE

Let the bad guys spend their money and spin their wheels. As long as you are aware and prepared, they lose not you.