New Phishing Attack

This week we [Layer3] have seen a new phishing attack being launched within New Zealand, and it’s a zinger.

Scammers and hackers are getting smarter. Having a good firewall, antivirus and spam filtering within your organisation only goes so far to stop phishing attacks. What we’ve seen this week goes beyond traditional security measures and breaks out of the box in order to trick end users into entering their credentials.

I’ve blanked out the name to protect the victim. This is a real email I received today.

Here’s how it works:

Initial email

You receive an email, with an attachment, asking you to open it. We’ve all had these, but this one is a little different.

So far, it looks normal. The email address here is legit (I’ve checked the technical details). So you click the attachment.


The attachment is another email. When opening this email, it looks like there is a toolbar with another attachment. This isn’t an attachment, it’s a link. This link takes you to a legitimate Microsoft OneDrive account which is still active at the time of writing. Because of this, your security software and firewalls will not detect any malicious behaviour.

The link is legitimate

OneDrive PDF Attachment

Now you are viewing a PDF attachment on a legitimate Microsoft OneDrive account.

This PDF yet again has another link to download a PDF. This is where the attack happens. This link sends you to a credential harvesting page asking you to log in via Office 365 or by using your Google account.

Upon selecting your provider, in this case Office 365, you are prompted for your credentials.

The link for this site, shown in a screenshot in the original post, is not a legitimate website.

If you have entered your information, your account has now been compromised.
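The attached-email step of this chain can be checked mechanically. The following is an added example, not part of the original post: it walks a message, descends into attached emails, and reports links whose visible text poses as a file. The sample message, the file-sharing host list and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Assumption for this example: hosts treated as file-sharing services.
FILE_SHARE_HOSTS = ("onedrive.live.com", "1drv.ms", "sharepoint.com")
# Simplified anchor matcher; a production tool would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
FILENAME_RE = re.compile(r"\.(pdf|docx?|xlsx?|zip)\b", re.I)

# Constructed sample: an email whose attachment is itself an email.
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: Please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Please see the attached message.
--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="document.eml"

From: sender@example.com
Subject: Shared document
MIME-Version: 1.0
Content-Type: text/html

<p><a href="https://onedrive.live.com/constructed-example">Invoice.pdf (142 KB)</a></p>
--outer--
"""


def leaf_parts(msg, depth=0):
    """Yield (depth, part); depth counts the attached emails enclosing the part."""
    if msg.get_content_type() == "message/rfc822" and msg.is_multipart():
        for inner in msg.get_payload():
            yield from leaf_parts(inner, depth + 1)
    elif msg.is_multipart():
        for sub in msg.get_payload():
            yield from leaf_parts(sub, depth)
    else:
        yield depth, msg


def find_disguised_links(raw_email):
    """Report links inside attached emails whose visible text poses as a file."""
    findings = []
    msg = message_from_string(raw_email, policy=policy.default)
    for depth, part in leaf_parts(msg):
        # Only HTML bodies that sit inside an attached email are of interest.
        if depth == 0 or part.get_content_type() != "text/html":
            continue
        for href, inner_html in ANCHOR_RE.findall(part.get_content()):
            text = re.sub(r"<[^>]+>", "", inner_html).strip()
            host = (urlsplit(href).hostname or "").lower()
            if FILENAME_RE.search(text):
                on_share = any(host == h or host.endswith("." + h)
                               for h in FILE_SHARE_HOSTS)
                findings.append({"depth": depth, "host": host,
                                 "text": text, "file_share": on_share})
    return findings


if __name__ == "__main__":
    for finding in find_disguised_links(SAMPLE):
        print(finding)
```

A finding with `file_share` set means the destination itself will look clean to URL reputation checks, so the signal worth alerting on is the structure: a file-named link inside an attached email.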


The simple solution is to have your staff trained. We engage our customers with free security seminars all year round. These are hands-on seminars aimed at engaging with staff to make them look at security differently.

Daniel Bohan showing staff how not to be reeled in

We also run phishing simulators on an ongoing basis to ensure staff and management stay vigilant.

If you’d like to see more of these sorts of stories, please let me know.

Windows 7 – It’s all over, and soon!

It’s quite hard to believe that Windows 7 is now 10 years old – it seems like only yesterday that I installed it.

Unfortunately, time is running out – it’s crunch time.

Windows 7 goes ‘end of support’ in January 2020. Windows 7 is in extended support now. This means no new features have been added to the operating system since January 2015 when mainstream support ended.

What does this mean for you, the business owner whose Windows 7 computers are working absolutely fine?

There are two big issues with the end of life of operating systems:

No further patches from Microsoft

This is the big one. Come end of life, Microsoft will stop releasing patches for the operating system. This means when an issue is found, which primarily will be security related, Microsoft will not release a patch. This will make your computer potentially vulnerable to this new threat.

These issues plagued Windows XP once it entered the end-of-life phase. Malware and ransomware created havoc on the operating system, which got so bad that in 2017 Microsoft released a patch to help stop the WannaCry virus, which was spreading around the globe like wildfire.

Your applications will no longer be updated

Applications will slowly drop support for Windows 7. You can expect that updates for your accounting software, CRM and most internet browsers will not be able to be installed on the operating system. This could potentially leave you in a situation where you are not compliant in your business.

So what are your options?

Upgrade your operating system? This is generally not a good option. If you are using Windows 7, you most likely have computers which are a number of years old. These computers will likely barely meet the minimum requirements of the latest operating system, Windows 10. If you decide to upgrade your computers, you may find the performance to be frustratingly slow.

Buy new computers? If you have a technology roadmap in place, your organisation will already be replacing computers every 3-5 years. As part of this, Windows 10 should have been introduced to the roadmap a year or two ago. If not, there’s no time like the present.

A replacement or upgrade strategy needs to be in place to ensure computer and software compatibility.

Do nothing? I expect most businesses will update their operating systems, but if you decide to do nothing, then the best I could advise is to ensure your security protection is up-to-date.

We don’t want another Windows XP scenario, where it took years for Windows XP to disappear. This caused many of the malware/security outbreaks over the years. Because these operating systems were not supported, malicious groups were able to create viruses and malware to take advantage – you don’t want to become one of the statistics.

If you want to discuss your options, please get in touch, especially if you have specific needs like manufacturing or HIPAA-based compliance. We are specialists in this area.

Collection #1 – The biggest data breach of all time

Over the last few days, the biggest data breach of all time has come to light.

Collection #1 appears to be a set of information from a number of breaches. This information was being freely passed around on public forums.

The file contains 1,160,253,228 unique email addresses and password combinations. This amount of data surpasses that of the Yahoo breach (next biggest).

It is very easy for hackers to use this information to perform automated attacks. You may have already received an email last year in which the email contained a previous password you used at some point in time. This email was to scare you into sending bitcoin to an address in order to stop your search history being leaked (implying you were looking at ‘dodgy’ sites). I expect much more of this to come over the next few weeks/months.

If you wish to check your email address to see if it is in a list of hacked email addresses, you can visit If you wish to see if your password has been leaked in any of these breaches visit the sub site here

It is very important that everyone uses a unique password for each service they use. For instance, if you have a Hotmail account and use Office 365 at work, ensure the passwords are different. If you have trouble remembering all these passwords, use a password manager such as LastPass.

If you haven’t changed your password in the last 6 months, do so now.

Security can be further improved by using two factor authentication (2FA). If you wish to know more, contact us.

2018 In Review

2018 has been an interesting year at Layer3.

We’ve kept our head down as we’ve been flat out implementing new services and on-boarding new customers.

Layer3 has gone through a bit of a transformation this year. A large chunk of our time has been spent on revamping our service offering, but also investing a large amount of time implementing new security practices and systems throughout our organisation, as well as our customers.

One customer we proposed to this year had very staunch requirements and required our full suite of IT management, network and New Zealand-based private cloud services. Part of the process led us to undergo comprehensive internal and external penetration testing by KPMG. Of course, we passed these tests and the organisation is now happily under Layer3 management.

The customer required strict security measures to be in place, such as perimeter threat gateways in all locations, deep packet inspection, two-factor authentication on all services, secure VPN connectivity from our datacenters and their offices to banks and telcos around New Zealand. This was a major project for Layer3 which went very smoothly.

A Heavy Focus on Security

2018 has been a year of very real security threats. Early on, Petya was wreaking havoc around the world. Facebook and Google had data leaks and privacy issues, with public confidence in Facebook severely shaken and Google+ even shutting down in response. The threat of cryptoviruses hung in the air and phishing attacks were at an all-time high.

In turn, Layer3 expanded and strengthened our suite of security services. We’ve been running phishing workshops for our customers all year round, as well as running automated security/phishing tests for our customers as the attacks are becoming more sophisticated with a focus on the end user rather than trying to break through firewalls.

We’ve also redesigned our service plans from the ground up with security being at the core of our offering. The days of antivirus and a firewall being enough are over. We now take a three-dimensional approach to IT security – border security, user security and environmental security. Our new ManageX plans cover all of this, catering to organizations of any size and delivering a feature-rich programme to keep businesses safe from the ever-growing threat landscape, both external and internal.

Expanding Datacenter Services

During this time, we’ve also completed major upgrades at our datacenters. Our Auckland site’s capacity has doubled in size. In January 2019, our new backup-only services with more than 100TB of storage each will go online. This brings our total storage across all datacenters to more than 400TB which is considerable. To put that in perspective, that’s enough storage to store over 51,000 HD movies.

Over the Christmas break, we will be upgrading our Wellington datacenter, with triple gigabit premium connections to provide better speed, connectivity and stability to our customers.

Auckland Expansion

While we are based in the greater Wellington area, Layer3 actually supports customers around the country. We were pleased to welcome Nelson Airport this year to our custom CloudX platform.

A major area of growth though has been in Auckland. As a result, we decided it was time to put some feet on the ground there and you can expect our new Mt. Wellington office to be operational by mid-2019!

IT Nation

In November, I attended IT Nation in Orlando, Florida. This massive conference is the largest IT event in the world, stretched across three action packed days, with over 3,500 people in attendance from around the world. It felt like a huge workshop with lots of information about up-and-coming trends in the IT space. One of the big takeaways was security. Surprisingly, very few of the companies attending had a full set of security services. I was happy to be able to stand and say that Layer3 did and has done for the past two years.

The main theme of IT Nation this year was ‘everything as a service’. You can already see this happening, even outside of IT. The most recent example was Lime Scooters coming to the Hutt Valley last week. Ride sharing as a service will be a big thing over the next couple of years. While I was in America, I used Uber Express POOL everywhere. This is a ride sharing service with other people being picked up and dropped off at the same time. You get a cheap ride which takes slightly longer than a normal Uber ride. I can really see this taking off and replacing some forms of public transport.

Lime recently launched LimePods in Seattle, a new ‘as needed’ shared rental car service. Once autonomous vehicles become the norm, I see this as the future where owning a car won’t be necessary for many people – but that’s another story!

To bring this back to the IT space, ‘everything as a service’ is exactly what we have been developing and soft launching at Layer3 this year with our new ITX family of services. Covering management, cloud, security, network, voice and connectivity our new generation of service plans provide and manage your entire IT environment as a monthly service. From bandwidth to boardroom, everything is managed and monitored. It was wonderful to see all of the work reaffirmed at IT Nation and to know that we are well ahead of the curve, not just in New Zealand, but worldwide.

To the Future – 2019

Looking forward to 2019, there’s a lot happening. Cloud services are changing, providing more opportunities to enhance productivity but also new challenges to keep your systems and data secure. The options for businesses are now virtually endless.

However, it’s about making the right choice in the ever-growing sea of services and Layer3 will be ready to help each of our clients chart a path towards their individual goals.

Have a safe and happy Christmas and New Year.

Two-Factor Authentication

It’s always the way. I was meaning to write this post a couple of months ago, but as you do, you get busy. But in that time, there has been a lot of talk about two-factor authentication.

This talk has come about because of new threats arriving on a daily basis, more sophisticated than ever before.

As the name states, two-factor authentication, or 2FA for short, relies on another method of authentication rather than just the standard username and password. The second factor can be an SMS text message, a 2FA authenticator on your phone, a phone call or any number of other methods. Some of these methods are better than others.

The way 2FA works is when you log in/authenticate to your application or website, a second authentication method is sent via your preferred method. Once you approve the second authentication method, you will gain access to the application/website.

2FA has been around for a long time. Previously, the 2FA methods were quite cumbersome. Does anyone remember the hardware tokens that ANZ/BNZ used to give out? When you logged into internet banking, you’d use a token generator in order to log in. This was a very slow method (and not really used anymore). Hardware tokens are one of the stronger methods though.

You may be thinking ‘great! If I use 2FA, I won’t be compromised!’. While 2FA significantly increases your security for the application/website you are logging into, it can be compromised.

If you use the SMS or telephone method of authentication, hackers have been known to ring mobile providers and social-engineer the call (pretending to be you) in order to move your number onto their SIM card. This allows the attacker to take over your number and complete the 2FA process themselves.

The other problem is that most 2FA authenticators are installed on a mobile phone. If you lose your mobile phone and your 2FA keys are not backed up somewhere, you will lose access to the applications and websites that are protected by 2FA. The process to remove 2FA on your accounts so you can gain access can be very troublesome – but there are ways to get around this listed below.

At Layer3, we’ve been using 2FA with our clients for some time. We use it when logging into your computer at work, and when using services such as Microsoft Office 365. Using 2FA on computers at work has stopped remote attackers a number of times. Using 2FA with Microsoft Office 365 makes it significantly harder for attackers to gain access to your email, especially when the option ‘always stay signed in’ is enabled.

If you’d like to start using 2FA outside of the workplace, and I highly suggest you do, there are some great applications in order to do this:

Authy: I recently moved to this application on my phone as it allows your 2FA keys to be backed up in their cloud service. Their cloud service protects your keys via strong encryption and a master key. You need the same phone number associated with your phone in order to restore your keys. Most 2FA websites and applications support Authy.

Google Authenticator: This has been the stock standard 2FA authenticator for some time. Google Authenticator works very well, but it lacks a backup feature.

Microsoft Authenticator: Same as the Google Authenticator, Microsoft Authenticator works with most Microsoft websites and Microsoft based accounts. Backup of keys is not currently available, but it is coming within the next month or two.

I highly recommend 2FA. It is not the end-all solution, but it does provide significant protection over a standard username and password.

VPNFilter – A sophisticated threat to businesses

2018 has seen a lot of new cyber threats. Hackers, scammers and the like are getting smarter. VPNFilter takes me back to the famous Stuxnet virus which infiltrated Iran’s nuclear program.

VPNFilter is an advanced threat which targets predominantly home/small business routers. So far, the threat has infected over half a million routers worldwide. But this number is expected to grow as more is discovered about the threat.

The threat performs a number of hostile functions. One of these is what’s called a man-in-the-middle attack. Once the router has become infected, internet traffic that passes through the router is actively spied upon and can be tampered with, without the victims knowing.

The main point of this attack at this point in time is to steal sensitive data, such as usernames and passwords or banking information. However, with more being found out about this threat from various researchers, it is becoming clear that VPNFilter has the potential to be a far greater threat.

Cisco is expected to release a report this Wednesday (14th June NZD). From Ars Technica:

“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

It has become apparent that more models and brands of routers are susceptible to this threat.

Layer3 provides managed security gateways (security-focused routers), among other security-focused services. Layer3 was alerted to this threat early. Currently, our security gateways are not listed as being compromised by VPNFilter. Customers with the affected routers have all been patched against the VPNFilter threat.

It is another reminder that security is the number one priority in IT and for Layer3 as a managed service provider.

What you need to know about ‘Meltdown’ & ‘Spectre’

Over the Christmas break, Intel disclosed a security vulnerability within its processors. Google, who initially found the issue, has released a statement which now shows further processor manufacturers like AMD and ARM might also be affected by a different variant of the issue, codenamed ‘Spectre’.

There is currently a non-disclosure agreement in place until the 9th of January until further details are known. This has expired early.

There is currently a patch which has been deployed for Linux systems. Microsoft is planning to release a patch this week. Microsoft Azure and Amazon Web Services (AWS) are patching immediately.

With the patch release for Linux, people have noticed and performed benchmarks indicating a 30% drop in performance when the patch is applied.

Until Layer3 have tested the patch(s) from Microsoft, we will not automatically release these patches to customers. This is so we can internally test the performance implications of these patches. While the performance issues won’t affect desktop/laptop computers much, the performance of servers could be a real issue.

Please bookmark this post as we will update it as this issue progresses.

Update 1 (06/01): Updates will be applied to Cloud Office v1 and v2 on 05/01/2018 at midnight. Outage window of 2 hours

Update 2 (09/01): Microsoft has pulled the update amid issues with AMD and Intel processors. Layer3 have not officially rolled out these patches yet to customers as we are waiting for our Antivirus vendor to finish testing compatibility with these new Microsoft patches. More information can be found here about Microsoft re-issuing the patches

We will begin patching our datacenter operating systems this weekend (13/01/2018). Please keep an eye on our status page for more information.

Update 3 (12/01): We are patching our virtual environments hypervisors this weekend. This does not include Microsoft patching, as we are still testing the patches and the performance impacts.

A New Phishing Threat

There is a new phishing threat making the rounds which combines quite a bit of research on behalf of the attacker, along with a bit of social engineering.

Over the last few weeks, a number of our customers have seen what looks like an internal email from either a CFO, CTO or CEO asking for funds to be released to a particular party. Normally it is the ‘owner’ of the company (no one likes to question the owner).

The attackers are buying domains which are very similar to the victim’s domain. As an example, the attacker would buy (with an extra R) and send emails imitating me.

The emails usually contain a signature that is almost identical to the signature used by the victim. This shows the attacker has done research and possibly seen emails written from the company previously.

Because of the nature of this threat, it is almost impossible for IT/Security companies to block them effectively. However, there are steps your business can take to better protect yourself:

  • Train staff on what to look for in forged emails. This includes domain names, spelling mistakes, tones of voice etc.
  • Remove key contacts from your website. The CFO and CEO are normally the main targets of this attack
  • Review your payment processes. Possibly including two levels of sign-off
  • Investigate doing an internal social engineering penetration test – this is something Layer3 can assist with
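The first check in that list, the sender's domain name, can also be automated at the mail gateway. The following is an added example, not part of the original post: it flags From headers whose domain is within one edit (an extra, missing, changed or swapped letter) of your own. The domains and headers are constructed placeholders and the function names are assumptions.

```python
from email.utils import parseaddr

# Assumption: the organisation's own mail domains (placeholder value).
OWN_DOMAINS = {"example.co.nz"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1,         # deletion
                      cur[j - 1] + 1,      # insertion
                      prev[j - 1] + cost)  # substitution or match
            # Adjacent transposition, e.g. "exmaple" for "example".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From header value."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def classify_sender(from_header, own_domains=OWN_DOMAINS, max_distance=1):
    """Return 'internal', 'lookalike' or 'external' for a From header."""
    domain = sender_domain(from_header)
    if domain in own_domains:
        return "internal"
    if any(osa_distance(domain, own) <= max_distance for own in own_domains):
        return "lookalike"
    return "external"


def triage(headers):
    """Return only the headers that come from lookalike domains."""
    return [h for h in headers if classify_sender(h) == "lookalike"]


# Constructed From headers for illustration.
SAMPLE_HEADERS = [
    '"Chief Executive" <ceo@example.co.nz>',
    '"Chief Executive" <ceo@examrple.co.nz>',    # one extra letter
    '"Chief Executive" <ceo@exmaple.co.nz>',     # two letters swapped
    "Accounts <accounts@supplier.example.net>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify_sender(header), header)
```

The display name and signature are identical in the forged messages, so the classification relies on the address domain only.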

As attackers become more sophisticated, it’s important to stay vigilant and ahead of threats. If you have any concerns about these threats, please contact us.

Petya – Not all Cryptoviruses are equal

The latest round of Cryptovirus hit yesterday. Petya, named after a similar virus, which shares very little with the original, hit with the same destructive force as the WannaCry virus last month, this time without a ‘kill switch’.

Originating in Ukraine via a company called M.E.Doc, a tax company, the cryptovirus was spread by using the auto-update feature within the tax software. I’m sure there will be more investigation on how this came to be (hacked, or inside job?).

At first, many believed this was another cryptovirus made for financial gain. However, it became quickly apparent that this virus was designed to cause as much destruction in a short amount of time as possible.

Within the first few hours, the crypto’s email address, which is used to send your encryption key to unlock your files, was disabled. If you look at the blockchain (effectively your Bitcoin wallet) which the hackers have used, there have only been a little over 40 payments. At $300USD, that’s not a lot of money considering.

Analyzing the Petya virus further, it propagates throughout Windows networks using three different methods. First is the original method WannaCry used which was based on the leaked NSA tool, EternalBlue. The other two are more technical ways of using the Windows operating system to exploit security weaknesses where end users have ‘administrator’ privileges.

Based on the methods used, and few payments made to the cryptovirus Bitcoin wallet, coupled with the early takedown of the payment email address, I can conclude this was simply an attack to cause as much damage as possible.

We have had no reports of infection from our monitoring systems. All our customers’ devices and our own infrastructure were checked when the WannaCry virus was active. We double-checked again today and found no issues.

This cryptovirus was well written and destructive, so what can you do to keep safe?

  • Make sure your antivirus is up to date
  • Don’t turn off Windows Updates (you’d be surprised)
  • Don’t turn off Windows UAC
  • Be vigilant when opening emails with attachments and links

If you would like a more technical explanation, Microsoft has published a great post.