Are you getting settled in your new home office? COVID-19 has changed people’s working habits drastically, but hackers are trying to take advantage, so how can organizations be prepared and why do companies need to analyze their network traffic?
Due to COVID-19, almost all of the world’s major IT companies have moved most employees to work from home. These include Amazon, Apple, Facebook, Google, Instagram, Microsoft, and Twitter, to name just a few. Some employees are now using their home laptops and desktops, which may not be properly configured for security. Indeed, criminals will always try to exploit the latest trends and anxieties for their own gains. The number of vulnerable corporate systems accessible to attackers is increasing every day, making risk reduction a matter of urgent concern.
Be prepared for phishing
Back in 2005, emails used to spread the Naiva.A Trojan had “What is avian influenza (bird flu)?” as their subject line. In 2009, messages warning of swine flu in the U.S., or an outbreak in Hollywood, helped cyber criminals to sell counterfeit medications and obtain personal data for future attacks. At the peak in 2009, such messages accounted for almost 4 per cent of spam worldwide. Similar attempts were made by hackers in India a month ago when they sent a malicious document titled “Preventive measures to cope with coronavirus” to obtain information about Chinese research.
Since January 2020, more than 4,000 COVID-19 information sources have been catalogued. Of these, 5 per cent were suspicious and 3 per cent were malicious. Fraudsters sent messages disguising themselves as the World Health Organization (WHO) about a cure for coronavirus or availability of express testing kits. As the WHO warns, look at the sender’s address, which in the case of the WHO should resemble “email@example.com”. If the part after the “@” is not “who.int”, then the sender is not affiliated with the WHO.
A phishing email titled “Coronavirus outbreak in your city (Emergency)” claimed to come from the U.S. Centers for Disease Control and Prevention (CDC). Instead of the genuine domain (cdc.gov), the fraudsters used the domain “cdc-gov.org”. Clicking the message link takes the user to a fake Microsoft Outlook login page, created to steal any usernames and passwords that are entered.
Sometimes it’s possible to spot a phishing message based on poor grammar or design. Attackers usually fail to adapt their messages very carefully. Links in such messages often go to a fake version of a popular site. On the fake site, the user is asked to enter their username and password. Naturally, do not click these links and do not enter your username or password. To visit a site of interest, either type the domain by hand or look it up using a search engine.
Remember that cyber criminals right now have a number of juicy materials at their fingertips to scare victims into opening messages, including flight cancellations, closure of public transport, quarantines, lockdowns, and sudden changes affecting companies or industries.
Besides the run-of-the-mill phishing attempts, we have also seen targeted attacks that leverage interest in COVID-19. Gamaredon, one APT group monitored by Positive Technologies, sent messages claiming to be from the Ukrainian Foreign Ministry. The malware was packaged in a document supposedly containing statistics on the spread of the coronavirus. In February, reports described phishing attacks targeting shipping companies, in which COVID-19 was also used as bait. The malicious attachment (a Microsoft Word file) exploited vulnerability CVE-2017-11882 in Microsoft Office.
Defend staff from BEC
Business Email Compromise (BEC) targets staff responsible for paying vendors and other third parties. This is a very targeted form of social engineering where criminals pose as the company’s executives, sending emails to finance & accounting staff. In most cases, the email address of the criminals’ messages closely resemble the address of the genuine executive. The message typically say something along the lines of, something unexpected has happened and money must be transferred right away to a new bank account. In reality, of course, this bank account is controlled by cybercriminals. The same criminals may also take advantage of the panic to demand urgent transfers of large amounts. So, as more employees work from home and face-to-face communication is reduced be sure to go the extra mile to verify who you’re actually communicating with. Employees responsible for outgoing transfers should use additional communication methods, such as phone calls or video conferencing, as extra precautions to ensure they are making transactions to the right person.
Keep software up to date
In most cases, malware attacks leverage vulnerabilities in legitimate programs and applications. This makes it important to perform patch management and install the latest versions of software anywhere possible, both on remote workstations and corporate systems. Centralized management of updates and patches is one way to automate this process; protection solutions can also verify whether updates and patches have been successfully installed.
Priority should be given to updating operating systems, productivity software, and antivirus protection. Warn employees about the danger of obsolete browsers, such as versions of Internet Explorer that are no longer supported. Before starting an update of a home computer, we recommend creating a restore point or system backup: some recent Windows 10 updates can cause the dreaded Blue Screen of Death (BSOD).
Don’t forget about the threat of ransomware. In Q4 2019, ransomware accounted for 36 per cent of malware infections at companies. Some criminals are retargeting efforts to concentrate on corporate users who have started to work from home. A few malware operators such as Maze and DoppelPaymer are showing a sort of social responsibility, announcing that they will no longer attack health services during the pandemic. But even so, other industries very much remain at risk. We advise users to keep copies of key files not only on their computer but on external drives or in secure cloud storage.
System administrators should eliminate at the very least the most dangerous vulnerabilities in their corporate infrastructure. When vulnerabilities with known exploits are still present, companies risk losing critical data and functionality of their IT systems. Issues in software such as Citrix have been used to great effect by ransomware hackers.
Here are the top three vulnerabilities to address:
- Citrix (CVE-2019-19781). Discovered by Positive Technologies researcher Mikhail Klyuchnikov, this vulnerability has been dubbed “Shitrix” due to delayed updates and the availability of the exploit. A month and a half after publication of the first details, the vulnerability had still not been fixed at almost 16,000 companies. The vulnerability is extremely dangerous and allows a local network from the Internet to be breached.
- PHP 7 deserialization (CVE-2019-11043). A vulnerability in PHP 7 allows a user to run arbitrary code without logging in. The issue affects nginx servers with FPM (a package for PHP script handling) enabled. It allowed attackers to infect users of NextCloud cloud storage with NextCry ransomware.
- Microsoft Windows Remote Desktop Services (CVE-2019-0708, BlueKeep). An attacker can install and remove programs on a compromised system, create accounts with maximum privileges, and read and modify sensitive information. The vulnerability affects Windows 7, Windows Server 2008, and Windows Server 2008 R2, all of which are still widespread in the corporate world. If using RDP, we also recommend patching similar vulnerabilities CVE-2012-0002 and CVE-2019-1181/1182.
Evidence shows that in favour of uptime and ease of access, important business applications (including ERP and document handling systems) may be hosted on the corporate perimeter. These applications used to be accessible only from inside the company, so they were not checked for vulnerabilities. In other words, they were not secure but it did not matter at the time. But when these applications (most often, web applications) are now suddenly moved to the perimeter, it is absolutely critical to have a web application firewall (WAF).
Secure home networks
Users should make sure that the admin password for their home Wi-Fi router is a unique, non-default one. The address for accessing the router web administration interface is typically indicated at the back of the router; this information is also available from the official site of the router manufacturer. It’s also useful to update the router firmware in order to eliminate any known vulnerabilities, as well as keep any smart devices on your home network up to date—including smart TVs, surveillance cameras, gaming consoles, and baby monitors.
Do not use weak passwords
When creating accounts or extending current ones, enforce a password policy with strict length and complexity requirements. Limit the lifetime of passwords to no more than 90 days and replace default passwords with stronger ones compliant with the password policy.
Enable two-factor authentication
When it comes to remotely accessing critical systems, we urge adopting two-factor authentication. In the absence of 2FA and timely patch installation, ERP systems (to name just one example) become extremely attractive for phishing and network breaching. Our experience shows that ERP systems are of great interest for financially motivated groups such as Cobalt, RTM, Silence, Lazarus, and TA505.
Set up remote access policies
Our statistics show that 67 per cent of companies use remote access software, including RAdmin, RDP, TeamViewer, and Ammyy Admin. Work-from-home arrangements will make this software even more irresistible, this includes employees who don’t have the experience to use it securely.
Positive Technologies’ monitoring indicates that the number of accessible Remote Desktop Protocol (RDP) hosts have grown since late February of this year. Some of these hosts are susceptible to the vulnerability CVE-2019-0708 (BlueKeep), which as mentioned before gives full control of Windows computers. To exploit it, an attacker needs only to send a special RDP request to a vulnerable Remote Desktop Services (RDS) version— with no authentication required.
What can companies do? First, install patches to eliminate the BlueKeep vulnerability, as well as its sister vulnerabilities CVE-2019-1181/1182. Second, funnel all remote access through a special gateway. On RDP, this is called a Remote Desktop Gateway (RDG), or on a VPN, VPN Gateway. Remotely connecting directly to a workstation is not safe.
We also urge standardizing remote access software: select the program that works best, and then limit the rights of local users. In some cases, sysadmins would do well to whitelist enabled software for remote systems using Windows AppLocker.
The main danger of TeamViewer, which is used at 58 per cent of companies, is that it can be used to provide access (even despite security controls and access rules) to third parties: say, relatives, friends, or colleagues at another company. Be sure to warn employees of the consequences of delegating their network access without prior approval.
Two signs of potential compromise include unusually long remote connections and connections made during non-working hours.
Deploy solutions to detect network intruders
For many companies, having so many employees working remotely is completely new. So, companies tend to concentrate on making sure their systems don’t collapse under the increased workload. As a consequence, given the time crunch, ensuring security of personal devices and corporate systems takes a backseat. Companies are effectively forced to connect home computers—some of them likely already infected or controlled by attackers—to their corporate infrastructure.
This is why it is wise to detect any intruders already in the infrastructure, to reduce their dwell time. The tool for this is Network Traffic Analysis (NTA), which detects targeted attacks both in real-time and retrospectively, by looking through saved copies of traffic. These solutions allow businesses to spot network attacks, such as running of malware or hacking tools, anomalies in encrypted traffic, exploitation of vulnerabilities, and attacks on the domain controller. It is even possible to detect previously undetected hacks. This approach reduces the risk of an information breach or inoperability of corporate systems.
Offer instructions and contact options for users
Administrators should make sure that employees know how to report security issues. Give users instructions to help them make the transition and configure their software. Create a special email address for them in case of issues, as well as a separate address to flag up any suspicious incoming emails to security staff and other employees of phishing attempts.