CYBER RESILIENCE NEWSLETTER - MAY 2020

THE BUG STOPS HERE. AWARENESS AND PRECAUTIONARY MEASURES TO BEST MITIGATE AND PREVENT CYBER THREATS

Cyber threats are evolving rapidly and leveraging real-world events to deceive victims. With COVID-19 driving a surge in cloud adoption and remote working, we are seeing attacks targeting cloud users, remote workers and organisations in a whole host of differing sectors.

As the world continues to come to grips with the disruption caused by the Coronavirus Pandemic (COVID-19), business organisations must begin planning for life and business online on a long-term basis, so as to be best prepared for the unknown and as resilient to it as possible.

As part of that reality, all must begin preparing and implementing strict, airtight measures to secure employees, networks and systems while working remotely, and must promptly take steps to mitigate the distinctly higher cybersecurity and data privacy risks facing any confidential and proprietary information.

THREAT LANDSCAPE:

Threat actors have capitalised on the greater susceptibility of organisations and individuals in light of the Pandemic to launch cyber campaigns distributing varied cyber attacks, prominently in the form of malware that threatens the confidential information of unsuspecting users.

It is pertinent to note that the number of new high-risk or malicious COVID-19 themed domain names created every single day has steadily increased since the Pandemic captured the attention of the entire world.

Hereinbelow we have outlined a couple of examples of COVID-19 related cyberattacks in the early months of the Pandemic.

  1. Emotet malware - TA542:

The TA542 group behind the Emotet malware was one of the first reported threat groups to exploit COVID-19 and did so through malicious emails masquerading as official notifications from a disability welfare provider and other public health centers. The content instructed the recipients to download an attached ‘notice’ that contained COVID-19 preventive measures, but which instead deployed ransomware and other types of malware, stealing user credentials, browser history and other sensitive documents in the process.

  2. Coronavirus maps (Corona-virus-Map.com.exe and AZOrult malware):

Another example of a COVID-19 themed malware attack is one that specifically targets individuals looking at online maps of the spread of COVID-19 and tricks them into downloading and running a malicious application (Corona-virus-Map.com.exe). On its front end the application shows a map from a legitimate online source, but in the background it compromises the computer and the data on it. Running the file executes the malware, which decrypts saved passwords and generates output data[1].

Another replica website mimicking the legitimate Johns Hopkins University coronavirus map prompts viewers to download and run a Windows application which infects their systems with the AZOrult malware, designed to steal personal and sensitive information such as passwords and credit card data as well as to create a hidden backdoor to access the victim’s system[2].

THREAT PROGRESSION

As the impacts of the pandemic have continued to be felt through the months, the recent intensity and relentlessness of the cyber-attacks have taken center stage and are there for all to see, with marked increases noted across the globe. Identity theft has taken a sharp upturn in Finland and the US since the start of the pandemic; in the US, taxpayer information has been used to steal identities and then apply for a victim’s $1200 stimulus relief check.

There has been no respite for the world’s healthcare sector either. Redline Stealer, a malware primarily targeting US-based healthcare and manufacturing facilities searching for a cure, and a Lokibot campaign, purporting to come from the Center for Disease Control and to provide WHO guidelines to battle COVID-19, have both been identified as threats to organizational and individual proprietary and confidential information in the industry. Europe’s largest private hospital operator has also confirmed that its IT network was hit by a ransomware attack using a variant called Snake.

Other notable cyber threats are CovidLock, an Android ransomware application promising access to a statistical tracker, and the use of the unemployed as money mules to move stolen funds.

In light of the above, it is quite clear that combatting cyber threats requires continuing vigilance and proactivity, especially as we navigate the initial period of isolation and remote connectivity. Cyber security must be at the forefront for all organisations and individuals that rely on the internet to ensure operational continuity, and they must take precautionary measures to this effect.

PRECAUTIONARY MEASURES.

The aforementioned examples are but a few of the cybercrime attacks that have leveraged COVID-19 themes to entice victims to download Trojan-style file attachments or click on malicious links in pursuit of the attackers’ financial goals or national interests. This form of social engineering attack is one of the greatest risks remote workers will face.

The key is for organizations to train their employees on what social engineering is, how to spot the most common indicators of a social engineering attack, and what to do when they spot one.

There are some precautionary measures that organizations can adopt at a firm level and impose on an employee level in an attempt to limit the exposure risk of the organization’s proprietary and confidential information as employees continue to work remotely and access the organization’s secure data. Hereinbelow we will take you through some of the recommendations that can be followed to prevent being victimized by such attacks.

  1. ORGANISATIONAL AND EMPLOYEE CONSIDERATIONS:

To support the confidentiality and integrity of the data, the organization should develop system threat models to secure all the components of teleworking and remote access solutions as they continue to access secured resources. Some of the other considerations could include:

  1. Access to restricted systems:

As organizations move towards remote/tele working, systems that have to date only been accessible on-site may need to be made available for remote access. It is vital for these systems to be reconfigured appropriately and for further authentication measures (such as Multi-Factor Authentication) to be required to ensure the integrity of these key systems in a teleworking environment. Additionally, employees should cycle between unique passwords and strong passphrases for all their accounts while only accessing proprietary and confidential information via a secure connection.

Further, the organization must keep logs of which employee accesses which segment of the company’s data or perhaps implement limitations on which employee can access which data.

  2. Availability of IT resources for teleworking:

It is quite possible that organizations will struggle to meet the demand for organization-issued devices that may be used for teleworking, simply because a large portion of the non-remote workforce has begun teleworking. This means that the organization is left with the option of either permitting their employees to utilize personal devices to access organization systems or to deploy older, stored laptops and other devices.

While neither of these scenarios is ideal, it is imperative for the organization to be flexible and, in doing so, to urge employees to keep the security and antivirus software up to date on the devices they use to continue teleworking, and to regularly back up all important files, both on those devices and on alternative devices.

  3. Phishing attacks:

Remote working will increase the chances of employees falling victim to phishing attacks. Organizations may choose to set up a security awareness session educating employees on certain best practices to follow in order to identify and report suspicious activity. Some of the tips that the European Network and Information Security Agency (ENISA) provides to avoid phishing attacks include:

  4. Remote connections:

While the use of VPNs (Virtual Private Networks), tunnels and other IT solutions may allow for an increased remote connection load, the organization should ensure each employee logs in via a secured and uncompromised connection to minimize the higher risk of malicious connections. A VPN tunnel allows the employee to access the organization’s computing resources through the secure tunnel.

  5. Data privacy risks:

It will not hurt the organization to remind their employees of certain protocols to follow while handling confidential or proprietary information as they work from home. There are certain considerations for the organization with respect to the security monitoring of each employee’s access of the organization’s data.

Ideally, the organization may also choose to store its data at a location separate from its physical business, in preparation for the worst. This ensures that the organization is not at the mercy of its cloud provider’s security, which could also be compromised, and can protect against ransomware.

Consider it another line of defense, in addition to other security protocols that organizations follow.

  2. MERGERS AND ACQUISITIONS.

As a consequence of the entire corporate world altering strategies to adapt to the current digitized environment, the manner in which acquiring organisations will approach mergers and acquisitions must also change to champion the mitigation and management of cyber risk throughout the entire process.

An acquiring company, in assessing the viability of an acquisition, must prioritize the assessment of the cyber risks and subsequently adopt measures to mitigate these risks. In doing so, it must evaluate the integrity of the data privacy and cybersecurity protocols of a potential target company. The image below briefly highlights the safeguards to be taken during each stage of the process.

Image source: World Economic Forum (2019), available at: https://www.weforum.org/agenda/2019/03/4-ways-to-cyberproof-your-business-during-m-a/

Finally, while conducting due diligence and an assessment of the risks to the target company, the acquiring company may wish to obtain some representations and warranties, some of which ensure that the seller has:

CONCLUSION

COVID-19 is a fluid situation, and in this context we all need to find a way to work around the ever-present barriers to staying secure online. It is imperative to protect every endpoint with continuous monitoring, updated security tools and precautionary measures. All parties should be vigilant and keep in mind good data protection and cybersecurity habits while practising good cyber hygiene.

Stay safe and practise good physical and cyber hygiene!

Team KARM.

Bibliography:

[1] Wei W, 'Beware Of 'Coronavirus Maps' – It's A Malware Infecting PCs To Steal Passwords' (The Hacker News, 2020) https://thehackernews.com/2020/03/coronavirus-maps-covid-19.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29&_m=3n.009a.2183.ub0ao0e9y8.1d6u, accessed 30 March 2020

[2] Anomali, 'Coronavirus (COVID-19) Global Pandemic Launches Cyber Attack Surge' (2020) page 6

Authored by Luna De Lange and Manav Joshi