Phishers Continue to Capitalize on Covid 19 Emergency

They say that every cloud has a silver lining. That has certainly been true for cyber-criminals during the Covid 19 emergency! While the country as a whole is experiencing 20% unemployment and general hardship, these folks continue to reap the rewards chaos inevitably brings to the larcenous. Here are some of the shenanigans that have darkened the news this week:

One article this week talks about “Hack for Hire” groups in India that are spoofing World Health Organization (WHO) emails to steal access credentials from businesses around the world (including the U. S.). These hacking emails come from hosted websites that are crafted to look like the official WHO website, and claim to provide direct notification from the WHO on Covid 19-related announcements. They are targeting financial services, consulting and healthcare organizations.

Another recent article discusses job applications containing Excel attachments masquerading as curriculum vitae. Businesses that click on these attachments are infected by a macro in the file that downloads Zloader malware on the system. Zloader stems from Zeus malware which tries to steal banking passwords and other financial data which could allow attackers to perform bogus financial transactions.

Similarly, another campaign is using medical leave forms to deploy a different banking Trojan. The subject line in these emails says that the email is a new employee request form for leave within the Family and Medical Leave Act. These email messages contain Microsoft Word attachments with names such as “Covid 19 FLMA center.space.doc.” Opening these attachments triggers a macro that launches IcedID malware which is another banking Trojan that attempts to steal financial data.

Another article this week states that phishers are impersonating companies’ IT support team and sending fake VPN configuration change notifications in the hopes that remote employees may be tricked into providing their Office 365 login credentials. It goes on to state that the phishers are betting on the high possibility that the recipients are working from home and need to use VPN for work-related tasks. In these emails, the original email headers show that the email has not been sent from the recipients’ organization, but the sender email has been spoofed to say it has.

All of the examples above show the need for continued vigilance by system users. In this climate, users should be suspicious of all the emails they receive. If in any doubt at all, users should not open the email. If the email looks like something they need to address, users should ensure that the messages are legitimate. One way to do this is to always be sure to check on the validity of the sender and links contained in the email. To do this, users can hover over the “from” display name and make sure it is really from the purported sender. When doing this, they should make sure to look for differences from the legitimate website name and the email they have received. Often, website names look legitimate but contain misspellings that the eye just skips over. For example, it is common for phishers to replace an “m” with an “rn” or to switch a lower case “L” with a number “1.” Only a slight change in the address is enough to ensure that the email is actually going somewhere else than the user thought it was.

Proper Network Segmentation & Configuration Control Keys to Resisting Ransomware

In the news this week was an article about a successful ransomware attack. It detailed how network access was achieved using email phishing and then went on to explain how the attackers leveraged this low-level network access to compromise the entire network. It was done by breaking password hashes in an attempt to gain access to local admin accounts, then trying these passwords on other hosts and domain administrator accounts. Compromise of a domain admin account then allowed the attackers to take control of the domain, which led to game over. This kind of attack scenario has been around for years and continues to work for a variety of reasons, two of which are inadequate network segmentation and configuration control.

Many of the networks we see are “flat.” In other words, there is no appreciable network segmentation in place. This woeful state of affairs allows any user on the network to see the entire setup, including “server space.” It also provides cyber criminals with many attack surfaces and helps them maneuver around the network. Such network implementations make it very difficult indeed to meet two of the hallmark principles of information security: need to know and least privilege.

By properly segmenting the network, you are allowing users access to only those network assets and information they need to perform their jobs. You are also giving yourself interfaces to implement access controls and monitoring. By employing internal firewalls between network segments, you can strictly control what enters and leaves each segment. This allows you to design appropriate security controls for each network segment, which can reduce cost and administration time. Another benefit of network segmentation can be reduced congestion and improved performance.

Another key to reducing the ability of attackers to compromise networks and the private information they contain is proper system configuration. One of the configuration problems we see very often has to do with the way network administrators onboard and administer network systems. We see administrators using the same admin passwords for whole groups of systems across the network. When an attacker compromises a user system and breaks the local admin password hash, they can then use that same password to access other systems and move laterally across the network. That is why it is best practice to use unique admin passwords for each different system. This intimidates network administrators who are often overworked and understaffed in the first place. However, unique passwords for each network entity are another hallmark security control that should be applied universally to meet best practices recommendations.

This situation is often exacerbated by network administrators that use the same password for administrator access and simple network access. If an attacker compromises the administrators network account, they can then sign in as a domain admin and, once again, game over. That is why we advocate strict control of privileged accounts on the network. Ideally, privileged accounts should require very strong access controls such as multipart authentication and should be monitored and alarmed.

Implementing proper network segmentation and configuration control makes your organization a hard target for attackers who are out to compromise your private information and systems. These controls are definitely worth the extra money and worker time to implement.

Crisis Highlights Need for MFA

Since World Password Day is the big news this week, there are a ton of study reports about password woes in the news. According to a Balbix study report, 99% of enterprise users reuse passwords either across work accounts, or between work and personal accounts. The report goes on to give statistics about password sharing, and states that the rapid uptick of remote working due to the Covid19 crisis has shifted the balance of control away from IT and towards employees.

Another report, released by SecureAuth, shows that management is worse than junior staff at practicing good password hygiene. Their survey states that 53% percent of people admitted to reusing passwords across multiple accounts. Among respondents using the same password, 62% said that they are using it across three to seven accounts; 10% said that they are using over 10 accounts with the same password. The article also highlights that people are so bad about this simply because keeping track of a number of different passwords is difficult and time consuming. Not to mention the fact that users need to change all those passwords regularly!

Another article sites the results of several password practices studies to state that, due to the Covid19 crisis, remote workers may be exposing their personal and business accounts to the risk of takeover due to poor password security. One study cited in this article also goes on to report that 17% of users share their work device password with a child or spouse, and that 36% of respondents admit to not having changed their home Wi-Fi password in over a year.

Another thing to consider is the ready compromise of even compliant, unique passwords due to phishing techniques. Phishing has proven itself to be the most successful password attack vector over recent years. Even veteran system users can occasionally be taken in by a clever phishing ploy.

Considering all of this, don’t you think it’s about time to bite the bullet and implement strong multi-factor authentication (MFA) techniques across the board!? Working with some of the most talented white-hat hackers in the world has shown me how easily a cyber criminal can compromise systems and move laterally across networks simply because of weak and shared passwords. It also has shown me how properly implemented MFA can thwart most of those attacks. There are only three factors one can use to identify oneself: something you know, something you have and something you are. I suggest using at least two of these factors. Better yet, why not use of all three?

Uptick in Covid19 Related Attacks Makes Strong Security Measures and IR Planning Even More Important

Every week during the last couple of months I have seen an ever-increasing number of cyber-attacks designed to exploit the present Covid19 crisis. Some recent instances include:

Fake websites that promise to provide vital information about Covid19 include videos that contain the Grandoreiro Trojan. Attempting to play the videos leads to a nasty and sophisticated payload being installed on visitor devices. A variety of techniques such as keystroke logging, blocking access to websites, unwanted restarts, access credential thefts and more are possible. This trojan is also very difficult to detect and remove.

Phishing emails supposedly from popular package carriers such as FedEx and UPS claim to be notifying customers about delivery delays due to a variety of reasons. These emails ask the recipient to open an attachment to fill in missing details or to follow links, but they actually contain the Remcos RAT or Bsymem Trojan.

The huge increase in remote working has prompted a ten-fold increase in brute-forcing campaigns against Microsoft’s Remote Desktop Protocol (RDP). It is no coincidence that a new module in the TrickBot malware called rdpScanDll has been added to aid attackers in this effort. These attacks are currently measured in the millions per week.

These are just a few of the huge number of Covid19 attacks that are currently being promulgated. So how are organizations to fight these attacks? One answer is the use of stronger security measures.

Probably the number one control that should implemented is multi-factor authentication (MFA). Proper use of MFA would virtually eliminate the danger of brute-force attacks. As for helping to further help secure against RDP attacks, organizations should use Network Level Authentication and only make RDP available through a corporate VPN. In addition, organizations should ensure that port 3389 is closed if RDP is not being used.

Another security control that organizations should ramp up is log monitoring. Monitoring is one of the only protections that can be effective if zero-day exploits are employed (which they almost certainly will be). Also, comprehensive user awareness training is a control that will pay big dividends if properly implemented and emphasized. Your system users can be your greatest security detriment or your greatest security asset; training and motivation make the difference.

However, organizations should not become complacent even if they do a good job of implementing strong security controls. History has repeatedly shown us that security compromises will occur even in the most tightly controlled networks. That is why it is equally important to ensure that your security incident response (IR) mechanisms are ready for the challenge.

Your IR plans should be fully up to date, and your IR teams should be fully trained. One idea is to perform table-top IR exercises often throughout the emergency. It would be a good idea for these exercises to not only incorporate scenarios taken from the real-world attacks that are currently being seen, but also from attacks that are predicted and likely to occur.

Organizations should also ensure that proper backups are being made. There should be multiple backups being made using different mechanisms. These backups should be encrypted while being transmitted or at rest. And because ransomware is so prevalent now, proper key management should be strictly enforced. Ensure that keys never reside on the systems they are meant to protect. Keys should also be air gapped from other systems or the Internet to the fullest extent possible. However, at the same time, these keys must be made accessible to properly authorized personnel. This means multiple key mechanisms and methods of storage and retrieval.

Security Measures Need to Tighten During a Pandemic

One thing that cyber-criminals love to see is businesses operating outside of their normal routines. Non-routine operations can cause confusion and chaos. New ways of operating must be developed and fielded on the fly. Personnel are often required to work from remote locations and may need to undertake duties that are new and unfamiliar to them. This is almost sure to cause IT personnel to become overwhelmed, which can cause delays that can seriously affect business operations.

And when it becomes a question of providing services or maintaining security, most businesses will opt for continuing services and dealing with security matters later. Such situations not only greatly increase the number of attack surfaces and vectors available for cyber-criminals to exploit, it also increases their chances of success in any given attack. The current pandemic situation has them all licking their chops!

Outside of war, I can’t think of more widespread and disruptive disaster scenario than a pandemic response of this magnitude. Unlike earthquakes or hurricanes or floods or most other catastrophes, pandemic interruptions are anything but localized; they affect virtually every business and person on the planet.

People are afraid of getting the flu, and of course they are also afraid of losing income and not being able to pay their bills. They fear that perhaps their employer companies will fold, and that they won’t be able to catch up once things settle back down. Such fears can lead to mistakes and security failures. That is why businesses should be increasing their security efforts, not letting them fall along the wayside.

Businesses should ensure that all their systems have logging enabled, and that monitoring of those logs is being undertaken. If possible, the number of employees dedicated to security monitoring should be increased. This effort will be much easier to implement if cross-training of personnel and full written operating procedures are in place; a lesson that should be learned from the current emergency and implemented in written pandemic planning.

In addition, businesses should ensure that secure mechanisms for remote working are in place. It is important that not only secure connection mechanisms are in place, but that multipart authentication techniques are used to the greatest extent possible. Whitelisting of authorized devices, tokens, digital certificates and biometrics should all be considered.

Just as important as technical security, businesses should ensure that all personnel are receiving security and awareness training. They should be fully trained in how to secure their laptops and home computers, how to connect to business assets securely and how to respond if they suspect they are vulnerable or being hacked. Responding to incidents quickly and correctly are key factors in minimizing damage from a security event.

Pandemic Planning Webinar Materials

John Davis and David Rose held a pandemic planning webinar on the 17th of March.

Here are the materials from the event, in case you were not able to attend.

PDF of slide deck: https://media.microsolved.com/Pandemic.pdf

MP4 recording of event: https://media.microsolved.com/2020-03-17%2010.00%20Pandemic%20Planning%20Update.mp4

Event Description:

MicroSolved’s John Davis and Dave Rose will explore pandemic plan updates in the age of the COVID-19 outbreak. They will discuss lessons learned, from  building a basic plan to updating existing plans. They will share the latest advice from our consulting practice, from State, Local and Federal resources and point out a variety of resources that are now available to assist organizations.

We hope this help folks and of course, if we can be of any assistance, please let us know. We are all in this together, and MSI is here to help wherever and whenever we can. Stay safe out there! 

Pandemic Planning: Different Types of Businesses Need Different Types of Plans

Pandemics are fairly rare, so organizations may not give them as much attention as other kinds of potential business interruptions. That means that pandemics such as COVID-19 (Coronavirus) can catch them unprepared. Of course, pandemic planning is highly dependent on the type of organization that is involved. This makes appropriate policies and procedures very different for different organizations.

Close contact (within 6 feet) between individuals is the number one factor in the spread of pandemic viruses. Any business environment that brings people into close contact are the most susceptible to the flu. For example, essential job types such as health care workers and first responders are obviously at very high risk since they are dealing directly with affected persons in many instances. Other businesses that are essential for day to day living such as banks, grocery stores and other retail organizations also pose a high risk of infection to customers and employees. After all, people in these businesses pass closely by one another, and what is worse, must stand in line to pay for their purchases or to do their banking business. Employees such as tellers or check out/counter workers have it worse since they must come in close contact with a large number of different people during the day.

Protecting yourself and your staff is most problematic for such organizations and workers. This is largely because of the manner in which flu viruses are transmitted. The number one vector is droplets from coughs or sneezes. These are introduced into the environment by people that don’t or can’t cover their mouths and noses when they cough or sneeze. If these droplets are inhaled or get in your eyes you may become infected. More insidiously, coughs or sneezes can also produce micro-droplets or aerosols. These can be so small that they are largely unaffected by gravity and may waft about the environment for some distance, and can even be small enough to penetrate dust masks and tissues. These are very hard to protect against, requiring high efficiency respirators/masks and face shields or goggles. In addition, infection may also be possible from touching infected surfaces and then touching your eyes, nose or mouth.

There are also many non-essential organizations or businesses that pose a high to medium risk of infection by pandemic viruses. These include concert venues, airlines, conventions, casinos, cruise ships, churches, and other venues where people are in close contact. There is an answer for these organizations, as unsavory as it is: simply cancel these types of gatherings. Unfortunately, the economic consequences of canceling such things can be very high (as can be seen in the recent downturns of the stock market). On the bright side, pandemics are usually of fairly short duration. This allows most businesses and organizations to recover once the threat has passed.

In contrast to these types of organizations are those that have little or no interaction with the public or suppliers. For example, offices and organizations that provide services over the internet or telephone are considered to be at low risk. They basically have to worry most about infection spreading among their employees. Fixes for these types of organizations include teleworking (preferred), employee awareness training, putting barriers or distance between employees, mandating that workers who are sick (or who suspect that they may have been infected) take sick leave/work remotely and ensuring that basic health and sanitation measures are in place at the workplace. In addition, anyone who becomes sick at work should be provided with a face mask and sent home or to a health care facility immediately. Businesses should also pay special attention to personnel that live with or have close contact with those who are at very high risk such as health care professional. These personnel should work remotely or should be tested for infection if at all possible. The latest studies suggest that Coronavirus may possibly be spread by infected people that do not yet have symptoms, or those whose symptoms have disappeared.

The number one rule for all people is this: if you are sick or think you may have been exposed to a pandemic virus, stay away from other people. If you must interact, wear a face mask (N95 or better if possible) and clean your hands often. And remember, you should continue to be careful for some time after your symptoms disappear. You may still be infectious.

Pandemic Planning Update Webinar Scheduled

WorldShieldWe are proud to announce a pandemic planning update webinar scheduled for Tuesday, March 17th at 10am Eastern.

MicroSolved’s John Davis and Dave Rose will explore pandemic plan updates in the age of the COVID-19 outbreak. They will discuss lessons learned, from  building a basic plan to updating existing plans. They will share the latest advice from our consulting practice, from State, Local and Federal resources and point out a variety of resources that are now available to assist organizations.

Click here to register. Recordings will be made available after the event. 

We want everyone to benefit from pandemic planning. Please let us know if you have questions or need assistance.

A vCISO Interview With Dave Rose

I had the pleasure to interview, Dave Rose, who does a lot of our virtual CISO engagements at MSI. I think you might enjoy some of his insights.

Q) In a few sentences, introduce yourself and describe your background that makes you a valuable virtual CISO. What are the keys to your success?

A) So my name is Dave Rose and I have been a CTO and in Technology for 25+ years. I started working daily with Risk as an Internal IT Auditor with the State of Ohio and expanded exponentially my knowledge and skills with JP Morgan Chase where I had day to day Risk responsibility for their Branch, ATM, Branch Innovation, Enterprise and Chase wealth Management applications. (548 to be exact!) What makes me a valuable CISO? In technology I have been audited by the best of them, SEC OCC,FINRA,Internal Audit, and been responsible for PCI and Basil compliance. I have had to review, implement and modify controls from NIST, ISO,SOX, GLBA, OWASP and CIS. In the financial industry I have worked with Agribusiness, Commercial Real Estate, Retail Banking, Investment Banking, Mutual Funds, Wealth Management, Credit Unions and 401K plans. As an IT/Operations manager/leader I have been responsible for Network Management, Finance, HR, Contract and Vendor Management, Help Desk, Development staff, Investment Operations, Sales, Cyber Engineers and Project Management, which I started my career performing. 

With the diversity that I listed above, there is a pretty good chance my past experience can help you to solve your current problems, now. A modicum of common sense, perseverance and a passion to do what right for the business while being responsible to the controls that make you successful has made me successful. 

Q) Speaking as a virtual CISO, what are some of the toughest challenges that your clients are facing this year?

A) I think that one of the biggest challenge that our clients are facing this year is Technology Deficit. I dont think this is anything new but with the deprecation of Win 7 and the threat of Ransomware, holding onto old technology with critical vulnerabilities is no longer an option. Whether is is hardware, software or code updates, companies cannot continue to mortgage technology debt to the future. Hate to be cliche but the time is now. 

Q) If you met with a board and they wanted to know what percentage of revenue they should be spending on information security, how would you answer that question?

A) I hate this question because it really does not have a good answer. A board asked me once “How much money would it cost me to get to a 3.5 on the NIST scale?” Money is only one facet of solving risk, there is culture, leadership, technology and business vision. Know and set the roadmap for all of those items for the next 5 years and your dollar investment will come naturally. So 6-7% (Rolls eyes)

Q) In terms of the NIST model, can you walk us through how you would prioritize the domains? If you came into a new organization, where would you start in the NIST model to bring the most value and what would the first 100 days look like?

A) There are two areas of the NIST model I would focus on, identify and protect. I would take a good hard look at access administration and all the components that make that up. Next I would look at log analysis and aggregation. I would spend the first hundred days doing a Risk Assessment of the entire environment but would also create a roadmap based on evaluation of current state for both Access Administration and Log Governance. Based on your results and determination of Risk and Reward (80/20 rule) map out the next 1-3 years. 

Q) If folks wanted to learn more about your insights or discuss having you work with them as a virtual CISO or security oversight manager, how can they reach you?

A) If you would like to talk further about these question, insights or would like to hear more about the MSI vCISO service, you can reach me at 614 372–6769, twitter @dmr0120 or e-mail at drose@microsolved.com!