Uptick in Covid19 Related Attacks Makes Strong Security Measures and IR Planning Even More Important

Every week during the last couple of months I have seen an ever-increasing number of cyber-attacks designed to exploit the present Covid19 crisis. Some recent instances include:

Fake websites that promise to provide vital information about Covid19 include videos that contain the Grandoreiro Trojan. Attempting to play the videos leads to a nasty and sophisticated payload being installed on visitor devices. A variety of techniques such as keystroke logging, blocking access to websites, unwanted restarts, access credential thefts and more are possible. This trojan is also very difficult to detect and remove.

Phishing emails supposedly from popular package carriers such as FedEx and UPS claim to be notifying customers about delivery delays due to a variety of reasons. These emails ask the recipient to open an attachment to fill in missing details or to follow links, but they actually contain the Remcos RAT or Bsymem Trojan.

The huge increase in remote working has prompted a ten-fold increase in brute-forcing campaigns against Microsoft’s Remote Desktop Protocol (RDP). It is no coincidence that a new module in the TrickBot malware called rdpScanDll has been added to aid attackers in this effort. These attacks are currently measured in the millions per week.

These are just a few of the huge number of Covid19 attacks that are currently being promulgated. So how are organizations to fight these attacks? One answer is the use of stronger security measures.

Probably the number one control that should implemented is multi-factor authentication (MFA). Proper use of MFA would virtually eliminate the danger of brute-force attacks. As for helping to further help secure against RDP attacks, organizations should use Network Level Authentication and only make RDP available through a corporate VPN. In addition, organizations should ensure that port 3389 is closed if RDP is not being used.

Another security control that organizations should ramp up is log monitoring. Monitoring is one of the only protections that can be effective if zero-day exploits are employed (which they almost certainly will be). Also, comprehensive user awareness training is a control that will pay big dividends if properly implemented and emphasized. Your system users can be your greatest security detriment or your greatest security asset; training and motivation make the difference.

However, organizations should not become complacent even if they do a good job of implementing strong security controls. History has repeatedly shown us that security compromises will occur even in the most tightly controlled networks. That is why it is equally important to ensure that your security incident response (IR) mechanisms are ready for the challenge.

Your IR plans should be fully up to date, and your IR teams should be fully trained. One idea is to perform table-top IR exercises often throughout the emergency. It would be a good idea for these exercises to not only incorporate scenarios taken from the real-world attacks that are currently being seen, but also from attacks that are predicted and likely to occur.

Organizations should also ensure that proper backups are being made. There should be multiple backups being made using different mechanisms. These backups should be encrypted while being transmitted or at rest. And because ransomware is so prevalent now, proper key management should be strictly enforced. Ensure that keys never reside on the systems they are meant to protect. Keys should also be air gapped from other systems or the Internet to the fullest extent possible. However, at the same time, these keys must be made accessible to properly authorized personnel. This means multiple key mechanisms and methods of storage and retrieval.