Overview
Earlier on our blog, we listed many cyber-attacks in which adversaries exploited fear of COVID-19 to target victims. This post looks at the risks of the sudden, unprepared shift to remote work that the pandemic has forced on organizations: the security of remote collaboration tools, the surge in phishing campaigns as employees work from unprotected home networks, the rise in attacks on exposed RDP, and statistics on pandemic-themed fraud.
Remote Collaboration Tools
Traffic on the public Internet has grown by half this year, all driven by social distancing and remote work requirements. According to Kentik, a provider of machine-learning-based network operations, video conferencing bandwidth has seen a 500% increase, and the week-to-week growth in overall bandwidth consumption matched the month-to-month growth seen last year. Comcast also saw virtual private network (VPN) traffic jump 40% and video conferencing traffic rise 212% since the beginning of March. Zoom alone reportedly recorded 200 million daily users in March, up 20 times since December; it added more users in the first quarter of 2020 than in all of 2019.
As reliance on remote collaboration tools grows at an unprecedented rate, one key question is how safe these apps and tools, such as Skype, Zoom, Slack and Webex, actually are.
When organizations go remote, virtual meetings are inevitable. While remote collaboration tools relieve employers and employees, they create anxiety and uncertainty for IT teams, and the fear is not baseless. These apps are widely deployed, heavily targeted and usually run on devices outside the corporate network, which makes them attractive targets for zero-day exploits and evasive malware. Many vulnerabilities in Zoom have been reported, including one in which the Windows client rendered UNC paths posted in chat as clickable links: a user who clicked such a link had their Windows username and NTLM password hash sent to an attacker-controlled SMB server. Zoom has made the most headlines, but serious security flaws have also been found in other popular collaboration apps, including Microsoft Teams and Slack, and a few weeks ago phishing attacks were found targeting Webex credentials.
Now that these apps are an operational necessity and cybercriminals are actively searching for opportunities, they have become a wide attack surface. The surge in downloads presents criminals with an endless trail of opportunities. Flaws tend to linger in widely used software of every kind, open source or proprietary, and issuing patches is not always a vendor's top priority.
Therefore, as we go remote, every employee needs to understand that they are at risk and that they are a risk to the entire organization. Basic training helps them keep company devices for company work, curb casual browsing on those devices, and avoid becoming the red carpet that leads an intruder into the organization's infrastructure.
Risks to Organization’s Data
While these apps may be intended only for remote collaboration or video conferencing, they are a substantial risk to an organization. Much of the confidential exchange of information that used to happen inside the company's protected network now happens over remote collaboration tools. What is at risk? The sensitive, valuable and confidential information transferred through these apps. In addition, the impact of a vulnerability in one of these tools is not necessarily limited to the application itself. Because the Zoom flaw leaks the user's Windows NTLM credential hash, an attacker can crack the hash offline to recover the password or use it in relay attacks against other services, turning a chat-client bug into a takeover of the user's system and accounts.
Business Email Compromise
Phishing remains the master of horrors in current times, since it can initiate many kinds of cyber-attack. For instance, credentials stolen via phishing may lead to business email compromise (BEC), and one compromised mailbox can start a chain reaction. Why? Because we are comfortable responding to colleagues. However skeptical we are of unknown emails, we are likely to open and respond to an announcement from HR, a meeting invite from a teammate or a Google Form from the marketing team when it arrives from a genuine internal address. That can turn into a clicking spree that compromises many business mailboxes before the organization gets a chance to detect it.
Some Solutions That Might Not Work
Can collaboration apps be eliminated altogether? In the prevailing economic uncertainty, enterprises cannot afford to go offline, and to stay online they need these apps, which means they will be exposed to cyber-attacks. They are left with no choice but to accept risks to operations in order to avoid a certain operational shutdown. Anti-malware and endpoint detection and response (EDR) tools may look like lifesavers to some organizations, but they will not reliably catch zero-days, so the threat lingers.
Many organizations will also attempt to use free or outdated VPNs, unaware of how readily outdated VPNs are exploited in the wild. The Pulse Secure VPN flaw (CVE-2019-11510), which was exploited for months after a patch was available, is an instructive lesson. Selecting and maintaining a VPN is therefore a challenge in itself.
Exponential Surge in COVID19 Themed Attacks Continues
Attackers use the economic uncertainty as bait and target employees on home networks with offers of financial relief funds and coronavirus safety kits purportedly from health organizations and NGOs.
Rewterz has released more than 40 advisories on COVID-19 phishing attacks. The distinct campaigns among them are listed below:
- TA505 New CoronaVirus Campaign
- Gamaredon APT Using Covid-19 Lures
- Phishing Campaign Initiated By State Sponsored Groups
- Python RAT Uses Covid-19 Lures To Target Public And Private Sectors
- Trickbot Delivered Via Covid 19 Phishing Emails
- Grandoreiro Banking Trojan Takes Over Device For Fraudulent Transactions
- Cisco ‘Critical Update’ Phishing Attack Steals Webex Credentials
- Funds On Hold – Phishing Attack Targeting Banking Credentials
- Phishing Campaign Uses Covid-19 To Spread Lokibot
- Covid-19 Malicious URLs
- Covid-19 Threat Actors Impersonating CDC, WHO
- Formbook delivered by Covid-19 lure
- Hackers Start Capitalizing on Zoom’s Success to Spread Malware Amid Covid-19
- Zeus Sphinx Trojan Distributed via Covid-19 Relief Documents
- Fake CoronaAntivirus Distributing Blacknet Remote Administration Tool
- HawkEye Keylogger uses COVID19 Advice from WHO
- Coronavirus-Themed Domain Hosts A Phishing Kit
- Covid-Themed Malware Campaign Distributes Ransomware
- Koadic RAT – Multistage Malware Distributed through COVID’19 Document
- COVID themed targeting from North Korean Kimsuky
- Plugx Delivered by Covid-Themed Documents
- Coronavirus Campaigns – Kbot, Azorult, Coronavirus Ransomware, MBR Wiper
Other massive phishing campaigns observed using the COVID-19 theme are as follows:
- Microsoft reported blocking, within 24 hours, a massive phishing campaign that used 2,300 unique HTML attachments with messages disguised as COVID-19 financial compensation information. The attachments led to a fake Office 365 sign-in page that captured credentials. A successful phish leads to account takeover and may give the attacker access to every other app that relies on the Office 365 account.
- Cloud security firm Zscaler reported a 30,000% increase in pandemic-related malicious attacks in March compared with January.
- COVID-themed cyber-attacks in March numbered 380,000, up from 10,000 in February and only 1,200 in January, Zscaler reports.
- Google, which blocks 100 million phishing messages per day, reports that around one fifth of all phishing emails on the Gmail platform use COVID-19-related themes.
- Earlier in April, Google reported rejecting roughly 18 million email messages per day that were identified as phishing preying on fears around the coronavirus pandemic.
- Those 18 million COVID-19-related phishing messages were, according to Google, in addition to more than 240 million coronavirus-themed spam messages sent to Gmail accounts every day.
The Rise of RDP Attacks
- The attack surface continues to grow. The port scanning service Shodan reported at the end of March that the number of systems exposing the Remote Desktop Protocol (RDP) had increased over the preceding month.
- Brute-force RDP attacks grew from roughly 100,000 to 150,000 per day in January and February to nearly a million per day at the beginning of March.
- At the same time, the number of Internet sources scanning for the most common RDP port, 3389, jumped by 40% in March, according to the SANS Institute.
- Shodan also saw an increase in exposed RDP ports, both the standard 3389 and the alternate 3388, from January to February.
- It is perhaps no coincidence that the TrickBot malware added a new module in March, rdpScanDll, built for brute-forcing RDP accounts.
- The pandemic has forced some companies to rush to allow Microsoft Remote Desktop Protocol (RDP) access. Given that the Ponemon Institute puts the average breach discovery time at 191 days, an intrusion through a hastily exposed RDP service can go unnoticed for months.
- Likewise, the Cybersecurity and Infrastructure Security Agency (CISA) has seen increased scanning for vulnerabilities in Citrix's Application Delivery Controller and Gateway products. The Citrix ADC flaw CVE-2019-19781 was recently exploited by APT41 in a mass attack, as first reported by FireEye.
Cyber security becomes a serious concern now more than ever before, as organizations are rapidly enabling remote work at the cost of security standards.
While vulnerabilities are being revealed in the tools in use and the surge in COVID-related cyber-attacks continues, there is the parallel concern of exposed RDP ports.
RDP Attacks’ Impact
With remote work enabled and security controls not performing at their best, exposed RDP ports are the cherry on top. With more entry points, a confidentiality breach may be one click away.
RDP is used to connect to a remote Windows desktop session, typically by telecommuters and by tech support personnel troubleshooting an issue. A successful attack gives the attacker unauthorized remote access to the target computer with all of the user's privileges and access rights. A Kaspersky chart (not reproduced here) of RDP brute-force attacks by date and country shows the recent spike: 100,000 to 150,000 attacks per day in January and February, soaring to nearly a million per day at the beginning of March.
Preventing brute force against RDP is not rocket science, but multifactor authentication and strong, unique passwords are only the bare minimum. An account lockout policy, Network Level Authentication and, above all, not exposing RDP directly to the Internet matter just as much, and failed-logon events should be watched so that a burst of guesses is noticed before one of them succeeds.
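The monitoring side of the advice above, as an added example that is not part of the original post: a small detector that reads Windows Security events (4625 failed logon, 4624 successful logon, with the LogonType and IpAddress fields those events carry) and flags a source IP that hammers one account, sprays several accounts, or logs in successfully after such a burst. The event records are constructed for the example; thresholds are illustrative and should be tuned to the environment.

```python
"""Flag RDP brute-force and password-spray activity in Windows Security events.

Added example, not from the original post. The events below are constructed.
With Network Level Authentication (NLA) enabled, a failed RDP logon is logged
as event 4625 with LogonType 3 (network); without NLA it is LogonType 10
(RemoteInteractive). Both types are treated as RDP-relevant here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPES = {3, 10}


def _event(event_id, when, ip, user, logon_type):
    """Build one record with the field names a Security log export carries."""
    return {"EventID": event_id, "TimeCreated": when, "IpAddress": ip,
            "TargetUserName": user, "LogonType": logon_type}


# Constructed sample: one brute-force burst that ends in a successful logon,
# one low-and-slow spray across several accounts, and benign internal noise.
SAMPLE_EVENTS = [
    _event(4625, "2020-03-10T08:00:05", "203.0.113.7", "administrator", 3),
    _event(4625, "2020-03-10T08:00:09", "203.0.113.7", "administrator", 3),
    _event(4625, "2020-03-10T08:00:14", "203.0.113.7", "administrator", 3),
    _event(4625, "2020-03-10T08:00:20", "203.0.113.7", "administrator", 3),
    _event(4625, "2020-03-10T08:00:27", "203.0.113.7", "administrator", 3),
    _event(4625, "2020-03-10T08:00:33", "203.0.113.7", "administrator", 3),
    _event(4624, "2020-03-10T08:01:02", "203.0.113.7", "administrator", 10),
    _event(4625, "2020-03-10T08:02:00", "198.51.100.23", "jsmith", 3),
    _event(4625, "2020-03-10T08:02:30", "198.51.100.23", "mkhan", 3),
    _event(4625, "2020-03-10T08:03:00", "198.51.100.23", "finance", 3),
    _event(4625, "2020-03-10T08:05:00", "10.0.0.5", "jsmith", 10),
    _event(4625, "2020-03-10T08:05:40", "10.0.0.5", "jsmith", 10),
    _event(4624, "2020-03-10T08:06:10", "10.0.0.5", "jsmith", 10),
    _event(4625, "2020-03-10T08:07:00", "-", "jsmith", 2),  # console logon, not RDP
]


def detect_rdp_attacks(events, threshold=5, window=timedelta(minutes=5), spray_users=3):
    """Return findings keyed by source IP.

    An IP is flagged as brute force when it accumulates `threshold` failed RDP
    logons inside any `window`-long span, and as password spray when its
    failures in that span target `spray_users` or more distinct accounts. A
    successful logon from an already flagged IP is recorded as a probable
    compromise, which is the case that needs an immediate response.
    """
    findings = {}
    recent = defaultdict(deque)  # ip -> (time, user) failures inside the window
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ip, when = ev["IpAddress"], datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == FAILED_LOGON:
            q = recent[ip]
            q.append((when, ev["TargetUserName"]))
            while q and when - q[0][0] > window:
                q.popleft()  # drop failures that fell out of the window
            users = {u for _, u in q}
            kinds = set()
            if len(q) >= threshold:
                kinds.add("brute_force")
            if len(users) >= spray_users:
                kinds.add("password_spray")
            if kinds:
                f = findings.setdefault(ip, {"failures": 0, "users": set(),
                                             "kind": set(), "success_after": []})
                f["failures"] = max(f["failures"], len(q))
                f["users"] |= users
                f["kind"] |= kinds
        elif ev["EventID"] == SUCCESSFUL_LOGON and ip in findings:
            findings[ip]["success_after"].append(ev["TargetUserName"])
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_attacks(SAMPLE_EVENTS).items():
        print(ip, sorted(f["kind"]), f["failures"], "failures, accounts:",
              sorted(f["users"]),
              "SUCCESS AFTER FAILURES:" if f["success_after"] else "",
              f["success_after"])
```

On the sample, 203.0.113.7 is reported as brute force with a successful administrator logon after the burst, 198.51.100.23 as a spray across three accounts, and the internal host 10.0.0.5 is not reported. The same logic maps directly onto a SIEM correlation rule: count 4625 events per source IP over a sliding window, then correlate with a following 4624 from that IP.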
Financial Frauds during the Pandemic
With so many security threats lingering in cyberspace and so many new users coming online, financial fraud is inevitable, and attackers are busy making money from COVID-themed fraud. The US Federal Trade Commission reports the following statistics for coronavirus-related fraud from January to April 2020: across 25,406 complaints, a total of $19.31 million was reported lost. The FTC's breakdowns of these reports by category, by the products and services offered to victims, by the contact method used and by the payment method of the transactions are shown in the charts below (not reproduced here).
What Organizations Should Do?
For Employees:
- Security awareness training should be conducted at the very least. Humans are your first line of defense, because they are the entry points attackers use to get into the corporate infrastructure.
- Keep training employees in security practices, and be very open to helping them use VPNs and multifactor authentication.
- Promote the security features of video conferencing tools to protect meetings from outsiders. For starters, use a unique ID and a password for every meeting, and use features like 'Lock Meeting', which lets a host close the door once all intended participants have arrived.
- Hosts can also limit controls so that the meeting host is the only person allowed to share content.
Additionally, it is crucial to teach every user the following best practices:
- Stick with reputable sources for COVID-19 information
- Be wary of requests for emergency funds via email (call the sender to confirm, even if it appears to be from a known contact)
- Do not open links or attachments from unknown sources
- Enable two-factor authentication
- Patch operating systems and apply security updates
- Activate SMS/email notifications for any financial transactions
For Employers:
- Enable two-factor authentication (2FA) and a virtual private network (VPN), and keep the VPN updated and patched, since VPN appliances themselves are exploited by attackers. Require 2FA for the VPN as well.
- Segment your network. Make sure the VPN lands in a DMZ and cannot talk to everything; users who remote into a desktop do not need access to backend servers or infrastructure.
- Make RDP available only through the corporate VPN, require Network Level Authentication (NLA), and block port 3389 at the perimeter if RDP is not in use.
- Least privilege should be your standard and access should only be granted to things extremely necessary for an employee’s job functionality.
- Educate your users. Make sure they understand the new risks and remind them often.
- Implement a strict security update policy: deploy updates as soon as they become available, on every accessible device in your information system. Some VPN and NAC products can place a user in a quarantine network until their system has been checked for security updates; a compliant system is allowed into the corporate network, otherwise the user stays in quarantine.
- Perform and test backups regularly to ensure they work. Set up systematic logging of all access to, and activity on, your infrastructure equipment (servers, firewalls, proxies...) and workstations.
- Monitor remote connections and all access to files and folders in order to detect unusual access which could be the sign of an attack.
- With least privilege, network segmentation, a VPN, two-factor authentication, secured endpoints and continuous security monitoring in place, an enterprise has a fighting chance in the COVID-19 cyberspace.
Protecting Active Directory:
- To improve the security of your corporate network, protect the remote use of AD credentials. Whenever an employee logs in to the corporate network from home, a new access path is created that can often be exploited.
- For protected remote AD logins, strengthen passwords, use a secure virtual private network (VPN) for all remote desktop access, and enable two-factor authentication on these remote desktop connections.
- Whenever possible, limit VPN access to only authorized devices. Any attempt to connect from another device should be denied.
- The passwords should be long enough, complex, and unique for each service or piece of equipment used.
- You should also activate two-factor authentication on remote sessions, especially for connections to the corporate network.
Office365 Additional Recommendations:
- Assign administrator roles using role-based access control (RBAC). Avoid using the Global Administrator role unless necessary.
- Using Azure AD's numerous other built-in administrator roles instead of Global Administrator limits the overly permissive privileges granted to legitimate administrators.
- Enable Unified Audit Log (UAL): O365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services. An administrator must enable the Unified Audit Log in the Security and Compliance Center before queries can be run. UAL lets administrators investigate and search for malicious actions or policy violation within O365.
- Enable multi-factor authentication for all users. Threat actors also compromise normal user accounts in order to send phishing emails and attack other organizations using the apps and services the compromised user has access to.
- Disable legacy protocol authentication where appropriate. Legacy protocols such as IMAP, POP3 and SMTP AUTH cannot complete a multi-factor challenge, which is why attackers favor them for password spraying against Office 365; Azure AD Conditional Access policies can limit which users may authenticate with them, greatly reducing the organization's attack surface.
- Enable alerts for suspicious activity, at least for logins from suspicious locations and for accounts exceeding sent email thresholds.
- Integrate Logs with your existing SIEM tool: Even with robust logging enabled via the UAL, it is critical to integrate and correlate your O365 logs with your other log management and monitoring solutions.
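Before a Conditional Access policy blocks legacy authentication, an administrator needs to know who still depends on it, and the sign-in logs are where that inventory comes from. The following is an added example, not part of the original post, that triages Azure AD sign-in records: it lists each user's legacy protocols, counts failed legacy sign-ins (the password-guessing traffic the block will stop), and raises an alert for any successful legacy sign-in from outside the countries the organization expects. The records are constructed, with example.com as a stand-in tenant domain; field names follow the Microsoft Graph signIn resource.

```python
"""Triage Azure AD sign-in records before blocking legacy authentication.

Added example, not from the original post; the records are constructed. Field
names follow the Microsoft Graph signIn resource, which is also the shape of
an Azure AD sign-in log export: clientAppUsed, userPrincipalName, ipAddress,
location.countryOrRegion and status.errorCode (0 means the sign-in succeeded).
"""

# clientAppUsed values that mean basic/legacy authentication. These clients
# cannot complete an MFA challenge, so a leaked password alone is enough to
# sign in. The set mirrors the "legacy authentication" filter in the Azure AD
# sign-in logs; check the current Microsoft documentation before relying on it.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Other clients", "MAPI Over HTTP", "Exchange Web Services",
    "Autodiscover", "Offline Address Book",
}

# Constructed sample, with example.com as a stand-in tenant domain.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2020-04-20T07:58:11Z", "userPrincipalName": "aisha@example.com",
     "clientAppUsed": "Browser", "ipAddress": "192.0.2.10",
     "location": {"countryOrRegion": "PK"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2020-04-20T08:02:45Z", "userPrincipalName": "bilal@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "192.0.2.11",
     "location": {"countryOrRegion": "PK"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2020-04-20T08:10:03Z", "userPrincipalName": "carol@example.com",
     "clientAppUsed": "Exchange ActiveSync", "ipAddress": "203.0.113.44",
     "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2020-04-20T08:15:30Z", "userPrincipalName": "carol@example.com",
     "clientAppUsed": "Browser", "ipAddress": "192.0.2.12",
     "location": {"countryOrRegion": "PK"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2020-04-20T08:20:00Z", "userPrincipalName": "dev@example.com",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2020-04-20T08:20:07Z", "userPrincipalName": "dev@example.com",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 50126}},
]


def triage_signins(signins, allowed_countries):
    """Split legacy-auth sign-ins into an inventory, a failure count and alerts.

    Returns (inventory, failed, alerts):
      inventory: user -> set of legacy protocols the user signed in with, so the
                 Conditional Access block can be scoped and exceptions planned;
      failed:    user -> number of failed legacy sign-ins (password guessing
                 through legacy protocols is exactly what a block policy stops);
      alerts:    successful legacy sign-ins from outside `allowed_countries`,
                 which warrant an immediate look because no MFA was involved.
    """
    inventory, failed, alerts = {}, {}, []
    for s in signins:
        app = s.get("clientAppUsed", "")
        if app not in LEGACY_CLIENT_APPS:
            continue
        user = s["userPrincipalName"]
        inventory.setdefault(user, set()).add(app)
        if s.get("status", {}).get("errorCode", 0) != 0:
            failed[user] = failed.get(user, 0) + 1
            continue
        country = s.get("location", {}).get("countryOrRegion", "")
        if country not in allowed_countries:
            alerts.append({"user": user, "protocol": app, "ip": s["ipAddress"],
                           "country": country, "time": s["createdDateTime"]})
    return inventory, failed, alerts


if __name__ == "__main__":
    inventory, failed, alerts = triage_signins(SAMPLE_SIGNINS, allowed_countries={"PK"})
    print("users still on legacy auth:", {u: sorted(p) for u, p in inventory.items()})
    print("failed legacy sign-ins:", failed)
    for a in alerts:
        print("ALERT: {user} via {protocol} from {ip} ({country}) at {time}".format(**a))
```

On the sample, bilal and dev appear in the inventory (so they need a modern client or an explicit exception before the block goes in), dev's two failures with errorCode 50126 (invalid password) show guessing through SMTP AUTH, and carol's successful Exchange ActiveSync sign-in from an unexpected country is the alert that should go to the incident responders. The same fields are what the alerting in the last two recommendations above keys on once the logs reach a SIEM.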