Addressing Cybersecurity Risks During the COVID-19 Pandemic
Around the world, organizations are taking unprecedented actions as a result of the COVID-19 pandemic. Business continuity plans that laid dormant are being fully exercised and new chapters are being added as workforces are mandated to telework in an effort to contain the spread of the virus. The focus of this week’s NJCCIC Bulletin is to address some of the cybersecurity risks that a remote workforce presents and to provide some best practices for mitigating those risks. The following is not a comprehensive list of best practices; however, it provides users and organizations with some guidance in managing the cybersecurity risks associated with a remote workforce. As reported in the news, there has been a significant increase in the demand for toilet paper, hand sanitizer, disinfectants, and other items associated with efforts to prevent and/or contain the spread of COVID-19. However, organizations are also significantly increasing their demands for remote access equipment, software, and services including, but not limited to, laptops, hard multi-factor authentication tokens, VPN concentrators, collaboration tools, bandwidth upgrades, and more. Individuals who have never worked remotely are being provided with laptops and told to work from home. For some organizations and individuals, this is unchartered territory. Telework Program Fundamentals: For many organizations, telework programs have been in practice for years – whether as part of the organization’s everyday work program or as a component of their business continuity plans. For those organizations, policies, educational programs, technologies, and support services for the remote workforce are well established. For organizations engaging in telework for the first time, defining expectations is a good starting point. First, create a telework policy that addresses the following: the scope of the telework program, roles and responsibilities, eligibility to telework (not all jobs can be performed remotely), work hours and paid time-off, the suitability of the alternate workplace and its related safety requirements, responsibility for equipment and supplies, operating costs and expenses, and requirements for physical and information security. Remote Access: In traditional virtual private networks (VPNs), individuals use VPN client software to establish a secure connection to an internal network. While still widely used, many remote users only require access to a set of web applications hosted within the organization’s network, not the entire internal network. IT departments should consider providing access to internal web applications via a portal where remote users can authenticate. Similarly, software-as-a-service (SaaS) applications hosted in the cloud and virtualized applications hosted on premise are often good options for limiting remote access to only what is necessary for that user. Organizations should scope VPN access accordingly to ensure the principle of least privilege is maintained. Regardless of which remote access method you offer, multi-factor authentication should be mandatory. Additionally, if remote devices are allowed to connect to your internal network, consider implementing a Network Access Control (NAC) solution to ensure only authorized devices are permitted to connect. Organization-Owned vs Personal Devices: Many SaaS and virtualized applications may be securely accessed by remote users through their personal devices if certain security controls are implemented. To reiterate, MFA should be mandatory for remote access to any application, network, or service your organization provides to teleworkers. In addition, organizations must implement controls to ensure sensitive files and information are not downloaded or stored on personal devices or personal cloud storage services. Sensitive data should only be stored on organizationally-controlled devices or authorized cloud storage services. Cloud service providers often offer conditional access controls to prevent the download of data to unauthorized devices. IT departments are advised to enforce these controls. For cloud services that do not provide the option to restrict the download of sensitive data, organizations are advised to implement a Cloud Access Security Broker (CASB) solution that provides these security controls. Device Security: Irrespective of whether a device is personally owned or organizationally owned, they are exposed to numerous risks when connecting to networks not controlled by the organization. Therefore, implementing strong security controls is paramount. This includes controls such as strong authentication, hardening the operating system, and applying the principle of least functionality to limit services, ports, and protocols to only those that are necessary. Protective technologies should be implemented, including anti-virus/anti-malware software, endpoint detection and response software, web content filtering software, host-based firewalls, device and file encryption, and the latest security patches. With a remote workforce, IT departments face a myriad of challenges in providing support, pushing security updates, and providing continuous monitoring and incident reporting and response services for remote devices and users. Additional best practices for cybersecurity can be found on the NJCCIC website at cyber.nj.gov.
Garden State Cyber Threat Highlight
Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Cyber Threat Actors Capitalize on Coronavirus
More social engineering campaigns have been publicized this week in which various cyber threat actors capitalize on the global concern over the novel coronavirus, COVID-19. Email and social media-based phishing scams referencing the virus attempt to convince recipients to open links or attachments to direct users to malicious websites or deliver malware, reveal sensitive information, or donate to fraudulent causes. Check Point researchers found that coronavirus-themed domains are 50 percent more likely to be malicious than other domains; over 4,000 coronavirus-related domains have been registered since January 2020. A malicious website purporting to be the live map for COVID-19 global cases run by Johns Hopkins University is circulating. This website infects site visitors with the information-stealing AZORult trojan. Researchers believe the website is being spread via infected email attachments, malvertisements, and social engineering. Over the last two weeks, malicious coronavirus-themed emails attempting to be delivered to State of New Jersey employees aimed to install malware or potentially unwanted programs (PUPs), or direct users to websites to steal user credentials. One phishing campaign included an .iso attachment that, when executed, delivers the GuLoader downloader, which downloads the LokiBot trojan. The NJCCIC recommends users remain vigilant and exercise caution with coronavirus-themed emails, posts, and links, ensuring to only use trusted sources – such as official government websites – for information on COVID-19. More information is provided in the CISA publication, “Defending Against COVID-19 Cyber Scams” and CISA Insights document “Risk Management for Novel Coronavirus (COVID-19).”
POSTPONED - Alice in Cyberspace 2020
In light of growing concern over COVID-19, the NJCCIC has made the decision to postpone the Alice in Cyberspace 2020 conference. While a new date has not yet been established, it will tentatively take place in Fall 2020. When a new date is confirmed, we will provide updates on our website and in the Weekly Bulletin.
Microsoft Exchange Vulnerability Actively Exploited
Threat actors, including advanced persistent threats (APTs), are actively exploiting a vulnerability, CVE-2020-0688, in Microsoft Exchange. Threat actors can send malformed requests to the Exchange control panel and run malicious code with SYSTEM privileges, giving the attackers full control of the server. At least three proof-of-concepts are on GitHub and a Metasploit module is also available. The NJCCIC recommends administrators of vulnerable Microsoft Exchange servers apply the patch as soon as possible after appropriate testing. Additional details on recent targeting and attacks can be found in the Volexity blog post.
Wormable Vulnerability Exists in SMBv3
A wormable remote code execution vulnerability exists in Server Message Block 3.1.1 (SMBv3) that could allow a remote, unauthenticated attacker to execute arbitrary code on an SMB Client or Server and take control of vulnerable systems. A patch is not yet available; however, Microsoft released an advisory to address the vulnerability. The advisory recommends disabling SMBv3 compression to prevent exploitation against SMBv3 Servers; this workaround does not prevent exploitation of SMB clients. Administrators may consider blocking TCP port 445 at the perimeter firewall to help protect systems behind the firewall from attempts to exploit the vulnerability. The NJCCIC recommends administrators apply the workaround provided by Microsoft, block TCP port 445 at the firewall if possible, and apply updates as soon as they become available.
SweynTooth Vulnerabilities Affecting Medical Devices
Security researchers discovered 12 vulnerabilities, dubbed SweynTooth, affecting the wireless communication technology known as Bluetooth Low Energy, which allows two devices to pair and exchange information while preserving battery life. The US Food and Drug Administration (FDA) informed patients, healthcare providers, and manufacturers that a threat actor could exploit the SweynTooth vulnerabilities on medical devices to crash the device, deadlock the device, or bypass security. So far, there are numerous medical device manufacturers affected by these vulnerabilities such as Texas Instruments, NXP, and Cypress; however, other manufacturers are assessing their devices, evaluating risk, and developing remediation plans. The NJCCIC advises manufacturers, healthcare providers and facility staff, and patients and caregivers follow the FDA recommendations and report any device issues via the MedWatch Voluntary Reporting Form.
AMD Processors Vulnerable to Side-Channel Attacks
Researchers behind Meltdown, Spectre, and ZombieLoad, discovered AMD CPUs could potentially be exploited to leak sensitive data from processors released between 2011 and 2019 via side-channel attacks. Dubbed the “Take A Way” method, the researchers were able to reverse-engineer AMD’s L1D cache way predictor to detect when the data was accessed by various processes. This information was then used to leak small pieces of data from the CPU in two new attacks, “Collide+Probe” and “Load+Reload.” At the time of this writing, AMD has not released new patches, claiming these “are not new speculation-based attacks.” The NJCCIC recommends users implement cybersecurity best practices including keeping systems up to date, following secure coding methodologies, installing the latest patches of critical libraries, and running updated anti-virus/anti-malware software. For technical details and more information, please review the AMD statement and the Graz University of Technology research paper.
US radio giant Entercom, owner of the Radio.com platform, reported a data breach occurring in August 2019 when an unauthorized party accessed database backup files containing Radio.com user credentials and personal information stored in third-party cloud hosting services. Since the breach, Entercom implemented password rotations, multi-factor authentication for cloud services, stronger password policies, and security training. Users are advised to change their passwords for Radio.com and for any other account using the same password, monitor their bank account activity and credit reports, and enroll in complimentary credit monitoring services.
Coronavirus Sparks Phishing, Disinformation, Tabletop Exercises, and Handwashing Comment: As the Coronavirus Disease 2019 spreads, threat actors will continue to capitalize on this international health crisis with phishing campaigns intending to download malware. Individuals —such as healthcare professionals, HR departments, shipping companies, and operators— are being targeted with emails referencing virus precautions, concerns, and updates in an effort to appear legitimate and convince users to open links or attachments. Since legitimate emails of this nature are expected to be communicated, it is important to pay careful attention to emails received, verifying the sender before taking any action. If there is a question to the legitimacy of an email, contact the sender via separate means of communication.
Cyber at a Glance
International Women’s Day: Awareness of Stalkerware, Monitoring, and Spyware Apps on the Rise Comment: Efforts are being made to reduce the excessive harm women experience as a result of stalkerware and other monitoring apps that allow access without consent to a user’s text messages, phone calls, cameras and microphones, files, search history, and GPS location. The ability to monitor individuals has been increasingly linked to cases of physical stalking, cyberstalking, and domestic violence, and this behavior disproportionately harms more women than men. Public awareness and training, device security, and information sharing are instrumental for better digital security and protection.
The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
We respect your right to privacy - click here to view our policy.