COVID-19: A biological hazard goes digital Examining the crisis within the crisis - Orange Cyberdefense
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
COVID-19: A biological hazard goes digital Examining the crisis within the crisis
2 Whitepaper: COVID-19: A biological hazard goes digital Table of contents 3
Table of Contents
Background: A global crisis....................................................................... 5
Summary of the findings............................................................................................................................. 6
If you only have five minutes....................................................................................................................... 7
Part I: Impact of the pandemic ................................................................. 9
Exacerbating factors................................................................................................................................. 10
Constant factors..........................................................................................................................................14
Mitigating factors....................................................................................................................................... 16
Part II: Responding to the cyber side of the crisis................................ 19
A proposed list of priorities...................................................................................................................... 21
What the future holds................................................................................................................................ 26
Part III: Analysis: what we have seen so far........................................... 29
Epidemiological Lab: Cyber-threats affilitaed with COVID-19 (OSINT source)............................... 35
Contributors & Sources............................................................................ 36
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital society
4 Whitepaper: COVID-19: A biological hazard goes digital Background 5
Charl van der Walt
Head of Security Research
Orange Cyberdefense
Background:
A global crisis
As the COVID-19 coronavirus pandemic continues to spread worldwide, cyber-
threat actors are trying to capitalize on the global health crisis by creating
malware or launching attacks with a COVID-19 theme. However, this kind of
exploitative behavior by the cybercrime ecosystem is only one part of a bigger
cybersecurity picture. Orange Cyberdefense is releasing this paper in order to
draw attention to a diverse set of facts that should be considered now.
As a global crisis, COVID-19 is having a significant impact on all aspects of
personal and corporate life, including cybersecurity. In this mood of fear,
uncertainty and doubt, there is an appropriately elevated level of threat
awareness, but also an exaggerated level of anxiety. In this context, the following
resource is our united effort as Orange Cyberdefense to share our knowledge,
insights and experience regarding what we think about cybersecurity in the heat
of this current COVID-19 crisis and in the post COVID-19 world that hopefully
isn’t too far away.
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital society
6 Whitepaper: COVID-19: A biological hazard goes digital Introduction 7
Summary of If you only have
findings five minutes…
The COVID-19 pandemic has changed your security
There are ten main themes we believe our customers
threat models in five important ways: es
should be considering:
You may have rushed to implement
Malware and phishing using COVID-19 as a pretext Your employees are more vulner-
1. 6. As more people work from home using poorly remote access systems without
able to social engineering and
is likely to escalate. We have also seen sophisticated designed and implemented remote access solutions, having the time to plan and execute
scams than normal.
instances of watering hole attacks using COVID-19 we anticipate that attacks against remote access as well as you’d like.
maps to drop exploits and malware. This report technologies, VPN gateways and poorly secured
describes several specific examples like this, and home and shared Wi-Fi access points will increase You have less control and visibility You, your team and your providers
the trend is likely to persist and escalate in different and contribute to serious compromises occurring. over the IT systems you protect may be operating with diminished
forms. than you’re used to. capacity.
7. The visibility of SIEM and security operations teams
2. There will be an uptick of general misinformation will become impaired as endpoints connect via the
campaigns distorting COVID-19-related facts to VPN or directly to the Internet and are therefore not Your users may be connecting
further diverse political agendas. Fact checking is subject to the same level of monitoring as when from systems and environments
essential. connected to the corporate LAN, thereby reducing the that are fundamentally insecure or
overall level of security a corporate can rely on. We poorly configured.
3. Positively, several ransomware crews have committed
also anticipate that CIRT and other Incident Response
to avoiding medical and research facilities from
their target lists. This is a welcomed reprieve but
capabilities will be impeded, contributing to greater Recommendations summary:
response delays and dwell times by attackers, or even
can’t be relied upon to have any substantial impact. If your security priorities in this context are not already clear to you, we propose that you focus on the fol-
a failure for attacks to be detected altogether.
‘Traditional’ threats like ransomware persist. lowing responses, in order of importance:e
8. During this time, more and more computing activity
4. In the meantime, we have seen targeted attacks
against medical organizations involved in researching,
will move to cloud, forcing security programs to ▪ Establish emergency response procedures and systems.
treating or otherwise responding to COVID-19,
consider local and cloud infrastructures in their ▪ Establish a security support hotline and prepare to expand the team providing support.
strategies.
especially in the western world, apparently to ▪ Review backup and Disaster Recovery (DR).
undermine the response to the pandemic. We 9. Most businesses are accelerating their move to ▪ Equip your users with the information they need to make good security decisions.
anticipate that this will continue as various state and online commerce, if they have not done so already,
hacktivist groups escalate their efforts especially in the retail sector. In the mad dash to
▪ Provide secure remote access.
go online, we expect there to be an accumulation ▪ Establish visibility over remote endpoints.
5. We assess that the impact of the pandemic in Iran will
of security debt as security is sacrificed in favor of
serve to inflame anti-US sentiment and that attacks to
subvert COVID-19 response efforts, cause suffering
speed-to-market. Remaining rational during the crisis
and even death will be viewed as a proportional 10. As more and more people work from home, we Advice is cheap in time of crisis. But every business is different, and we won’t pretend to know how individual
response within Iran’s conflict with the US, who is anticipate that corporate and crucial shared Internet businesses should respond to their particular security threat at this time. We would however offer the following high-
viewed as inflaming the situation via unreasonable infrastructure will be put under enormous strain. level guidelines to businesses who are evaluating the security threat and considering their response to the threat at
sanctions. Among other hacker groups targeting Performance will likely degrade, and even fail in some this time:
the pharmaceutical industry, state-backed Chinese instances. For most organizations, the IT function and
1. Understand that we are experiencing a state of heightened threat, but only slightly increased vulnerability. We
operators seem the most active and dangerous for BCP has become significantly more strategic.
cannot control the threat, but we can control the vulnerability, so let’s focus on that.
the sector. Considering this, we anticipate that state-
supported attacks will continue as the pandemic 2. Understand what has changed and what hasn’t. Your business’s threat model may be very different today than
spreads. it was yesterday, but it may also not be. If it hasn’t changed, then your strategy and operations don’t have to
either.
3. Form partnerships but avoid mobs. Your suppliers, service provider and even competitors are all in the same
boat, never more so than now. They may not have all the answers either, but now is the time to reach out and
find partners that have balanced and rational views and avoid communities that are promulgating hype and
hysteria.
4. Maintain context. IT and the Internet have survived for twenty years despite our various security failures. There
is no doubt that the situation today is worrying, and that the risk of a fundamental cybersecurity crisis in our
lifetime is real and can’t be ignored. However, right now, the crisis is medical and human. Don’t let the hype
about cybersecurity distract you from that.
5. Work smart, not hard. You will be able to achieve very little during this time of diminished capability, so spend
time and energy on considering what your primary concerns are and focusing on those.
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital society
8 Whitepaper: COVID-19: A biological hazard goes digital Part I: Recommendations 9
Part I:
Impact
of the pandemic
Many fundamental security realities are not really changed by the pandemic.
However, some critical challenges, particularly those concerning our own ability
to monitor and respond to threats and vulnerabilities, have become considerably
more difficult. On the other hand, we should note that the attacker is also human
and that attacker behaviors may also shift due to the impact of the virus, perhaps
even reducing the level of threat at this time.
How do we assess how our current level of threat is impacted by the COVID-19
pandemic?
In this section of the paper, we attempt to describe and summarize the impact
that the COVID-19 pandemic is having on the cyber threat model.
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital society
10 Whitepaper: COVID-19: A biological hazard goes digital Part I: Recommendations 11
According to report by Europol, factors that prompt We anticipate an escalation in attacks against VPN
changes in crime and terrorism include2: gateways and other remote access infrastructure as
newly implemented solutions may not be as secure
▪ High demand for certain goods, protective gear and
as they should be. Poorly secured home broadband
pharmaceutical products.
routers and shared Wi-Fi access points could also lead
▪ Decreased mobility and flow of people across and to additional attacks and compromise. There is also the
into the EU. potential for insecure personal devices being used to
▪ Citizens remain at home and are increasingly remotely connect to the corporate network, which may
indeed already be infected, potentially giving threat actors
teleworking, relying on digital solutions.
a foothold. This situation is exacerbated by a substantial
▪ Limitations to public life will make some criminal decrease in the level of visibility SIEM and SOC
activities less visible and displace them to home or operations have over user endpoints, and a still-prevalent
online settings. generation of endpoint security solutions are that not yet
Exacerbating Mitigating
factors factors ▪ Increased anxiety and fear that may create adapted to counter contemporary threats.
vulnerability to exploitation.
▪ Decreased supply of certain illicit goods in the EU. Increased use of mobile
Criminals are of course poised to take advantage of
and personal mobile devices
people’s weaknesses at this time. Mobile has been a challenging problem for the security
industry for some time. Devices are difficult to manage
el
With millions of citizens across the globe in total or partial via conventional security tools, don’t lend themselves
od
lockdown, there is a desperate desire worldwide for news well to the deployment of agents, and are frequently not
Constant
tM
factors and information on the pandemic and a generalised under the direct control of the enterprise. At the same
ea sense of fear and urgency. Attackers are presented time, direct (including exploits and malware) and indirect
hr
T with the perfect lure for all manner of attacks, including attacks (including malicious applications, phishing and
ging phishing, Business Email Compromise (BEC), watering smishing) have been increasing steadily and are a serious
er consideration for any security strategy. We should
Em holes and other scams. We should anticipate both an
anticipate that remote workers will be making more use
increase in the volume of social engineering attacks and
our users’ vulnerability to falling for such attacks. than ever of personal and corporate mobiles to access
both personal and professional data and systems online.
Exacerbating People should be acting more cautiously at this time, but
the truth is they will probably do the opposite. Homeworking makes
personal equipment vulnerable
We have addressed the risks of malware and malicious
mobile applications elsewhere in this report , but patch
factors This riskier behavior, along with a generally heightened
appetite for information and news updates, makes people
more vulnerable to social engineering and scams of every
In an attempt to slow the spread of the virus, many
organizations who normally would not encourage their
management for mobile devices is also likely to become
a problem during the crisis. As the 2018 data from our
Security Research Center in 2018 shows, it can take up
kind. staff working from home have now been forced to hastily to three months for just 40% of the Android installed base
Like so many other things in this crisis, some of the to adopt a new version of the operating system. Due to
implement homeworking policies and remote access
elements facing IT security practitioners are, if not wholly People are furthermore generally psychologically Apple’s walled-garden approach, iOS devices fare much
infrastructure.
‘unprecedented’, certainly very much worse than we’ve predisposed to prioritize short-term acute risks over long- better. However between 5% and 20% of users across
ever seen before. Several attributes of the pandemic are term vague risks, so they will be inclined to open a Word This introduces several additional risks, including: both platforms will never deploy important security
aggravating the cybersecurity situation. We will discuss document promising a coronavirus vaccine even if they patches.
these in detail in the section below. know it’s possibly malicious. ▪ An increased dependence on ‘virtual’
communications like email, social media, video
But human psychology during a crisis could be bad for conferencing, calls and texts, rendering users more As the crisis drives users to depend more than ever on
Increased vulnerability to coercion security in other ways also. vulnerable to social engineering attacks and less able corporate and personal mobile platforms to access data
to validate communications face-to-face. and services, the pre-existing challenges we faced with
The users we protect are more vulnerable to coercion at According to an article in Psychology Today1, it is securing the mobile ecosystem are aggravated. Some
this time. For most workers, the daily routine has been understood that people may in fact engage in more risky
▪ Boredom and social isolation leading to lowered
threats, like phishing, are addressed by existing solutions.
abruptly interrupted, especially for those with school-age vigilance and a heightened willingness to make riskier
behavior, such as drinking and smoking to help them Others, however, like mobile malware, malicious
children or who provide care for older relatives. decisions.
deal with their anxiety. The principle may apply equally applications and mobile operating system patching,
Psychology suggests that at a time of crisis and
to people opting to take risks with their cyber hygiene to ▪ An increased dependency on home IT and personal continue to challenge us and are increasing as a result of
help them cope with their anxiety about the pandemic. devices with unknown configurations and risk the crisis.
exaggerated anxiety, people may reduce their vigilance
profiles.
and increase their appetite for other risk-taking behaviors. Other elements are further elevating the risk level.
▪ An increased use of poorly patched and
misconfigured home Wi-Fi routers, which are also
increasingly being targeted by attackers.
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital society
12 Whitepaper: COVID-19: A biological hazard goes digital Part I: Recommendations 13
Organizations have reduced capacity The supply chain is also Internet and cloud migration attempts across the Mediterranean.
to perform security operations at an increased level of risk infrastructure are strained China:
The current security risk is further exacerbated by a Supply chain threats have already been a growing factor This is an unprecedented time for the Internet, with our
Our OSINT Unit also offers the following insights specific
reduction in capacity and operational agility within in corporate risk models for several years. Indeed, for previous architectural paradigms being blown out of the
to Chinese state-sponsored hacking:
corporate blue teams: many businesses, there is a direct correlation between water as businesses and their providers move en masse
suppliers’ level of security and their own, as recent to accommodate their entire workforce connecting
▪ A reduced level of care and vigilance by corporate
incidents like the notPetya malware campaign have remotely overnight.
Our hypothesis is that APT41 is the most active and
blue teams as they are personally distracted by the dangerous hacker group at this time (March 30, 2020),
illustrated. and that in the context of the COVID-19 outbreak, will
crisis, struggle to focus and indeed even fall ill.
With the increase in people working from home, it is resume espionage activities once the quarantine is
▪ A reduced ability to patch and harden corporate Earlier in 2020 the U.S. Department of Homeland Security
anticipated that there will also be a substantial strain over in China. We assess that patents and proprietary
computers that are not connecting to the company reported, that biopharmaceutical companies were among
put on crucial shared Internet infrastructure. This could information used to manufacture vaccines and quick
LAN. ten industries strategically targeted by Chinese hackers
result in critical infrastructure and services such as DNS, detection tests are at a high risk of being targeted.
to steal trade secrets, and that hackers were actively
▪ A reduced ability to deploy engineers onsite to
exploiting relationships between IT service providers
Microsoft Office 365, Zoom and WebEx, and other
conduct monitoring and patching of systems that are service providers, experiencing performance degradation Another hypothesis revolves around ideologically
and their pharmaceutical customers to affect successful motivated efforts to discredit the pharmaceutical sector,
not remotely accessible. or potential failure which could impact business
compromises3. through “cyber-hacktivism”. Anger generated by various
continuity.
▪ Rapidly deployed and poorly secured VPN and conspiracy theories regarding the search for treatment
remote access solutions, which are also being Supply chain compromise tactics have also been
for COVID-19 could lead hacktivists to launch denial of
characteristic of APT41’s most recent espionage
specifically targeted by attackers.
campaigns. The Chinese group is believed to have
The IT supply chain is under strain service attacks.
▪ A substantial decrease in the level of visibility SIEM access to production environments to inject malicious Everyone is affected by a crisis as insidious as the one The pharmaceutical and healthcare industries are
and SOC have over user endpoints, with users no code into legitimate files, which are later distributed to we are facing today. This includes the hardware, software difficult sectors to protect. Several threats could pose
longer connected to the corporate LAN. Even when victim organizations. and service providers your business depends upon for its risks, threatening data protection: high number of M&A
using VPNs, common configurations (e.g. split
own IT operations, including its ability to respond to the activities, machine learning and artificial intelligence,
tunneling) allow Internet access without the usual It’s not only Chinese hackers that target the supply chain. cyber-threats exacerbated by the crisis. numerous partner industries, but also threats from within
controls present when connecting from the office. The FBI also published a Private Industry Notification
the company (e.g. supply chain attacks).
▪ A rapid adoption of cloud-based solutions will create on March 30, warning of malware campaign named
As businesses across the globe in all sectors are
even more blind-spots as users need to access the Kwampirs - loosely linked with Iranian state-backed In the case of successful cyber-attack , the
hackers - that specifically targets the healthcare sector. impacted in diverse ways, their supply chains will also
corporate network less and less. Attack detection operate at reduced capacity. We can expect hardware consequences can be disastrous for the company. Data
in the cloud is a challenging endeavor, leaving blue Kwampirs is also believed to move laterally through the theft or espionage can lead to replication of clinical trials,
supply chain4. and software supply, support, professional services,
teams with little choice but to focus on endpoint assurance, compliance, incident response, forensics considerable financial loss, litigation and even dangerous
monitoring. and law enforcement all to be impacted negatively, consequences for patient health: downtime, spillage of
At this time of elevated risks, businesses must worry hazardous materials, production of ineffective or toxic
▪ A reduced ability to respond to suspected attacks
about the security of their suppliers and partners as
thus further reducing a business’ ability to deal with an
drugs and more7.
and compromises, enforce endpoint isolation escalated cyber-threat level.
and perform forensics. This could lead to greater much as their own. As in our response to the COVID-19
response delays and greater dwell times for pandemic, we’re directly dependent on one another to We anticipate that politically motivated attacks by state-
attackers, or even a failure for attacks to be detected bring cybersecurity threats under control. Geopolitical tensions are elevated supported actors against systems associated with
altogether. COVID-19 is a crisis of unprecedented scale, and it’s COVID-19 response efforts will continue apace with
various nation state attackers and hacktivists ramping
▪ A reduced capacity to communicate and coordinate Reliance on insecure fair to say the entire world is at war. While such crises
up their efforts. Indeed, we believe that the impact of
have the remarkable effect of drawing people together,
in the face of a cybersecurity crisis like Wannacry or IoT and OT will increase such times can also sadly sharpen and escalate existing the pandemic in Iran will inflame anti-US sentiment, with
notPetya. attacks to subvert COVID-19 response efforts, cause
Significant concerns about the security and privacy of conflicts over resources and ideology.
suffering and even death. Among other hacker groups
various IoT, OT and automation technologies (e.g. self-
Many IT teams have scrambled to cater for the sudden Iran and the Middle East: targeting the pharmaceutical industry, Chinese actors are
driving cars, and cleaning robots) have been expressed
wholescale migration to a work-from-home paradigm also active and dangerous for the sector.
frequently elsewhere.
and now need to continue operating through the crisis We assess that the impact of the pandemic in Iran will
to ensure protection, detection and response for critical serve to inflame anti-US sentiment and that attacks to
IT infrastructure, despite being themselves victims of As human-to-human contact becomes less frequent and subvert COVID-19 response efforts, cause suffering and
the pandemic. We can anticipate some leeway from workers of all kinds are encouraged to stay away from even death will be viewed as a proportional response
cybercrime ecosystems as they too are impacted by the public places, we anticipate that a reliance on robotics, within Iran’s conflict with the US, who is viewed as
crisis, but our observations to date suggest there won’t automated vehicles and other IoT and OT technologies inflaming the situation via unreasonable sanctions5.
be much. This leaves corporate IT significantly more will develop faster than previously thought. This is not in
vulnerable. itself a threat but exacerbates existing concerns about Furthermore, various ongoing regional conflicts, such as
the security of such technologies. those in Syria, Yemen, Libya, and Iraq may deteriorate
even further, with the BBC reporting that COVID-19
may be a ticking time bomb for the region as a whole6.
Further collapse of regimes may result in an escalation of
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital society
14 Whitepaper: COVID-19: A biological hazard goes digital Part I: Recommendations 15
Constant factors We should note however that the “security flaws in Citrix,
Cisco, and Zoho appliances and devices” predate the
pandemic, are well understood and should have been
A recent Reuters report also assessed that the financial
value of health data can be as much as ten times that of a
credit card number.11
Given the strong links between the commercial world and
the scientific world, large laboratories are often accused
of conflicts of interest. As a result, this sector has been
remediated long before the pandemic broke out. targeted by whistle-blowers and cyber-hacktivists.
Many dreadful elements of today’s crisis are completely There are three reasons for the interest by hacker
beyond any prior experience for our generation. However, Even less obvious issues, like the risks posed by groups in the pharmaceutical industry: firstly, there is a
The threat model that healthcare services need to
as much as criminals and other hackers are exploiting remote working via untrusted or poorly configured Wi-Fi profusion of intellectual property. Secondly, the sensitivity
consider and address during the COVID-19 crisis are not
the strain that people and systems are under at this time, access points, have been well understood by us and of patient data attracts potential hackers. Thirdly, the
actually new. Given the value of the data and systems
there is much about the current cybersecurity situation are discussed extensively in the industry. This article by pharmaceutical sector is a controversial sector: it mixes
that hospitals and similar organizations use, attacks and
that is fundamentally not different from what we’ve faced journalist Geoff White describes a paper our Security public health issues and commercial logic.
compromises against them were already commonplace.
in our previous reality. As this is the baseline assumption Research Center delivered on the subject and illustrates
we should operate from, we will only highlight a small this point: “The problem is, the Wi-Fi hotspot provider
number of these previous realities here. doesn’t just temporarily receive your machine’s Internet
traffic – it can potentially manipulate it as well, and that
Number of reported data breaches
Reported databreaches in the USA
Social engineering has can cause some serious security headaches.”9
359 365
always exploited current events The security vulnerabilities, whether technical or 327
As the COVID-19 pandemic spreads globally, so too have procedural, though they may be targeted more 314
phishing and malware campaigns looking to play on aggressively now, are generally well known and 278 269
people’s fears and hunger information. These campaigns understood by us and generally well within our abilities
have been detected using legitimate online maps tracking to remediate.
the spread of the virus, fake mobile applications, and 217
targeted email subjects and attachments as lures in 200 199
phishing emails. The notion of using current events to Humans have always been vulnerable
capture victim attention or gain their interest and trust The social engineering lure presented by the COVID-19
is as old as Internet security itself. So are the required crisis is only half of the problem. As we argued earlier,
responses. the other half of the problem is that humans are
fundamentally predisposed to fall for these kinds of
Generalised anxiety over the pandemic, combined with scams, even under the most ‘normal’ of circumstances.
people’s increased need for information and vulnerability
to coercion make the attacker’s exploitation of the 18
As much as the current situation appears to favor the
COVID-19 theme particularly insidious. However, these attacker, we should also note that the fundamental
threats are not in themselves, fundamentally new and do psychological biases that social engineering depends 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018
not present us with any new challenges. Indeed, beyond on are fundamentally baked into the human condition.
reasoned messaging to our users to educate them This is perhaps bad news in that we’ve done poorly at Source: https://www.hipaajournal.com/healthcare-data-breach-statistics/
appropriately, we would advise customers not to get addressing these vulnerabilities even under ‘normal’
caught up in daily hysteria on the subject and concentrate circumstances. But it’s also good news in that this isn’t
on strategically countering the human crisis we face. a new mountain to climb It’s a mountain we’re already
Health services have Ransomware attacks against healthcare providers
have also been increasing over the past decade. Many
halfway up. a poor track record with security healthcare providers migrated from paper-based
Hackers gonna hack In a 2019 paper published by Orange Cyberdefense processes to electronic medical record solutions without
adequate cybersecurity controls, making them juicy
An article on Bleeping Computer describes an escalation Medical data has always we reported that “the number of health data exposed
targets for either intentional attacks or as collateral
increased by 73.6% with a total of 3,452,442 healthcare
in Chinese APT41 activity, correlating with the outbreak been valuable to cyber-criminals records stolen”.12 damage from drive-by ransomware campaigns. The most
of the coronavirus: “The Chinese state-sponsored group infamous example being the devastating incident with the
APT41 has been at the helm of a range of attacks that Targeted cyber-attacks against various industries have NHS in the UK.13
The healthcare sector, like any other sector, is undergoing
used recent exploits to target security flaws in Citrix, become increasingly common in recent years. The
massive digitalization to increase accessibility and
Cisco, and Zoho appliances and devices of entities from healthcare sector is no exception. In 2015, this reached
increase information sharing for better patient care. The While there is anecdotal evidence that activity by various
a multitude of industry sectors spanning the globe. It is its peak, especially affecting United States based
side effect of this is an increase in the attack surface. actors, including state-sponsored groups, is accelerating
not known if the campaign that started in January 2020 healthcare companies, with more than 113.27 million
Security knowledge and awareness, as well as budget, currently, the reality is that healthcare-related industries
was designed to take advantage of companies having to records being exposed.
are often in short supply. have been highly targeted for a long time before this
focus on setting up everything needed by their remote
In a report released by Orange Cyberdefense in 2019, current crisis. Our 2019 study on the subject shows that
workers while in COVID-19 lockdown or quarantine but, Data is not the only concern either. Medical devices, such
researchers concluded that “Health data is more medical records have a higher value than other PII on
as FireEye researchers found, the attacks are definitely of as heart rate monitors or insulin pumps, were designed
attractive to an attacker because it brings more value the black market, and of course medical services have
a targeted nature.”8 to serve a medical purpose. Yet security is often not
due to its multitude of information, e.g. financial data, PII, been targeted due to the valuable intellectual property
considered. The devices themselves might not have data they hold, and because frankly they have proven to be
As the article suggests, there seems little doubt that medical history” and that “stolen health data is sold for a
storage capabilities, but they still provide an entry point to a soft target for even the simplest attack vectors, like
threat actors of every kind will seek to leverage this crisis higher price per record on online markets in comparison
servers and other network devices that do store sensitive ransomware.
to their advantage. to other stolen data such as financial data.”10
data and are often critical to the operation of a medical
facility.
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital society
16 Whitepaper: COVID-19: A biological hazard goes digital 17
Mitigating The security community is rallying
“Hell hath no fury like the cybersecurity community
BBC reporter Joe Tidy has created a web application,
in conjunction with a number of corporate sponsors, to
track corona-related phishing emails. The site can be
(Un)funny as it may be, there is some reassurance in
the reality that most established IT security product,
support and services businesses have well-established
factors during a pandemic.”14
As is so often the case during real human crises, good
found at https:// coronavirusphishing.com/.
The ThreatCoalition is another such global volunteer
remote working structures and infrastructures. IT security
support and service providers worldwide have thus far
retained a high level of capability and can be expected to
people of the world are rallying together to offer their skills initiative focused on creating and sharing COVID-19 continue to adapt to new constraints, even as the crisis
It’s hard to see any silver lining in this cloud, but there are and resources. The same is true in cybersecurity, and related threat intelligence.16 unfolds.
some elements of this crisis that may play to our favor several notable efforts to develop and apply community-
and help to mitigate the cybersecurity risks we are likely driven initiatives are already emerging. We were already working from home
to face. We know how to fix this
CV19 – “one newly formed group of information security A common ‘joke’ in the cybersecurity technical
professionals, including company CISOs, penetration As should hopefully be clear if you’ve read this far
Attackers are people too community is that blue teamers and red teamers alike
testers, security researchers, and more, have vowed to in our report, there are no technical elements of the
were already socially isolated, living alone and never
do all they can to help provide cybersecurity support to current coronavirus cyber-threat landscape that are
While it is too early in the crisis to comment definitively on going out, even before self-isolation and lockdown
healthcare services across the UK and Europe.”15 fundamentally new.
this, it would seem safe to assume that criminal hackers, became the new normal.
scammers, hacktivists and state operators will all be
According to the Forbes article above, the five working At Orange Cyberdefense, for example, we threw the Even as conditions become more trying and appear to
impacted by this crisis, just like the rest of us.
principles of this initiative are: switch on working from home and closed our offices favor the attacker more than the defender, every single
1. Be honest and supportive worldwide almost overnight, with virtually no impact on technical weakness we need to counter has been seen
Offensive security operators, just like their defensive operations. While some elements of our business (like before, studied and addressed. We know how to solve
2. Always act with integrity sales or onsite technical support) will undoubtedly suffer, these problems. The challenge remaining to us now is
counterparts, are people with budgets and bosses.
They fall ill like the rest of us, have families they care 3. Be kind and respectful to other volunteers the rest of our operations have proceeded with barely a to think clearly, act strategically and work efficiently to
about and need to earn money to live. They need speedbump (apart from some conference call fatigue, address those problems that matter most using the few
4. Be flexible and collaborative perhaps).
supplies, equipment and resources to operate. Some resources still available to us.
even have ethics and moral codes. Although we have 5. Trust and use everyone’s expertise
seen early evidence of an escalation in both criminal and
state-supported activity, it would be reasonable to expect This kind of noble and altruistic thinking is exactly what
that attacker capabilities will also be diminished at this the world needs right now, and may help us turn the tide
time and may decrease even more as the full impact of on cybercrime.
the pandemic hits us and normal life is disrupted further.
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital society
18 Whitepaper: COVID-19: A biological hazard goes digital Part II: Responding to the cyber part of the crisis 19
Part II:
Responding to
the cyber side
of the crisis
In light of the threats and concerns raised above, we offer the following guidance
to businesses and professionals considering the cyber element of what might be
the most serious threat to global well-being since the second world war.
Just like the virus itself, there is a real and frightening risk to cybersecurity.
The consequences are not unavoidable, however, and the impact won't be
irrecoverable. Consider your cyber response strategy in this light and keep your
wits about you.
The world is currently overwhelmed with fear, uncertainty and doubt – emotions
that the security industry has been sadly vulnerable to and shamefully guilty of
exploiting.
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital society20 Whitepaper: COVID-19: A biological hazard goes digital Part II: Responding to the cyber part of the crisis 21
Don’t panic Talk sense to your people Prioritize The things that have not changed
The world is in panic right now over several real and As we discussed earlier in this paper, one area of As we’ve argued previously, we want to focus our As much as we are living through an unprecedented time
imminent threats. Let’s not make it worse by creating exaggerated threat has to do with people’s increased strained resources on elements of the threat that are in recent human history, there is really very little about the
unnecessary panic over cyber-threats also. Our level of vulnerability to social engineering, and attackers’ of most concern to us right now. Determining what the current threat landscape that is fundamentally new. As
guidelines for remaining rational in the crisis are as increased exploitation of the context to conduct social ‘important threats’ are is, however, very difficult. Indeed, such, our priorities from a cyber point of view don’t need
follows: engineering attacks. Remind your employees and it’s a challenge that we’ve spoken and written about to divert too much from what they were before the crisis:
IT teams to remain vigilant, provide them accurate extensively in the recent past. It’s our assessment that Phishing, spear-phishing, Business Email
1. Understand that we are experiencing a state of 1.
information and gentle guidance using examples. the cyber-threat landscape (even without an exacerbating Compromise (BEC) and other forms of social
heightened threat, but only slightly increased
global crisis) is too complex and fluid to reduce to simple engineering attack are nothing new. Neither is the
vulnerability. We cannot control the threat, but we However, to a team dealing with a global health crisis, lists or cheat sheets. At the risk of falling into that trap, we
can control the vulnerability, so let’s focus on that. reality that our users are fundamentally predisposed
the threat of not receiving essential communications suggest thinking about priorities during this crisis in terms to fall for these kinds of attacks. Our response to
2. Understand what has changed and what hasn’t. may be bigger than the threat of receiving malicious of two realities – the things that have changed, and the these attack vectors has not changed, despite the
Your business’s threat model may be very different communications. Consider this carefully when things that haven’t changed. elevated threat level.
today than it was yesterday, but it may also not be. If communicating with staff about emerging cyber-threats
it hasn’t changed, then your strategy and operations and their relative importance. The things that have changed 2. Attacks against cloud-based interfaces, remote
don’t have to either. access systems and VPN gateways have been
As should be clear from reading this paper, we assess escalating for some time now. Indeed, for this reason,
3. Form partnerships but avoid mobs. Your suppliers, Check on your suppliers that only a small aspect of the cyber-threat landscape a recent campaign by Chinese hacker group APT41
service provider and even competitors are all in has substantially changed as a result of the pandemic.
For many businesses, there is a direct correlation exploiting these techniques cannot definitively be
the same boat, never more so than now. They may We believe these are:
between suppliers’ level of security and their own, as linked to the crisis, despite the coincidental timing.
not have all the answers either, but now is the time
recent incidents like the notPetya malware campaign 1. Your people are more vulnerable to social The security weaknesses APT41 is exploiting, though
to reach out and find partners that have balanced
have illustrated. At this time of elevated risk, businesses engineering and scams than normal. perhaps more acute, are well understood and
and rational views and avoid communities that are
have to worry about the security of their suppliers and relatively simple to remediate.
promulgating hype and hysteria. 2. You have less control and visibility over the IT
partners as much as their own. As in our response to the 3. Remote working and facilitating secure remote
4. Maintain context. IT and the Internet have survived COVID-19 epidemic, we’re directly dependent on one systems you protect than you’re used to.
access for mobile workers is a very well understood
for twenty years despite our various security failures. another to bring cybersecurity threats under control. 3. Your users may be connecting from systems and problem and there are several technologies and
There is no doubt that the situation today is worrying, environments that are fundamentally insecure or approaches in our toolbox, suitable for almost any
and that the risk of a fundamental cybersecurity crisis Security and risk teams should consider opening and possibly just poorly configured. budget and level of technical sophistication.
in our lifetime is real and can’t be ignored. However, maintaining channels of communication with suppliers,
right now, the crisis is medical and human. Don’t let providers, consultants and partners who may have 4. You have rushed to implement remote access 4. The modern workforce has been mobile for two
the hype about cybersecurity distract you from that. access to sensitive systems and data. Discuss their systems without having the time to plan and execute decades now, and vendors and IT teams can offer
responses to the elevated threat levels at this time and as well as you’d like. several methods for monitoring, maintaining and
5. Work smart, not hard. You will be able to achieve
ensure that that they remain appropriate and in line with 5. You, your team and your providers may be operating managing remote endpoints. Even more complex
very little during this time of diminished capability,
your own. with diminished capacity. requirements, like remote isolation and triage, are
so spend time and energy on considering what your
easily met, even without a huge budget.
primary concerns are and focusing on those.
Stay in touch with your partners
Take the time to improve Service providers like Orange Cyberdefense are doing
everything in their means to remain ready and available
This is not a black-and-white scenario. If there are
elements of your infrastructure or processes that
to support clients. As we’ve discussed already, IT service Our proposed list of priorities
providers are generally well prepared to offer remote
we’re not ready when this crisis broke, there is time Proceeding from the breakdown we’ve modelled above; we would propose the following general set of priorities that
support and should by and large have resources available
now to review and improve them. Home computing businesses should be considering in light of the current threat landscape.
even as the crisis escalates. Not only is there a business
resources and remote access solutions can be improved
driver for service providers to retain and make capability
incrementally. Just as with our response to the pandemic: If your own security priorities are not already clear to you, we propose that you focus on the following responses, in
available, but many of them are also responding
every victory counts. order of importance:
altruistically to this crisis, helping where they can, when
they can. 1. Establish emergency response procedures and systems.
Hope for the best, plan for the worst There are also various government support initiatives (like 2. Establish a security support hotline.
It is possible things could get worse. As soon as time the NCSC in the UK) and community initiatives (like CV- 3. Review backup and Disaster Recovery (DR).
allows, invest some effort in considering your corporate 19, which we discussed before) that can offer guidance,
4. Equip your users with the information they need to make good decisions.
response in the event of a compromise or breach. advice and even direct support when required.17
Phishing, credential stuffing, compromise of remote 5. Provide secure remote access.
access systems, DDoS, ransomware and other extortion Reach out, maintain communications and stay in touch.
Our team and others have information, intelligence and 6. Establish visibility over remote endpoints.
attacks are of specific concern now. There are no single
or simple formulae for response, but getting the people, other resources available that can greatly assist you if the 7. Consider malicious mobile applications.
systems and processes in place to respond quickly and worst should happen, or to reduce the likelihood that it
does… 8. Consider patching and hardening of remote endpoints, including mobile.
safely to an incident is essential.
9. Review your insurance.
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital society22 Whitepaper: COVID-19: A biological hazard goes digital 23
Establish emergency Review backup and DR
response procedures and systems Two real threats even before the crisis, which have
Given everything that we’ve discussed, we need to arguably escalated due to the pandemic, are ransomware
assume that attacks will happen during this time and and Denial of Service.
that successful compromises are more likely than usual.
Take some time to review the state of your backups
Under this assumption, planning and preparation are
and the readiness of your data and Disaster Recovery 3. Implement multi-factor authentication. We would With users now working remotely on a large scale,
essential.
processes. argue that, for most businesses, authentication is enterprises without a robust endpoint detection and
Take some time to facilitate a planning session with key going to be a higher priority than confidentiality protection or response capabilities may find themselves
In this process, you need to think about home workers
IT and security role-players to consider your response right now. Review all your remote access systems flying blind through the eye of a crisis. Though endpoint
and the data they may be working with locally. If you don’t
capabilities in the event of a suspected compromise or (including web interfaces, VPN and remote access visibility is not something that should be rushed into,
already have a suitable backup system for remote users,
breach. Areas to consider here include: gateways) and consider how strong authentication businesses without any endpoint capabilities should be
then readily available public cloud solutions like Google
might be implemented. At this point, the form of the considering their options at this time.
▪ How would you detect a breach? What indicators Cloud, Dropbox and Microsoft OneDrive may present a
second factor is less important than having a second
might be available to you beyond the conventional, viable alternative under the circumstances. The two obvious routes to take for most endpoint
factor at all, so SMS and email-based systems are
e.g. reports from users or external service providers? configurations are:
also an option. Given a choice, however, a full push-
▪ Who needs to be informed and involved if there is a Equip your users with the information to-mobile solution – as is available from Okta, Duo, 1. Microsoft Sysmon: Microsoft's own free System
crisis? Google and Microsoft – is going to be the best option
they need to make good decisions in terms of usability, security and perhaps even ease
Monitor (Sysmon) is a Windows system service
▪ How might a response team communicate and
Users will more than ever form your first line of defense at of deployment.
and device driver that, once installed on a system,
collaborate, even under a worse-case scenario where remains resident across system reboots to monitor
trusted systems may be impacted? this time. The better educated and equipped they are to 4. Clarify and communicate smart password policies. and log system activity to the Windows event log.
recognize and counter cyber-threats, the better it will be We emphasize again that currently, attacks against It provides detailed information about process
▪ How would you communicate with other for your overall security posture. remote access technologies by using compromised creations, network connections, and changes to file
stakeholders like users, regulators, customers, board creation time. By collecting the events it generates
password is one of the key threats. If you’re not able
members and shareholders? Our studies of the psychology of social engineering using Windows Event Collection or SIEM agents
to implement strong Multi-Factor Authentication
suggest that your goal should be to equip and educate
▪ Are you in a position to isolate an endpoint or server,
users, rather than scare or punish them. Frequent
(MFA), then consider what you can do to ensure and subsequently analyzing them, you can identify
whether remotely or onsite? users make strong password choices at this time. malicious or anomalous activity and understand how
examples of attacks and reminders of how to respond intruders and malware operate on your network.
Specifically, users should be encouraged to:
▪ Do you have access to a capable incident response will be more useful than policies and testing at this time. Sysmon is relatively safe and easy to deploy,
team, whether in-house or via a partner? Vigilance regarding malicious mobile applications and ▪ Change their password (but not again until the crisis supports most contemporary Windows versions and
COVID-19 tracking sites should also be included here. is over),
▪ Do you have effective backup and Disaster Recovery
Providing users with rich and ready locations for useful ▪ Chose a password that they have definitely not used there are numerous commercial and open source
plan in place? When last was it tested? Could it be projects that offer configuration, management,
information and discussion on the developing crisis will elsewhere, and
collection and reporting support. See the MS-
tested now?
also reduce their desire to look elsewhere. ▪ Choose a passphrase that is long but easy to documentation for a starting point.18
▪ Do you have a policy position on ransomware and remember, rather than short and complex.
extortion? If you believe you would pay a ransom, do 2. Commercial EDPR: Several vendors offer reputable
Provide secure remote access 5. Manage your security devices. As discussed
you have the funds and systems available to do so? Endpoint Detection, Protection and Response
earlier, current campaigns like APT41 are actively
You should also consider your negotiating strategy products, including Crowdstrike, Cybereason,
Secure and reliable remote access to the Internet and targeting specific corporate systems like Citrix
and appoint a negotiating team ahead of time. Cylance, Palo Alto TRAPS and others. Many of
corporate systems appears to be the biggest challenge Application Delivery Controller (NetScaler ADC)
these solutions are highly reliable, proven effective
▪ Do you understand your regulatory requirements, facing our customers right now. The best solution to and Citrix Gateway (NetScaler Gateway) servers,
and easy to deploy and manage. Some also offer a
for example with regards to the UK ICO, and are you this challenge will vary dramatically from customer to Zoho ManageEngine Desktop Central and Cisco
variety of ‘isolation’ features that allow one to take
prepared to follow them in the event of breach? customer, but the following principles should serve to RV320 and RV325 routers. Unpatched Pulse VPN
an endpoint partially offline while incident triage and
guide the design of any remote access architecture: servers are another popular target. These attacks are
forensics can be performed.
remarkable because they exploit known and patched
Establish a security support hotline 1. Clearly understand your threat model. We would
vulnerabilities and even use free or commercial
assert at this time that the primary challenge is Aside from these obvious solutions, other options exist to
Your users are feeling highly anxious right now and cyber- hacking tools. In other words – they are real, but they
to provide appropriate authentication and access achieve the same ends. For example, VPN agents can be
threats are certainly adding to anxiety levels. are not difficult to fix. Ensure that you know where
control to data and corporate systems. Encryption used to implement virtual network isolation, while open
all your Internet-facing remote access technologies
between the user endpoint and the Internet, via source products like Google’s Remote Response (GRR)
Providing users and even customers with a number or are, and that each is appropriately patched and
their mobile Internet or their own home Internet, is offer workable remote triage and forensics options.
address they might use to speak to someone rationally configured.
arguably less of a concern right now.
about technical and cognitive attacks they may suspect,
or about their own systems and behaviors, could be a 2. Make sure you secure DNS. Several contemporary
attacks involve redirecting DNS requests in order to Establish visibility
powerful tool for reducing the level of anxiety and indeed
improving your security posture. If you already have present phishing or watering hole sites or conduct over remote endpoint
a support hotline, prepare for (at least initially) a rapid Person in the Middle attacks. Pay careful attention to
how you control the DNS servers that your workers A shocking realization for many businesses at this time is
increase in the volume of calls, emails and other available how much their attack detection and security monitoring
methods of communication. use, whether by using VPN configurations or simply Consider malicious
having them hardcode DNS resolvers on endpoints. capabilities depend on the perimeter.
© Orange Cyberdefense www.orangecyberdefense.com Build a safer digital societyYou can also read
