Both nation state Advanced Threat Groups (APTs) and cyber criminals have ramped up their scanning for unpatched VPNs and other remote working tools, with publicly known vulnerabilities in Citrix/Netscaler, Fortinet, Pulse Secure and Palo Alto products, as well as unsecured RDP endpoints under particular attack.
That’s according to the UK’s National Cyber Security Centre (NCSC) and US Department of Homeland Security (DHS), in a joint advisory that highlights a sustained pivot to COVID-19-based phishing attacks against organisations and individuals, with malware delivered in the guise of gov’t or medical help, among other techniques.
The NCSC particularly highlights scans for CVE-2019-19781: a vulnerability in Citrix’s Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway for which a fix exists.
(Basic cyber hygiene like regular patching is a large part of avoiding this kind of attack. All the vulnerabilities cited have already been widely reported, so it is likely to be companies with inattentive/overstretched IT or security teams that are vulnerable.)
The joint advisory also cites a report by Reposify that identifies a 127 per cent increase in internet connected RDP endpoints. This means that there are now more than 4.7 million publicly exposed remote desktop protocols for hackers to take a shot at. (RDP should not be internet-facing and where it is, should use multi-factor authentication).
In its analysis Reposify noted that: “Last year approximately 1.5 million exposed Remote Desktop Protocol servers were attacked by a botnet named GoldBrute which also used brute-force methods. And the cost? A steep one. In 2018, Hancock Health hospital was forced to pay over $50K in ransom to regain access to critical data that was encrypted after the hospital server running RDP services was compromised.”
COVID-19 Hacking: But…
Despite the huge surge in COVID-themed attacks, contrary to numerous vendor reports, “from the data seen to date, the overall levels of cyber crime have not increased” the NCSC and CISA said: information that may surprise many.
That’s not to say the shift to pandemic themes is not proving effective. The NCSC notes that: “The techniques used by attackers prey on people’s appetite for information and curiosity towards the outbreak, with phishing emails and SMS messages using the virus as a lure to trick people into revealing credentials or downloading malicious software.”
It is important to note that it appears that general levels of cybercrime are not increasing in a significant manner but the tactics and techniques used to deploy malware are changing to suit the current crisis.
The NCSC has identified four key trends in the nature of threats over the last month such as;
- Phishing, using the subject of coronavirus or COVID-19 as a lure
- Malware distribution using coronavirus or COVID-19 themed lures
- Registration of new domain names containing coronavirus or COVID-19 related wording
- Attacks against newly (and often rapidly) deployed remote access or remote working infrastructure
A key technique used – now a mainstay for hackers – is social engineering which involves taking advantage of and manipulating human curiosity or concern by tailoring emails or scams to suit the targeted victim.
Unfortunately in the current climate nearly everyone is eager for news – particularly good – about COVID-19, hackers are taken advantage of that curiosity.
Threat actors are using the credibility of gov’t agencies and medical organisations such as the World Health Organization (WHO) to lend authenticity to their scams. One such scam discovered by the NCSC involves a SMS phishing campaign that pretended to be from the UK gov’t promising a payment of £458 to all residents affected by the virus.
This then linked to a government themed phishing page that simulates a normal GOV.UK page. This shows that hackers are already taken advantage of government compensation schemes.
Bryan Ware, CISA Assistant Director for Cybersecurity commented that: “We urge everyone to remain vigilant to these threats, be on the lookout for suspicious emails and look to trusted sources for information and updates regarding COVID-19. We are all in this together and collectively we can help defend against these threats”.