View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 9, 2020updated 14 Apr 2020 9:37am

US, UK Warn of Widespread Scanning for Unpatched VPNs, Citrix Vulnerability

"We are all in this together and collectively we can help defend against these threats."

By CBR Staff Writer

Both nation state Advanced Threat Groups (APTs) and cyber criminals have ramped up their scanning for unpatched VPNs and other remote working tools, with publicly known vulnerabilities in Citrix/Netscaler, Fortinet, Pulse Secure and Palo Alto products, as well as unsecured RDP endpoints under particular attack.

That’s according to the UK’s National Cyber Security Centre (NCSC) and US Department of Homeland Security (DHS), in a joint advisory that highlights a sustained pivot to COVID-19-based phishing attacks against organisations and individuals, with malware delivered in the guise of gov’t or medical help, among other techniques.

The NCSC particularly highlights scans for CVE-2019-19781: a vulnerability in Citrix’s Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway for which a fix exists.

(Basic cyber hygiene like regular patching is a large part of avoiding this kind of attack. All the vulnerabilities cited have already been widely reported, so it is likely to be companies with inattentive/overstretched IT or security teams that are vulnerable.)

The joint advisory also cites a report by Reposify that identifies a 127 per cent increase in internet connected RDP endpoints.  This means that there are now more than 4.7 million publicly exposed remote desktop protocols for hackers to take a shot at. (RDP should not be internet-facing and where it is, should use multi-factor authentication).

In its analysis Reposify noted that: “Last year approximately 1.5 million exposed Remote Desktop Protocol servers were attacked by a botnet named GoldBrute which also used brute-force methods. And the cost? A steep one. In 2018, Hancock Health hospital was forced to pay over $50K in ransom to regain access to critical data that was encrypted after the hospital server running RDP services was compromised.”

COVID-19 Hacking: But…

Despite the huge surge in COVID-themed attacks, contrary to numerous vendor reports, “from the data seen to date, the overall levels of cyber crime have not increased” the NCSC and CISA said: information that may surprise many.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

That’s not to say the shift to pandemic themes is not proving effective. The NCSC notes that: “The techniques used by attackers prey on people’s appetite for information and curiosity towards the outbreak, with phishing emails and SMS messages using the virus as a lure to trick people into revealing credentials or downloading malicious software.”

It is important to note that it appears that general levels of cybercrime are not increasing in a significant manner but the tactics and techniques used to deploy malware are changing to suit the current crisis.

The NCSC has identified four key trends in the nature of threats over the last month such as;

  • Phishing, using the subject of coronavirus or COVID-19 as a lure
  • Malware distribution using coronavirus or COVID-19 themed lures
  • Registration of new domain names containing coronavirus or COVID-19 related wording
  • Attacks against newly (and often rapidly) deployed remote access or remote working infrastructure

Social Engineering

A key technique used – now a mainstay for hackers – is social engineering which involves taking advantage of and manipulating human curiosity or concern by tailoring emails or scams to suit the targeted victim.

Unfortunately in the current climate nearly everyone is eager for news – particularly good – about COVID-19, hackers are taken advantage of that curiosity.

Threat actors are using the credibility of gov’t agencies and medical organisations such as the World Health Organization (WHO) to lend authenticity to their scams. One such scam discovered by the NCSC involves a SMS phishing campaign that pretended to be from the UK gov’t promising a payment of £458 to all residents affected by the virus.

COVID-19 hackingThis then linked to a government themed phishing page that simulates a normal GOV.UK page. This shows that hackers are already taken advantage of government compensation schemes.

COVID-19 hackingBryan Ware, CISA Assistant Director for Cybersecurity commented that: “We urge everyone to remain vigilant to these threats, be on the lookout for suspicious emails and look to trusted sources for information and updates regarding COVID-19. We are all in this together and collectively we can help defend against these threats”.

See Also: Google Cloud Confirms Sweeping Outage, Blames IAM API Issues

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU