Special thanks to Tim Hux and Sorcha Healy for their assistance.
The demand for remote working as a result of the COVID-19 pandemic will invariably place pressures on organizations to ensure the availability of corporate resources in geographic locations outside of corporate control. Such demands go beyond the provision of additional capacity, with potentially remote working policies and security awareness assets in urgent need of updating and communication.
These demands are being required against the reported backdrop of cybercriminals and potential nation states continuing and even leveraging the global crisis for their own personal gain. Without respite, many cybercriminal groups appear to be continuing attacks against many sectors including healthcare. Furthermore, there are even those threat actors actively using concern related to COVID-19 as a lure to invoke user behaviour. This post is not intended to be exhaustive and will be updated as we make more resources available to enable organizations and users to stay safe and connected.
We have identified and reviewed multiple reports related to the criminal use of COVID-19 as potential bait, whether that be phishing emails, domains, malware, etc. While its use is not unexpected, with criminals always trying to leverage large events to their advantage, it is disappointing to see at a time when the world needs to come together that there are those who have scant regard for the sense of community. Our subsequent focus at this time is to attempt to determine whether any geographies specifically being targeted. The chart below maps our visibility of the targets for all known (at the time of writing) threats leveraging COVID-19.
Figure 1. Targeted COVID-19 related threats by country
As we see, the geographic dispersion of “targets” is relatively wide and includes many countries we typically see on the list of broader phishing targets. However, there are some anomalies, in particular Panama, Taiwan, and Japan. This requires us to undertake further analysis but does suggest that certain campaigns may be targeting specific countries.
It is equally important to add that this landscape is changing daily, with more threats being identified and included as part of our detection across the entire product portfolio (where appropriate). Moreover, the McAfee Advanced Threat Research (ATR) team is undertaking deeper analysis into the findings to understand why certain countries are receiving more threats related to COVID-19 than others, as well a deeper dive into sector analysis. We will regularly report any relevant details, and of course share all IoCs with the wider community to ensure we all remain safe. As we continue to hunt for further threat artefacts, we will make our findings available through this forum.
Working from home threats contextualized
All over the world large numbers of people are rushed to work from home unprepared, sometimes even from their personal devices. Often, these devices are not maintained with proper security measures and possibly leave organizations open to various attacks.
Over the last year we have published several articles on how targeted ransomware attacks are fuelling the increased demand in the underground for compromised corporate networks. One often-used criminal access method is through “commodity malware,” such as banking malware and info-stealers. The criminals are actively sifting through thousands of logs hoping to find corporate network or remote management credentials.
Commodity malware is often focused directly at consumers, so accessing corporate networks from possible pre-infected personal machines without adequate security measures creates a much larger attack surface for cybercriminals. This increases the risk of an organization falling victim to a potential breach and ransomware lockdown.
Figure 2. A screenshot of the popular KPOT info stealer, part of an underground advertisement to sell stolen credentials. (notice the malware collects VPN, RDP and Mail credentials)
Just like we are all fighting to flatten the COVID-19 curve by social isolation and washing our hands, we should aim to flatten the cyber-attack surface of our organizations by having proper cyber security hygiene by using multi-factor authentication, VPNs, and robust End-Point security software.
Employees working from home will need clear guidance on acceptable security practices from an organizational perspective:
- Remote working policy guidance: While many organizations may employ wider guidance on cybersecurity/privacy guidance within their organizations there will likely be employees unaware of the expectations for remote working. Equally, this may also apply to security expectations, therefore any such policy must be reviewed but also effectively communicated to a wider group of employees now working from outside the organization’s offices.
- Asset classification: With a larger set of the workforce now working from home, previously inaccessible information assets will need to be available for remote use. Subsequently, enhanced security measures will be necessary to ensure that information is only made available to those with a clear need to know.
- Strong authentication: With passwords ubiquitous, and two-factor authentication now commonplace, ensuring the appropriate level of authorization for key assets is in place will be critical.
- Awareness: All of the processes, and technology deployed within an organization can be simply undone by a lack of awareness. Ensuring all employees are made aware of the potential risks of connecting remotely is critical. It is especially important to be aware of cloud services authorized for work purposes and extra vigilant for targeted phishing emails.
- VPN access: The term untrusted network is rarely a consideration when working in the office, however with so many employees connecting from externally located environments there is the potential for certain networks to be untrusted. While many will not be venturing into public spaces to limit social contact, there is no assurance that the connection every employee is connecting from is secure. Therefore, leveraging a VPN will be imperative, and indeed organizations may want to enforce certain assets only being accessible via the VPN.
Secure Mobile Working
Here are some key considerations for those responsible for enabling secure remote working capability:
- Protecting against accidental data loss. Data encryption is fundamental to good device security hygiene and essential for enabling secure mobile working. Ensure that you have situational awareness of the end user security controls and can quickly report on the status when the inevitable question comes down from the CISO.
- Providing an equivalent level of threat prevention. While on the office network or VPN, end user devices enjoy a defense in depth capability. However, do they have that same protection when not on the VPN? Using anti-malware solutions which employ cloud-based behavior analysis and threat intelligence combined with cloud-based web security can help ensure an equivalent level of security both on and off the network.
- Secure cloud collaboration. Many employees will need to leverage cloud-based services such as Microsoft Teams and WebEx to collaborate both internally and externally. Ensure you can apply your corporate DLP policies to those cloud-native applications and that your users are fully aware of the authorized collaboration tools at their disposal.
- Secure cloud access. Attackers will leverage spear-phishing emails with Corona Virus themes and watering hole attacks from compromised web sites to target workers and prey on the situation. Reduce the attack surface by tightening web security policies and block access to risky cloud services.
- Phishing incident response. You will not be able to prevent everything so having a balanced security capability with detection and response is important. Security Operations should review incident response procedures for phishing, deploy Cloud-based EDR for rapid identification of compromised remote end user devices, and ensure users know how to submit suspect emails to the SOC.
A wealth of good advice and information is freely available including the Security Awareness Work-from-Home Deployment Kit from the SANS Institute which provides “multiple assets that address everything from securing a home network to best practices when working remotely to identifying social engineering attacks.” While the need to enable access as quickly as possibly is understandable, there are those hoping to exploit this urgency for their own personal gain.
We will continue to make resources available to further enable secure home working, as well as insights into the threat landscape from this blog.
Please register for the webinar detailing Adaptable Security for Flexible Working Environments here: https://mcafee.zoom.us/webinar/register/WN_AeXoyA-tT_eUFZ2_NvhpSA