Understanding COVID-19 Attacks & Strategies - GNYHA
Understanding COVID-19 Attacks & Strategies
TLP:AMBER - Disclosure is limited
April 10, 2020
CTOC THREAT INTELLIGENCE BRIEFING
OUR STORY
Founded in 2013, Sensato was the first healthcare cybersecurity firm. Sensato continues to build on a legacy of quality by maintaining 100% Customer Satisfaction and 100% On-Time/On-Budget Delivery of Commitments.
PRODUCTS & SERVICES
Sensato develops integrated cybersecurity solutions that are specifically crafted to support critical infrastructure environments.
INNOVATION
Since 2013 the company has been recognized as a leading innovator in cybersecurity and continues to embrace innovation as a core part of its DNA.
PARTNERS
Sensato partners include the FDA, State and National Hospital Associations, Premier GPO, State and Federal intelligence agencies and others.
ABOUT SENSATO
COMPLY. DETECT. RESPOND.
The mission of Sensato is to stand between you and those that would do your patients harm!
Sensato maintains strong partnerships across the healthcare industry, as well as supporting organizations which help provide threat intelligence insights and additional response capabilities.
NOTABLE PARTNERSHIPS
THE SENSATO SOLUTION STACK
THE RIGHT AMOUNT OF RENEGADE
True innovation takes a certain amount of rebellious spirit and a passion for asking 'what if?' Since 2013, Sensato has been a little different, some may say rebellious, we like to say, 'just the right amount of renegade!'
MDCOP: The only medical device cybersecurity solution that meets or exceeds FDA HCO recommendations in the industry.
CTOC: The Sensato Cybersecurity Tactical Operations Center (CTOC) is specifically designed to support critical operations that go well beyond the traditional SOC.
NIGHTINGALE: Sensato Nightingale is a real-time integrated cybersecurity platform that is designed specifically for critical environments.
Disclaimer: For Information Purposes Only
The information that is shared as part of this presentation and briefing is for informational purposes only. There is no warranty or promise as to the accuracy of the information presented.
You are directed to perform your own research and validate all information prior to making any decision.
Presentation is Being Recorded
TIB Classification: TLP-AMBER
Classification Level: TLP:AMBER (Limited disclosure, restricted to participants' organizations)
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm.
TIB Outline
• Intelligence Background
• Attack Vectors
• COVID-19 Defender's Toolkit
• Q&A
Intelligence Background
• COVID-19 Cybersecurity State of the Union
Quick Overview
As of March 30, 2020, the FBI's Internet Crime Complaint Center (IC3) has received and reviewed more than 1,200 complaints related to COVID-19 scams.
In recent weeks, cyber actors have engaged in phishing campaigns against first responders, launched DDoS attacks against government agencies, deployed ransomware at medical facilities, and created fake COVID-19 websites that quietly download malware to victim devices.
More than 500 Android applications with coronavirus-related strings in their files uploaded to the Google Play Store, and many are confirmed to be malicious. While some links redirect users to the Google Play Store, others entice them to download and install applications from .apk files directly. This activity has been going on for almost two months.
Attack Vectors
• COVID-19 Cybersecurity State of the Union
Attack Vector Analysis
Attacker Profiles
First Wave: Nation State / Organized Actors. Highly organized groups such as APT41 (China), as well as North Korea, Russia and Iran/Syria.
Second Wave: Cyber-criminal groups leveraging nation-state tools and approaches.
Next Wave(s): Optimization. Attackers will optimize their attacks and refocus on those which provide high ROI.
Date | Threat description | Type
2020-04-09 00:00:00 | FBI public service announcement about the increased cyber threats surrounding COVID19 pandemic | Misc
2020-04-08 00:10:00 | The exposure to compromised e-commerce websites is greater than ever. 26% increase in web skimming in March. | Malware
2020-04-08 00:00:00 | 'Latest vaccine release for Corona-virus (COVID-19)' malspam spreads NanocoreRAT malware | Malware
2020-04-08 00:00:00 | NCSC Advisory: COVID-19 exploited by malicious cyber actors | Misc
2020-04-07 00:00:00 | Fake COVID19 website is spreading FirebirdRAT via fake DHL emails | Malware
2020-04-06 00:00:00 | Rush to adopt online learning under COVID-19 exposes schools to cyberattacks | Misc
2020-04-04 00:00:00 | Sophisticated COVID-19-Based Phishing Attacks Leverage PDF Attachments and SaaS to Bypass Defenses | Phishing, Malware
2020-04-04 00:00:00 | CDC Warns of COVID-19-Related Phone Scams, Phishing Attacks | Phishing
2020-04-03 00:00:00 | Malware spread via pirated COVID-19 themed WordPress plugins | Malware
2020-04-02 00:00:00 | Vulnerability Researchers Focus on Zoom App's Security | Misc
2020-04-02 00:00:00 | As unemployment claims soar, cyber workforce remains strong | Misc
2020-04-02 00:00:00 | Hackers linked to Iran target WHO staff emails during coronavirus | Targeted attack
2020-03-31 00:00:00 | Coronavirus Trojan Overwriting The MBR | Malware
2020-03-31 00:00:00 | Criminals Resurrect A Banking Trojan To Push COVID-19 Relief Payment Scam | Ransomware
2020-03-30 00:00:00 | Indian Cybercrime Officials Release a List of Potentially Dangerous Coronavirus-related Domains | Phishing
2020-03-30 00:00:00 | Phishing Attack Says You're Exposed to Coronavirus, Spreads Malware | Malware
2020-03-30 00:00:00 | Phishing Attacks Increase 350 Percent Amid COVID-19 Quarantine | Malware, Phishing
2020-03-30 00:00:00 | Investigate: COVID-19 Cybercrime Daily Update | Misc
2020-03-25 00:07:00 | F-secure summary of COVID-19 email attacks | Scam
2020-03-25 00:06:00 | Fake HM Government SMS / website scam | Scam
2020-03-23 00:15:00 | Coronavirusmedicalkit.com "predatory wire fraud scheme" shut down | Scam
2020-03-22 00:00:00 | COVID-19: Impact on the Cyber Security Threat Landscape | Study
2020-03-21 00:00:00 | Malwarebytes explains coronavirus scams | Scam, Phishing
2020-03-20 | Coronavirus Sets the Stage for Hacking Mayhem | Misc
2020-03-20 00:00:00 | Coronavirus Used in Malicious Campaigns | Malware
2020-03-20 | US authorities battle surge in coronavirus scams, from phishing to fake treatments | Phishing
2020-03-20 | How to Recognize Malicious Coronavirus Phishing Scams | Phishing
2020-03-20 | COVID-19 Scams Are Everywhere Right Now. Here's How to Protect Yourself? | Phishing
2020-03-20 | Malware called BlackWater pretending to be COVID-19 information | Malware
2020-03-20 | Coronavirus: Huge Surge in Fake News on Facebook, WhatsApp in India | Fake news
2020-03-20 | Phishing email impersonating WHO chief begins to circulate | Phishing
2020-03-19 | Cybercriminals are using COVID-19 discount codes to sell malware and fake items | Malware
APT41 Campaign
• APT41 has directly targeted organizations in at least 14 countries dating back to as early as 2012. The group's espionage campaigns have targeted healthcare, telecoms, and the high-tech sector.
• APT41 often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits. APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems.
DDoS & Bots – Dark_Nexus
A new aggressive botnet, dubbed Dark_Nexus by Bitdefender researchers, has been identified targeting various Internet of Things (IoT) devices ranging from ASUS and D-Link routers to video recorders.
The botnet appears to borrow code from both Mirai and Qbot, though researchers believe that much of its core functions are original.
Dark_Nexus was first identified in December 2019 and is frequently updated, with over 30 versions discovered in a three-month period. Additionally, payloads are customized for 12 different CPU architectures and are spread using Telnet credential stuffing and other exploits.
A new persistence tactic observed disables the infected device from rebooting by removing restart permissions. Compromised devices could be used in distributed denial-of-service (DDoS) attacks.
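Because Dark_Nexus spreads by Telnet credential stuffing, the first defensive signal is a burst of failed Telnet logins from one source, or the same source trying several devices. The script below is an added example, not Sensato's or Bitdefender's code; the syslog-style record format, the sample IPs and device names, and the thresholds are all assumptions.

```python
# Added example (not from the briefing): flag Telnet credential stuffing from
# constructed syslog-style login records. Format, IPs, device names and
# thresholds are assumptions; adapt the regex to your devices' real log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <device> telnetd: <result> login from <ip> user=<u>"
SAMPLE_LOG = """\
2020-04-09T02:00:01 dvr-01 telnetd: failed login from 203.0.113.7 user=admin
2020-04-09T02:00:03 dvr-01 telnetd: failed login from 203.0.113.7 user=root
2020-04-09T02:00:05 dvr-01 telnetd: failed login from 203.0.113.7 user=support
2020-04-09T02:00:06 rtr-asus telnetd: failed login from 203.0.113.7 user=admin
2020-04-09T02:00:08 rtr-dlink telnetd: failed login from 203.0.113.7 user=admin
2020-04-09T02:00:09 rtr-dlink telnetd: accepted login from 203.0.113.7 user=admin
2020-04-09T02:10:00 dvr-01 telnetd: failed login from 198.51.100.5 user=admin
2020-04-09T02:45:00 dvr-01 telnetd: accepted login from 198.51.100.5 user=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) telnetd: (?P<res>failed|accepted) login "
    r"from (?P<ip>[\d.]+) user=(?P<user>\S+)$"
)

def parse(log):
    """Yield (timestamp, device, result, ip, user); lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["dev"], m["res"], m["ip"], m["user"])

def detect_stuffing(log, max_failures=4, window=timedelta(minutes=1), min_devices=2):
    """Return {ip: reasons}. "burst": more than max_failures failures inside `window`;
    "spray": failures against min_devices or more devices; "compromise": an
    accepted login from a source already flagged (the likely foothold)."""
    fails, devices, flagged = defaultdict(list), defaultdict(set), {}
    def flag(ip, reason):
        if reason not in flagged.setdefault(ip, []):
            flagged[ip].append(reason)
    for ts, dev, res, ip, _user in parse(log):
        if res == "failed":
            fails[ip] = [t for t in fails[ip] if ts - t <= window] + [ts]  # sliding window
            devices[ip].add(dev)
            if len(fails[ip]) > max_failures:
                flag(ip, "burst")
            if len(devices[ip]) >= min_devices:
                flag(ip, "spray")
        elif ip in flagged:
            flag(ip, "compromise")
    return flagged
```

A single slow failure followed by a later success (the second source in the sample) is left alone, so the rule fires on the stuffing pattern rather than on an operator mistyping a password.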
Attack Collateral
• COVID-19 Cybersecurity State of the Union
Defender Toolkit
• COVID-19 Cybersecurity State of the Union
COVID-19 Cyber Defense – Level I
• Brief Your Executives
• Review Continuity of Operations
• Validate Backup Strategy Can Protect Against Ransomware
• Secure Your VPN
• Educate All Users
• Deploy IOC to Firewalls
• Institute Organizational Safewords for Email and SMS
COVID-19 Cyber Defense – Level II
• Configure email System to Target "COVID-19" messages.
• Evolve your password length and complexity.
• Require MFA for VPN Server, Firewall, Domain Controllers and HVT/High Asset Value Systems
• Block IP from Outside U.S.
• Consider Mobile Device Anti-Virus Software
• Evolve Backup Frequencies
• Harden Collaboration Tools
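The Level II item "configure email system to target COVID-19 messages" is easier to tune with a worked rule set. The triage below is an added example, not Sensato's code: it combines the COVID-19 theme with two things the threat feed above shows (sender display names impersonating WHO or DHL, and lures carrying file types such as APT41's .chm or the Android .apk). The keyword list, the brand-to-domain table, the weights and the sample messages are all assumptions.

```python
# Added example (not from the briefing): score COVID-19 themed mail for
# quarantine. Keyword list, brand domains, weights and samples are assumptions.
import email
import re
from email import policy
from email.message import EmailMessage

COVID_TERMS = ("covid", "coronavirus", "corona-virus", "vaccine", "relief payment")
RISKY_EXT = (".chm", ".apk", ".exe", ".js", ".vbs", ".iso", ".scr")  # .chm: APT41 lure; .apk: Android note
BRAND_DOMAINS = {"who": "who.int", "dhl": "dhl.com", "cdc": "cdc.gov"}  # legitimate domains, assumed

def score_message(raw):
    """Return (score, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = subject + " " + (part.get_content().lower() if part else "")
    score, reasons = 0, []
    if any(t in text for t in COVID_TERMS):
        score, reasons = score + 1, reasons + ["covid theme"]
    for addr in (msg["from"].addresses if msg["from"] else ()):
        dom = addr.domain.lower()
        for brand, real in BRAND_DOMAINS.items():  # brand in display name, mail from elsewhere
            if re.search(rf"\b{brand}\b", addr.display_name.lower()) and dom != real and not dom.endswith("." + real):
                score, reasons = score + 3, reasons + [f"{brand} lookalike sender {dom}"]
    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            score, reasons = score + 3, reasons + [f"risky attachment {name}"]
    return score, reasons

def verdict(raw, quarantine_at=4):
    """'quarantine' at or above the threshold, 'flag' for any lower non-zero score, else 'deliver'."""
    score, reasons = score_message(raw)
    return ("quarantine" if score >= quarantine_at else "flag" if score else "deliver"), reasons

def build_sample(sender, subject, body, attachment=None):
    """Construct a sample message; test data, not a captured phish."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@hospital.example", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"\x00placeholder", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_string()

SAMPLES = {  # constructed
    "lure": build_sample("WHO Director-General <dg@who-update.example>",
                         "Latest vaccine release for Corona-virus (COVID-19)",
                         "Open the attached guidance today.", "vaccine_guidance.chm"),
    "internal": build_sample("IT Helpdesk <it@hospital.example>", "COVID-19 staffing update", "Rota is on the intranet."),
    "benign": build_sample("Alice <alice@hospital.example>", "Lunch", "Canteen at noon?"),
}
```

Legitimate internal COVID-19 traffic only gets flagged for review, while a themed message that also impersonates a brand or carries a risky attachment crosses the quarantine threshold.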
COVID-19 Cyber Defense – Zoom Hardening
General setup:
Create meeting set-up templates for employees
Require multifactor for logins in the enterprise for user accounts
Require encryption for third-party endpoints
Require PIN or passcode for Personal Meeting IDs (PMIs)
Require passwords for instant meetings
Hosting:
Create invite-only meetings so that only those invited can join
Generate random meeting (scheduled) ID when scheduling events, and don't use public meeting IDs to host public events
Require a password to join, and consider using numeric passwords to ease process for phone participants
Use “waiting room” feature to control who can join meetings
Disable allowing participants to join before host
Mute participants upon entry to avoid distractions
Lock meetings once the meeting starts, which will restrict even those with passwords from joining
Information sharing during meetings:
Set "only host" under "who can share" to prevent participants from screen sharing
Disable video for participants if there is concern the feature could be abused
Consider turning off annotations if there is concern doodling will be done on screens
Disable file transfer if there is concern over sensitive information being shared
Allow one participant at a time to share their screen (vs. multiple participants)
If recording, stop recording based on meeting content and sensitivity, and don't allow (by company policy) for recordings to be saved to unapproved cloud services
Chat during meetings:
Enable end-to-end encryption for "chat"
Consider disabling auto-saving of chats and prevent participants from saving chats
Consider disabling private chat if there are concerns about lack of focus, and consider preventing GIFs and other files used in chat
COVID-19 Cyber Defense – Teams Hardening
General SETUP:
Enforce least privilege
Require two-factor authentication for all users to use service
Enable Microsoft Advanced Threat Protection (ATP) in Teams (and SharePoint and OneDrive) if licensing allows
Enable Safe Links in Teams to validate URLs and safety at time of clicking
Maintain oversight if allowing users to create new Teams
Consider if employees using Teams can edit or delete sent messages
Create different channels in Teams to manage direct conversations
Access control:
Set who can join meetings through Lobby settings (people in my organization, people in my organization and trusted organizations, everyone)
Decide if individual Guest users can access Teams from outside the organization
Add or block domains that can communicate with your Teams (i.e., decide if you will allow external domain access)
Hosting controls:
Enable structured meetings for presenters to control what attendees can do in a meeting
Presenters shall have full control.
Attendees can't: mute or remove others, admit others to join, start or stop recording, take control
Content controls:
Decide which cloud services files can be stored to (e.g., ShareFile, Dropbox, Box, Google Drive, etc.)
Require second form of authentication to access meeting content
Consider setting a content PIN
Classify data to manage sensitive information and sharing in Teams
Prevent ability to download data to unmanaged devices
COVID-19 Cyber Defense – Go-To-Meeting Hardening
GENERAL SETUP:
Enable two-factor authentication for employees
Set unique meeting IDs
Set meeting lock to restrict attendees once the meeting has started
Set organizer privileges to allow attendees before or during sessions
Consider allowing chat or banning completely
Determine who can record, and set expiration dates on recording content
HOSTING:
View complete list of participants and remove unknown attendees
Set a password to protect meeting attendance
Manage who has access to meeting content – whether all meetings or select
Control who can share their device
COVID-19 Cyber Defense – WebEx Hardening
GENERAL SETUP:
Set meetings to unlisted
Require passwords for all meetings and sessions
Set enforcement of using a meeting password when joining by phone or video conferencing systems
HOSTING:
Do not allow join before host
Require sign-in when joining meetings and sessions
Enforce personal room locking after a defined period of time
Do not allow unauthenticated users
Configure alerting if someone joins meeting while you are away
Recommend users don't share audio PIN or host key with anyone
Recommend users only share applications versus entire screen to reduce exposure of content
COVID-19 Cyber Defense – Google Meet Hardening
GENERAL SETUP:
Administrators should use two-factor authentication
Only allow administrators to create groups and set them to private
Consider disabling email from outside of the domain for communication to Groups
Decide who can contact directly vs. anyone with phone number or email address (likely option is those who have email address can contact directly and invite)
Monitor health of Hangouts settings (G Suite for Enterprise and Education)
CHAT:
Warn users when chatting outside of their domain
Set a chat invitation policy
Consider not saving chat history
COVID-19 Cyber Defense – Slack Hardening
GENERAL SETUP:
Set up and enforce two-factor authentication for employees
Enable single sign-on (SSO)
Manage app approval
Pre-approve apps to allow install without requesting approval
Restrict apps not allowed
Choose members who can manage app requests
Use Slack Enterprise Key Management to use your own keys stored in AWS Key Management Service to encrypt messages and files
Enable data loss prevention (DLP) integration with Slack (available with Cisco, McAfee, Netskope, Palo Alto Networks)
Turn off Slack email notifications
Enable audit logs API
USAGE CONTROLS:
Whitelist allowed domains to stop employees from logging in from unapproved Slack spaces
Enable guest accounts for contractors or interns but limit channel access
Set session duration before requiring reauthentication
Manage users with System for Cross-Domain Identity Management (SCIM) provisioning (e.g., Okta, Azure AD, OneLogin, Ping, etc.)
Block file downloads and copying on unmanaged devices
Set who can post in #general
Set public file-sharing policy
Consider restricting access to channels based on time of day
Set workspace retention policies
COVID-19 Cyber Defense – Teleworker Hardening
Verify Baselines
O/S Patch Levels
Application Patch Levels
Firewall Configurations for End-User Devices
Hygiene Assessment
Force Change of All Passwords
Require Stronger Passwords
Deploy MFA if Possible (Maybe Just VPN)
Ask Users to Update Home Network Firmware/Systems
Insider Threats
Likely Increase – Monitor Network Behavior
Monitor for Shadow IT Applications
Reduce Use of File Sharing/Crypto Mining
COVID-19 Cyber Defense – DDoS and Bots
General Increase in DDoS Attacks Against VPN
Mini-DDOS Attacks
Assure VPN is Patched
Determine Fallback Plans
Validate ISP Support and Capabilities
BOT Attacks Against IOT
Physical Security Systems Patched
IoT Systems Patched
Which of these systems are cloud based?
Third-Party Networks
Medical Devices?
Infrastructure?
NIGHTINGALE: DETECTION MANAGER
HOST INTRUSION DETECTION: Monitoring of host level attacks and attempts.
DECEPTION TECHNOLOGIES: A last line of defense that is an attacker's worst-case scenario.
ASSET FINGERPRINTING: 32,386 fingerprint database that includes hardware, IoT, IC & medical devices.
NETWORK INTRUSION DETECTION: Real-time deep packet inspection and event correlation.
VULNERABILITY DETECTION: CVSS level vulnerability assessment & risk correlation.
ASSET MANAGEMENT: Asset identification and tracking with support for asset valuation and high-value target support.
24x7 Security Operations Center (Sensato-CTOC)
[email protected] 844.732.7286 www.sensato.co
Sensato
John Gomez, CEO
Sensato CTOC: Coronavirus TIB