Understanding COVID-19 Attacks & Strategies - GNYHA

TLP:AMBER (disclosure is limited). April 10, 2020. CTOC Threat Intelligence Briefing.

Transcript of Understanding COVID-19 Attacks & Strategies - GNYHA

Page 1: Understanding COVID-19 Attacks & Strategies - GNYHA

Understanding COVID-19 Attacks & Strategies

TLP:AMBER. Disclosure is limited.

April 10, 2020

CTOC THREAT INTELLIGENCE BRIEFING

Page 2: Understanding COVID-19 Attacks & Strategies - GNYHA

OUR STORY
Founded in 2013, Sensato was the first healthcare cybersecurity firm. Sensato continues to build on a legacy of quality by maintaining 100% Customer Satisfaction and 100% On-Time/On-Budget Delivery of Commitments.

PRODUCTS & SERVICES
Sensato develops integrated cybersecurity solutions that are specifically crafted to support critical infrastructure environments.

INNOVATION
Since 2013 the company has been recognized as a leading innovator in cybersecurity and continues to embrace innovation as a core part of its DNA.

PARTNERS
Sensato partners include the FDA, State and National Hospital Associations, Premier GPO, State and Federal intelligence agencies and others.

ABOUT SENSATO
COMPLY. DETECT. RESPOND.

The mission of Sensato is to stand between you and those that would do your patients harm!

Page 3: Understanding COVID-19 Attacks & Strategies - GNYHA

Sensato maintains strong partnerships across the healthcare industry, as well as supporting organizations which help provide threat intelligence insights and additional response capabilities.

NOTABLE PARTNERSHIPS

COMPLY. DETECT. RESPOND.

Page 4: Understanding COVID-19 Attacks & Strategies - GNYHA

THE SENSATO SOLUTION STACK
COMPLY. DETECT. RESPOND.

THE RIGHT AMOUNT OF RENEGADE

True innovation takes a certain amount of rebellious spirit and a passion for asking ‘what if?’ Since 2013, Sensato has been a little different, some may say rebellious, we like to say, ‘just the right amount of renegade!’

MDCOP: The only medical device cybersecurity solution that meets or exceeds FDA HCO recommendations in the industry.

CTOC: The Sensato Cybersecurity Tactical Operations Center (CTOC) is specifically designed to support critical operations that go well beyond the traditional SOC.

NIGHTINGALE: Sensato Nightingale is a real-time integrated cybersecurity platform that is designed specifically for critical environments.

Page 5: Understanding COVID-19 Attacks & Strategies - GNYHA

Disclaimer: For Information Purposes Only

The information that is shared as part of this presentation and briefing is for informational purposes only. There is no warranty or promise as to the accuracy of the information presented.

You are directed to perform your own research and validate all information prior to making any decision.

Presentation is Being Recorded

Page 6: Understanding COVID-19 Attacks & Strategies - GNYHA

TIB Classification: TLP-AMBER

Classification Level: TLP:AMBER. Limited disclosure, restricted to participants’ organizations.

When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.

How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm.

Page 7: Understanding COVID-19 Attacks & Strategies - GNYHA

TIB Outline

• Intelligence Background
• Attack Vectors
• COVID-19 Defender’s Toolkit
• Q&A

Page 8: Understanding COVID-19 Attacks & Strategies - GNYHA

Intelligence Background

• COVID-19 Cybersecurity State of the Union

Page 9: Understanding COVID-19 Attacks & Strategies - GNYHA

Quick Overview

As of March 30, 2020, the FBI's Internet Crime Complaint Center (IC3) has received and reviewed more than 1,200 complaints related to COVID-19 scams.

In recent weeks, cyber actors have engaged in phishing campaigns against first responders, launched DDoS attacks against government agencies, deployed ransomware at medical facilities, and created fake COVID-19 websites that quietly download malware to victim devices.

More than 500 Android applications with coronavirus-related strings in their files have been uploaded to the Google Play Store, and many are confirmed to be malicious. While some links redirect users to the Google Play Store, others entice them to download and install applications from .apk files directly. This activity has been going on for almost two months.

Pages 10–15: image-only slides (no extractable text)
Page 16: Understanding COVID-19 Attacks & Strategies - GNYHA

Attack Vectors

• COVID-19 Cybersecurity State of the Union

Page 17: Understanding COVID-19 Attacks & Strategies - GNYHA

Attack Vector Analysis

Page 18: Understanding COVID-19 Attacks & Strategies - GNYHA

Attacker Profiles

Nation State / Organized Actors: Highly organized groups such as APT41 (China), as well as North Korea, Russia and Iran/Syria.

First Wave: Cyber-criminal groups leveraging nation-state tools and approaches.

Second Wave: Attackers will optimize their attacks and refocus on those which provide high ROI.

Next Wave(s): Optimization.

Page 19: Understanding COVID-19 Attacks & Strategies - GNYHA

Date | Threat description | Type
2020-04-09 | FBI public service announcement about the increased cyber threats surrounding COVID19 pandemic | Misc
2020-04-08 | The exposure to compromised e-commerce websites is greater than ever. 26% increase in webskimming in March. | Malware
2020-04-08 | ‘Latest vaccine release for Corona-virus(COVID-19)’ malspam spreads NanocoreRAT malware | Malware
2020-04-08 | NCSC Advisory: COVID-19 exploited by malicious cyber actors | Misc
2020-04-07 | Fake COVID19 website is spreading FirebirdRAT via fake DHL emails | Malware
2020-04-06 | Rush to adopt online learning under COVID-19 exposes schools to cyberattacks | Misc
2020-04-04 | Sophisticated COVID-19-Based Phishing Attacks Leverage PDF Attachments and SaaS to Bypass Defenses | Phishing, Malware
2020-04-04 | CDC Warns of COVID-19-Related Phone Scams, Phishing Attacks | Phishing
2020-04-03 | Malware spread via pirated COVID-19 themed WordPress plugins | Malware
2020-04-02 | Vulnerability Researchers Focus on Zoom App’s Security | Misc
2020-04-02 | As unemployment claims soar, cyber workforce remains strong | Misc
2020-04-02 | Hackers linked to Iran target WHO staff emails during coronavirus | Targeted attack
2020-03-31 | Coronavirus Trojan Overwriting The MBR | Malware
2020-03-31 | Criminals Resurrect A Banking Trojan To Push COVID-19 Relief Payment Scam | Ransomware
2020-03-30 | Indian Cybercrime Officials Release a List of Potentially Dangerous Coronavirus-related Domains | Phishing
2020-03-30 | Phishing Attack Says You’re Exposed to Coronavirus, Spreads Malware | Malware
2020-03-30 | Phishing Attacks Increase 350 Percent Amid COVID-19 Quarantine | Malware, Phishing
2020-03-30 | Investigate: COVID-19 Cybercrime Daily Update | Misc
2020-03-25 | F-Secure summary of COVID-19 email attacks | Scam
2020-03-25 | Fake HM Government SMS / website scam | Scam
2020-03-23 | Coronavirusmedicalkit.com “predatory wire fraud scheme” shut down | Scam
2020-03-22 | COVID-19: Impact on the Cyber Security Threat Landscape | Study
2020-03-21 | Malwarebytes explains coronavirus scams | Scam, Phishing
2020-03-20 | Coronavirus Sets the Stage for Hacking Mayhem | Misc
2020-03-20 | Coronavirus Used in Malicious Campaigns | Malware
2020-03-20 | US authorities battle surge in coronavirus scams, from phishing to fake treatments | Phishing
2020-03-20 | How to Recognize Malicious Coronavirus Phishing Scams | Phishing
2020-03-20 | COVID-19 Scams Are Everywhere Right Now. Here’s How to Protect Yourself | Phishing
2020-03-20 | Malware called BlackWater pretending to be COVID-19 information | Malware
2020-03-20 | Coronavirus: Huge Surge in Fake News on Facebook, WhatsApp in India | Fake news
2020-03-20 | Phishing email impersonating WHO chief begins to circulate | Phishing
2020-03-19 | Cybercriminals are using COVID-19 discount codes to sell malware and fake items | Malware

Page 20: Understanding COVID-19 Attacks & Strategies - GNYHA


APT41 Campaign

• APT41 has directly targeted organizations in at least 14 countries dating back to as early as 2012. The group’s espionage campaigns have targeted healthcare, telecoms, and the high-tech sector.

• APT41 often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits. APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems.

Page 21: image-only slide (no extractable text)
Page 22: Understanding COVID-19 Attacks & Strategies - GNYHA

DDoS & Bots – Dark_Nexus

A new aggressive botnet, dubbed Dark_Nexus by Bitdefender researchers, has been identified targeting various Internet of Things (IoT) devices ranging from ASUS and D-Link routers to video recorders.

The botnet appears to borrow code from both Mirai and Qbot, though researchers believe that much of its core functions are original.

Dark_Nexus was first identified in December 2019 and is frequently updated, with over 30 versions discovered in a three-month period. Additionally, payloads are customized for 12 different CPU architectures and are spread using Telnet credential stuffing and other exploits.

A new persistence tactic observed disables the infected device from rebooting by removing restart permissions. Compromised devices could be used in distributed denial-of-service (DDoS) attacks.
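Detection logic for the spreading mechanism described above, added here as an example (not from the briefing or from Bitdefender): it scans constructed Telnet login records for one source failing against several devices in a short window, the pattern of credential stuffing, and reports any later success from the same source so the affected device can be isolated. The log format, field names, thresholds and addresses are all assumptions.

```python
"""Spot Telnet credential stuffing against IoT devices in login records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a key=value form (hypothetical format, not from the
# briefing or any real device); addresses come from documentation ranges.
SAMPLE_LOG = """\
2020-04-08T02:10:01 src=203.0.113.5 dst=192.0.2.10 svc=telnet user=admin result=fail
2020-04-08T02:10:02 src=203.0.113.5 dst=192.0.2.10 svc=telnet user=root result=fail
2020-04-08T02:10:03 src=203.0.113.5 dst=192.0.2.11 svc=telnet user=admin result=fail
2020-04-08T02:10:04 src=203.0.113.5 dst=192.0.2.12 svc=telnet user=support result=fail
2020-04-08T02:10:05 src=203.0.113.5 dst=192.0.2.12 svc=telnet user=admin result=ok
2020-04-08T02:11:00 src=198.51.100.7 dst=192.0.2.10 svc=telnet user=admin result=fail
2020-04-08T02:15:00 src=198.51.100.7 dst=192.0.2.10 svc=telnet user=admin result=ok
2020-04-08T03:00:00 src=203.0.113.9 dst=192.0.2.20 svc=ssh user=ops result=fail
"""

def parse(line):
    """Turn one record into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_stuffing(log, window=timedelta(minutes=5), min_fail=3, min_targets=2):
    """Return {src: summary} for sources whose Telnet failures within `window`
    span several devices (a spray, not one user mistyping), plus any later
    success from that source, which marks a device to isolate and re-credential."""
    by_src = defaultdict(list)
    for rec in (parse(line) for line in log.splitlines() if line.strip()):
        if rec["svc"] == "telnet":
            by_src[rec["src"]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["result"] == "fail"]
        for i, first in enumerate(fails):            # slide a window over failures
            win = [r for r in fails[i:] if r["ts"] - first["ts"] <= window]
            targets = {r["dst"] for r in win}
            if len(win) >= min_fail and len(targets) >= min_targets:
                alerts[src] = {
                    "failures": len(win),
                    "targets": sorted(targets),
                    "users": sorted({r["user"] for r in win}),
                    "successes_after": sorted({r["dst"] for r in recs
                                               if r["result"] == "ok"
                                               and r["ts"] >= first["ts"]}),
                }
                break
    return alerts

if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

The single failed-then-successful login from 198.51.100.7 is left alone, since one failure against one device looks like a legitimate user, while the spraying source is reported together with the device it eventually got into.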

Page 23: Understanding COVID-19 Attacks & Strategies - GNYHA

Attack Collateral

• COVID-19 Cybersecurity State of the Union

Pages 24–35: image-only slides (no extractable text)
Page 36: Understanding COVID-19 Attacks & Strategies - GNYHA

Defender Toolkit

• COVID-19 Cybersecurity State of the Union

Page 37: Understanding COVID-19 Attacks & Strategies - GNYHA

COVID-19 Cyber Defense – Level I

• Brief Your Executives
• Review Continuity of Operations
• Validate Backup Strategy Can Protect Against Ransomware
• Secure Your VPN
• Educate All Users
• Deploy IOC to Firewalls
• Institute Organizational Safewords for Email and SMS

Page 38: Understanding COVID-19 Attacks & Strategies - GNYHA

COVID-19 Cyber Defense – Level II

• Configure email system to target “COVID-19” messages
• Evolve your password length and complexity
• Require MFA for VPN Server, Firewall, Domain Controllers and HVT/High Asset Value Systems
• Block IP from Outside U.S.
• Consider Mobile Device Anti-Virus Software
• Evolve Backup Frequencies
• Harden Collaboration Tools
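An added example (not from the briefing) of the Level II item “configure email system to target COVID-19 messages”: gateway rules that score an inbound message on COVID-19 lure terms, the attachment types named in this deck (.chm used by APT41, .apk from the Android campaigns) and display-name impersonation of the WHO, CDC and DHL brands from the threat list. The Message class, rule weights, thresholds, legitimate brand domains and sample messages are constructed here.

```python
"""Mail-gateway rules that flag COVID-19-themed messages for review."""
import os
import re
from dataclasses import dataclass

# Lure terms taken from the campaigns listed in the briefing.
LURE = re.compile(r"covid[- ]?19|corona[- ]?virus|vaccine|relief payment|medical ?kit", re.I)

# Attachment types named in the deck (.chm, .apk) plus common executable types added here.
RISKY_EXT = {".chm", ".apk", ".exe", ".scr", ".js"}

# Brands the threat list shows being impersonated, paired with the domains they
# actually use (well-known domains, not taken from the deck).
IMPERSONATED = [
    (re.compile(r"(?i:world health organi[sz]ation)|\bWHO\b"), ("who.int",)),
    (re.compile(r"\bCDC\b|centers for disease control", re.I), ("cdc.gov",)),
    (re.compile(r"\bDHL\b", re.I), ("dhl.com",)),
]

@dataclass
class Message:                      # constructed, minimal view of an inbound mail
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    attachments: tuple = ()

def _under(domain, legit):
    return domain == legit or domain.endswith("." + legit)

def findings(msg):
    """Return (rule, weight, detail) triples that fired for one message."""
    hits = []
    text = f"{msg.subject}\n{msg.body}"
    lures = sorted({m.group(0).lower() for m in LURE.finditer(text)})
    if lures:
        hits.append(("lure", 2, ", ".join(lures)))
    for name in msg.attachments:
        if os.path.splitext(name)[1].lower() in RISKY_EXT:
            hits.append(("attachment", 3, name))
    domain = msg.sender_addr.rsplit("@", 1)[-1].lower()
    for pattern, legit in IMPERSONATED:
        # A brand in the display name but a sender domain that brand does not own.
        if pattern.search(msg.sender_name) and not any(_under(domain, d) for d in legit):
            hits.append(("impersonation", 3, f"{msg.sender_name!r} via {domain}"))
    return hits

def verdict(msg):
    """quarantine: hold for analyst review; tag: deliver with a warning banner."""
    score = sum(weight for _, weight, _ in findings(msg))
    return "quarantine" if score >= 5 else "tag" if score >= 2 else "deliver"

SAMPLES = [  # constructed messages modelled on lures named in the briefing
    Message("World Health Organization", "alerts@who-int-updates.example",
            "Latest vaccine release for Corona-virus(COVID-19)",
            "Open the attached release notes.", ("vaccine_release.chm",)),
    Message("Facilities Office", "facilities@hospital.example",
            "Updated COVID-19 visitor policy", "See attached.", ("policy.pdf",)),
    Message("DHL Express", "noreply@dhl.com", "Parcel delayed",
            "COVID19 restrictions are affecting deliveries."),
    Message("Cafeteria", "cafe@hospital.example", "Menu for next week", ""),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{verdict(m):10} {m.subject}  {findings(m)}")
```

A lure term alone only tags the message, so an internal COVID-19 policy notice or a real DHL notice is delivered with a banner rather than blocked; quarantine needs the lure combined with a risky attachment or a spoofed brand.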

Page 39: Understanding COVID-19 Attacks & Strategies - GNYHA

COVID-19 Cyber Defense – Zoom Hardening

General setup:

• Create meeting set-up templates for employees
• Require multifactor for logins in the enterprise for user accounts
• Require encryption for third-party endpoints
• Require PIN or passcode for Personal Meeting IDs (PMIs)
• Require passwords for instant meetings

Hosting:

• Create invite-only meetings so that only those invited can join
• Generate a random (scheduled) meeting ID when scheduling events, and don’t use public meeting IDs to host public events
• Require a password to join, and consider using numeric passwords to ease the process for phone participants
• Use the “waiting room” feature to control who can join meetings
• Disable allowing participants to join before the host
• Mute participants upon entry to avoid distractions
• Lock meetings once the meeting starts, which will restrict even those with passwords from joining

Information sharing during meetings:

• Set “only host” under “who can share” to prevent participants from screen sharing
• Disable video for participants if there is concern the feature could be abused
• Consider turning off annotations if there is concern doodling will be done on screens
• Disable file transfer if there is concern over sensitive information being shared
• Allow one participant at a time to share their screen (vs. multiple participants)
• If recording, stop recording based on meeting content and sensitivity, and don’t allow (by company policy) recordings to be saved to unapproved cloud services

Chat during meetings:

• Enable end-to-end encryption for “chat”
• Consider disabling auto-saving of chats and prevent participants from saving chats
• Consider disabling private chat if there are concerns about lack of focus, and consider preventing GIFs and other files used in chat

Page 40: Understanding COVID-19 Attacks & Strategies - GNYHA

COVID-19 Cyber Defense – Teams Hardening

General setup:

• Enforce least privilege
• Require two-factor authentication for all users to use the service
• Enable Microsoft Advanced Threat Protection (ATP) in Teams (and SharePoint and OneDrive) if licensing allows
• Enable Safe Links in Teams to validate URLs and safety at time of clicking
• Maintain oversight if allowing users to create new Teams
• Consider if employees using Teams can edit or delete sent messages
• Create different channels in Teams to manage direct conversations

Access control:

• Set who can join meetings through Lobby settings (people in my organization; people in my organization and trusted organizations; everyone)
• Decide if individual Guest users can access Teams from outside the organization
• Add or block domains that can communicate with your Teams (i.e., decide if you will allow external domain access)

Hosting controls:

• Enable structured meetings for presenters to control what attendees can do in a meeting
• Presenters shall have full control
• Attendees can’t: mute or remove others, admit others to join, start or stop recording, take control

Content controls:

• Decide which cloud services files can be stored to (e.g., ShareFile, Dropbox, Box, Google Drive, etc.)
• Require a second form of authentication to access meeting content
• Consider setting a content PIN
• Classify data to manage sensitive information and sharing in Teams
• Prevent the ability to download data to unmanaged devices

Page 41: Understanding COVID-19 Attacks & Strategies - GNYHA

COVID-19 Cyber Defense – GoToMeeting Hardening

General setup:

• Enable two-factor authentication for employees
• Set unique meeting IDs
• Set meeting lock to restrict attendees once the meeting has started
• Set organizer privileges to allow attendees before or during sessions
• Consider allowing chat or banning it completely
• Determine who can record, and set expiration dates on recording content

Hosting:

• View the complete list of participants and remove unknown attendees
• Set a password to protect meeting attendance
• Manage who has access to meeting content – whether all meetings or select
• Control who can share their device

Page 42: Understanding COVID-19 Attacks & Strategies - GNYHA

COVID-19 Cyber Defense – WebEx Hardening

General setup:

• Set meetings to unlisted
• Require passwords for all meetings and sessions
• Enforce use of a meeting password when joining by phone or video conferencing systems

Hosting:

• Do not allow join before host
• Require sign-in when joining meetings and sessions
• Enforce personal room locking after a defined period of time
• Do not allow unauthenticated users
• Configure alerting if someone joins a meeting while you are away
• Recommend users don’t share their audio PIN or host key with anyone
• Recommend users share only applications rather than the entire screen to reduce exposure of content

Page 43: Understanding COVID-19 Attacks & Strategies - GNYHA

COVID-19 Cyber Defense – Google Meet Hardening

General setup:

• Administrators should use two-factor authentication
• Only allow administrators to create groups, and set them to private
• Consider disabling email from outside of the domain for communication to Groups
• Decide who can contact directly vs. anyone with a phone number or email address (the likely option is that those who have an email address can contact directly and invite)
• Monitor the health of Hangouts settings (G Suite for Enterprise and Education)

Chat:

• Warn users when chatting outside of their domain
• Set a chat invitation policy
• Consider not saving chat history

Page 44: Understanding COVID-19 Attacks & Strategies - GNYHA

COVID-19 Cyber Defense – Slack Hardening

General setup:

• Set up and enforce two-factor authentication for employees
• Enable single sign-on (SSO)
• Manage app approval: pre-approve apps to allow install without requesting approval, restrict apps not allowed, and choose members who can manage app requests
• Use Slack Enterprise Key Management to use your own keys stored in AWS Key Management Service to encrypt messages and files
• Enable data loss prevention (DLP) integration with Slack (available with Cisco, McAfee, Netskope, Palo Alto Networks)
• Turn off Slack email notifications
• Enable the audit logs API

Usage controls:

• Whitelist allowed domains to stop employees from logging in from unapproved Slack spaces
• Enable guest accounts for contractors or interns but limit channel access
• Set session duration before requiring reauthentication
• Manage users with System for Cross-Domain Identity Management (SCIM) provisioning (e.g., Okta, Azure AD, OneLogin, Ping, etc.)
• Block file downloads and copying on unmanaged devices
• Set who can post in #general
• Set a public file-sharing policy
• Consider restricting access to channels based on time of day
• Set workspace retention policies

Page 45: Understanding COVID-19 Attacks & Strategies - GNYHA

COVID-19 Cyber Defense – Teleworker Hardening

Verify Baselines:

• O/S Patch Levels
• Application Patch Levels
• Firewall Configurations for End-User Devices

Hygiene Assessment:

• Force Change of All Passwords
• Require Stronger Passwords
• Deploy MFA if Possible (Maybe Just VPN)
• Ask Users to Update Home Network Firmware/Systems

Insider Threats:

• Likely Increase – Monitor Network Behavior
• Monitor for Shadow IT Applications
• Reduce Use of File Sharing/Crypto Mining

Page 46: Understanding COVID-19 Attacks & Strategies - GNYHA

COVID-19 Cyber Defense – DDoS and Bots

General Increase in DDoS Attacks Against VPN:

• Mini-DDoS Attacks
• Assure VPN is Patched
• Determine Fallback Plans
• Validate ISP Support and Capabilities

Bot Attacks Against IoT:

• Physical Security Systems Patched
• IoT Systems Patched
• Which of these systems are cloud based?
• Third-Party Networks
• Medical Devices?
• Infrastructure?

Page 47: Understanding COVID-19 Attacks & Strategies - GNYHA

NIGHTINGALE: DETECTION MANAGER
COMPLY. DETECT. RESPOND.

HOST INTRUSION DETECTION: Monitoring of host level attacks and attempts.

DECEPTION TECHNOLOGIES: A last line of defense that is an attacker’s worst-case scenario.

ASSET FINGERPRINTING: 32,386 fingerprint database that includes hardware, IoT, IC & medical devices.

NETWORK INTRUSION DETECTION: Real-time deep packet inspection and event correlation.

VULNERABILITY DETECTION: CVSS level vulnerability assessment & risk correlation.

ASSET MANAGEMENT: Asset identification and tracking with support for asset valuation and high-value target support.

24x7 Security Operations Center (Sensato-CTOC)

Page 48: Understanding COVID-19 Attacks & Strategies - GNYHA

[email protected] | 844.732.7286 | www.sensato.co

Sensato

John Gomez, CEO

Sensato CTOC: Coronavirus TIB
COMPLY. DETECT. RESPOND.