Healthcare Cybersecurity

Active Threat Warning Issued About SharePoint RCE Vulnerability

The UK National Cyber Security Centre (NCSC) has recently issued a security alert advising organizations to patch a serious remote code execution vulnerability in Microsoft SharePoint. The DHS Cybersecurity and Infrastructure Security Agency is also urging organizations to patch the flaw promptly to prevent exploitation.

The vulnerability, tracked as CVE-2020-16952, is due to the failure of SharePoint to check the source markup of an application package. If exploited, an attacker could run arbitrary code in the context of the SharePoint application pool and SharePoint server farm account, potentially with administrator privileges.

To exploit the vulnerability an attacker would need to convince a user to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint. This could be achieved in a phishing campaign using social engineering techniques.

The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10 and affects the following SharePoint releases:

  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

SharePoint Online is not affected by the vulnerability.

SharePoint vulnerabilities are attractive to hackers as SharePoint is commonly used by enterprise organizations. Previous SharePoint vulnerabilities have been extensively exploited, two of which were listed in CISA’s list of the top 10 most exploited vulnerabilities between 2016 and 2019.

Microsoft issued an out-of-band patch to correct the flaw this week. The patch needs to be applied to correct the vulnerability as there are no mitigations to prevent exploitation of the flaw. The patch changes the way SharePoint checks the source markup of application packages.

A proof of concept exploit for the vulnerability has been publicly released on GitHub by security researcher Steven Seeley, who discovered the flaw and reported it to Microsoft. The PoC could easily be weaponized so there is a high risk of exploits being developed and used in attacks on organizations. At the time of the release of the patch, Microsoft was unaware of any cases of exploitation of the flaw in the wild.

According to NCSC, “This PoC can be detected by identifying HTTP headers containing the string runat='server' – as well as auditing SharePoint page creations.”

Rapid7 researchers have warned that the vulnerability has a very high value to hackers due to the ease at which the vulnerability can be exploited to gain privileged access.

“The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization,” explained Rapid7. The patch should be applied as soon as possible to prevent exploitation.

The post Active Threat Warning Issued About SharePoint RCE Vulnerability appeared first on HIPAA Journal.

Universities Targeted in Silent Librarian Spear Phishing Campaign

The Iran-based hacking group known as Silent Librarian – aka Cobalt Dickens and TA407 – has recommenced spear phishing attacks on universities in the United States and around the world. The hacking group has been conducting attacks since 2013 to gain access to login credentials and steal intellectual property and research data. Credentials and data stolen in the attacks are subsequently sold via the hacking group’s portals.

The U.S. Department of Justice indicted 9 Iranians in connection with the attacks in 2018, but the indictments have had no effect on the campaigns which have continued. Those individuals have yet to be brought to justice.

The spear phishing campaigns usually recommence in September to coincide with the start of the new academic year. The hackers have developed many different phishing websites which are used in the campaigns, and while many of these sites are taken down, sufficient numbers are used to ensure the campaigns can continue. This year, the group is known to be using sites hosted in Iran, which could hamper efforts to have the sites shut down due to a lack of cooperation between Iran and the United States and Europe.

Spear phishing emails are highly targeted and are sent to relatively few individuals at each targeted institution. The emails often spoof university libraries and prompt users to click links and login to the university’s web portal.

The domains used in the campaign closely resemble the official domains used by the universities. For instance, attacks on Western University Canada use login.proxy1.lib.uwo.ca.sftt.cf instead of login.proxy1.lib.uwo.ca, and the campaign targeting Stony Brook University uses the domain blackboard.stonybrook.ernn.me instead of blackboard.stonybrook.edu.
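The two lookalike patterns above (a full institutional domain appended to a foreign registrable domain, and a brand label reused under a foreign domain) can be checked mechanically against proxy or DNS logs. The following is an added example, not Malwarebytes' or HIPAA Journal's code; the allow-list and the tiny public-suffix table are constructed placeholders, and a real deployment would use the Public Suffix List.

```python
"""Lookalike-hostname triage for the Silent Librarian domain pattern.

Flags hostnames that embed a legitimate institutional domain (or its
distinguishing label) under a registrable domain owned by someone else,
e.g. login.proxy1.lib.uwo.ca.sftt.cf or blackboard.stonybrook.ernn.me.
Added example; allow-list and suffix table are constructed (assumption).
"""

# Constructed allow-list of the institutions' own registrable domains.
KNOWN_DOMAINS = {"uwo.ca", "stonybrook.edu"}

# Constructed, deliberately incomplete table of multi-label public suffixes.
# Assumption: production code would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "edu.au", "com.au", "on.ca"}


def _labels(host):
    return host.strip().lower().rstrip(".").split(".")


def registrable_domain(host):
    """Return the owner-controlled (registrable) domain of a hostname."""
    labels = _labels(host)
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(host):
    """Return (verdict, matched_domain) for one hostname.

    'legitimate' - registrable domain is on the allow-list
    'lookalike'  - a whole allow-listed domain appears as a run of labels
                   under a foreign registrable domain (high confidence)
    'brand'      - only the distinguishing label (e.g. 'stonybrook') appears
                   under a foreign registrable domain (medium confidence)
    'unknown'    - no relation to the allow-list
    """
    labels = _labels(host)
    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS:
        return "legitimate", reg
    for known in KNOWN_DOMAINS:
        k = known.split(".")
        # Whole domain embedded: [..., 'uwo', 'ca', 'sftt', 'cf']
        for i in range(len(labels) - len(k) + 1):
            if labels[i:i + len(k)] == k:
                return "lookalike", known
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        # Brand label reused as a subdomain: ['blackboard', 'stonybrook', 'ernn', 'me']
        if brand in labels[:-1]:
            return "brand", known
    return "unknown", reg


def triage(hosts):
    """Group hostnames (e.g. pulled from proxy or DNS logs) by verdict."""
    out = {"legitimate": [], "lookalike": [], "brand": [], "unknown": []}
    for host in hosts:
        verdict, _ = classify(host)
        out[verdict].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample: the domains named in the article plus benign noise.
    sample = [
        "login.proxy1.lib.uwo.ca",
        "login.proxy1.lib.uwo.ca.sftt.cf",
        "blackboard.stonybrook.edu",
        "blackboard.stonybrook.ernn.me",
        "www.example.com",
    ]
    for verdict, hosts in triage(sample).items():
        print(verdict, hosts)
```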

The threat group is known to use URL shortening services for links to the phishing domains to mask the true destination URL. Malwarebytes, which discovered the latest campaign, reports that Silent Librarian is using Cloudflare this year for most of their phishing hostnames to hide the real origin of the sites, which are mostly hosted in Iran this year.

The landing pages on the phishing sites are virtual carbon copies of those used by the universities being targeted, so if a user lands on one of those pages and fails to notice the incorrect URL, there is a strong likelihood that login credentials will be entered and captured by the group.

This year’s campaign could be even more effective. Many students and staff are remote due to COVID-19, which could potentially be exploited to steal more credentials and data.

The hacking group is known to have conducted attacks on at least 40 organizations and more than 140 educational institutions since 2013 and was discovered to have stolen more than 30 TB of data between 2013 and 2017. Malwarebytes reports that well over a dozen universities are known to have been targeted in the latest campaign, but says only a small sample of the emails have been intercepted and the campaign is likely to be far more extensive.


Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA

On October 2020 Patch Tuesday, Microsoft released a patch to correct a critical remote code execution vulnerability in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw concerns how the TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The flaw was assigned a CVSS v3 score of 9.8 out of 10.

While all patches should be applied promptly to prevent exploitation, there is usually a delay between patches being released and exploits being developed and used offensively against organizations. Due to the severity of this flaw and the ease with which it can be exploited, however, patching it is especially important; so much so that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) took to Twitter to urge all organizations to apply the patch immediately.

An attacker could exploit the flaw remotely in a denial of service attack, resulting in a ‘blue screen of death’ system crash; however, exploitation could also allow the remote execution of arbitrary code on the vulnerable systems. To exploit the flaw, an unauthenticated hacker need only send a specially crafted ICMPv6 Router Advertisement packet to a vulnerable Windows computer – a device running Windows 10 1709 to 2004, Windows Server versions 1903 to 2004, or Windows Server 2019.

While there have been no known exploits of the vulnerability in the wild, the flaw will be attractive to hackers. McAfee Labs reports that a proof-of-concept exploit shared with Microsoft Active Protection Program members is “extremely simple and perfectly reliable.” In addition to being easy to exploit, the vulnerability is potentially wormable, so attacking one device could easily see all other vulnerable devices on the network similarly compromised.

McAfee Labs nicknamed the vulnerability “Bad Neighbor” because it resides in the ICMPv6 Neighbor Discovery Protocol, specifically in the handling of the Router Advertisement message type: the TCP/IP stack improperly handles ICMPv6 Router Advertisement packets that carry Option Type 25 (Recursive DNS Server Option) with an even value in the length field.
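A well-formed RDNSS option is 8 header bytes plus one or more 16-byte addresses, so its length field (in 8-octet units) is always odd; an even value is therefore a reliable packet-level indicator of the malformed shape described above. The following is an added detection example, not McAfee's or Microsoft's code; the Router Advertisement packets it builds are constructed inline for testing.

```python
"""Parse ICMPv6 Router Advertisement (RA) options and flag the malformed RDNSS
option shape (Option Type 25 with an even length field). Added example; the
packets built below are constructed, not captured traffic."""
import struct

ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
RA_HEADER_LEN = 16      # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
RDNSS_FIXED_LEN = 8     # type, length, reserved(2), lifetime(4)
IPV6_ADDR_LEN = 16


def iter_ra_options(icmpv6):
    """Yield (offset, type, length_units, data) for each ND option in an RA.

    icmpv6 is the ICMPv6 message without the IPv6 header. A zero length field
    is yielded and parsing then stops, since advancing by 0 would loop forever.
    """
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERT:
        return
    off = RA_HEADER_LEN
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        total = opt_len * 8
        yield off, opt_type, opt_len, icmpv6[off + 2:off + total]
        if opt_len == 0:
            return
        off += total


def rdnss_findings(icmpv6):
    """Return [(offset, length_units, reason)] for RDNSS options that cannot be
    well-formed. Other even-length options (e.g. Prefix Information, 4 units)
    are legitimate and are not flagged."""
    findings = []
    for off, opt_type, opt_len, data in iter_ra_options(icmpv6):
        if opt_type != OPT_RDNSS:
            continue
        if opt_len == 0:
            findings.append((off, opt_len, "zero length"))
        elif opt_len % 2 == 0:
            findings.append((off, opt_len, "even length: address area is not a multiple of 16 bytes"))
        elif opt_len < 3:
            findings.append((off, opt_len, "no address present"))
        elif len(data) + 2 < opt_len * 8:
            findings.append((off, opt_len, "option truncated by end of packet"))
    return findings


def build_ra(*options):
    """Constructed RA: hop limit 64, no flags, router lifetime 1800 s, then options."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)


def rdnss_option(addresses, length_units=None):
    """RDNSS option; length_units overrides the computed value so a malformed
    header can be constructed for exercising the detector."""
    if length_units is None:
        length_units = 1 + 2 * len(addresses)
    return struct.pack("!BBHI", OPT_RDNSS, length_units, 0, 3600) + b"".join(addresses)


def prefix_info_option():
    """Well-formed Prefix Information option: 32 bytes = 4 units, even by design."""
    return bytes([OPT_PREFIX_INFO, 4]) + bytes(30)


# Constructed documentation-range resolver address 2001:db8::53.
DNS_ADDR = bytes.fromhex("20010db8000000000000000000000053")


if __name__ == "__main__":
    benign = build_ra(prefix_info_option(), rdnss_option([DNS_ADDR]))
    crafted = build_ra(prefix_info_option(), rdnss_option([DNS_ADDR], length_units=4))
    print("benign:", rdnss_findings(benign))
    print("crafted:", rdnss_findings(crafted))
```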

If it is not possible to patch immediately, mitigations need to be implemented to reduce the potential for exploitation.

Microsoft recommends administrators disable ICMPv6 RDNSS to prevent exploitation. This can be achieved using a simple PowerShell command:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

However, this option will disable RA-based DNS configuration, so cannot be used on network infrastructure that relies on RA-based DNS configuration. Also, this mitigating measure is only effective on Windows 10 1709 and later versions.

Alternatively, it is possible to prevent exploitation by disabling IPv6 traffic on the NIC or at the network perimeter, but this is only possible if IPv6 traffic is not essential.


CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw

A joint advisory has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warning about sophisticated advanced persistent threat actors chaining exploits for multiple vulnerabilities in cyberattacks against federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and election support systems. While there have been successful attacks on the latter, no evidence has been found to suggest any election data have been compromised to date.

Several legacy vulnerabilities are being targeted along with more recently discovered vulnerabilities, such as the Windows Server Netlogon remote protocol vulnerability – CVE-2020-1472 – also known as Zerologon. A patch for the flaw was issued by Microsoft on August 2020 Patch Tuesday but patching has been slow.

Chaining vulnerabilities in a single cyberattack is nothing new. It is a common tactic used by sophisticated threat groups to compromise networks and applications, elevate privileges, and achieve persistent access to victims’ networks.

The advisory did not specify which APT groups are conducting the attacks, although Microsoft recently issued an alert about the Mercury APT group – which has links to Iran – exploiting the Zerologon flaw to gain access to government networks. Those attacks have been ongoing for at least two weeks.

CISA and the FBI explained in the advisory that attacks start with the exploitation of legacy vulnerabilities in VPNs and network access devices. In several attacks, initial access to networks was gained by exploiting the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability – CVE-2018-13379 and, to a lesser extent, the MobileIron vulnerability – CVE-2020-15505. The latter vulnerability is also being exploited by ransomware gangs following the publication of a PoC exploit for the flaw.

While the latest campaigns have been conducted exploiting the above vulnerabilities, CISA/FBI warn that other legacy vulnerabilities in Internet facing infrastructure could similarly be exploited in attacks such as:

  • Citrix Gateway/Citrix SD WAN WANOP vulnerability – CVE-2019-19781
  • Pulse Secure vulnerability – CVE-2019-11510
  • F5 BIG-IP vulnerability – CVE-2020-5902
  • Palo Alto Networks vulnerability – CVE-2020-2021
  • Citrix NetScaler vulnerability – CVE-2019-19751
  • Juniper vulnerability – CVE-2020-1631

Once a flaw has been exploited to gain access to the target’s network, the attackers then exploit more recently discovered vulnerabilities such as the Zerologon flaw, which allows them to elevate privileges to administrator, steal usernames and passwords, and access Windows Active Directory servers and establish persistent access to networks. Legitimate tools such as MimiKatz and CrackMapExec are often used in the attacks.

Due to the high potential for exploitation of the Zerologon flaw, Microsoft issued multiple alerts urging organizations to apply the patch as soon as possible, as have CISA and the CERT Coordination Center.

CISA and the FBI have suggested several mitigations to block these attacks, the most important of which is patching the above vulnerabilities. Patching vulnerabilities in software and equipment promptly and diligently is the best defense against APT groups.

Other important steps to take are concerned with more traditional network hygiene and user management such as:

  • Implement multi-factor authentication on all VPN connections, ideally using physical security tokens which are the most secure method of MFA, or alternatively using authenticator app-based MFA.
  • Strong passwords should be set for all users and vendors who need to connect via VPNs.
  • Discontinue unused VPN servers.
  • Conduct audits of configuration and patch management programs.
  • Monitor network traffic for unexpected or unapproved protocols, especially outbound traffic to the Internet.
  • Use separate admin accounts on separate administration workstations.
  • Update all software to the latest versions and configure updates to be applied automatically where possible.
  • Block public access to vulnerable unused ports such as port 445 and 135.
  • Secure Netlogon channel connections by updating all domain controllers and read-only domain controllers.

CISA and the FBI suggest any organization with Internet facing infrastructure should adopt an “assume breach” mentality.

“If there is an observation of CVE-2020-1472 or Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed,” explained CISA/FBI in the alert.

Since fully resetting an AD forest is difficult and complex, organizations should consider seeking assistance from third-party cybersecurity firms with experience of successfully completing the task.


CISA Issues Alert Following Increase in Emotet Malware Attacks

Following a period of dormancy between February 2020 and July 2020, the Emotet botnet sprang back to life and recommenced spam runs distributing the Emotet Trojan. Since August 2020, attacks on state and local governments have increased sharply, prompting the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to issue a cybersecurity alert for all industry sectors.

The Emotet botnet resumed activity in July with a massive phishing campaign using messages with malicious Word attachments and hyperlinks. Since then, multiple spam runs have been conducted which typically consist of more than 500,000 emails. The Emotet Trojan is a dangerous banking Trojan which is used as a downloader of other types of malware, notably the TrickBot and Qbot Trojans. The secondary payloads in turn deliver other malware payloads, including Ryuk and Conti ransomware.

One infected device could easily result in further infections across the network. Emotet infects other devices in a worm-like fashion, creating multiple copies of itself which are written to shared drives. Emotet also brute forces credentials and distributes copies of itself via email. Emotet is capable of hijacking genuine email threads and inserting malicious files. Since the emails appear to have been sent by known contacts in response to previously sent messages, there is a higher probability of the email attachments being opened.

The Trojan is continuously evolving using dynamic link libraries and regularly has new capabilities added. The capabilities of the Trojan make it difficult to eliminate from networks. The Trojan can be removed from infected devices, but they can quickly be reinfected by other compromised devices on the network.

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have been collecting data on Emotet attacks and Emotet loader downloads since botnet activity resumed in July. CISA’s EINSTEIN Intrusion Detection System, which protects federal civilian executive branch networks, identified around 16,000 alerts about Emotet activity since July, including potentially targeted attacks on state and local governments. Compromises have also been reported in Canada, France, Italy, Japan, New Zealand, and the Netherlands.

CISA regards Emotet as one of the most prevalent ongoing threats, and its secondary malware payloads of TrickBot and Qbot are also significant threats, as are the ransomware payloads they deliver.

The phishing emails used to distribute the Emotet loader are diverse and often change. COVID-19-themed emails have been used this year along with many lures aimed at businesses. The email attachments are typically malicious Word documents, although password-protected zip files have also been used to evade anti-spam and anti-phishing solutions. The emails often claim that attachments were created on a mobile device and require the user to enable content (and by doing so enable macros) to view the files.

To prevent Emotet malware attacks, CISA and MS-ISAC recommend adopting cybersecurity best practices which include applying protocols to block suspicious attachments, including attachments that cannot be scanned by AV solutions such as password-protected files. Antivirus software should be used on all devices and set to update automatically, suspicious IPs should be blocked, DMARC authentication and multi-factor authentication should be implemented, organizations should adhere to the principle of least privilege, and should segment and segregate networks and disable file and printer sharing services (if possible).

The full list of recommended mitigations is detailed in the CISA alert.


CISA Releases Telework Toolkit to Help Businesses Transition to a Permanent Telework Environment

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published a Telework Essentials Toolkit to help business leaders, IT staff, and end users transition to a permanent teleworking environment.

The COVID-19 pandemic forced businesses to rapidly change from having a largely office-based workforce to allowing virtually all employees to work from home to reduce the risk of infection. The speed at which the transition had to be made potentially introduced security vulnerabilities that weakened organizational cybersecurity defenses. The CISA Toolkit is intended to provide support to organizations to help them re-evaluate and strengthen their cybersecurity defenses and fully transition into a long-term teleworking solution.

The Toolkit includes three personalized modules that include best practices for executive leaders, IT professionals and teleworkers, and include the security considerations appropriate to each role.

Executive leaders are provided with information to help them drive cybersecurity strategy and investment and develop a cyber secure hybrid culture in their organization. Resources are provided to help business leaders develop organizational policies and procedures for remote working and implement cybersecurity training that improves understanding of the risks and threats of accessing organizational systems and data remotely and of moving organizational assets beyond the traditional perimeter, where they may not be reachable by the organization’s monitoring and response capabilities. Advice is provided on addressing the basics of cyber hygiene with the workforce and providing clear and regular updates on cybersecurity best practices.

Guidance for IT professionals is focused on the policies, procedures, and tools that need to be implemented to ensure teleworkers can work and access the resources they need remotely. The guidance explains the importance of patching promptly and implementing effective vulnerability management practices, the need for zero trust architecture, multi-factor authentication, regular data backups, and DMARC validation to address the risks of phishing and business email compromise in relation to remote working environments. IT leaders must also stipulate the tools and applications that must be used when working remotely and provide training on how to use those tools securely.

Everyone has a role to play in the transition from temporary to permanent remote working, including end users. The third module is aimed at teleworkers and provides advice on the steps that need to be taken to work securely from home. These include making sure home networks are properly configured and hardened, following organizational secure practices and policies, increasing awareness of phishing and social engineering threats, and promptly communicating any suspicious activities to the IT security team.

The CISA Telework Essentials Toolkit can be downloaded from the CISA website.


Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that companies that facilitate ransom payments to cybercriminals on behalf of victims of the attacks could face sanctions risks for violating OFAC regulations. Victims of ransomware attacks that pay ransoms to cyber actors could similarly face steep fines from the federal government if it is discovered that the criminals behind the attacks are already under economic sanctions.

“Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” explained OFAC in its advisory on potential sanctions risks for facilitating ransomware payments. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

Several individuals involved in ransomware attacks over the past few years have been sanctioned by OFAC, including the Lazarus Group from North Korea which was behind the WannaCry 2.0 ransomware attacks in May 2017, two Iranians believed to be behind the SamSam ransomware attacks that started in late 2015, Evil Corp and its leader, Maksim Yakubets, who are behind Dridex malware, and Evgeniy Mikhailovich Bogachev, who was designated the developer of Cryptolocker ransomware, first released in December 2016.

Paying ransoms to sanctioned persons or jurisdictions threatens U.S. national security interests. “Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims,” explained OFAC.

“U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes,” wrote OFAC.

Civil monetary penalties may be imposed for sanctions violations, even if the person violating sanctions was unaware that they were engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC. Any facilitator or payer of ransom demands to sanctioned individuals, entities, or regimes could face a financial penalty up to $20 million.

Many entities do not disclose ransomware attacks or report them to law enforcement to avoid negative publicity and legal issues, but by failing to report they are hampering law enforcement investigations into attacks. OFAC explained in its advisory that the financial intelligence and enforcement agency will “consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

The advisory also includes contact information for victims of ransomware attacks to discover if there are sanctions imposed on threat actors, and whether payment of a ransom may involve a sanctions nexus.

OFAC has advised against paying any ransom demand. Not only does payment of a ransom risk violating OFAC regulations, there is no guarantee that payment of the ransom will result in valid keys being supplied, the criminals may not delete stolen data, and they could issue further ransom demands. Payment of a ransom may also embolden cyber actors to engage in further attacks.

OFAC has only offered advice and warned of sanctions risks if payments are made to certain threat actors. Short of an outright ban on ransom payments, the attacks are likely to remain profitable and will continue. Only when the attacks cease to be profitable are cybercriminals likely to stop conducting them.


NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has released updated guidance on Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5).

This is the first time that NIST has updated the guidance since 2013 and is a complete renovation rather than a minor update. NIST explained that the updated guidance will “provide a solid foundation for protecting organizations and systems—including the personal privacy of individuals—well into the 21st century.”

The updated guidance is the result of years of effort “to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems—from super computers to industrial control systems to Internet of Things (IoT) devices.”

This is the first control catalog to be released worldwide that includes privacy and security controls in the same catalog. The guidance will help to protect organizations from diverse threats and risks, including cyberattacks, human error, natural disasters, privacy risks, structural failures, and attacks by foreign intelligence agencies. The controls detailed in the guidance will help organizations take a proactive and systematic approach to protecting critical systems, components and services and will ensure they have the necessary resilience to protect the economic and national security interests of the United States.

The guidance is intended to help government agencies and their third-party contractors meet the requirements of the Federal Information Security Management Act and it will be mandatory for government agencies to implement the new provisions detailed in the updated guidance. The guidelines are voluntary for private sector organizations, although the private sector is being encouraged to adopt the new guidelines to tackle privacy and security issues.

There have been several major updates to the guidance, which include:

  • New, ‘state-of-the-practice’ controls to protect critical and high value assets. The revisions have been based on the latest threat intelligence and cyber attack data and will improve cyber resiliency, support secure system design, security and privacy governance and accountability.
  • Information security and privacy controls have been integrated into a seamless, consolidated control catalog for systems and organizations.
  • Controls are now outcome-based, with the entity responsible for implementing the controls removed from the document. The guidance now focuses on the protection outcome from implementing the controls.
  • Standards have been incorporated for supply chain risk management with guidance provided on how to integrate those standards throughout an organization.
  • The guidance incorporates next generation privacy and security controls, and includes guidelines for how to use them.
  • Control selection processes have been separated from the controls to make it easier for the controls to be used by different communities of interest.
  • Descriptions of content relationships have been improved, clarifying the relationship between requirements and controls and the relationship between security and privacy controls.

“The controls offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States,” explained Ron Ross, NIST Fellow and co-author of the document.


CISA Issues Alert Following Surge in LokiBot Malware Activity

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following a surge in LokiBot malware activity over the past two months.

LokiBot – also known as Lokibot, Loki PWS, and Loki-bot – first appeared in 2015 and is an information stealer used to steal credentials and other sensitive data from victim machines. The malware targets Windows and Android operating systems and employs a keylogger to capture usernames and passwords and monitors browser and desktop activity. LokiBot can steal credentials from multiple applications and data sources, including Safari, Chrome, and Firefox web browsers, along with credentials for email accounts, FTP and SFTP clients.

The malware is also capable of stealing other sensitive information and cryptocurrency wallets and can create backdoors in victims’ machines to provide persistent access, allowing the operators of the malware to deliver additional malicious payloads.

The malware establishes a connection with its command and control server and exfiltrates data via Hypertext Transfer Protocol (HTTP). The malware has been observed using process hollowing to insert itself into legitimate Windows processes such as vbc.exe to evade detection. The malware can also create a duplicate of itself, which is saved to a hidden file and directory.

The malware may be relatively simple, but that has made it an attractive tool for a wide range of threat actors and LokiBot is used in a wide variety of data compromise use cases. Since July, CISA’s EINSTEIN Intrusion Detection System has identified a significant increase in LokiBot activity.

LokiBot is most commonly distributed via email as a malicious attachment; however, since July, the malware has been distributed in a variety of different ways, such as links to websites hosting the malware sent by SMS and via text messaging apps.

Information stealers have proven popular during the COVID-19 pandemic, especially LokiBot. LokiBot was the most commonly detected information stealer in the first half of 2020, according to F-Secure.

CISA has shared best practices to adopt to strengthen defenses against LokiBot and other information stealers. These include:

  • Deploying antivirus software and ensuring virus definition lists are kept up to date
  • Applying patches for vulnerabilities promptly
  • Disabling file and printer sharing services. If not possible, set strong passwords or use AD authentication
  • Use multi-factor authentication on accounts
  • Restrict user permissions to install and run software applications
  • Enforce the use of strong passwords
  • Provide training to the workforce and encourage workers to exercise caution when opening email attachments
  • Deploy a spam filtering solution
  • Use a personal firewall on workstations and configure the firewall to deny unsolicited connection requests
  • Monitor web activity and consider using a web filter to prevent employees from accessing unsavory websites
  • Scan all software downloaded from the Internet prior to executing
