COVID-19 has forced many organizations to rapidly scale up the numbers of employees working from home, which has created new opportunities for cybercriminals to conduct attacks. Cyberattacks on remote workers have increased substantially during the COVID-19 lockdown, with application-level protocols used by remote workers to connect to corporate systems now being extensively targeted.

Remote Desktop Protocol (RDP) is a proprietary communications protocol developed by Microsoft to allow employees, IT workers, and others to remotely connect to corporate systems, services, and virtual desktops. The protocol has been used by many organizations to allow their employees to work from home on personal computers.

RDP has also proven to be popular with cybercriminals. In line with the increase in remote workers accessing systems via RDP, cybercriminals have stepped up attacks. New data from Kaspersky show a major worldwide increase in brute force attacks on RDP.

In order to connect via RDP, employees typically need to enter a username and password. Brute force attacks on RDP are conducted to guess those passwords, which involves trying different password combinations until the right one is guessed. That can take a long time for complex passwords, but the attacks start with dictionary words and passwords obtained in prior data breaches. Annual worst passwords lists show a great deal of people still choose easy to remember passwords, which can be correctly guessed in these automated RDP attacks in a matter of seconds.

Once the credentials have been correctly guessed, they can be used to remotely connect to whatever systems an employee is authorized to access. Even if a fairly low-level set of credentials is compromised, it can give hackers the foothold in the network to conduct extensive attacks on the organization. These unauthorized logins using stolen credentials can be difficult for IT security teams to identify.

Once access is gained, attackers can take control of email accounts and send phishing emails internally to other employees. As has been made clear in the many phishing incidents reported by healthcare providers in recent months, a single email account compromise could result in a data breach involving hundreds, thousands, or even hundreds of thousands of patents’ protected health information. Ransomware and other malware can also be installed.

The scale of the attacks is alarming. “During the last year, there were some spikes of such attacks in different regions, but they were mainly local and small,” said, Kaspersky security researcher, Dmitry Galov. “Right now, we can see that almost worldwide, the amount of attacks increased significantly. For instance, in February we witnessed 93,102,836 attacks globally. In April, the figure was already 326,896,999.”

The number of RDP brute force attacks in the United States more than doubled between January 2 and March 3, and almost tripled by April 7, when there were 1.4 million RDP brute force attacks detected.

Increase in Brute Force RDP Attacks. Source: Kaspersky

The brute force RDP attacks are likely to continue at high levels for the foreseeable future, and certainly until the number of remote employees reduces once the COVID-19 crisis is over.

There are several steps that companies can take to reduce the risk of these attacks succeeding. One of the most important steps to take is to implement password policies that force users to set strong passwords that are difficult to guess. Two-factor authentication is also important. If a password is guessed, a second factor must be provided before a connection is allowed. Employees should also use a corporate VPN to connect remotely along with Network Level Authentication (NLA) measures to block unauthorized access attempts. Kaspersky also warns that if RDP is not being used by remote employees, port 3389 should be disabled.

The post Worldwide Spike in Brute Force RDP Attacks During COVID-19 Pandemic appeared first on HIPAA Journal.

The World Health Organization is one of the leading agencies combating COVID-19 and has proven to be an attractive target for hackers and hacktivists, who have stepped up attacks on the organization during the COVID-19 pandemic. Cyberattacks on WHO are at five times the level they were at this time last year.

Last month, WHO confirmed hackers had tried to gain access to its network and those of its partners by spoofing an internal WHO email system and the attacks have kept on coming. Last week, SITE Intelligence Group discovered the credentials of thousands of individuals involved in the fight against COVID-19 had been dumped online on 4chan, Pastebin, Telegram, and Twitter. Around 25,000 email and password combos were leaked in total, including around 2,700 credentials for WHO staff members. WHO said the data had come from an old extranet system and most of the credentials were no longer valid, but 457 were current and still active.

In response, WHO said it performed a password reset to ensure the credentials could no longer be used, internal security has been strengthened, a more secure authentication system has been implemented, and security awareness training for its staff is being improved.

The remainder of the dumped credentials came from organizations such as the Gates Foundation, Centers for Disease Control and Prevention, and the National Institutes of Health. It is not clear where the data came from or who leaked it online, but the credentials have been used far right groups to attack organizations working on vaccines and conducting other activities related to COVID-19.

“Ensuring the security of health information for member states and the privacy of users interacting with us is a priority for WHO at all times, but also particularly during the COVID-19 pandemic,” said WHO CIO, Bernardo Mariano. “We are grateful for the alerts we receive from Member States and the private sector. We are all in this fight together.”

Mariano also confirmed that ongoing phishing campaigns are being conducted that spoof WHO to trick people into making donations to a fictitious fund similar to the COVID-19 Solidarity Response Fund that is overseen by WHO and the United Nations. Campaigns are also being conducted by nation-state hacking groups that spoof WHO to trick people into downloading malware that is used for espionage.

Malicious attacks using COVID-19 and coronavirus themes have soared over the past few weeks. Data released by cybersecurity firm Zscaler shows there has been a 30,000% increase in COVID-themed attacks in March compared. In March there were around 380,000 attempted COVID-19 themed attacks, compared to around 1,200 in January and 10,000 in February.

There was an 85% increase in COVID-19-themed phishing attacks on remote enterprise users, a 17% increase in threats directed at enterprise clients, and the company blocked 25% more malicious websites and malware samples in March. The company also detected 130,000 suspicious or malicious newly registered domains that included words such as Wuhan, test, mask, and kit.

Many of the attacks are succeeding. Figures from the FTC indicate around $19 million has been lost to COVID-19 related scams since January 2020, with $7 million lost in the past 10 days. Figures released by Google earlier this month revealed that in a single week it blocked 18 million COVID-19 phishing emails. While the number of COVID-19 themed attacks has increased sharply, overall the number of attacks has remained fairly constant. Microsoft reports that the number of cyberattacks has not significantly increased during the COVID-19 pandemic. Threat actors are simply repurposing their infrastructure and switching from their regular campaigns to COVID-19 related attacks.

The post WHO Confirms Fivefold Increase in Cyberattacks on its Staff appeared first on HIPAA Journal.

A bipartisan group of Senators has written to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and U.S. Cyber Command requesting healthcare-specific cybersecurity guidance on how to deal with coronavirus and COVID-19-related threats.

Richard Blumenthal, (D-CT), Mark Warner (D-VA), Tom Cotton (R-AR), David Perdue (R-GA), and Edward J. Markey (D-MA) penned the letter in response to the escalating cyber espionage and cybercriminal activity targeting the healthcare, public health, and research sectors during the COVID-19 pandemic.

The letter cites a report from cybersecurity firm FireEye which identified a major campaign being conducted by the Chinese hacking group, APT41, targeting the healthcare sector. The hacking group is exploiting vulnerabilities in networking equipment, cloud software and IT management tools to gain access to healthcare networks – The same systems that are now being used by telecommuting workers for providing telehealth during the pandemic. Several other threat groups with links to China have also stepped up their attacks and are using COVID-19-themed campaigns on U.S. targets.

Threat actors in Russia, Iran, and North Korea have also been conducting attacks on international health organizations and public health institutions of U.S. allies. There have also been several misinformation campaigns that have been linked to Russia, Iran, and China which are attempting to derail the response of the United States to the pandemic.

The healthcare industry was already struggling to defend against attacks from nation state hackers and cybercriminal gangs before the SARS-CoV-2 pandemic. Healthcare organizations are now stretched and stressed due to the COVID-19 pandemic and the situation is now critical. If the cyberattacks succeed, there is a major risk of disruption of the public health response.

Hospitals are dependent on electronic data such as electronic medical records, email, and their internal networks, many of which are heavily reliant on legacy equipment. Any attack that causes disruption will see resources diverted and critical time lost. Even a relatively minor attack has potential to cause major disruption. As an example, the Senators cited an attack on the Department of Health and Human Services. A relatively minor technical issue was experienced with email, but it was enough to hamper the efforts of the HHS to coordinate the federal government’s service.

Ransomware attacks that take EHRs out of action have even greater potential to cause disruption, and the consequences of these attacks can be grave. “During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death,” wrote the Senators.

The Senators have called for the two agencies to use the expertise and resources that have been developed to defend against these threats and to take the necessary measures to protect the healthcare industry during the coronavirus pandemic.

The Senators have requested private and public cyber threat intelligence such as indicators of compromise from attacks on the healthcare, public health, and research sectors to be broadly shared to help network defenders block the attacks. They have also requested the agencies coordinate with the HHS, Federal Trade Commission (FTC), and Federal Bureau of Investigation (FBI) to help increase awareness of cyberespionage, cybercrime, and disinformation campaigns.

The Senators have asked for the National Guard Bureau to be provided with threat assessments, resources, and additional guidance to support personnel supporting state public health departments and local emergency management agencies to ensure they have the information they need to defend critical infrastructure from cybersecurity breaches.

The agencies have been asked to consult with partners in the private healthcare, public health, and research sectors on the resources and information needed to improve defenses against attacks, such as vulnerability detection tools and threat hunting.

To counter the disinformation campaigns that are being conducted, the Senators have asked the agencies to consider issuing public statements “to put advisories on notice”, similar to the joint statement issued in relation to election interference on March 2^nd.

Finally, they asked the agencies to evaluate further necessary action to defend forward to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

The post Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance appeared first on HIPAA Journal.

The Department of Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA) has issued a warning to all organizations using Pulse Secure VPN servers that patching vulnerabilities will not necessarily prevent cyberattacks. CISA is aware of attacks occurring even after patches have been applied to address known vulnerabilities.

CISA issued an alert about a year ago warning organizations to patch a vulnerability (CVE-2019-1151) in Pulse Secure Virtual Private Network appliances due to a high risk of exploitation. Many companies were slow to apply the patch, and hackers took advantage.

CVE-2019-1151 is an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances. The vulnerability was identified in the spring of 2019 and Pulse Secure released a patch to address the vulnerability in April 2019. Several advanced persistent threat groups are known to have exploited the vulnerability to steal data and install malware and ransomware. By exploiting the vulnerability and stealing credentials, the attackers were able to gain persistent access to networks even after the vulnerability was patched, if credentials were not also changed at the same time.

CISA observed threat actors exploiting the vulnerability to deploy ransomware at several government agencies and hospitals, even after patches had been applied. First, the vulnerability was exploited to gain access to the network through vulnerable VPN devices. The threat actors were then able to obtain plaintext Active Directory credentials, and those accounts were used with external remote services for access, remote services for lateral movement, and the attackers then deployed ransomware and malware and/or exfiltrated and sold sensitive company data.

The attackers used Tor infrastructure and virtual private servers to minimize the chance of detection when they were connected to victims’ VPN appliances. Many victims failed to detect the compromise as their antivirus and intrusion detection systems did not detect the remote access as suspicious, as genuine login credentials and remote services were used. Some attackers used LogMeIn and TeamViewer to ensure they had persistent access even if the primary connection was lost.

When patches are applied to address vulnerabilities that are known to be actively exploited in real world attacks, organizations then need to conduct analyses to determine if the vulnerability has already been exploited to gain access to their networks. Patching will prevent any further threat actors from exploiting the vulnerability, but if a network compromise has already occurred, applying the patch will not kick the attackers out of systems.

CISA has now developed a tool that can be used by organizations to determine if the Pule Secure VPN vulnerability has already been exploited. The tool can be used to scan the log files of Pulse Secure VPN servers to determine if the gateway has been compromised. In addition to helping system administrators triage logs, the tool will also scan for Indicators of Compromise (IoCs) associated with exploitation of the Pulse Security vulnerability.

“If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying back into the environment. CISA recommends performing checks to ensure the infection is gone even if the workstation or host has been reimaged,” wrote CISA.

In addition to performing the scans, CISA recommends changing Active Directory passwords and conducting a search for unauthorized applications, scheduled tasks, and any remote access tools that have been installed that have not been approved by the IT departments. Scans should also be performed to identify any remote access Trojans and other malware that may have been installed.

Many organizations that use VPN servers to allow remote access do not use multi-factor authentication, which means that any stolen credentials can be used to gain access to networks via the VPN gateways. With multi-factor authentication in place, use of stolen credentials becomes much harder, as a second factor will be required before access is granted.

The post CISA Warns of Continuing Attacks on Pulse Secure VPNs After Patching appeared first on HIPAA Journal.