Government cyber advice, examples of phishing campaigns, and things you should patch in the times of COVID-19.
Vol. 3 Iss. 12 22/03/2020, last updated 06/04/2020 Robin Oldham ~9 Minutes
Last week I eschewed Covid-19 news entirely in favour of the other security stories that might have missed your attention. A lot has changed in the last seven days and it would be disingenuous and, frankly, impossible to continue writing this newsletter in that manner.
Cyber security marketing has long been about fear, uncertainty and doubt (FUD). Here, I am trying to take a more pragmatic and positive approach to the topic.
Organisations have quickly stood up remote working facilities for staff, and statistically some of those facilities will be vulnerable. There is also growing evidence of cyber-criminals taking advantage of the global pandemic in phishing campaigns.
So this week I’m focussing on the cyber security aspects of the global pandemic: where you can find good advice for secure remote working (both as an individual and as a business), and the security updates for remote working technologies that you should be aware of.
🛡 Cybersecurity advice from government and recognised sources
There has been some excellent advice published by government cyber agencies this week. (Dwarfed, seemingly, by the amount of marketing materials from security vendors.) These are the ones I’d recommend paying attention to - they cover advice for individuals, and for employers:
The UK’s National Cyber Security Centre’s guide on home working: “How to make sure your organisation is prepared for an increase in home working, and advice on spotting coronavirus (COVID-19) scam emails” This is by far the most straightforward guidance I’ve seen and the precautions are sensible for organisations of all sizes. ncsc.gov.uk
The US’ Cybersecurity & Infrastructure Security Agency’s alert on enterprise VPN security has a good list of mitigations for larger, or more advanced, organisations to consider. us-cert.gov
If you’ve got all of that sorted, then NIST’s blog post on “Preventing Eavesdropping and Protecting Privacy on Virtual Meetings” has some reminders on how to protect video and audio conferences. nist.gov
⚠️ Patching info for IT and security teams stretched by the explosion in remote working
I’ve focussed on widely-used software or remote working technology here.
Adobe Acrobat Reader, APSB20-13 addresses critical vulnerabilities in five categories: CVE-2020-3795, 3799, 3792/3793/3801/3805, 3807, 3797 adobe.com
VMware Fusion / Workstation / Remote Console / Horizon Client, two important vulnerabilities CVE-2020-3950, 3951 vmware.com
Cisco Webex player apps, two high vulnerabilities CVE-2020-3127, 3128 cisco.com
Cisco SD-WAN, three high vulnerabilities CVE-2020-3264, 3265, 3266 cisco.com
👍 Examples of cyber-criminals’ campaigns to watch out for as an individual
Criminal groups are trying to cash in on the pandemic for their own gains. They’re typically variations on a phishing campaign that you might be sent via email, or shared via message on social media.
Phishing emails often rely on creating a sense of urgency to panic you into action you wouldn’t normally take, and a global pandemic and personal health concerns create just these sorts of conditions.
Stop, take a deep breath, and consider before clicking links, especially if they are demanding or urging you to do something immediately. Also worth remembering, official guidance will always come from your government, and not from your mate Kev on Facebook!
Here are some of the examples:
- WHO chief emails claiming to offer coronavirus drug advice plant keyloggers on your PC zdnet.com
- The fake coronavirus tracking app that actually tracks your location, photos, camera and microphone cnet.com, cyberscoop.com
- Gov.UK branding from ‘Government Gateway’ phishing emails promising a ‘tax refund (rebate)’ H/T @CyberGoGiver
- Information-stealing malware pretending to be Folding@home, the project that donates your spare computing power to finding a cure for the disease bleepingcomputer.com
- ‘Dirty little secret’ extortion emails using details from previous data breaches and threatening to give your family coronavirus sophos.com
- A coronavirus-tracking app locked users’ phones and demanded $100 (there is now a password/tool available if you have been a victim of this) cyberscoop.com
Not to be left out, APT36, which is believed to be linked to Pakistani intelligence, has been using health advisories to target Indian government officials. malwarebytes.com
Lastly, if you, or a family member, have been a victim of cybercrime then report it to law enforcement; the Cyber Helpline may also be able to step you through the other steps to take thecyberhelpline.com
4,000 Domains registered relating to coronavirus since January…
8% of which have been found to be malicious or suspicious, according to Check Point checkpoint.com
3 days typical time elapsed between an organisation being infiltrated and deployment in most ransomware attacks, with
Other newsy bits
Privacy vs surveillance in a public health crisis
This week reports surfaced that Israel’s Shin Bet security service has been authorised to use surveillance technology to track Covid-19 patients (FT). Meanwhile, the Hong Kong government has obtained 60,000 wristbands that pair with smartphones to track new arrivals and check they are following quarantine restrictions (The Register). (Apparently, you can also expect surprise video calls from the Office of the Government Chief Information Officer as part of the checks too!)
Wired has a write-up exploring some of the ways in which our mobile devices may be used to help fight a public health crisis. For example, tracing the contacts of those infected during the early stages of an outbreak could be assisted by mobile phone location data, although this quickly becomes meaningless in built-up metropolitan areas. Another use-case is the identification of infection hotspots: by cross-referencing the movements of multiple patients, authorities may be able to identify common locations that were the source of infection, and therefore other potentially infected individuals who were present at the same restaurant/theatre/etc.
The Electronic Frontier Foundation has published a good set of principles it proposes authorities abide by in order to balance the public good with individual privacy: be proportionate, be based in science and not bias, have an expiration, be transparent, and be subject to due process. The word ‘unprecedented’ has been overused this week; however, in times like these, it is unlikely that this will be the end of novel uses of surveillance technology. One thing is for sure: public support will quickly wane if powers are not solely used for good. ft.com ($), theregister.co.uk, wired.com ($), eff.org
Money mules and fake charities
Criminals need to be able to launder their ill-gotten gains into ‘clean’ cash that they can use. In fraud and cyber-crime cases this is typically carried out by ‘money mules’ who move currency from A to B. Sometimes they may not even realise that they are involved in a criminal enterprise. Such is the case with the volunteers to a fake coronavirus charity exposed by Brian Krebs. It’s a fascinating read and good example of how criminals lure individuals in, keep them busy with menial tasks and then get them carrying out fraudulent transactions. With people being laid off by employers and looking for work, or just wanting to volunteer to help those in their community, there is ‘no shortage’ of potential recruits. krebsonsecurity.com
Attacks, incidents & breaches
- Small business loans app blamed for leak of 500,000 financial records from an S3 bucket theregister.co.uk
- Fintech company Finastra suffers disruption from ransomware attack theregister.co.uk
- Hackers hit NutriBullet website with credit card-stealing malware techcrunch.com
- Rogers Data Breach Exposed Customer Info in Unsecured Database bleepingcomputer.com
- Well, that’s nice of them… DoppelPaymer and Maze ransomware groups will not target healthcare organisations with ransomware during pandemic bleepingcomputer.com
- New TrickBot tool targets telecommunications in U.S., Hong Kong cyberscoop.com
- New Nefilim Ransomware Threatens to Release Victims’ Data bleepingcomputer.com
- Sodinokibi Ransomware Data Leaks Now Sold on Hacker Forums bleepingcomputer.com
- CERT France warns local governments being targeted by a new version of the Pysa (Mespinoza) ransomware zdnet.com
- APT28 has been scanning vulnerable email servers for more than a year; now using compromised accounts in spear-phishing campaigns zdnet.com
Internet of Things
- Hackers breach FSB contractor and leak details about IoT hacking project zdnet.com
- … also… Criminals exploiting vulnerabilities in Zyxel NAS and Lilin DVRs arstechnica.com
- Doctors in the US can start using Facebook Messenger and FaceTime to diagnose patients, without worrying about violating privacy laws cnet.com
- Freedom of Information coverup clerk stung for £2k after deleting council audio recording theregister.co.uk
- The ‘Russian interference’ report is still to be published, but UK ministers will no longer claim ‘no successful examples’ of Russian interference theguardian.com
Mergers, acquisitions and investments
- Insight Partners sells security firm Checkmarx to Hellman & Friedman for $1.15B techcrunch.com
Pale Blue Dot
A bit of reflection this week from one of my favourite readings: Carl Sagan’s comments on Pale Blue Dot, a photograph of the Earth taken by the space probe Voyager 1 from 3.7 billion miles away as it exited the solar system…
(The Earth is that bright spot in the right hand sunbeam, just under half-way down.)
Here’s what Carl Sagan had to say about it:
Look again at that dot. That’s here. That’s home. That’s us. On it everyone you love, everyone you know, everyone you ever heard of, every human being who ever was, lived out their lives. The aggregate of our joy and suffering, thousands of confident religions, ideologies, and economic doctrines, every hunter and forager, every hero and coward, every creator and destroyer of civilization, every king and peasant, every young couple in love, every mother and father, hopeful child, inventor and explorer, every teacher of morals, every corrupt politician, every “superstar,” every “supreme leader,” every saint and sinner in the history of our species lived there–on a mote of dust suspended in a sunbeam.
The Earth is a very small stage in a vast cosmic arena. Think of the rivers of blood spilled by all those generals and emperors so that, in glory and triumph, they could become the momentary masters of a fraction of a dot. Think of the endless cruelties visited by the inhabitants of one corner of this pixel on the scarcely distinguishable inhabitants of some other corner, how frequent their misunderstandings, how eager they are to kill one another, how fervent their hatreds.
Our posturings, our imagined self-importance, the delusion that we have some privileged position in the Universe, are challenged by this point of pale light. Our planet is a lonely speck in the great enveloping cosmic dark. In our obscurity, in all this vastness, there is no hint that help will come from elsewhere to save us from ourselves.
The Earth is the only world known so far to harbor life. There is nowhere else, at least in the near future, to which our species could migrate. Visit, yes. Settle, not yet. Like it or not, for the moment the Earth is where we make our stand.
It has been said that astronomy is a humbling and character-building experience. There is perhaps no better demonstration of the folly of human conceits than this distant image of our tiny world. To me, it underscores our responsibility to deal more kindly with one another, and to preserve and cherish the pale blue dot, the only home we’ve ever known.
Now is a time to pull together but keep apart. Wherever in the world you are reading this I hope that you and your families are healthy and that you have what you need. Please, take care, be kind, and wash your hands.
Get this weekly information security newsletter of cyber security and privacy articles, events and topics that have caught my eye, some interesting stats, plus a summary of other news.
There are hundreds of subscribers who get it direct to their inbox, every Sunday, at 7:00pm. They tell me it's pretty good, is an interesting read, and saves them time.