The COVID 19 pandemic is a health challenge for humanity, but that does not prevent its use for criminal, espionage or flu activities.
The Thales report "COVID-19: Cyber Threat Assessment" is an excellent summary of what happens in cyberspace as a result of COVID 19. Dated 24 March 2020, it can be downloaded from the Thales website (link).
Let's take a look together at the study.
First of all, we must point out that according to analysts all over the world there is an increase in cyber campaigns linked to the dissemination of news on COVID 19 and the dissemination of software used for viewing and tracking the COVID 19 situation (both on PC and on mobile devices) . The attack vector is therefore directly linked to the spread of the biological virus.
Analysts indicate that it is fear that drives the search for more and more information, forgetting the necessary attention to security, causing both a greater spread of malware (ransomware, spyware, etc.) and a greater spread of fake news.
Several hacker groups have however said they have no intention of attacking hospitals even though attacks against Paris hospitals, Brno University Hospital (Czech COVID 19 test laboratory) and the US Department of Healt have been reported.
The groups reported for taking part in these world campaigns are: Vicius Panda, Mustang Panda, Kimsuky, APT 36, Hades group, TA542.
Of great interest, the recommendations of the ANSSI (Agence nationale de la sécurité des systèmes d'alformation) on teleworking which we briefly summarize below and we think may also be valid for us:
- do not expose on the internet, for any reason, the web interfaces of Microsoft Exchange servers not updated to the latest security patch;
- do not give access to file-sharing servers through the SMB protocol;
- if you expose or if you need to expose new services on the Internet, update the security patches (both to software and hardware) as soon as possible and enable log-in mechanisms. If possible, use two-factor authentication;
- perform offline backups;
- use access through VPN (IPSEC or TLS) to avoid direct exposure on the Internet;
- regularly check the access logs of services exposed on the Internet or showing suspicious behavior.
Also follow the additional indications of Thales, also summarized below:
- use trusted information channels (government, national ...);
- pay attention to the sensationalism of certain media;
- cross-checking of information;
- bring to mind the "teleworkers" attention to information security;
- at the state level, give priority to Cyber Threat Intelligence;
- combine IDS and Cyber Threat Intelligence, when you have capacity and availability.
We add to pay attention to the management of the services, we avoid the own goals!
Some of my brief considerations
The Report is certainly interesting and emphasizes, in addition to malware, the use of cyber for the dissemination of news, messages and information that could be considered as information campaigns. This means that the COVID 19 pandemic case is used (or rather suspected to be employed) by foreign powers to cover the operations of Influence. Nothing strange, in my opinion, but it is good to point it out because it is not always said so clearly.
I think it is clear to everyone that in this period many people have carried out operations Influence, both by means of public messages and by means of acts, aimed at the "belly" of public opinion, Italian and otherwise. Unfortunately, operations carried out by all States, both those considered "friends" and those considered "enemies".
Last recommendation to managers: in times of emergency it takes little to overestimate or underestimate the needs of a sector. The IT sector has not been in good health since before the COVID 19 crisis, further feeding it would not be wise, even in the face of the pandemic!
Few words to the wise.
To learn more:
- https://www.thalesgroup.com/en/market-specific/critical-information-syst...
- https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-sm...
- https://www.ssi.gouv.fr/uploads/2018/10/guide_nomadisme_anssi_pa_054_v1.pdf
