Cyber criminals using coronavirus to their advantage


You can’t avoid them by social distancing. You can’t kill them with disinfectant wipes. They don’t die on cardboard and you can’t even see them under a microscope. They’re the cybersecurity threats spawned by scummy hackers taking advantage of the pandemic disruption. Federal Drive with Tom Temin got an update from someone who’s been following this professionally: James Yeager, Vice President of Public Sector and Health Care at Crowdstrike.

Interview transcript:

Tom Temin: Mr. Yeager. Good to have you on.

James Yeager: Thanks for having me.

Tom Temin: There does seem to be a fresh batch of cyber threats related to all of this. What do you see going on?

James Yeager: We’ve certainly seen an increase in activity surrounding cyber criminals in the wake of COVID-19. There’s been a rather considerable spike in some rather nefarious cyber activity. You know, we’re tracking who’s behind it. What’s their objective? And we’re doing our best to try and communicate to both the most sophisticated cyber professionals as well as the lay person what their approach should be, given that we’ve got a little bit of a new normal here from a professional and operating-model standpoint. But the threat is real and the activity is significant.

Tom Temin: Well, let’s start with the objectives. What seems to be what it is that these people are after in the first place?

James Yeager: Yeah, so I think we can kind of categorize it, in a general sense, as activity that’s consistent with what we’ve seen with other national, regional and global events, such as what we’ve seen with elections and what we’ve seen in recent months resulting from rising tensions in the Middle East, specifically in Iran. And really, it’s just a considerable amount of disinformation, right? These campaigns are aimed at creating a distraction for the employees, for the users if you will, allowing them to kind of take their eye off the ball, let their guard down, and then seemingly the adversary is able to kind of sneak in the back door, if you will, while no one’s looking, while people are sleeping at the wheel, and then looking to do their harm. And the activity that we’ve observed really generally comes from two primary tactics: the first is phishing and the other is kind of targeting remote services. And we’ve observed very specific activity in each of those arenas that I’m happy to elaborate on for you.

Tom Temin: Yeah, I think phishing is the well known one, and for some reason maybe people are more gullible when they’re teleworking. But what about the remote services? That’s really what’s blossomed so much in this teleworking phase.

James Yeager: Yeah, no doubt about it. So it is possible that companies, and Crowdstrike is no different here, we’re certainly subscribing to this as well since we’re a software-as-a-service company, but it’s likely that companies are gonna increase the use of software as a service and cloud-based remote connectivity services in order to sustain operability and enable and support employees while they work from home. So things like standing up remote working services could certainly pose a potential security risk when combined with the possible human element and the human-error-enabled security lapses that you just talked about when you made reference to phishing. So criminal actors in particular are gonna continue to seek and collect credentials for these services, potentially allowing them to gain access to these SaaS accounts and to the organizational data that’s in the victim’s sites. So e-crime is really in the notion of big game hunting. If you’re not familiar, what we’ve seen historically from Crowdstrike is that e-criminals were working in a very isolated manner relative to their campaigns, and the gains and the returns from the sum of their campaigns were very limited financially, right? So not a big lure for them. So what they’ve started to do is effectively band together in a broader strategic campaign, with ransomware being the primary threat vector. And so e-crime, big game hunting and ransomware in particular leverage Remote Desktop Protocol, or RDP, to do brute forcing or password spraying for initial entry. And as many of the more sophisticated big game hunting actors remain highly active at the current time, they’re likely going to continue to attempt to capitalize on possible staffing issues, staffing shortages, staffing disruptions in this kind of new normal. And that’s gonna bring a lot of complexity to the organizations as they deal with newly compromised employee devices, whether it’s government furnished equipment or BYOD.

Tom Temin: So it sounds like the attacks can really be two attacks in one. You can get the ransomware, but they can also get the data even if they didn’t go after the ransomware also.

James Yeager: Yeah, that’s absolutely right. And again, the objective is gonna vary based on the activity originating from the adversary or the adversary group. Right? You know, e-criminal actors are gonna be generally more focused on being disruptive and seeking financial gains. When you look at targeted intrusions relative to nation state activity, you’re going to see highly destructive attacks. And again, I think we’re seeing some common themes around phishing, targeted remote services, even phishing and robocall and technical support scams. A lot of these behaviors and TTPs are not altogether uncommon compared with what we’ve seen of late and over a historical stretch of time, Tom. But really, it’s about the reach that they gain, because this is truly a global event.

Tom Temin: And it sounds like it’s possible that some of the disinformation campaigns you mentioned could maybe soften up people for what comes next, which is phishing or some other type of follow up. I’m thinking of the story in the New York Times about a company that had allegedly created a two day or two hour test or something for coronavirus. It was false. It got picked up by national media and on some of the wire services. Could having people believe that then lead them to be more gullible to “hey, here’s where you can get it”?

James Yeager: Yeah, absolutely right. I mean, there’s a lot of time, attention and energy being paid to this particular topic for reasons that are obvious to all of your listeners. But again, these activities, regardless of what the entry point or the infection point might be, are really gonna kind of target the fear and ultimately look to sensationalize the user community. So a lot of us have grown accustomed to working from home, right? But certainly we’re seeing an exponential rise in the use of personal devices and email for business continuity, even handling sensitive information. When corporate assets are now being provisioned and proper deployment and configuration of some of these remote services is a question, that puts a rather burdensome tax on the lay person who isn’t accustomed to working from home. And if you’re dealing with personal livelihood, if you’re a primary or sole provider of income to your family and your loved ones, and there’s fear that your paycheck may be in harm’s way if you don’t operate with the same continuity and same consistency as if you were working in the office, you’re going to do whatever you need to do to be efficient and effective in your day to day work environment. But now you’re home, so you’re gonna take some shortcuts.

Tom Temin: And so, your best advice for agency and corporate CISOs and CIOs, the people responsible for the safety here: what should they be doing now?

James Yeager: Well, you know, there’s a lot of different variables here. I think it certainly starts with taking a step back, and hopefully, we’re several weeks into this now, so hopefully these steps back have been taken already. But taking a look at your security policies, right? How enabled are you to protect against some of these threat vectors for an increase in remote workforce and telework? Are you able to enforce basic policies around secure WiFi and VPN? Are you able to enforce other security hygiene factors like two factor authentication? We don’t have some of the same security controls at home that we have in the office. You don’t have a massive firewall and web gateway sitting in your home office. Neither do I. So as we get away from those conventional security confines that helped protect us, we’ve got to really examine if our security policies and security controls are there to prevent us from hurting ourselves, whether it’s incidental or otherwise. The other thing that I would say is it’s highly essential that security updates are available and kind of enabled on all of your devices, whether, again, this is government furnished equipment or whether you’re empowering some sort of bring your own device type of capacity for accessing the remote workforce. It’s also important that you’ve got some mechanisms to be able to mobilize a strategy in the event that something catastrophic is gonna happen. I think for a lot of organizations, it’s really no longer a matter of if a cyber incident is gonna take place during the next several weeks or months. It’s a matter of when. How prepared are you to be able to express your resolve and be able to put a team in place to be able to go remediate and do the clean up?

Tom Temin: So the CISO might be in pajamas, but the cybersecurity program’s got to be dressed for the show.

James Yeager: At all times, right? And much like is the case for the health care professionals who are doing God’s work across the globe, right? Great work, and I don’t think this is a perfect analogy, but everyone is being taxed and tested beyond their conventional limits, right? So security professionals are being forced to work shift work, working around the clock. And what that does is introduce physical and mental fatigue. Again, the adversaries are anticipating this, right? And so they are attempting to wreak their havoc during the middle of the night and during kind of off peak hours, maybe catching someone when they’re not the sharpest. But they do need to be prepared to work around the clock. And we’re encouraging the federal government and all of our customers and prospects to make sure that they’ve got basic things in place, like having an incident response retainer. How can you leverage industry professionals to support you in kind of a surge capacity when you’re at your weakest and when you’re at your most vulnerable?

Tom Temin: James Yeager is Vice President of Public Sector and Health Care at cybersecurity company Crowdstrike. Thanks for joining me.

James Yeager: Thanks for your time.