In response to elevated risk to Canadian health organizations, the Canadian Centre for Cyber Security (GC-CSE) has released an alert and guidance for IT and cyber security professionals.
Excerpt from CCCS alert …
“Sophisticated Threat Actors
Sophisticated threat actors may choose to target Canadian organizations involved in supporting Canada’s response to the pandemic including organizations within the medical research community. These actors may attempt to gain intelligence on COVID-19 response efforts and potential political responses to the crisis or to steal ongoing key research towards a vaccine or other medical remedies, or other topics of interest to the threat actor. Organizations should exercise increased monitoring in order to detect attempted compromises by sophisticated threat actors. Attempts to compromise an organization by a sophisticated threat actor may leverage social engineering, spear-phishing campaigns, critical vulnerabilities, compromised credentials or a combination of these and other threat vectors.
The impact of a ransomware incident on Canadian organizations involved in supporting Canada’s response to the COVID-19 pandemic could be more severe during the current pandemic than if it were to occur in a non-crisis environment. It is therefore recommended that organizations take extra care in identifying, as early as possible, vulnerabilities and possible compromises that may lead to ransomware being deployed. The Cyber Centre strongly advises that all organizations become familiar with and practice their business continuity plans, including restoring files from back-ups and moving key business elements to a back-up infrastructure.
The Cyber Centre recommends that organizations review its existing ransomware advice, available here:
The Cyber Centre assesses that vulnerabilities related to telework are of particular concern during the current pandemic. As organizations rush to make more infrastructure available to remote users, configuration errors may be made and unpatched software may be deployed. Multiple critical vulnerabilities have been identified in VPN devices over the past year, and multiple successful exploitations in the past have led the Cyber Centre to assess that they are likely to be leveraged for renewed compromise attempts over the short term. Recently disclosed vulnerabilities in Microsoft Windows and Linux operating systems, particularly those affecting remote desktop usage and certificate authentication, are also likely to be targeted.
The Cyber Centre particularly recommends applying patches and mitigations for the following critical vulnerabilities as soon as possible:
AL19-009 Critical Microsoft Remote Desktop Vulnerability
AL19-010 Active Exploitation of the Telerik UI for ASP.NET AJAX
AV19-167 Microsoft Security Advisory – August 2019 Monthly Rollup
AL19-016 Active exploitation of VPN vulnerabilities
AL20-003 Citrix Exploitation
AL20-004 Microsoft Internet Explorer 0-Day
AL20-005 Detecting Compromises relating to Citrix CVE-2019-19781
AL20-006 Microsoft Exchange Validation Key RCE Vulnerability
AL20-007 Microsoft SMBv3 Vulnerability
AV20-010 Microsoft Security Advisory – January 2020 Monthly Rollup
AV20-032 Microsoft Security Advisory – February 2020 Monthly Rollup
AV20-044 Apache Tomcat Security Advisory
AV20-053 Let's Encrypt Certificate Advisory
AV20-064 Microsoft Security Advisory – March 2020 Monthly Rollup
These Alerts and Advisories can be found on the Cyber Centre web site: https://cyber.gc.ca/en/alerts-advisories”
Read the rest of the article and mitigation strategies…