The Cybersecurity and Infrastructure Security Agency has issued several alerts over the past week warning government agencies and private-sector organizations to be vigilant about security, especially with the bulk of the workforce working remotely.
Last week’s alerts underscored the fact that organizations are trying to keep their employees safe from online threats as they connect to the internal network with personal devices and increasingly rely on cloud applications to keep working. The most recent alert, issued jointly with the United Kingdom’s National Cyber Security Centre, warned of a password spraying campaign “actively targeting organizations involved in both national and international COVID-19 responses.”
“Actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research,” CISA and NCSC said.
The nation-state actors behind the password spraying campaign have targeted healthcare entities in multiple countries, along with international healthcare organizations. Password spraying refers to trying a single password against many accounts in the hope that one of those accounts uses that particular password. If that password doesn’t work, the attackers try again with another. It is harder for websites to detect that the failed login attempts are part of the same attack because each account sees only one or two failures, spread out over time, rather than the rapid succession of failures against a single account that a brute-force attack produces; per-account lockout thresholds are therefore never tripped.
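As an added illustration of the pattern just described (example code written for this page, not part of the CISA/NCSC alert), the PowerShell function below flags password spraying in a set of sign-in records: a single source address that fails against many distinct accounts inside a time window while averaging only one or two failures per account. The records are constructed sample data, and the field names (Time, User, SourceIp, Result) are assumptions rather than any real product’s log schema.

```powershell
# Added example: detect password spraying by pivoting on the source address,
# not on the account. Record fields are an assumed, simplified schema.
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Records,
        [int]    $WindowMinutes      = 60,   # how far apart attempts may be and still count together
        [int]    $MinDistinctUsers   = 5,    # a spray touches many accounts...
        [double] $MaxFailuresPerUser = 2.0   # ...but only once or twice each
    )

    $failures = @($Records | Where-Object { $_.Result -eq 'Failure' })
    $findings = @()

    foreach ($group in ($failures | Group-Object -Property SourceIp)) {
        $events = @($group.Group | Sort-Object -Property Time)
        $start  = 0
        for ($end = 0; $end -lt $events.Count; $end++) {
            # Slide the window start forward until every event in it lies within WindowMinutes.
            while (($events[$end].Time - $events[$start].Time).TotalMinutes -gt $WindowMinutes) {
                $start++
            }
            $window        = @($events[$start..$end])
            $distinctUsers = @($window | Select-Object -ExpandProperty User -Unique).Count
            $perUser       = $window.Count / $distinctUsers

            if ($distinctUsers -ge $MinDistinctUsers -and $perUser -le $MaxFailuresPerUser) {
                $findings += [pscustomobject]@{
                    SourceIp        = $group.Name
                    WindowStart     = $events[$start].Time
                    WindowEnd       = $events[$end].Time
                    DistinctUsers   = $distinctUsers
                    Failures        = $window.Count
                    FailuresPerUser = [math]::Round($perUser, 2)
                }
                break   # one finding per source is enough for triage
            }
        }
    }
    return $findings
}

# --- constructed sample data (not real logs) ---
$base    = [datetime]'2020-05-06T09:00:00'
$signIns = @()

# Spray: 198.51.100.7 tries one password against eight different accounts, about four minutes apart.
$users = 'alice', 'bob', 'carol', 'dave', 'erin', 'frank', 'grace', 'heidi'
for ($i = 0; $i -lt $users.Count; $i++) {
    $signIns += [pscustomobject]@{ Time = $base.AddMinutes(4 * $i); User = "$($users[$i])@example.org"; SourceIp = '198.51.100.7'; Result = 'Failure' }
}

# Brute force: 203.0.113.9 hammers a single account twenty times in two minutes.
for ($i = 0; $i -lt 20; $i++) {
    $signIns += [pscustomobject]@{ Time = $base.AddSeconds(6 * $i); User = 'ivan@example.org'; SourceIp = '203.0.113.9'; Result = 'Failure' }
}

# Benign noise: one user mistypes twice, then signs in.
$signIns += [pscustomobject]@{ Time = $base.AddMinutes(1); User = 'judy@example.org'; SourceIp = '192.0.2.44'; Result = 'Failure' }
$signIns += [pscustomobject]@{ Time = $base.AddMinutes(2); User = 'judy@example.org'; SourceIp = '192.0.2.44'; Result = 'Failure' }
$signIns += [pscustomobject]@{ Time = $base.AddMinutes(3); User = 'judy@example.org'; SourceIp = '192.0.2.44'; Result = 'Success' }

Find-PasswordSpray -Records $signIns | Format-Table -AutoSize
```

Run as-is, only 198.51.100.7 is reported, with one failure per account across five accounts by the time the window fills. The second source fails twenty times against one account, which is a brute-force pattern that any per-account lockout threshold catches, so the function deliberately ignores it. The spray source never exceeds one failure per account, which is exactly why lockout thresholds alone miss it and why the detection has to key on the source address (or on the count of distinct accounts per window) rather than on the account.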
The joint warning from NCSC and CISA echoed an earlier one from Google that state-sponsored groups were using COVID-19-themed tactics to target international health organizations such as the World Health Organization and other public health agencies. Attacks included messages crafted to appear as if they had been sent by remote workers, websites impersonating pages of public health agencies, and messages to government workers with phony offers. The goal was to trick recipients into entering their Google credentials, said Shane Huntley of Google’s Threat Analysis Group. Google had added extra security protections to more than 50,000 “high risk accounts.”
Google is detecting about 18 million pandemic-themed malware or phishing messages per day, and 240 million COVID-linked spam messages hitting Gmail servers.
CISA also said state-sponsored groups were scanning networks looking for a specific remote code execution vulnerability in Citrix ADC and Gateway appliances (CVE-2019-19781) and for other vulnerabilities in VPN software from Palo Alto Networks, Fortinet, and Pulse Secure. Victim entities include healthcare systems, pharmaceutical companies, academia and medical research organizations, and local governments. CISA and NCSC are currently investigating several incidents.
“These organizations’ global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted,” the alert said.
Organizations are advised to keep their VPNs, network infrastructure, and remote devices up-to-date with the latest security patches, turn on multi-factor authentication on user accounts, and protect the management interfaces of critical operational systems.
CISA provided recommendations and reminders to enterprises and government agencies on how to protect their remote workforce.
For organizations that didn’t already have infrastructure in place to support a large number of people working remotely, the abrupt shift to a full “work from home” workforce meant there was a rush to deploy cloud collaboration services such as Office 365, CISA said in its alert. Organizations may not have had the time to figure out—or implement—the optimal security configurations of these services.
“Hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy,” CISA said.
Organizations are advised to use multi-factor authentication for both administrator and user accounts in Office 365. This is particularly important for administrator accounts: Microsoft Entra ID (formerly Azure AD) Global Administrators, the equivalent of a Domain Administrator in an on-premises Active Directory environment, have the highest privileges within Office 365 environments. Multi-factor authentication is not enabled by default for these accounts.
“This is the best mitigation technique to protect against credential theft for O365 administrators and users,” CISA wrote.
Global Administrator accounts should only be used “when absolutely necessary.” Instead, organizations should follow the principle of “least privilege” and assign one of the built-in administrator roles, each carrying a very specific set of privileges, to administrator accounts. That way, if an account is ever compromised, the impact on the network is limited.
Other recommendations include enabling the Unified Audit Log (UAL) in the Security and Compliance Center to see events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, Power BI, and other O365 services. Even with UAL’s robust logging, organizations should still integrate and correlate the O365 logs with other log management and monitoring solutions to detect anomalous activity. Legacy protocol authentication should also be disabled, since those protocols do not support multi-factor authentication. If that isn’t possible, usage should be limited to specific users.
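The audit-logging and legacy-authentication recommendations above, turned into an Exchange Online PowerShell session. This is an added example written for this page, not a script from CISA or Microsoft. It assumes the ExchangeOnlineManagement module is installed and the session has Exchange administrator rights; the policy names and the scanner@example.org account are placeholders. The BAV2ROPC string used to spot basic-auth sign-ins in the audit log is a user-agent value commonly observed for legacy Exchange clients, not a documented schema field, so treat that filter as a heuristic.

```powershell
# Added example (not CISA's own script): enable the Unified Audit Log, block
# legacy (basic) authentication by default, scope any exception to a named
# account, and then look for who is still signing in with a legacy client.
Connect-ExchangeOnline

# 1. Unified Audit Log: one place for Exchange, SharePoint, OneDrive, Teams and Azure AD events.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# 2. Legacy protocols (IMAP, POP, SMTP AUTH, EWS, ActiveSync basic) bypass MFA.
#    A freshly created authentication policy disallows every basic-auth protocol
#    unless a switch enables one, so an empty policy is a "block all" policy.
$blockPolicy = 'Block Basic Auth'                       # placeholder name
if (-not (Get-AuthenticationPolicy -Identity $blockPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $blockPolicy | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $blockPolicy

# 3. Where a legacy client cannot be retired yet, allow only the protocol it needs
#    and only for that account, instead of weakening the tenant-wide default.
$exceptionPolicy = 'Allow SMTP AUTH for legacy scanner'  # placeholder name
if (-not (Get-AuthenticationPolicy -Identity $exceptionPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $exceptionPolicy -AllowBasicAuthSmtp | Out-Null
}
Set-User -Identity 'scanner@example.org' -AuthenticationPolicy $exceptionPolicy   # placeholder account

# 4. Keep the exception list short: find accounts that still authenticate with a
#    legacy client. AuditData is a JSON string; matching the whole string avoids
#    depending on the exact position of the user-agent inside it (heuristic).
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -Operations UserLoggedIn -ResultSize 5000 |
    Where-Object { $_.AuditData -match 'BAV2ROPC' } |
    Group-Object -Property UserIds |
    Select-Object @{ Name = 'User'; Expression = { $_.Name } }, Count |
    Sort-Object -Property Count -Descending |
    Format-Table -AutoSize
```

Step 4 is the check that makes steps 2 and 3 safe to roll out: run it first to learn which accounts would break, give only those a scoped exception, and re-run it periodically so exceptions are removed once the client is replaced. Microsoft has since turned Basic Authentication off in Exchange Online for most tenants, so the policy now acts as a backstop rather than the primary control, but the audit-log query remains useful for finding clients that still attempt it.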
“CISA encourages organizations to implement an organizational cloud strategy to protect their infrastructure assets by defending against attacks related to their O365 transition and better securing O365 services,” the agency said.
CISA also issued a memo reminding government agencies that they are legally required to use the federally-approved EINSTEIN 3 Accelerated (E3A) DNS resolution service for all devices connected to federal government networks. E3A’s DNS sinkholing capability overrides harmful public DNS records, preventing users from reaching malicious sites. Federal employees who send their DNS queries to unsupported third-party encrypted DNS services (DNS over HTTPS or DNS over TLS resolvers) while connected to government networks bypass that filtering and can potentially allow attacks to enter the infrastructure.
“In most instances where agencies bypass our protections, the reasons for non-use are well-intentioned,” wrote Bryan Ware, assistant director of CISA. “We will also begin providing regular reports to agencies highlighting where bypass is occurring, and work with them to improve our understanding of the many and varied ways the federal workforce use their devices in service to the public.”
Finally, CISA also launched an information website for companies on how to secure their employees who are working remotely. The site provides tips, best practices, and guidance on topics such as secure video conferencing and security threats the employees should be aware of.