Number: AL20-008 – Update 1
Date: 20 March 2020
AUDIENCE
This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.
PURPOSE
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
OVERVIEW
The Cyber Centre assesses that the COVID-19 pandemic presents an elevated level of risk to the cyber security of Canadian health organizations involved in the national response to the pandemic. The Cyber Centre therefore recommends that these organizations remain vigilant and take the time to ensure that they are engaged in cyber defense best practices, including increased monitoring of network logs, reminding employees to practice phishing awareness and ensuring that servers and critical systems are patched for all known security vulnerabilities.
While this Alert highlights risks to the medical and health communities in Canada during the COVID-19 crisis, the advice and guidance also apply to other Canadian businesses, particularly those with employees teleworking through VPNs. Suggested mitigations and best practices are outlined below.
UPDATE
This product has been updated to highlight additional patches and mitigations for critical vulnerabilities.
DETAILS
The Cyber Centre assesses that the COVID-19 pandemic presents an elevated level of risk to the cyber security of Canadian health organizations involved in the national response to the pandemic, including but not limited to medical research, manufacturing, distribution and policy-making organizations. Specifically:
- Sophisticated threat actors may attempt to steal the intellectual property (IP) of organizations engaged in research and development related to COVID-19, or sensitive data related to Canada’s response to COVID-19; and
- Cyber criminals may take advantage of the COVID-19 pandemic, using the increased pressure being placed on Canadian health organizations to extract ransom payments or mask other compromises.
Sophisticated Threat Actors
---------------------------
Sophisticated threat actors may choose to target Canadian organizations involved in supporting Canada’s response to the pandemic including organizations within the medical research community. These actors may attempt to gain intelligence on COVID-19 response efforts and potential political responses to the crisis or to steal ongoing key research towards a vaccine or other medical remedies, or other topics of interest to the threat actor. Organizations should exercise increased monitoring in order to detect attempted compromises by sophisticated threat actors. Attempts to compromise an organization by a sophisticated threat actor may leverage social engineering, spear-phishing campaigns, critical vulnerabilities, compromised credentials or a combination of these and other threat vectors.
Ransomware
----------
The impact of a ransomware incident on Canadian organizations involved in supporting Canada’s response to the COVID-19 pandemic could be more severe during the current pandemic than if it were to occur in a non-crisis environment. It is therefore recommended that organizations take extra care in identifying, as early as possible, vulnerabilities and possible compromises that may lead to ransomware being deployed. The Cyber Centre strongly advises that all organizations become familiar with and practice their business continuity plans, including restoring files from back-ups and moving key business elements to a back-up infrastructure.
The Cyber Centre recommends that organizations review the Cyber Centre's existing ransomware advice, available here:
https://cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099
Critical Vulnerabilities
------------------------
The Cyber Centre assesses that vulnerabilities related to telework are of particular concern during the current pandemic. As organizations rush to make more infrastructure available to remote users, configuration errors may be made and unpatched software may be deployed. Multiple critical vulnerabilities have been identified in VPN devices over the past year, and multiple successful exploitations in the past have led the Cyber Centre to assess that they are likely to be leveraged for renewed compromise attempts over the short term. Recently disclosed vulnerabilities in Microsoft Windows and Linux operating systems, particularly those affecting remote desktop usage and certificate authentication, are also likely to be targeted.
The Cyber Centre particularly recommends applying patches and mitigations for the following critical vulnerabilities as soon as possible:
AL19-009 Critical Microsoft Remote Desktop Vulnerability
AL19-010 Active Exploitation of the Telerik UI for ASP.NET AJAX
AV19-167 Microsoft Security Advisory - August 2019 Monthly Rollup
AL19-016 Active exploitation of VPN vulnerabilities
AL20-003 Citrix Exploitation
AL20-004 Microsoft Internet Explorer 0-Day
AL20-005 Detecting Compromises relating to Citrix CVE-2019-19781
AL20-006 Microsoft Exchange Validation Key RCE Vulnerability
AL20-007 Microsoft SMBv3 Vulnerability
AV20-010 Microsoft Security Advisory - January 2020 Monthly Rollup
AV20-032 Microsoft Security Advisory - February 2020 Monthly Rollup
AV20-044 Apache Tomcat Security Advisory
AV20-053 Let's Encrypt Certificate Advisory
AV20-064 Microsoft Security Advisory - March 2020 Monthly Rollup
These Alerts and Advisories can be found on the Cyber Centre web site: https://cyber.gc.ca/en/alerts-advisories
MITIGATION
In view of these risks, the Cyber Centre recommends that all Canadian health organizations involved in the national response to the pandemic take the time to ensure that they are actively engaged in cyber defense best practices.
Special consideration should be given to the following areas:
- Stay aware of ongoing phishing activities related to COVID-19:
o https://cyber.gc.ca/en/guidance/cyber-hygiene-covid-19
- Employees working from home could put a strain on telework services. Ensure appropriate security policies have been put in place, and monitor logs for malicious activity:
o https://www.cyber.gc.ca/en/guidance/telework-security-issues-itsap10016
o https://www.cyber.gc.ca/en/guidance/virtual-private-networks-itsap80101
- Always keep in mind these top 10 security actions:
o https://cyber.gc.ca/en/top-10-it-security-actions
- Review recently published Alerts and Advisories highlighting vulnerabilities that may affect your environment:
o https://cyber.gc.ca/en/alerts-advisories
- Organizations that do not have a robust cyber defense capability may wish to consider consulting with private vendors of such services.
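The telework bullet above asks organizations to monitor VPN logs for malicious activity. The following is an added example, not part of the Cyber Centre alert and not code from any VPN vendor: it runs three simple detections over a constructed, syslog-style VPN authentication log (the line format, host name, user names and addresses are all assumptions made for illustration). It flags a burst of failed logins for one user from one source, a successful login from a source that had just tripped that threshold (a possible credential-guessing success), and a user logging in successfully from more than one source address within a short window (a possible compromised credential in use alongside the legitimate user).

```python
"""Sample detections over VPN authentication logs.

Added example, not part of the Cyber Centre alert. The log format below is
constructed for illustration (one syslog-style line per login attempt);
adapt LINE_RE to the actual format your VPN concentrator emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, gateway, user, source IP, result.
# Addresses are from documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2020-03-20T08:00:01Z vpn-gw1 auth: user=alice src=203.0.113.10 result=FAIL
2020-03-20T08:00:03Z vpn-gw1 auth: user=alice src=203.0.113.10 result=FAIL
2020-03-20T08:00:05Z vpn-gw1 auth: user=alice src=203.0.113.10 result=FAIL
2020-03-20T08:00:07Z vpn-gw1 auth: user=alice src=203.0.113.10 result=FAIL
2020-03-20T08:00:09Z vpn-gw1 auth: user=alice src=203.0.113.10 result=FAIL
2020-03-20T08:00:12Z vpn-gw1 auth: user=alice src=203.0.113.10 result=OK
2020-03-20T08:15:00Z vpn-gw1 auth: user=bob src=198.51.100.7 result=OK
2020-03-20T08:20:00Z vpn-gw1 auth: user=bob src=192.0.2.44 result=OK
2020-03-20T09:00:00Z vpn-gw1 auth: user=carol src=198.51.100.9 result=FAIL
2020-03-20T09:00:30Z vpn-gw1 auth: user=carol src=198.51.100.9 result=OK
"""

# Hypothetical line format; only OK/FAIL results are recognised.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Turn log text into (timestamp, user, src, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count and review these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(user, src) pairs with at least `threshold` failures inside any
    sliding window of length `window`."""
    fails = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            fails[(user, src)].append(ts)
    hits = set()
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return hits


def success_after_burst(events, bursts):
    """Successful logins from a (user, src) that tripped the failure threshold."""
    return {(user, src) for _, user, src, result in events
            if result == "OK" and (user, src) in bursts}


def multi_source_logins(events, window=timedelta(minutes=30)):
    """Users with successful logins from two or more distinct source
    addresses within `window`; returns {user: {addresses}}."""
    oks = defaultdict(list)
    for ts, user, src, result in events:
        if result == "OK":
            oks[user].append((ts, src))
    flagged = {}
    for user, items in oks.items():
        items.sort()
        for i in range(len(items)):
            for j in range(i + 1, len(items)):
                if items[j][0] - items[i][0] > window:
                    break
                if items[j][1] != items[i][1]:
                    flagged.setdefault(user, set()).update({items[i][1], items[j][1]})
    return flagged


def run(log_text=SAMPLE_LOG):
    """Run all three detections and return their findings."""
    events = parse(log_text)
    bursts = failed_login_bursts(events)
    return {
        "bursts": bursts,
        "success_after_burst": success_after_burst(events, bursts),
        "multi_source": multi_source_logins(events),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```

On the sample, alice trips the failure burst and then logs in successfully from the same address, and bob is flagged for two addresses inside thirty minutes; carol's single failure is below the threshold. The thresholds and windows are starting points only: remote workers switching between home and mobile networks will legitimately appear under two addresses, so the multi-source rule is best treated as a triage signal to correlate with the user, not as an automatic block.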
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.
The Cyber Centre can be contacted at:
Email: contact@cyber.gc.ca
Toll Free: 1-833-CYBER-88 (1-833-292-3788)