Alert - Canadian organizations exploited via unpatched devices and inadequate authentication

Number: AL20-020
Date: July 28 2020

AUDIENCE

This Alert is intended for IT professionals and managers. Recipients may redistribute this Alert.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

The Cyber Centre has become aware of recent and continuing exploitation of vulnerable network infrastructures in Canada. The Cyber Centre strongly recommends that organizations immediately patch critical infrastructure and implement two-factor authentication (2FA) where possible.

DETAILS

In recent months, the Cyber Centre has been made aware of several compromises of computer networks in Canada. The compromises took advantage of vulnerable, less secure implementations of remote access services. (Footnote 1, Footnote 2) In each case, a threat actor was able to compromise infrastructure exposed to the internet because it was not properly secured via 2FA and/or because software running on an exposed server was not patched to the latest version.

The malicious activities were reported to the Cyber Centre in June and July 2020. Incidents included intensive reconnaissance-style scanning of target networks, followed by the successful compromise of vulnerable and improperly secured servers and network access devices. In some instances, malware was installed, and compromised infrastructure may have been used in attempts to compromise different networks and/or other organizations. Threat actors may have remained active on compromised networks for a period of months before their activities were detected.

The Cyber Centre has published numerous Advisories and Alerts related to significant vulnerabilities which could allow unauthenticated access to organizations’ remote services and lead to remote code execution, or further exploitation of an organization’s infrastructure. (Footnote 3) It should be noted that even non-vulnerable systems exposed to the Internet may be subject to compromise should a threat actor obtain valid credentials with even limited system privileges.

The Cyber Centre is urging Canadian organizations to apply all security updates to their internet-facing services and enable 2FA for all remote access accounts.

Organizations failing to apply security updates in a timely manner and not using 2FA are exposing themselves to compromises such as information theft and ransomware.

SUGGESTED ACTION

The Cyber Centre recommends that system administrators:

  • Assess their networks for the presence of vulnerable software, particularly where it is installed on devices exposed to the internet, and patch as soon as possible to the latest version.
  • Implement 2FA on all internet-facing remote access services, starting with perimeter security devices such as Firewalls and remote access gateways for teleworkers and administrators. (Footnote 4)
  • Consider measures to limit the amount of sensitive information that malicious actors can collect about their networks by:
    • Using open source tools to scan their networks for unnecessary or inadequately secured open ports.
    • Implementing an intrusion protection system to reduce the effectiveness of malicious vulnerability scanning activities.
    • Configuring internet-facing web servers with minimalist error pages that don’t leak product and version information.
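The last recommendation above is easy to verify from the outside: fetch an error page from each of your own internet-facing web servers and check whether the response headers or the error body carry a product/version string. The following script is an added example and is not part of the Cyber Centre alert; it works entirely offline on two constructed HTTP responses (a leaky default configuration and a hardened one) so it can be run as-is, and the `audit_response` function is meant to be pointed at captured responses from your own servers. The header names and regular expression are the author's assumptions about where such disclosures usually appear, not an exhaustive list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Response headers that, by default, commonly carry product/version information
# (assumption: a short list of the usual offenders, not an exhaustive one).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Matches "product/version" tokens such as "Apache/2.4.41", "nginx/1.18.0", "PHP/7.4.3".
VERSION_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9_.-]*)/(\d+(?:\.\d+)+)")


@dataclass
class Finding:
    location: str   # "header:<name>" or "body"
    evidence: str   # the disclosing header value or matched body token


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", errors="replace")


def audit_response(raw: bytes) -> List[Finding]:
    """Return every product/version disclosure found in a captured HTTP response.

    Headers are checked on every response; the body is only checked on 4xx/5xx
    responses, because default error pages are where server signatures appear.
    """
    status_line, headers, body = parse_response(raw)
    findings: List[Finding] = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append(Finding(f"header:{name}", value))
    status = int(status_line.split()[1])
    if status >= 400:
        for match in VERSION_RE.finditer(body):
            findings.append(Finding("body", match.group(0)))
    return findings


# Constructed sample: a default Apache/PHP error page leaking product and version
# in both headers and body (not a real capture).
LEAKY_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>\n"
    b"<address>Apache/2.4.41 (Ubuntu) Server at www.example.internal Port 80</address>"
    b"</body></html>"
)

# Constructed sample: the same request after hardening (e.g. Apache's
# "ServerTokens Prod" / "ServerSignature Off", or nginx's "server_tokens off;",
# plus a custom minimal error page).
HARDENED_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1></body></html>"
)


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_response(raw)
        print(f"{label}: {len(findings)} disclosure(s)")
        for f in findings:
            print(f"  {f.location}: {f.evidence}")
```

The leaky sample yields three findings (the Server header, the X-Powered-By header and the signature line in the body); the hardened sample yields none. In practice, feed the function the raw bytes of a response to a request for a non-existent path on each exposed host, and treat any finding as a configuration item to fix on that server.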


NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.