COVID-19 may not be the only virus health organisations need to worry about.
The current COVID-19 crisis afflicting the world has changed the lives of billions of people. Forced into isolation in both our private and working lives, more employees than ever before are now working from home across most industries. With this major crisis leaving many hospitals and healthcare organisations on the edge of their breaking point and more vulnerable to serious technological disruption, it was almost inevitable that the technological vultures known as cyber criminals would soon be circling, looking to maximise profits against vulnerable, high-value targets.
The following article is intended to shine a light on some of the recent concerns surrounding cyber security during COVID-19 that are occurring around the globe, and will provide readers with some quick safety tips and resources for further information. All information provided is general in nature, as we are not IT security advisers, and recommend specialist consultation where possible.
The Current Situation – Cyber Security During COVID-19
Healthcare organisations have traditionally prioritised spending (and rightly so) on equipment and staff over ICT infrastructure. This has unfortunately left them behind the curve when it comes to cyber security, with a reputation among cyber criminals as “soft targets”.
Australia is no exception, as illustrated by the well-publicised ransomware attack affecting multiple Victorian hospitals in October of last year (ACS, 2019). Figures released by the Office of the Australian Information Commissioner (OAIC) showed the healthcare provider sector to have the highest number of reported data breaches for the entirety of 2019 (OAIC, 2019).
A worldwide increase in serious cyber crime attacks against vulnerable health industry targets has prompted a tightening of cyber security during COVID-19. Interpol has released a Purple Notice to its 194 member countries warning of the increased number of targeted ransomware attacks (Interpol, 2020), and the World Health Organization has reported a two-fold increase in attempted cyber attacks, both on the WHO itself and on organisations in countries such as Spain, England, America and Thailand.
A particularly severe event in the Czech Republic left a major hospital and COVID-19 testing centre without access to critical equipment, forcing the delay of surgical procedures and relocation of some patients to other institutions (Humanitarian Law & Policy, 2020).
Cyber Attack Vectors
Though ransomware/crypto attacks are the most publicised methods of attack, increases in multiple attack types have been observed and warned against by numerous security agencies, including the FBI, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), to name a few (www.us-cert, 2020). Some of the more common ways in which attacks happen are listed below.
Human/Social Engineering Risks
Regardless of the security posture of any organisation, and despite even the most robust IT systems, the weakest point in any infrastructure is always the user. Some common methods used to manipulate users into circumventing security controls are listed below.
There is a reason phishing emails are such a common occurrence: despite “Nigerian Prince” type scams being the oldest trick in the book, people still fall for them, so they are still used. In the current context, likely scenarios are emails convincing users to open malicious attachments that steal personal information or install remote access trojans (RATs).
Emails can also lure users into clicking links to malicious websites that harvest the user’s IP address or install remote access trojans.
Several recent phishing campaigns have been observed in Australia, with emails purporting to be from the WHO and Australia Post for exactly the purposes listed above.
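The two impersonation patterns mentioned above (a display name claiming to be the WHO or Australia Post while the address belongs to an unrelated domain, or a domain that is a near-miss of the real one) can be screened for at the mail gateway. The following is an added example written for this article, not code from the article or from any vendor. The trusted-brand table, the sample From headers and the `.example` domains are constructed for illustration; a real deployment would use a curated list of brands and their legitimate sending domains.

```python
"""Screen From headers for brand spoofing and lookalike sender domains.

Added example, not from the original article. The brand table and all
sample headers are constructed for illustration.
"""
import re
from email.utils import parseaddr
from typing import Tuple

# Constructed table (assumption): brand keyword -> legitimate sending domain.
TRUSTED_BRANDS = {
    "who": "who.int",
    "australia post": "auspost.com.au",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted domains (e.g. a 0 for an o)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_parts(from_header: str) -> Tuple[str, str]:
    """Return (lower-cased display name, lower-cased domain) from a From header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def classify_sender(from_header: str) -> str:
    """Return 'ok', 'no-address', 'brand-spoof' or 'lookalike-domain'."""
    name, domain = sender_parts(from_header)
    if not domain:
        return "no-address"
    # Mail genuinely sent from a trusted brand domain (or a subdomain of it) passes.
    if any(domain == d or domain.endswith("." + d) for d in TRUSTED_BRANDS.values()):
        return "ok"
    for keyword, real_domain in TRUSTED_BRANDS.items():
        # Display name claims the brand, but the address is not on the brand's domain.
        if re.search(rf"\b{re.escape(keyword)}\b", name):
            return "brand-spoof"
        # Domain is within two edits of the real one (typo-squat)...
        if edit_distance(domain, real_domain) <= 2:
            return "lookalike-domain"
        # ...or embeds the brand's label inside its own first label (auspost-tracking...).
        brand_label = real_domain.split(".")[0]
        if len(brand_label) >= 5 and brand_label in domain.split(".")[0]:
            return "lookalike-domain"
    return "ok"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in [
        "World Health Organization <alerts@who.int>",
        "WHO Alerts <covid-update@mail-relay.example>",
        "Parcel Notification <track@auspost-tracking.example>",
        "Delivery <noreply@ausp0st.com.au>",
        "Ward Roster <roster@hospital.example>",
    ]:
        print(f"{classify_sender(header):17} {header}")
```

The substring check is deliberately skipped for very short brand labels such as “who”, because a three-letter label would flag innocent domains; the edit-distance check still covers typo-squats of the WHO domain.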
Business Email Compromise (BEC) Attacks
Closely related to phishing, several email scams have been reported in which users are conned into donating money to fraudulent COVID-19 charity appeals, including some purporting to be from the WHO.
Another form of BEC is a spoofed email pretending to be from one of the targeted business’s VIPs, directing an employee to provide passwords or transfer funds to a different account.
Closely related to the above is voice phishing (vishing): an impersonated phone call that attempts to achieve the same goals as phishing verbally, by coercing a user into providing personal details or credit card numbers, or into browsing to malicious web links.
SMS phishing (Smishing) uses SMS messages for similar purposes to vishing.
Tech Support Scams
Tech support scams may take any of the above forms and usually involve a malicious actor attempting to convince a user that they need to “urgently” access their computer remotely to fix an issue, when in reality they are after computer access to install a RAT or otherwise cause harm.
Obtaining remote access to a target system is particularly effective at circumventing firewalls, because firewall rules commonly permit return traffic for any connection that was initiated from inside the network. This means that while a malicious actor cannot launch malicious traffic directly at the network from outside, they can have a user initiate the first contact and then gain access via the reply traffic.
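The firewall behaviour described above, and the egress policy that closes the gap, can be shown with a small model of a stateful firewall. This is an added example written for this article, not code from the article or from any firewall vendor. The internal range, the addresses (RFC 5737 TEST-NET-3), the ports and the egress allow-list are constructed values.

```python
"""Model of a stateful firewall: replies to inside-initiated flows pass, and
only an egress policy stops a user-initiated remote access session.

Added example, not from the original article. Addresses, ports and policy
values are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

INSIDE = ip_network("10.0.0.0/8")  # constructed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    # Destination ports inside hosts may connect out to. None = no egress filtering,
    # i.e. the default "trust anything that starts from inside" posture.
    allowed_egress_ports: Optional[Set[int]] = None
    # Connection table of flows started from inside: (in_ip, in_port, out_ip, out_port)
    table: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def filter(self, pkt: Packet) -> str:
        src_inside = ip_address(pkt.src) in INSIDE
        dst_inside = ip_address(pkt.dst) in INSIDE
        if src_inside and not dst_inside:
            # Outbound: apply egress policy, then remember the flow so replies can return.
            if self.allowed_egress_ports is not None and pkt.dport not in self.allowed_egress_ports:
                return "DROP (egress policy)"
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW (outbound)"
        if dst_inside and not src_inside:
            # Inbound: only packets matching a tracked inside-initiated flow get through.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
                return "ALLOW (reply)"
            return "DROP (unsolicited inbound)"
        return "ALLOW (local)"


def demo(egress_ports: Optional[Set[int]] = None) -> List[str]:
    """Run the three-packet scenario from the text and return each verdict."""
    fw = StatefulFirewall(allowed_egress_ports=egress_ports)
    workstation, remote = "10.0.5.20", "203.0.113.10"  # constructed addresses
    return [
        # 1. The outside host tries to reach the workstation directly: blocked.
        fw.filter(Packet(remote, 40000, workstation, 3389)),
        # 2. A user, talked into it, starts a session out to the remote host
        #    on a constructed "remote support" port (5555).
        fw.filter(Packet(workstation, 50000, remote, 5555)),
        # 3. The remote side's traffic now rides back as a reply to that flow.
        fw.filter(Packet(remote, 5555, workstation, 50000)),
    ]


if __name__ == "__main__":
    print("No egress filtering: ", demo())
    print("Egress limited to web:", demo({80, 443}))
```

Without an egress policy the first packet is dropped but the user-initiated flow and everything that comes back on it are allowed, which is exactly the path the text describes. Restricting which destination ports inside hosts may open (here only 80 and 443, a constructed choice) turns the same three packets into three drops, and the dropped outbound attempt is itself a useful log event.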
DDoS Attacks (Distributed Denial of Service)
There have been some minor increases in DDoS-type activity, where malicious individuals try to overwhelm systems with massive traffic volumes generated by botnets. Firewall policies can mitigate these attacks, as can most ISPs.
Software and Operating Systems
End-of-life or out-of-date operating system software is always a security risk in organisations. Microsoft ended support for Windows 7 and Windows Server 2008 R2 in January of this year, meaning any newly discovered security vulnerabilities will not be patched in these operating systems, and they should be upgraded as soon as possible.
Even the latest versions of operating systems are vulnerable without adequate security patching and up-to-date anti-malware software.
Remote Access Technologies
The rapid expansion of, and increased reliance on, work-from-home infrastructure, including VPN appliances and concentrators, RDP endpoints, communications platforms (Zoom, Skype) and remote access platforms such as Citrix, has exacerbated security risks and exposed weaknesses such as poor network design, configuration mistakes and out-of-date devices and software.
Several vulnerabilities in major vendor products, including those from Citrix, Palo Alto and Fortinet, were found to have been exploited. Likewise, there has been an increase in phishing attacks centred around the popular communications products Zoom and Teams, and in some instances sessions were even hijacked by external parties.
The majority of these issues can be avoided by ensuring that OS, hardware and software products are up to date with the latest patches, and by using security controls such as strong passwords and two-factor authentication.