On May 13, 2020, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint Public Service Announcement (PSA) about a threat to academic institutions and business entities engaged in COVID-19-related research and development entitled People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations.
In the PSA, the FBI and CISA warn that PRC-affiliated cyber actors and non-traditional collectors may try to steal intellectual property and public health data related to COVID-19 vaccines, treatments, and testing. According to the PSA, “[t]he potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options for our citizens.” In response, the FBI and CISA issued the following guidance:
The FBI and CISA urge all organizations conducting research in these areas to maintain dedicated cybersecurity and insider threat practices to prevent surreptitious review or theft of COVID-19-related material.
- Assume that press attention affiliating your organization with COVID-19 related research will lead to increased interest and cyber activity;
- Patch all systems for critical vulnerabilities, prioritizing timely patching for known vulnerabilities of internet-connected servers and software processing internet data;
- Actively scan web applications for unauthorized access, modification, or anomalous activities;
- Improve credential requirements and require multi-factor authentication; and
- Identify and suspend access of users exhibiting unusual activity.
This PSA comes on the heels of a joint alert issued last month by CISA and the United Kingdom’s National Cyber Security Centre (NCSC) entitled COVID-19 Exploited by Malicious Cyber Actors. In that alert, CISA and NCSC noted that they are both “seeing a growing use of COVID-19-related themes by malicious cyber actors. At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.” According to CISA and NCSC, threats observed include the following, which we similarly identified in a post last month:
- Phishing, using the subject of coronavirus or COVID-19 as a lure;
- Malware distribution, using coronavirus- or COVID-19- themed lures;
- Registration of new domain names containing wording related to coronavirus or COVID-19; and
- Attacks against newly—and often rapidly—deployed remote access and teleworking infrastructure.
We have previously written about the special threats to trade secrets caused by increased remote work, particularly for companies that are rapidly deploying new technologies without proper security vetting. CISA and NCSC describe the threat in more technical detail, but offer recommendations similar to ours for protecting trade secrets and other intellectual property:
Many organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking.
Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. In several examples, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix. The Citrix vulnerability, CVE-2019-19781, and its exploitation have been widely reported since early January 2020. Both CISA and NCSC provide guidance on CVE-2019-19781 and continue to investigate multiple instances of this vulnerability’s exploitation.
Similarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited. CISA provides guidance on the Pulse Secure vulnerability and NCSC provides guidance on the vulnerabilities in Pulse Secure, Fortinet, and Palo Alto.
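The scanning the alert describes leaves a recognizable trace in web server access logs. The following script is an added example and is not part of the CISA/NCSC alert or any agency tool: it flags requests that match the traversal signature Citrix published in its own mitigation for CVE-2019-19781 (a decoded URL containing both “/vpns/” and “/../”). The log lines, the combined-log-format layout, and the IP addresses are constructed for the example.

```python
"""Flag CVE-2019-19781 (Citrix ADC/Gateway) traversal probes in web access logs.

Added example, not code from the CISA/NCSC alert. The detection rule mirrors the
published Citrix mitigation: a request whose decoded URL contains "/vpns/" and
"/../". All sample log lines below are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in an assumed common/combined log format.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1024
203.0.113.5 - - [12/Jan/2020:03:14:09 +0000] "GET /vpn/..%2Fvpns/cfg/smb.conf HTTP/1.1" 200 1024
198.51.100.7 - - [12/Jan/2020:08:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
198.51.100.9 - - [12/Jan/2020:08:00:02 +0000] "GET /vpns/portal/scripts/ HTTP/1.1" 403 0
"""

# client ip, timestamp, method and request path from a combined-format line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2F, %252F and similar collapse to '/'.

    Stops early once a pass changes nothing; 'rounds' bounds double/triple encoding.
    """
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_probe(path: str) -> bool:
    """True when the decoded path carries the CVE-2019-19781 traversal signature."""
    decoded = decode_path(path).lower()
    return "/vpns/" in decoded and "/../" in decoded


def find_probes(log_text: str) -> list:
    """Return one record per log line that matches the traversal signature."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        if is_traversal_probe(m["path"]):
            hits.append(
                {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": m["path"]}
            )
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]}')
```

Both probe lines from 203.0.113.5 are flagged, including the percent-encoded one; the plain request to /vpn/index.html is not. The last line, a bare request under /vpns/ without a traversal, is also left alone: the Citrix mitigation additionally blocked such requests when they came from outside an authenticated SSL VPN session, but an access log does not carry that session state, so a log-based check should treat that case as a separate, lower-confidence signal.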
Malicious cyber actors are also seeking to exploit the increased use of popular communications platforms—such as Zoom or Microsoft Teams—by sending phishing emails that include malicious files with names such as “zoom-us-zoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe” (# representing various digits that have been reported online). CISA and NCSC have also observed phishing websites for popular communications platforms. In addition, attackers have been able to hijack teleconferences and online classrooms that have been set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software.
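The lure file names above are given in the alert as templates, with “#” standing for a digit. The following script is an added example, not part of the alert: it converts those templates into anchored, case-insensitive regular expressions and checks attachment names against them. It assumes each “#” stands for exactly one digit (the alert says only that the digits vary), and the sample attachment names are constructed.

```python
"""Match attachment names against the lure-name templates from the CISA/NCSC alert.

Added example, not code from the alert. Templates use "#" for a digit, as the
alert does; this script assumes one "#" is exactly one digit. Sample attachment
names are constructed.
"""
import re
from typing import List, Optional, Tuple

# Templates exactly as written in the alert.
LURE_TEMPLATES = [
    "zoom-us-zoom_##########.exe",
    "microsoft-teams_V#mu#D_##########.exe",
]


def template_to_regex(template: str) -> "re.Pattern":
    """Turn a '#'-template into an anchored, case-insensitive regex.

    Every character except '#' is matched literally (so '.' stays a dot);
    each '#' becomes a single digit.
    """
    parts = [r"\d" if ch == "#" else re.escape(ch) for ch in template]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


LURE_PATTERNS = [template_to_regex(t) for t in LURE_TEMPLATES]


def matching_template(filename: str) -> Optional[str]:
    """Return the template a file name matches, or None."""
    for template, pattern in zip(LURE_TEMPLATES, LURE_PATTERNS):
        if pattern.match(filename):
            return template
    return None


def flag_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Return (file name, matched template) pairs for names that match a lure template."""
    flagged = []
    for name in names:
        template = matching_template(name)
        if template is not None:
            flagged.append((name, template))
    return flagged


# Constructed sample attachment names, e.g. pulled from a mail gateway log.
SAMPLE_ATTACHMENTS = [
    "zoom-us-zoom_1234567890.exe",
    "Microsoft-Teams_V1mu2D_0987654321.EXE",   # case differs: still matched
    "zoom-us-zoom_12345.exe",                  # wrong digit count: not matched
    "Q2-budget.xlsx",
]


if __name__ == "__main__":
    for name, template in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name}  <-  {template}")
```

Case-insensitive matching catches the upper-cased “.EXE” variant, while a name with a different digit count is not matched under the one-digit-per-“#” assumption; loosen the template conversion (for example, a run of “#” to `\d+`) if that assumption proves too strict for what your gateway sees.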
The surge in teleworking has also led to an increase in the use of Microsoft’s Remote Desktop Protocol (RDP). Attacks on unsecured RDP endpoints (i.e., exposed to the internet) are widely reported online, and recent analysis has identified a 127% increase in exposed RDP endpoints. The increase in RDP use could potentially make IT systems—without the right security measures in place—more vulnerable to attack.
Relevant to the issue of so-called “Zoombombing,” CISA and the NCSC recommend the following “tips for defending against online meeting hijacking”:
- Do not make meetings public. Instead, require a meeting password or use the waiting room feature and control the admittance of guests;
- Do not share a link to a meeting on an unrestricted publicly available social media post. Provide the link directly to specific people;
- Manage screensharing options. Change screensharing to “Host Only”;
- Ensure users are using the updated version of remote access/meeting applications; and
- Ensure telework policies address requirements for physical and information security.
We will continue to monitor alerts and recommendations issued by law enforcement and intelligence services in the US and abroad that concern the protection of trade secrets and report on anything of note.
The FBI encourages victims to report information concerning suspicious or criminal activity to their local field office (www.fbi.gov/contact-us/field). For additional assistance and best practices, such as cyber hygiene vulnerability scanning, please visit https://www.cisa.gov/coronavirus.