Published on March 16, 2020
As the Coronavirus (COVID-19) continues to disrupt communities throughout the world in unprecedented ways, the Securonix Threat Research team would like to take this opportunity to reiterate our commitment to enhancing monitoring capabilities during this difficult time.
We have started to see several organizations cancel events and businesses shift their workforce to working remotely. For companies that haven’t historically allowed work from home, this has forced a rapid change in business culture. The shift is compounded by the existing trend towards using cloud applications in the enterprise, and by the security risk, monitoring, compliance, and response challenges that trend brings.
As a result, we at Securonix have created a task force of data scientists, threat researchers, and detection engineers to support our customers through this period of global emergency and to ensure you get the right level of visibility and detection coverage.
Below are the key threat and behavior indicators for which we have developed threat models. If you are a customer, they are ready to be configured in your environment; please reach out to your Securonix Customer Success account team to enable these use cases.
There is no cost to set up these use cases in your environment.
Phishing Detection Behavior Indicators
Our Threat Research team has observed over 5000 unique domains created in the last 96 hours alone containing the words “corona” or “covid”. On average, an organization receives around 350 emails a day from external senders on this topic, which illustrates the importance of having advanced phishing detection behavior indicators enabled in your environment.
Attackers have used specially crafted, weaponized documents and links that exploit the public's fears and concerns about the Coronavirus. They impersonate the Centers for Disease Control and Prevention (CDC), as well as internal employees (leadership, members of Human Resources, and co-workers) by setting up visually similar or typosquatted domains and email accounts. They then send documents purporting to contain guidelines, safety measures, and the latest updates about the virus to lure employees into running a stager or having one dropped on their machine.
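The two indicators described above (themed sender domains and lookalike or typosquatted versions of internal domains) can be expressed as simple checks over mail-gateway records. The script below is an added illustration, not Securonix content or product logic; the log format, the internal domain `example.com`, the sender addresses, and the thresholds `MAX_EDIT_DISTANCE` and `THEME_KEYWORDS` are all constructed assumptions.

```python
import re

# Constructed sample email-gateway records (simplified format, not real data).
SAMPLE_EMAIL_LOG = [
    "2020-03-16T08:01:12Z from=hr@example.com to=alice@example.com subject='Updated remote work policy'",
    "2020-03-16T08:03:45Z from=alerts@cdc-corona-update.com to=bob@example.com subject='COVID-19 safety guidelines'",
    "2020-03-16T08:05:10Z from=ceo@examp1e.com to=carol@example.com subject='Urgent: read attached'",
    "2020-03-16T08:07:30Z from=newsletter@vendor.net to=dave@example.com subject='March product news'",
    "2020-03-16T08:09:02Z from=it-help@exarnple.com to=erin@example.com subject='Coronavirus VPN instructions'",
]

# Assumed values: the organisation's own domain(s) and the themed keywords from the advisory.
INTERNAL_DOMAINS = {"example.com"}
THEME_KEYWORDS = ("corona", "covid")
MAX_EDIT_DISTANCE = 2  # assumed: how close a sender domain must be to an internal domain to count as a lookalike

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject='(?P<subject>[^']*)'$"
)


def parse_line(line):
    """Parse one gateway record into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sender_domain(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain):
    """Map a few common visual substitutions back to the characters they imitate."""
    return domain.replace("rn", "m").replace("1", "l").replace("0", "o")


def is_lookalike(domain):
    """True if the domain imitates an internal domain without actually being one."""
    if domain in INTERNAL_DOMAINS:
        return False
    folded = fold_homoglyphs(domain)
    return any(
        folded == internal or levenshtein(domain, internal) <= MAX_EDIT_DISTANCE
        for internal in INTERNAL_DOMAINS
    )


def is_themed(text):
    """True if the text mentions one of the campaign keywords."""
    t = text.lower()
    return any(k in t for k in THEME_KEYWORDS)


def indicators(record):
    """Return the list of behavior indicators that fire for one parsed record."""
    domain = sender_domain(record["sender"])
    tags = []
    if is_lookalike(domain):
        tags.append("lookalike-internal-domain")
    if is_themed(domain):
        tags.append("themed-sender-domain")
    if is_themed(record["subject"]):
        tags.append("themed-subject")
    return tags


def scan(lines):
    """Run the indicators over raw log lines and return only the records that fired."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = indicators(rec)
        if tags:
            hits.append({"sender": rec["sender"], "subject": rec["subject"], "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EMAIL_LOG):
        print(f"{hit['sender']:<35} {', '.join(hit['tags'])}")
```

The homoglyph table is deliberately tiny and the edit distance is computed over the whole domain string, TLD included; a production check would fold a much larger confusable set and compare registrable domains using the public suffix list, and would treat a themed keyword on its own as low-severity context rather than an alert, since plenty of legitimate mail on the topic matches it.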
Malware Detection Behavior Indicators
The Securonix Threat Research team has identified an active campaign that installs malicious implants on a victim’s computer. The implant displays a Coronavirus activity map obtained from a legitimate source while performing malicious activity in the background, including stealing access credentials and reporting to a botnet channel on a C2 server that appears to be hidden behind a CloudFront hop point and is accessed over HTTP.
Employees who save corporate materials to personal devices that have not been appropriately configured with security controls (e.g., a company-sanctioned level of anti-virus software, password protection technologies, or secure network connections) while working remotely increase the risk of exposure to cybercriminals. Assets should be monitored to identify those that are high risk (i.e., unpatched assets or assets with protection disabled), and to identify misuse of technology for streaming and other personal purposes, which increases exposure to malware and enlarges an organization's attack surface.
With many organizations now opening up remote access for the first time to a broad segment of their workforce, attackers have begun targeting users with less secure access, in terms of weak passwords and a lack of MFA.
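The two observable traits of the campaign above, plain HTTP to a CDN-fronted host and periodic check-ins to a botnet channel, can be turned into a proxy-log indicator without any campaign-specific IoCs. The script below is an added example, not Securonix content or the campaign's own infrastructure: the log format, source addresses, the `cloudfront.net` hostnames (placeholders), and the `MIN_BEACON_REQUESTS` and `MAX_JITTER_RATIO` thresholds are all constructed assumptions.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy records (hostnames and addresses are placeholders, not real indicators).
SAMPLE_PROXY_LOG = [
    "2020-03-16T09:00:00Z src=10.1.2.3 scheme=http host=d111placeholder.cloudfront.net path=/report",
    "2020-03-16T09:01:00Z src=10.1.2.4 scheme=https host=news.example.net path=/",
    "2020-03-16T09:02:30Z src=10.1.2.4 scheme=https host=news.example.net path=/world",
    "2020-03-16T09:05:00Z src=10.1.2.3 scheme=http host=d111placeholder.cloudfront.net path=/report",
    "2020-03-16T09:09:00Z src=10.1.2.4 scheme=https host=news.example.net path=/health",
    "2020-03-16T09:10:00Z src=10.1.2.3 scheme=http host=d111placeholder.cloudfront.net path=/report",
    "2020-03-16T09:12:00Z src=10.1.2.5 scheme=http host=d222placeholder.cloudfront.net path=/assets/app.js",
    "2020-03-16T09:15:00Z src=10.1.2.3 scheme=http host=d111placeholder.cloudfront.net path=/report",
    "2020-03-16T09:20:00Z src=10.1.2.3 scheme=http host=d111placeholder.cloudfront.net path=/report",
]

CDN_SUFFIX = ".cloudfront.net"
MIN_BEACON_REQUESTS = 4   # assumed: fewer requests cannot establish a rhythm
MAX_JITTER_RATIO = 0.1    # assumed: stdev/mean of inter-request gaps below this counts as regular

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) scheme=(?P<scheme>\S+) host=(?P<host>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Parse one proxy record; timestamps become datetime objects. None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def interval_jitter(timestamps):
    """For a sorted list of timestamps return (mean gap in seconds, stdev/mean); None if too few."""
    if len(timestamps) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_suspicious(lines):
    """Group requests by (source, host) and return the groups where at least one indicator fires."""
    groups = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        groups.setdefault((rec["src"], rec["host"]), []).append(rec)

    results = []
    for (src, host), recs in sorted(groups.items()):
        tags = []
        # Indicator 1: cleartext HTTP to a CDN-fronted host (the campaign's C2 was reached this way).
        if host.endswith(CDN_SUFFIX) and any(r["scheme"] == "http" for r in recs):
            tags.append("plaintext-http-to-cdn")
        # Indicator 2: a fixed-cadence check-in pattern, i.e. beaconing to a botnet channel.
        stats = interval_jitter(sorted(r["ts"] for r in recs))
        if len(recs) >= MIN_BEACON_REQUESTS and stats is not None and stats[1] < MAX_JITTER_RATIO:
            tags.append("regular-beacon")
        if tags:
            results.append((src, host, tags))
    return results


if __name__ == "__main__":
    for src, host, tags in find_suspicious(SAMPLE_PROXY_LOG):
        print(f"{src:<10} {host:<32} {', '.join(tags)}")
```

Neither indicator is an alert on its own: a great deal of legitimate content is served from CloudFront, and cleartext HTTP still occurs for software updates and static assets, so the single request from 10.1.2.5 is only context. The combination of cleartext transport and a metronomic request cadence from one host is what should be escalated, and the jitter threshold needs tuning per environment since real implants often add randomised sleep.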
Insider Threat Behavior Indicators and VPN Monitoring
Work from home has been one of the most sought-after techniques for malicious and unintentional insiders to exfiltrate confidential data. With this increased “off-corporate-network” activity, insider threat detection teams should focus on ramping up additional use cases and detection content for identifying these threats.
Sudden changes to business culture have also left companies with fewer opportunities to train their employees on how to work remotely securely: identifying legitimate-looking phishing emails, not approving unknown or unexpected MFA requests, avoiding credential sharing with a peer, and, most importantly, keeping their endpoints secure, especially in organizations that have allowed users to connect remotely from their personal machines.
Use cases and insight reports on identifying the rise in these types of insider threats will be covered in an upcoming advisory.
This section of the advisory is primarily targeted at HR teams and managers with concerns about identifying decreases in productivity. Working remotely comes with its own set of distractions; our primary goal with productivity monitoring is to ensure business continuity is not impacted by a decline in productivity. Additionally, a few customers have also shown interest in adding “Inherent Risk Indicators”, such as inappropriate web browsing, short-lived remote sessions, and a drop in communication, to identify decreases in productivity.
We recognize these are turbulent times for many people in our community and we want you to know the entire Securonix team is working hard.