NZ IT managers urged to revisit security following hasty lockdown changes

CERT NZ cites a rise in ransomware and RDP attacks during the COVID-19 pandemic, at a time when companies may have made changes that compromise security.


If they haven’t already, IT managers should be going back over all the changes they made at speed during the first COVID-19 lockdown to ensure the correct security protocols are in place. That’s the advice from CERT NZ, whose half-yearly report shows a spike in security incidents in April and May 2020.

CERT NZ recorded 3,102 incidents between 1 January and 30 June 2020 — a 42% increase on the same time period last year. Deputy director Declan Ingram says the move to lockdown occurred during a number of high-profile technical vulnerabilities in remote access solutions, further compounding the issue for IT managers and chief security officers.

“We also saw a lot of organisations that moved to open up RDP [Remote Desktop Protocol] and of course after that we’ve seen numerous ransomware campaigns targeting RDP,” he says. “So really our messaging around COVID, and the important thing for IT managers to do now, is to make sure that they go back over all of those changes that were made very, very quickly and make sure that all of the t’s were crossed and the i’s were dotted, in terms of the security governance associated with those changes. And to make sure they haven’t moved that risk profile of the organisation somewhere that’s going to get them into trouble.”

Dealing with the rise in ransomware

Ingram says that after the WannaCry ransomware attack, in which “the world scared itself with what could happen and how bad it could be”, ransomware threats dropped off for a while.

But a viable business model began to emerge, and ransomware has now become about “pure economics”, Ingram says. “When ransomware started, it was $200 to get systems back and the target was general home users. Now what we are seeing is well-resourced groups that are systematically profiling and targeting organisations to go after millions and millions of dollars. So, the thing is with this kind of stuff, the more money that these crime groups make, the more they’re able to invest in their campaigns.”

CERT NZ profiles a couple of multi-stage malware threats in its report, including Ryuk, which is used to target enterprise environments. “The reports of Ryuk seen by CERT NZ came via one of our partners, who shared a number of IP addresses that had previously been compromised by another malware, such as Trickbot or Emotet. The attackers were now using that compromise to deploy the Ryuk ransomware. CERT NZ proactively worked with the ISPs to identify the infected parties and provide them with advice on recovering from the compromise.”

Ingram says CERT advises against paying the ransom if your organisation is attacked, noting that those who do face the double penalty of paying off the criminals and then paying to restore their systems. Then there is the legal position to consider if the criminals are caught and prosecuted.

Also, paying ransoms just helps fund and encourage illegal and harmful activity. “The only reason that these kinds of things occur is because organisations pay the ransom. If people stopped paying ransoms, these attacks would stop because the business model breaks,” he says.

No denial-of-service attacks in first six months of 2020

Despite the high-profile DDoS attack on the NZX last week, there are no such incidents mentioned in this CERT report. “We had 84 denial-of-service incidents reported to us in 2019, and we don’t have any in the current two quarter reports,” Ingram says. He does note, though, that CERT issued an advisory on DDoS late last year.

He wouldn’t comment on the NZX attacks as CERT’s policy is not to discuss individual cases in order to preserve confidentiality and ensure that organisations continue to seek their help.

His advice for IT managers concerned about DDoS is to talk to their upstream provider as prevention is the best cure. “The important thing for an organisation at this point is to have the system in place to protect them from a DDoS prior to one occurring. Every protection system could be overloaded but having a conversation with your upstream provider and potential commercial organisations that can provide extra levels of support. … These services can get quite expensive, so you need to look at the cost versus the value,” he says.

Later on Monday the National Cyber Security Centre (NCSC) put out an advisory, noting that “it is aware of an ongoing campaign of denial-of-service (DoS) attacks affecting New Zealand entities.”

“The campaign has included the targeting of a number of global entities, predominantly in the financial sector. The NCSC strongly encourages all organisations in this sector to consider the risk to their organisation of DoS and ensure appropriate mitigations are in place.”

Phishing incidents the most reported

Guarding against DDoS attacks is “one very small component” in an organisation’s security programme, Ingram says. “You’ll see in our security report that most of the incidents that are reported are to do with phishing, so you are going to need to make a significant investment in your email systems and how you manage your user accounts and your user education to do with phishing,” he points out.

“The important thing is to keep everything in context, and that’s one of the great things about the quarterly report, it shows all the people all the things that are being reported and it gives context and meaning to what people are really experiencing,” Ingram says.

Copyright © 2020 IDG Communications, Inc.
