INTERPOL report shows shift in cyber attacks from individuals to governments and critical health infrastructure

An INTERPOL assessment of the impact of COVID-19 on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure.

With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.

In one four-month period (January to April) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19 – were detected by one of INTERPOL’s private sector partners.

“The increased online dependency for people around the world, is also creating new opportunities, with many businesses and individuals not ensuring their cyber defences are up to date.

“The report’s findings again underline the need for closer public-private sector cooperation if we are to effectively tackle the threat COVID-19 also poses to our cyber health,” concluded the INTERPOL Chief.

Key findings highlighted by the INTERPOL assessment of the cybercrime landscape in relation to the COVID-19 pandemic include:

Online Scams and PhishingThreat actors have revised their usual online scams and phishing schemes. By deploying COVID-19 themed phishing emails, often impersonating government and health authorities, cybercriminals entice victims into providing their personal data and downloading malicious content.Around two-thirds of member countries which responded to the global cybercrime survey reported a significant use of COVID-19 themes for phishing and online fraud since the outbreak.

Disruptive Malware (Ransomware and DDoS)Cybercriminals are increasingly using disruptive malware against critical infrastructure and healthcare institutions, due to the potential for high impact and financial benefit.In the first two weeks of April 2020, there was a spike in ransomware attacks by multiple threat groups which had been relatively dormant for the past few months.Law enforcement investigations show the majority of attackers estimated quite accurately the maximum amount of ransom they could demand from targeted organizations.

Data Harvesting MalwareThe deployment of data harvesting malware such as Remote Access Trojan, info stealers, spyware and banking Trojans by cybercriminals is on the rise. Using COVID-19 related information as a lure, threat actors infiltrate systems to compromise networks, steal data, divert money and build botnets.

Malicious DomainsTaking advantage of the increased demand for medical supplies and information on COVID-19, there has been a significant increase of cybercriminals registering domain names containing keywords, such as “coronavirus” or “COVID”. These fraudulent websites underpin a wide variety of malicious activities including C2 servers, malware deployment and phishing.From February to March 2020, a 569 per cent growth in malicious registrations, including malware and phishing and a 788 per cent growth in high-risk registrations were detected and reported to INTERPOL by a private sector partner.

Misinformationn increasing amount of misinformation and fake news is spreading rapidly among the public. Unverified information, inadequately understood threats, and conspiracy theories have contributed to anxiety in communities and in some cases facilitated the execution of cyberattacks.Nearly 30 per cent of countries which responded to the global cybercrime survey confirmed the circulation of false information related to COVID-19. Within a one-month period, one country reported 290 postings with the majority containing concealed malware. There are also reports of misinformation being linked to the illegal trade of fraudulent medical commodities.Other cases of misinformation involved scams via mobile text-messages containing 'too good to be true' offers such as free food, special benefits, or large discounts in supermarkets.

Future primary areas of concern highlighted by the INTERPOL report include.

  • A further increase in cybercrime is highly likely in the near future. Vulnerabilities related to working from home and the potential for increased financial benefit will see cybercriminals continue to ramp up their activities and develop more advanced and sophisticated modi operandi.
  • Threat actors are likely to continue proliferating coronavirus-themed online scams and phishing campaigns to leverage public concern about the pandemic.
  • Business Email Compromise schemes will also likely surge due to the economic downturn and shift in the business landscape, generating new opportunities for criminal activities.
  • When a COVID-19 vaccination is available, it is highly probable that there will be another spike in phishing related to these medical products as well as network intrusion and cyberattacks to steal data.

Protect Operational Technologies and Control Systems Against Cyber Attacks

Cyber actors have demonstrated their willingness to conduct cyber attacks against critical infrastructure by exploiting Internet-accessible Operational Technology (OT) assets. Due to the increase in adversary capabilities and activities, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to harm to US interests or retaliate for perceived US aggressive.

Today, the National Security Agency and Cybersecurity and Infrastructure Security Agency released an advisory for critical infrastructure OT and control systems assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.

“Operational technology assets are pervasive and underpin many essential national security functions, as well as the Defense Industrial Base,” Anne Neuberger, Director of NSA's Cybersecurity Directorate noted. “We encourage all stakeholders to apply our joint recommendations with DHS CISA.”

“As we’ve said many times, our adversaries are capable, imaginative and aim to disrupt essential services, so it is important that we make sure we are staying ahead of them." Bryan Ware, Assistant Director for Cybersecurity, CISA. “Our goal at CISA is to lead and encourage a proactive ‘whole community’ assessment and response to significant threats and ensure we provide the right tools and services at the right time.”

NSA and CISA continue to collaborate on cybersecurity issues and share information about how to best secure National Security Systems, Department of Defense systems, and the Defense Industrial Base as well as other critical infrastructure, against foreign threats, ultimately keeping America and our allies safe.

CISA Adds Top Cybersecurity Experts to Join Covid-19 Response Efforts

The Cybersecurity and Infrastructure Security Agency (CISA) announced today the addition of two leading cybersecurity experts to support the agency’s COVID-19 response efforts. Josh Corman is joining CISA as a Visiting Researcher, and Rob Arnold will join CISA’s National Risk Management Center as a Senior Cybersecurity and Risk Management Advisor. Corman and Arnold were both hired using authorities granted under the CARES Act, which allows agencies to hire staff to temporarily support the COVID-19 response.

“The COVID-19 pandemic has resulted in noticeable shifts in cyber risk calculations for organizations of all sizes,” said CISA Director Christopher Krebs. “The hardware, software, and services that underpin our connected infrastructure have absolutely been tested and stressed in this telework-heavy environment. At the same time, certain organizations and sectors of our economy have become more attractive targets for adversaries.”

“This changing threat landscape demands an ‘all-hands-on-deck’ approach and for us to bring the best and brightest minds to the front lines, and the authority granted to us by the CARES Act makes it possible to quickly recruit and add top experts to our team,” added Director Krebs. “Josh and Rob are two examples of the type of innovative leaders that will help us build up our technical capabilities while at the same time improve our engagement with our industry and security researcher community partners during this critical time.”

Josh Corman has an extensive private sector and nonprofit background in IT security and public policy. Corman recently served as the Chief Security Officer at PTC and the Director for the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center for Strategy and Security. He is also the co-founder of IAmTheCavalry.org, a non-profit collection of volunteers dedicated to improving cybersecurity in areas that can save lives. Corman was also a member of the Congressional Health Care Industry Cybersecurity Task Force, which developed a report on the state of cybersecurity in the healthcare industry. In his new role, he will advise on CISA’s integrated industry engagement efforts supporting the COVID response, provide cybersecurity expertise on healthcare infrastructure, and support CISA’s control systems and life safety initiatives.

Rob Arnold most recently served as the founder and CEO of Threat Sketch, a strategic cyber risk management firm that helps small organizations manage cybersecurity at the executive level. He has a wealth of experience in advising businesses and organizations in implementing cyber risk management practices. In addition to co-founding the North Carolina Center for Cybersecurity and authoring a book that explains cyber risk management to business executives, Arnold serves on multiple academic advisory boards for cybersecurity degree seeking programs. At CISA, he will focus on helping the agency better understand shifts in cyber risk from COVID-related factors and how the critical infrastructure community can best fortify its defenses in response.

NIST’s Post-Quantum Cryptography Program Enters ‘Selection Round’

The race to protect sensitive electronic information against the threat of quantum computers has entered the home stretch.

After spending more than three years examining new approaches to encryption and data protection that could defeat an assault from a quantum computer, the National Institute of Standards and Technology (NIST) has winnowed the 69 submissions it initially received down to a final group of 15. NIST has now begun the third round of public review. This “selection round” will help the agency decide on the small subset of these algorithms that will form the core of the first post-quantum cryptography standard.

“At the end of this round, we will choose some algorithms and standardize them,” said NIST mathematician Dustin Moody. “We intend to give people tools that are capable of protecting sensitive information for the foreseeable future, including after the advent of powerful quantum computers.”

The latest details on the project appear in the Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process (NISTIR 8309) - https://csrc.nist.gov/publications/detail/nistir/8309/final - which was published recently. NIST is asking experts to provide their input on the candidates in the report.

“We request that cryptographic experts everywhere focus their attention on these last algorithms,” Moody said. “We want the algorithms we eventually select to be as strong as possible.”

Classical computers have many strengths, but they find some problems intractable — such as quickly factoring large numbers. Current cryptographic systems exploit this difficulty to protect the details of online bank transactions and other sensitive information. Quantum computers could solve many of these previously intractable problems easily, and while the technology remains in its infancy, it will be able to defeat many current cryptosystems as it matures.

Because the future capabilities of quantum computers remain an open question, the NIST team has taken a variety of mathematical approaches to safeguard encryption. The previous round’s group of 26 candidate algorithms were built on ideas that largely fell into three different families of mathematical approaches.

“Of the 15 that made the cut, 12 are from these three families, with the remaining three algorithms based on other approaches,” Moody said. “It’s important for the eventual standard to offer multiple avenues to encryption, in case somebody manages to break one of them down the road.”

Cryptographic algorithms protect information in many ways, for example by creating digital signatures that certify an electronic document’s authenticity. The new standard will specify one or more quantum-resistant algorithms each for digital signatures, public-key encryption and the generation of cryptographic keys, augmenting those in FIPS 186-4, Special Publication (SP) 800-56A Revision 3 and SP 800-56B Revision 2, respectively.

For this third round, the organizers have taken the novel step of dividing the remaining candidate algorithms into two groups they call tracks. The first track contains the seven algorithms that appear to have the most promise.

“We’re calling these seven the finalists,” Moody said. “For the most part, they’re general-purpose algorithms that we think could find wide application and be ready to go after the third round.”

The eight alternate algorithms in the second track are those that either might need more time to mature or are tailored to more specific applications. The review process will continue after the third round ends, and eventually some of these second-track candidates could become part of the standard. Because all of the candidates still in play are essentially survivors from the initial group of submissions from 2016, there will also be future consideration of more recently developed ideas, Moody said.

“The likely outcome is that at the end of this third round, we will standardize one or two algorithms for encryption and key establishment, and one or two others for digital signatures,” he said. “But by the time we are finished, the review process will have been going on for five or six years, and someone may have had a good idea in the interim. So we’ll find a way to look at newer approaches too.”

Because of potential delays due to the COVID-19 pandemic, the third round has a looser schedule than past rounds. Moody said the review period will last about a year, after which NIST will issue a deadline to return comments for a few months afterward. Following this roughly 18-month period, NIST will plan to release the initial standard for quantum-resistant cryptography in 2022.

Protecting Operational Technologes and Control Systems Against Cyber Attacks

Cyber actors have demonstrated their willingness to conduct cyber attacks against critical infrastructure by exploiting Internet-accessible Operational Technology (OT) assets. Due to the increase in adversary capabilities and activities, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to harm to US interests or retaliate for perceived US aggressive.

Today, the National Security Agency and Cybersecurity and Infrastructure Security Agency released an advisory for critical infrastructure OT and control systems assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.

“Operational technology assets are pervasive and underpin many essential national security functions, as well as the Defense Industrial Base,” Anne Neuberger, Director of NSA's Cybersecurity Directorate noted. “We encourage all stakeholders to apply our joint recommendations with DHS CISA.”

“As we’ve said many times, our adversaries are capable, imaginative and aim to disrupt essential services, so it is important that we make sure we are staying ahead of them." Bryan Ware, Assistant Director for Cybersecurity, CISA. “Our goal at CISA is to lead and encourage a proactive ‘whole community’ assessment and response to significant threats and ensure we provide the right tools and services at the right time.”

NSA and CISA continue to collaborate on cybersecurity issues and share information about how to best secure National Security Systems, Department of Defense systems, and the Defense Industrial Base as well as other critical infrastructure, against foreign threats, ultimately keeping America and our allies safe.

For more detailed information, please review the joint advisory - https://us-cert.cisa.gov/ncas/alerts/aa20-205a - which includes recently observed tactics, techniques, and procedures, as well as related recommendations.

Security Guidelines for Storage Infrastructure

Storage infrastructure—along with compute (encompassing OS and host hardware) and network infrastructures—is one of the three fundamental pillars of Information Technology (IT). However, compared to its counterparts, it has received relatively limited attention when it comes to security, even though data compromise can have as much negative impact on an enterprise as security breaches in compute and network infrastructures.

In order to address this gap, NIST is releasing Draft Special Publication (SP) 800-209, Security Guidelines for Storage Infrastructure, which includes comprehensive security recommendations for storage infrastructures. The security focus areas covered in this document not only span those that are common to the entire IT infrastructure—such as physical security, authentication and authorization, change management, configuration control, and incident response and recovery—but also those that are specific to storage infrastructure, such as data protection, isolation, restoration assurance, and data encryption.

Storage technology, just like its computing and networking counterparts, has evolved from traditional storage service types, such as block, file, and object. Specifically, the evolution has taken two directions: one along the path of increasing storage media capacity (e.g., tape, HDD, SSD) and the other along the architectural front, starting from direct attached storage (DAS) to the placement of storage resources in dedicated networks accessed through various interfaces and protocols to cloud-based storage resource access, which provides a software-based abstraction over all forms of background storage technologies. Accompanying the evolution is the increase in management complexity, which subsequently increases the probability of configuration errors and associated security threats. This document provides an overview of the evolution of the storage technology landscape, current security threats, and the resultant risks. The main focus of this document is to provide a comprehensive set of security recommendations that will address the threats. The recommendations span not only security management areas that are common to an information technology (IT) infrastructure (e.g., physical security, authentication and authorization, change management, configuration control, and incident response and recovery) but also those specific to storage infrastructure (e.g., data protection, isolation, restoration assurance, and encryption).

Guide can be downloaded at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-209-draft.pdf

ENISA unveils its New Strategy towards a Trusted and Cyber Secure Europe

The European Union Agency for Cybersecurity (ENISA) is unveiling its new strategy, which outlines the Agency’s strengthened path towards achieving a high common level of cybersecurity across the Union. The strategy was developed to fulfil the Agency’s permanent mandate established last year by the EU Cybersecurity Act (CSA). Under the strategy, the Agency takes on the vision of ‘A Trusted and Cyber Secure Europe’ and enhanced mission: “to achieve a high common level of cybersecurity across the Union in cooperation with the wider community.''

Jean-Baptiste Demaison, Chair of the ENISA Management Board, stated: "The EU Agency for Cybersecurity with its permanent mandate and enhanced role and capabilities will be instrumental in supporting Member States and EU institutions to face the cyber challenges of the future."

Juhan Lepassaar, Executive Director of the European Union Agency for Cybersecurity, said: “Our new strategy acts as a compass, guiding the Agency’s work towards a trusted and cyber secure Europe. It will strengthen our key relationships within the cybersecurity ecosystem and equally it will be a key driver for the Agency to follow new values.”

What are the strategic objectives?

The strategy proposes concrete goals for the Agency in the form of seven strategic objectives that will set the priorities for European Union Agency for Cybersecurity in the coming years. These strategic objectives are as follows:

1 - Empowered and engaged communities across the cybersecurity ecosystem;
2 - Cybersecurity as an integral part of EU polices;
3 - Effective cooperation amongst operational actors within the Union in case of massive cyber incidents;
4 - Cutting-edge competences and capabilities in cybersecurity across the Union;
5 - A high level of trust in secure digital solutions;
6 - Foresight on emerging and future cybersecurity challenges;
7 - Efficient and effective cybersecurity information and knowledge management for Europe.

What we want to achieve?

  • An EU-wide, state-of-the-art body of knowledge on cybersecurity concepts and practices that builds cooperation amongst key actors in cybersecurity, promotes lessons learned, EU expertise and creates new synergies;
  • An empowered cyber ecosystem encompassing Member States’ authorities, EU institutions, agencies and bodies, associations, research centres and universities, industry, private actors and citizens, who all play their role in making Europe cyber secure;
  • Proactive advice and support to all relevant EU-level actors bringing in the cybersecurity dimension in the policy development lifecycle through viable and targeted technical guidelines;
  • Cybersecurity risk management frameworks that are in place across all sectors and followed throughout the cybersecurity policy lifecycle;
  • Continuous cross-border and cross-layer support to cooperation between Member States, as well as with EU institutions. In particular, in view of potential large scale incidents and crises, support the scaling up of technical operational, political and strategic cooperation amongst key operational actors to enable timely response, information sharing, situational awareness and crises communication across the Union;
  • Comprehensive and rapid technical handling upon request of the Member States to facilitate technical and operational needs in incident and crises management;
  • Aligned cybersecurity competencies, professional experience and education structures to meet the constantly increasing needs for cybersecurity knowledge and competences in the EU;
  • An elevated base-level of cybersecurity awareness and competences across the EU while mainstreaming cyber into new disciplines;
  • Well prepared and tested capabilities with the appropriate capacity to deal with the evolving threat environment across the EU;
  • Cyber secure digital environment across the EU, where citizens can trust ICT products, services and processes through the deployment of certification schemes in key technological areas;
  • Understanding emerging trends and patterns using foresight and future scenarios that contribute to mitigating the cyber challenges of the Agency’s stakeholders;
  • Early assessment of challenges and risks from the adoption of and adaptation to the emerging future options, while collaborating with stakeholders on appropriate mitigation strategies;
  • Shared information and knowledge management for the EU cybersecurity ecosystem in an accessible, customised, timely and applicable form, with appropriate methodology, infrastructures and tools, coupled and quality assurance methods to achieve continuous improvement of services.
    How will ENISA use the strategy?

The strategy’s high-level objectives are directed at shaping a more digitally secure environment for Member States, EU Institutions, Agencies and Bodies, SMEs, academia and all of Europe’s citizens. The European Union Agency for Cybersecurity will use the new strategy to map out its annual work programme to improve security across the Union, and specifically to:

  • Better identify and understand the future cybersecurity capabilities needed to maintain competitiveness and preparedness.
  • Build on the Agency’s trusted relationships with stakeholders and communities within the cybersecurity ecosystem across Europe.
  • Guide ENISA communications within and beyond the Union, to non-EU countries and international organisations.
  • Deepen the knowledge and information sharing of ENISA expertise to reach larger audiences and increase awareness of digital security.
  • Provide cybersecurity stakeholders a clear understanding of the Agency’s priorities and actions.
  • Shape the future outlook of cybersecurity across the Union.

The strategy is both an aggregation of the tasks identified by the Cybersecurity Act and the developed synergies within Articles 5-12 of the CSA.

This publication by the European Union Agency for Cybersecurity outlines the Agency’s strategic objectives to boost cybersecurity, preparedness and trust across the EU under its new strengthened and permanent mandate.

CISA releases new strategy to improve industrial control system cybersecurity

The Cybersecurity and Infrastructure Security Agency (CISA) released a strategy to strengthen and unify industrial control systems (ICS) cybersecurity for a more aligned, proactive and collaborative approach to protect the essential services Americans use every day.

The strategy, Securing Industrial Control Systems: A Unified Initiative is intended to help architects, owners and operators, vendors, integrators, researchers, and others in the ICS community build capabilities that lead to more secure ICS operations. Ultimately, it strives to move CISA and the ICS community beyond reactive measures to a more proactive ICS security focus.

“In recent years, we have seen industrial control systems around the world become a target for an increasing number of capable, imaginative adversaries aiming to disrupt essential services,” said Christopher Krebs, Director of CISA. “As attackers continue trying to exploit vulnerabilities in ICS, we need to make sure we’re staying ahead of them. Together with our partners in the ICS industry and the security community, this strategy will lead us to new, unified initiatives and security capabilities that will markedly improve the way we defend and secure ICS.”

Although ICS owners and operators manage their own security, CISA’s mission is to assist through delivery of a broad portfolio of ICS security products and services, especially when an exploitation may threaten people or property or undermines confidence in critical infrastructure safety and reliability.

The CISA ICS initiative is a five-year plan that builds on the collaborative work already done and the existing support CISA provides to the community. It also elevates ICS security as a priority within CISA, coalescing CISA’s organizational attention around the implementation of a unified, “One CISA” strategy. The initiative organizes our efforts around four guiding pillars:

Pillar 1: Ask more of the ICS Community, deliver more to them.

Pillar 2: Develop and utilize technology to mature collective ICS cyber defense.

Pillar 3: Build “deep data” capabilities to analyze and deliver information that the ICS community can use to disrupt the ICS cyber kill chain.

Pillar 4: Enable informed and proactive security investments by understanding and anticipating ICS risk.

The CISA ICS Strategy can be found at www.cisa.gov/ICS.

Italy & Romania Take Down €20m Cyber Fraud Ring

The Italian National Postal and Communication Police Unit (Polizia Postale e delle Comunicazioni) and the Romanian National Police (Poliția Română), supported by Europol and Eurojust, dismantled an organised criminal group involved in financial fraud, cybercrime and money laundering.

On 7 July, Italian and Romanian law enforcement authorities carried out 12 house searches and arrested 12 individuals (8 in Italy and 4 in Romania). The operation led to the seizures of personal computers, credit cards, properties, vehicles and other assets with an overall estimated value of over €1.5 million.

The criminal organisation was using a wide network of money mules in Italy, created to launder criminal proceeds from a variety of cybercrime activities. The criminal group was involved in financial frauds and cyber scams such as rental fraud (fraud through the advertisement of non-existent properties to rent) and CEO fraud (impersonating a company official to trigger large transfers to bogus accounts). With these frauds, the criminals were deceiving victims across Europe into making wire transfers to Italian bank accounts, owned by the money mules. It is estimated that the criminal group has generated up to €20 million losses per year for victims across Europe.

Europol supported the operation by facilitating information exchange and providing analytical support. During the two action days, Europol deployed an expert to Italy to cross-check in real time operational information against Europol’s databases and provide leads to the investigators in the field.

Eurojust facilitated the coordination of the operation and the cooperation between the judicial authorities involved in the case.

The EU Cybersecurity Act’s first anniversary: one step closer to a cyber secure Europe

On 27 June 2020, the European Union Agency for Cybersecurity (ENISA) celebrated the first anniversary of the EU Cybersecurity Act (CSA) and its strengthened role towards securing Europe’s information society. The CSA gave the Agency a permanent mandate, a new list of tasks and increased resources, and also established the EU cybersecurity certification framework.

The Agency now plays a key role in setting up the framework and builds on its past work towards achieving a high common level of cybersecurity across the European Union by actively supporting Member States, EU institutions, industry, academia and citizens. Regarding the framework, the Agency is close to completing the first cybersecurity certification scheme and is making rapid progress towards a second one, on cloud services.

The mandate has also expanded the Agency’s role in supporting capacity-building and preparedness capabilities, as well as operational cooperation - areas that continue to be put to the test during the COVID-19 pandemic. ENISA acted quickly at the onset of the pandemic by preparing awareness campaigns, sets of tools and publications offering in-depth guidance on cyber safety for organisations, businesses and citizens, all publically available on the webpage COVID19.

Under its expanded role in policy development and implementation, ENISA has thrived, especially in the area of emerging technologies. For 5G security, ENISA has been involved in each phase and continues to support the European Commission and Member States as a common toolbox is being implemented. Last year, the Agency also supported the EU Member States with developing an EU-wide joint risk assessment regarding the 5G roll out, and delivered a 5G threat landscape report, which analyses threats at a more technical level. On Artificial Intelligence, the Agency has set up a 15-member ad-hoc working group on Cybersecurity for AI that will further advance European expertise on AI threats and solutions.

In addition, ENISA has welcomed the newly mandated tasks around research and innovation by creating the EU cybersecurity skills framework and fostering collaboration amongst the four cybersecurity pilot projects of the European Cybersecurity Competence Network.

1 2