The novel coronavirus outbreak (COVID-19) has prompted many organizations in Mainland China and Hong Kong to execute their business continuity plan (BCP). During the last epidemic in 2003, the SARS outbreak lasted for nine months\u2014and with an infection rate that is increasing rapidly, this new coronavirus has the potential to cause prolonged periods of commercial disruption, and heavy reliance on BCPs.<\/p>\n\n\n\n
The most common practice in a BCP is to give employees the ability to work from home through VPN for secure, remote access. Although VPN is already commonly used in the business world, this medical epidemic has created a sudden surge in massive and prolonged use in affected regions, which may expose organizations to unforeseen risks. This article details a few security blind spots that may arise.<\/p>\n\n\n\n
In December 2019, a new vulnerability\non VPN\u2014CVE-2019-14899\u2014was discovered.1<\/sup>\nAmazon \u00ae engineer, Colm MacC\u00e1rthaigh, described it as \u201cextremely clever\u201d and\n\u201cvery impressive.\u201d This attack works across many different VPNs and “the\nVPN technology used does not seem to matter.\u201d2<\/sup>\nIt appeared to be a variation of the TCP sequence prediction attack, where\nthe attacker observes to determine the TCP sequence to insert a malicious data packet\nand effectively hijack the VPN tunnel. <\/p>\n\n\n\n This type of attack could be very\neffective in targeted hijacking campaigns, and it works across any device and\nVPN. Unsuspecting employees accessing VPN through an unsecured home Wi-Fi\nnetwork become susceptible.<\/p>\n\n\n\n MacC\u00e1rthaigh, who develops Amazon Web Service\u2019s VPN products, warned that the attack can pose an even more serious threat if combined with domain name system (DNS) spoofing.<\/a>3<\/sup> It\u2019s easy for attackers to profile DNS requests and reply based on the size and position of the data packets; DNS is often the first traffic in a sequence, and a DNS query is made before VPN is established. As a result, \u201chijacking traffic via DNS is usually much more powerful than payload injection,\u201d4<\/sup> and can be used as a part of the VPN hijacking attack. A variation of this attack can also be used to steal VPN passwords, giving attackers free access to the corporate network.<\/p>\n\n\n\n During the renowned DNS hijacking campaign by the Sea Turtle hackers in 2019, Cisco Talos reported that the perpetrators were able to steal email and other login credentials, and redirect all email and VPN traffic to fake servers controlled by the attackers. The attackers hijacked either the domain name registrar or the DNS service provider to gain access to business-critical domains of the victim organizations. Once a domain name is hijacked, the attacker can obtain the secure sockets layer (SSL) or transport layer security (TLS) digital certificate for the targeted domain (e.g., vpn.victimcompany.com), which allows them to \u201cdecrypt the intercepted email and VPN credentials and view them in plain text.\u201d5<\/sup><\/p>\n\n\n\n Other hackers have replicated the Sea Turtle attack, as evidenced by the increased number of DNS hijacks, and high-profile registrars hacked since. This trend is likely to continue, as it\u2019s far more cost effective to hijack DNS then attack anything within a well-protected firewall. <\/p>\n\n\n\n VPNs can be set up either by using an IP address directly, or through your DNS. The benefit of using DNS is the flexibility it offers; hence, this is a popular option. With this, the domain name and DNS hijacking issues discussed above create another dimension of risk. To mitigate these risks, companies should review both the security of both their registrar and DNS.<\/p>\n\n\n\n I. Registrar security<\/strong> \u2013 Attackers can gain control over the nameserver record hosted with your domain name registrar, which links a domain to your DNS, if your account at your registrar is compromised. This allows them to redirect your core domains to any DNS, enabling all types of man-in-the-middle attacks. A registrar breach happens completely outside your firewall<\/strong> and must be mitigated through proper third-party risk management. An effective risk mitigation strategy includes:<\/p>\n\n\n\n It\u2019s important to note that the domain behind your VPN connection might be different from your core domain. Domain names used internally could be neglected and may not be considered vital, needing attention and security controls. These domains could be considered to be of low importance, or were set up by an ex-employee or contractor, and your current network engineer may no longer have full visibility. We highly recommend that you conduct an internal audit to account for any domain used for internal critical systems, especially business continuity-related services, and to ensure proper security controls. If such domains are hacked, your BCP will fail.<\/p>\n\n\n\n II. DNS security and availability<\/strong> \u2013 The attacker can also hijack the DNS server directly. As long as your VPN connection uses the DNS, either a registrar or DNS hijack could completely shut down your BCP. Here are some best practices to mitigate DNS hijacking:<\/p>\n\n\n\n VPN can either be encrypted through IPSec or SSL. Due\nto easier implementation, low cost, and higher scalability, SSL VPN is becoming\nmore popular. With a lack of licenses, and the difficulty in implementing IPSec\nVPN systems when there is a sudden need to scale up access during a BCP\nsituation, companies may have implemented SSL VPN for their remote employees. <\/p>\n\n\n\n If this is the case, it\u2019s essential to consider the risks related to digital certificate management, which often arise from bad habits. Unfortunately, mismanagement happens rather regularly, even to large organizations, like LinkedIn\u00ae, causing significant loss to businesses.<\/p>\n\n\n\n If your organization has implemented SSL VPN in your BCP process, it\u2019s critical to review your policy to ensure the certificate will not expire. Some best practices are:<\/p>\n\n\n\n It\u2019s an unfortunate fact that in any emergency, there will be cyber criminals waiting to capitalize on the situation. \u201cAs people grow concerned about the Wuhan coronavirus \u2026 cyber criminals are preying on their fear, with phishing emails claiming to have advice on protective safety measures. Emails have been seen in the U.S. and U.K.\u201d6<\/sup><\/p>\n\n\n\n To date, CSC has detected 63 domain\nregistrations containing the word \u201ccorona\u201d ranging from informative sites, eCommerce\nsite selling masks, to information site with subtle recommendations to buy\ncertain branded medicine. If your company is related to medical supplies or\npharmaceuticals, be aware that counterfeiters could be using phishing campaigns\nto promote counterfeit products, no matter whether your product actually has anything\nto do with corona virus.<\/p>\n\n\n\n Phishers, on the other hand, are\nunlikely to use the name of the virus in the email or the domain name; it would\nbe too easy for anti-virus software to detect it. Instead, they use the brand\nas a hook for the victim to view a report on a macro-enabled Word document or\nan infected .PDF, hence infecting their machine. Companies need to be aware of the\npotential use of their brand as a means to phish, because in such cases,\nclients will be the victims and the brand will be damaged. <\/p>\n\n\n\n Phishing attacks can target your\ncompany internally through spear-phishing, whaling, or business email compromise\n(BEC) of your executives and employees, or externally, targeting your clients\nby using your brand name in a domain or brand spoofing phishing campaign. These\nattacks should be on the radar of the Information Security team.<\/p>\n\n\n\n For internally-focused phishing, it is\nrecommended that domain message authentication, reporting, and conformance (DMARC)\nprotocol is implemented to control the email rejection policy set up by your sender\npolicy framework record. You should ensure your email gateway supports DMARC, to\neffectively filter spoofed emails pretending to be your employees or partners. <\/p>\n\n\n\n For externally-focused phishing, we recommend\nimplementing an anti-fraud monitoring service. It is the only way to protect\nclients who may not have sophisticated firewalls and email gateways to protect\nthem. <\/p>\n\n\n\n A BCP is\nused to ensure business as usual during a crisis, however if the systems that\nit uses, such as VPN, as well as DNS, domains, and digital certificates that\nsit outside the firewall are at risk, the BCP itself could expose organizations\nto vulnerabilities. Being mindful of these security blind spots can mitigate\nbusiness continuity risks by ensuring the right security controls and policies\nare place. <\/p>\n","protected":false},"excerpt":{"rendered":" The novel coronavirus outbreak (COVID-19) has prompted many organizations in Mainland China and Hong Kong to execute their business continuity plan (BCP). During the last epidemic in 2003, the SARS outbreak lasted for nine months\u2014and with an infection rate that is increasing rapidly, this new coronavirus has the potential to cause prolonged periods of commercial […]<\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9,171,521],"tags":[],"class_list":["post-8703","post","type-post","status-publish","format-standard","hentry","category-brands","category-cyber-security","category-send-email"],"acf":[],"yoast_head":"\n2. Stealing VPN passwords through DNS hijacking<\/strong><\/h3>\n\n\n\n
3. Domain name and DNS security could affect VPN<\/strong><\/h3>\n\n\n\n
\n
\n
4. SSL VPN and digital certificate management risks<\/strong><\/h3>\n\n\n\n
\n
digital certificates, consider a digital certificate management service that
can enable automatic renewal and installation for both your internal and
external certificates.<\/li>\n\n\n\n
will always be a chance that a digital certificate will expire unnoticed; as Murphy\u2019s
Law states, whatever can go wrong, will go wrong. Your vendor\u2019s ability to respond
quickly during an incident becomes critical. They should have 24\/7 support and
preferably not be online only or accessible only through web forms.<\/li>\n\n\n\n
Authority\u00a0Authorization (CAA) record, which helps create a governance
framework for your digital certificates. It helps prevents rogue SSL issuance
on your domain, as well as prevent employees from purchasing from unauthorized
vendors.<\/li>\n<\/ul>\n\n\n\n5. Phishing attacks during emergencies <\/strong><\/h3>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n\n