What the WHO Attack Teaches Us About Redefining Risk

March 31, 2020 Jessica Sirkin

As governments, organizations and individuals around the world grapple with unprecedented and rapidly evolving circumstances, opportunistic cyber attackers are making moves.

According to Reuters, a group of attackers launched a phishing campaign earlier this month targeting the World Health Organization (WHO). Experts believe the attack was orchestrated by a sophisticated nation-state group with the goal of harvesting credentials used by WHO employees to access critical systems and applications.

Alexander Urbelis, the cybersecurity researcher who first sounded the alarm, explained to InfoRiskToday that the attackers used sub-domains in an attempt to compromise WHO’s Active Directory Federated Service, a single sign-on service. From the structure of the URL he was able to identify that the attack targeted the WHO log-in portal and that this was a brand new targeting of the WHO.
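The tell Urbelis describes, a hostname that carries the organization’s SSO name in its leading labels while the registrable domain belongs to someone else, can be checked mechanically against URLs pulled from mail or proxy logs. The following is an added defensive example, not code from the original post or from any party it names; the legitimate SSO host and the sample URLs are constructed placeholders, and the AD FS sign-in path check uses the real `/adfs/ls` endpoint prefix.

```python
from urllib.parse import urlparse

# Constructed placeholder for an organization's real SSO hostname (not WHO's).
LEGIT_SSO_HOST = "adfs.example.org"


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Sufficient for this illustration;
    production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_login_url(url: str, legit_host: str = LEGIT_SSO_HOST) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one observed URL."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unrelated"
    legit_host = legit_host.lower()
    # Same registrable domain as the real portal: under the organization's control.
    if registrable_domain(host) == registrable_domain(legit_host):
        return "legitimate"
    # The real SSO hostname appears as a run of labels inside a host whose
    # registrable domain is someone else's: the sub-domain trick in the article.
    if host.startswith(legit_host + "."):
        return "lookalike"
    # A foreign host serving the AD FS passive sign-in endpoint path is suspect too.
    if parsed.path.lower().startswith("/adfs/ls"):
        return "lookalike"
    return "unrelated"


def flag_lookalikes(urls):
    """Return the subset of URLs that impersonate the SSO portal."""
    return [u for u in urls if classify_login_url(u) == "lookalike"]


# Constructed sample URLs as they might appear in a mail gateway log.
SAMPLE_URLS = [
    "https://adfs.example.org/adfs/ls/?wa=wsignin1.0",
    "https://adfs.example.org.login-portal.test/adfs/ls/?wa=wsignin1.0",
    "https://cdn.example.org/style.css",
    "https://update-check.test/adfs/ls/",
    "https://news.example.com/covid-update",
]

if __name__ == "__main__":
    for u in flag_lookalikes(SAMPLE_URLS):
        print("lookalike:", u)
```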

While unsuccessful, the attack is one in a string of recent cyber attacks on the agency. WHO Chief Information Security Officer Flavio Aggio told Reuters that the number of attempts to compromise the WHO, or to impersonate it in order to target others, has “more than doubled.”

A New Category of Institutions Under Attack

This surge in attacker activity is impacting public and private organizations alike, particularly those focused on healthcare, medical research and current relief work. For example, cybercriminals posing as the U.S. Centers for Disease Control and Prevention (CDC) sent out phishing emails offering information on COVID-19, reports Bloomberg.

Additionally, the U.K.’s National Crime Agency is investigating an alleged ransomware attack against a drug testing company that develops vaccines, according to The Wall Street Journal. Meanwhile, as attacks against organizations mount, millions of U.S. citizens seeking financial assistance from the new $2 trillion government relief package are ripe targets for stimulus scams, warns the FBI.

This wave of new attacks is particularly concerning as it focuses on a new set of institutions that have not previously been targeted at this scale and with such force. Compounding the issue, most of these organizations are simultaneously facing the gargantuan challenge of supporting and securing a newly remote workforce.

The Hidden, Persistent Problem and Breaking the Cyber Attack Chain

Though some reports of attacks have emerged, many organizations may not yet know that they’ve been targeted and compromised.

Crisis situations can create a vacuum of information that attackers exploit to launch new attacks. They abuse the crisis in the hope that the broader emergency will distract defenders and blunt the response an intrusion would normally receive. And, while organizations have collectively gotten better and faster at discovering breaches over the years, the global median dwell time before any detection – external or internal – is still 78 days. Unfortunately, 78 days is ample time for attackers to find, access and steal sensitive data and information.

As with the attempted WHO attack, most attackers seek to gain a foothold by stealing credentials as a first step in the cyber attack chain. They often use these credentials to compromise an endpoint such as a desktop, laptop, mobile device or server. From there, they conduct reconnaissance, then begin moving laterally in search of the privileged credentials needed to get into specific systems. Since they’ve acquired legitimate credentials, it’s easy for attackers to move through the network undetected, escalating privileges in search of their target.

To identify the threat, the organization must have a strong handle on what legitimate communications and authentication look like – or the attacker can easily slip under the radar. Once inside, attackers patiently wait, sometimes completely dormant, while the organization focuses its attention elsewhere. Some exfiltrate sensitive information little by little, while others wait for the perfect moment to deliver a devastating blow. Attackers can wait for as long as they need, so the actual blow may not come until after the current crisis eases.
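Knowing what legitimate authentication looks like is what makes the lateral-movement phase above detectable: a stolen account keeps succeeding, but from sources and to destinations it never used before. This is an added example, not the post’s own code; the log format and every host, account and timestamp in it are constructed, and the baseline/threshold logic is one simple approach among many.

```python
import re
from collections import defaultdict

# Constructed events: a normal baseline week, then a night where 'alice' (stolen
# credentials) starts authenticating from another workstation to new servers.
BASELINE_LOG = """\
2020-03-16T08:01:10Z user=alice src=wks-alice dst=mailgw result=success
2020-03-16T08:05:44Z user=alice src=wks-alice dst=intranet result=success
2020-03-17T09:12:03Z user=svc_backup src=backup01 dst=fileserver01 result=success
2020-03-18T09:12:05Z user=svc_backup src=backup01 dst=fileserver02 result=success
2020-03-19T08:02:30Z user=alice src=wks-alice dst=mailgw result=success
"""
NEW_LOG = """\
2020-03-23T02:14:09Z user=alice src=wks-alice dst=mailgw result=success
2020-03-23T02:15:51Z user=alice src=wks-bob dst=dc01 result=success
2020-03-23T02:16:07Z user=alice src=wks-bob dst=fileserver01 result=success
2020-03-23T02:16:30Z user=alice src=wks-bob dst=hr-db result=failure
2020-03-23T09:12:02Z user=svc_backup src=backup01 dst=fileserver01 result=success
"""
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$")


def parse(log: str):
    """Parse one event per line into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in (EVENT_RE.match(l.strip()) for l in log.splitlines()) if m]


def build_baseline(events):
    """Per account, the (src, dst) pairs seen during known-good operation."""
    base = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            base[e["user"]].add((e["src"], e["dst"]))
    return base


def detect_lateral_movement(baseline, events, new_dst_threshold=2):
    """Flag successful logons from a source the account never used, and accounts
    reaching >= new_dst_threshold previously unseen hosts within the window."""
    alerts, new_dsts = [], defaultdict(set)
    for e in events:
        if e["result"] != "success":
            continue  # failures are noisy; only valid-credential use counts here
        known = baseline.get(e["user"], set())
        if e["src"] not in {s for s, _ in known}:
            alerts.append(f"{e['ts']} {e['user']}: logon from unseen source {e['src']} to {e['dst']}")
        if e["dst"] not in {d for _, d in known}:
            new_dsts[e["user"]].add(e["dst"])
    for user, dsts in new_dsts.items():
        if len(dsts) >= new_dst_threshold:
            alerts.append(f"{user}: reached {len(dsts)} previously unseen hosts {sorted(dsts)}")
    return alerts
```

Running `detect_lateral_movement(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))` yields two unseen-source alerts for `alice` from `wks-bob` plus one fan-out alert, while the baseline window itself produces none.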

As this current situation unfolds, we can expect more attacks of this nature on critical infrastructure and assets. Organizations – particularly government agencies, private companies and healthcare providers – need to be hyper-vigilant and redefine how they’re assessing risk in this new normal. Employee education on phishing and other popular endpoint attack methods is critical to prevent attacks from taking hold. But it cannot end there.

Contrary to popular belief, the greatest risk organizations currently face is not the initial infiltration, which cannot be prevented 100 percent of the time, but failing to contain attackers before they can access or affect critical data and assets. Managing access to privileged accounts and credentials is an effective way to break the cyber kill chain, minimize the moves a threat actor can make after infiltrating an organization and, ultimately, prevent a data breach or disruption.

To learn more, read “5 Reasons to Prioritize Privileged Access Management (PAM)” or explore our free collection of cybersecurity resources.
