Cybersecurity Update: Malware Blacklist and Remote Desktop Vulnerabilities

Seyfarth Shaw LLP

Seyfarth Synopsis: In the past week, the cybersecurity community has seen a dramatic increase in the number of attacks on healthcare organizations around the globe. Despite the despicable nature of these attacks by malicious actors trying to get rich off the suffering of others, a force for good has recently arisen from the cybersecurity community to help combat the threats.

The COVID-19 Cybersecurity Threat Intelligence League was formed by Ohad Zaidenberg last week and has quickly grown to over 900 cybersecurity experts who are volunteering their time and experience to help healthcare organizations defend against malicious threat actors. The group comprises malware researchers, white hat hackers, CISOs, cyber consultants, reverse engineers, coders, software providers, and others. Seyfarth’s own Richard Lutkus is involved with the group and is helping with cybersecurity-related legal issues that members have. As part of the FBI’s InfraGard Special Interest Group for Legal, Richard is helping share information between law enforcement (including DHS, FBI, etc.) and private sector organizations.

One of the immediately useful results of the group’s collective wisdom is a publicly available list of IP addresses, URLs, file hashes, and domains known to be related to COVID-themed malware, ransomware, phishing, or other malfeasance. The link below leads to each category’s list. Network administrators and cyber professionals can use these lists to help protect their networks from these growing threats, and the lists are likely to be updated frequently. A blocklist works by preventing malicious sites and applications from connecting the victim to the threat actor; when that connection fails, the malicious intent is frustrated. Thus, even when an employee accidentally clicks a malicious link, the list can serve as a first line of defense by stopping the malicious website from opening.

https://github.com/COVID-19-CTI-LEAGUE/PUBLIC_RELEASE
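The following is an added example, not code from the CTI League repository or from Seyfarth, showing how a defender can consume an indicator list of this kind: it parses a text list into IPs, CIDR ranges, domains, URLs and SHA-256 hashes, then matches sample proxy and endpoint events against it, so that subdomains of a listed domain and addresses inside a listed range are also caught. The one-indicator-per-line format and every indicator and event value below are constructed for illustration; the real lists should be loaded from the repository and may use a different layout.

```python
"""Parse an indicator blocklist and match events against it.
Added example; the list format and all sample values are constructed,
not taken from the COVID-19 CTI League repository."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample list (one indicator per line, '#' starts a comment).
# None of these values are real indicators.
SAMPLE_BLOCKLIST = """
# domains
covid19-relief-portal.example
who-update.example
# ips and ranges
203.0.113.45
198.51.100.0/24
# urls
http://corona-map.example/download/setup.exe
# sha256 hashes (placeholder value)
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def classify(indicator):
    """Return 'url', 'sha256', 'ip' (address or CIDR), 'domain', or None."""
    if "://" in indicator:
        return "url"
    if SHA256_RE.match(indicator):
        return "sha256"
    try:
        ipaddress.ip_network(indicator, strict=False)
        return "ip"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(indicator) else None


def parse_blocklist(text):
    """Build a dict of sets keyed by indicator type; IPs become networks
    so that a single address and a CIDR range are matched the same way."""
    lists = {"ip": set(), "domain": set(), "url": set(), "sha256": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind = classify(line)
        if kind == "ip":
            lists["ip"].add(ipaddress.ip_network(line, strict=False))
        elif kind in lists:
            lists[kind].add(line.lower().rstrip("."))
    return lists


def domain_blocked(host, domains):
    """A listed domain also covers all of its subdomains."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def ip_blocked(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def match_event(event, lists):
    """event: dict with optional 'dst_ip', 'url', 'sha256'.
    Returns the list of matching indicators (empty if clean)."""
    hits = []
    if event.get("dst_ip") and ip_blocked(event["dst_ip"], lists["ip"]):
        hits.append("ip:" + event["dst_ip"])
    if event.get("url"):
        url = event["url"].lower()
        host = urlsplit(url).hostname or ""
        if url in lists["url"]:
            hits.append("url:" + url)
        elif domain_blocked(host, lists["domain"]):
            hits.append("domain:" + host)
    if event.get("sha256") and event["sha256"].lower() in lists["sha256"]:
        hits.append("sha256:" + event["sha256"].lower())
    return hits


# Constructed sample events (proxy requests and one file hash from EDR).
SAMPLE_EVENTS = [
    {"url": "https://mail.who-update.example/login", "dst_ip": "192.0.2.10"},
    {"url": "http://corona-map.example/download/setup.exe", "dst_ip": "198.51.100.77"},
    {"sha256": "0123456789ABCDEF" * 4},
    {"url": "https://www.who.int/", "dst_ip": "192.0.2.20"},
]


def scan(events=SAMPLE_EVENTS, text=SAMPLE_BLOCKLIST):
    """Return [(event_index, hits)] for every event that matched."""
    lists = parse_blocklist(text)
    results = []
    for i, event in enumerate(events):
        hits = match_event(event, lists)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan():
        print(f"event {idx}: {', '.join(hits)}")
```

The same `match_event` logic can be wired into a proxy log pipeline or a DNS sinkhole feed; the point of matching on the parsed parent domain rather than the literal string is that phishing kits routinely hang new subdomains off an already-listed domain.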

Beyond the list above, a major threat has bubbled up to the surface recently. In our prior article, we discussed the increase in remote workers as a threat to organizations. It appears that threat is already being acted upon by malicious threat actors. Seyfarth’s cybersecurity team is aware of over 767,000 computers around the world currently online that have exposed Remote Desktop Protocol (aka “RDP”) sessions and whose login credentials are being actively sold on the Dark Web. Typically, this service operates on port 3389 or 3390. Exposing it to the Internet without source-IP limitations at the firewall level is bad enough on its own. However, because of a Microsoft bug (CVE-2019-0708) from last year relating to Remote Desktop, systems that have not been patched are at extremely high risk. Unfortunately, we are seeing many unpatched systems, and we now have evidence of active exploitation of them.
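As an added example (not Seyfarth’s tooling), the script below turns the two risk factors in this paragraph into a triage of an asset inventory: whether TCP/3389 or 3390 is listening, whether the firewall allows it from anywhere, from specific Internet addresses, or only from internal ranges, and whether the CVE-2019-0708 patch is applied. The inventory schema (`listening`, `fw_rules`, `patched_cve_2019_0708`) and every host in it are constructed assumptions; in practice the same fields would be populated from a firewall export and patch-management data.

```python
"""Rank hosts by RDP exposure and CVE-2019-0708 patch status.
Added example with a constructed inventory; the schema is an assumption."""
import ipaddress

RDP_PORTS = {3389, 3390}
# Source ranges treated as internal: RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def source_kind(cidr):
    """Classify an allowed firewall source as 'any', 'internal' or 'internet'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:          # 0.0.0.0/0 or ::/0: no source restriction
        return "any"
    if any(i.version == net.version and net.subnet_of(i) for i in INTERNAL_NETS):
        return "internal"
    return "internet"               # specific public addresses only


def exposure(host):
    """Return 'none', 'unreachable', 'internal', 'restricted' or 'any'."""
    ports = RDP_PORTS & set(host["listening"])
    if not ports:
        return "none"
    kinds = {source_kind(src) for rule in host["fw_rules"]
             if rule["port"] in ports for src in rule["sources"]}
    if not kinds:
        return "unreachable"        # listening, but no inbound rule permits it
    if "any" in kinds:
        return "any"
    if "internet" in kinds:
        return "restricted"
    return "internal"


# (exposure, patched) -> severity. Unpatched always ranks one step higher.
SEVERITY = {
    ("none", True): "info",         ("none", False): "info",
    ("unreachable", True): "low",   ("unreachable", False): "medium",
    ("internal", True): "low",      ("internal", False): "medium",
    ("restricted", True): "medium", ("restricted", False): "high",
    ("any", True): "high",          ("any", False): "critical",
}
ORDER = ["critical", "high", "medium", "low", "info"]


def assess(host):
    """Return (exposure, severity) for one inventory record."""
    exp = exposure(host)
    return exp, SEVERITY[(exp, bool(host["patched_cve_2019_0708"]))]


def triage(inventory):
    """Return (name, exposure, severity) rows, most severe first."""
    rows = [(h["name"],) + assess(h) for h in inventory]
    return sorted(rows, key=lambda r: ORDER.index(r[2]))


# Constructed inventory; names, addresses and patch states are made up.
INVENTORY = [
    {"name": "web-01", "listening": [443], "fw_rules": [], "patched_cve_2019_0708": True},
    {"name": "jump-01", "listening": [3389],
     "fw_rules": [{"port": 3389, "sources": ["0.0.0.0/0"]}], "patched_cve_2019_0708": False},
    {"name": "fin-02", "listening": [3389],
     "fw_rules": [{"port": 3389, "sources": ["198.51.100.0/28"]}], "patched_cve_2019_0708": True},
    {"name": "hr-03", "listening": [3390],
     "fw_rules": [{"port": 3390, "sources": ["10.0.0.0/8"]}], "patched_cve_2019_0708": False},
    {"name": "dev-04", "listening": [3389],
     "fw_rules": [{"port": 3389, "sources": ["0.0.0.0/0"]}], "patched_cve_2019_0708": True},
]

if __name__ == "__main__":
    for name, exp, sev in triage(INVENTORY):
        print(f"{sev:8} {name:8} rdp exposure: {exp}")
```

The ordering makes the remediation queue explicit: a host that is both reachable from any source and unpatched is the only combination rated critical, and fixing either factor (restricting the source ranges at the firewall, or applying the patch) drops it a level.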

While the list of currently vulnerable and exploited systems mentioned above cannot be shared publicly, if you are a firm client, we can search the list for you and report back. Please share the above information with your CISO, CIO, CTO, or CSO (or anyone who fills that role for your organization) so that you can better defend against these ongoing threats.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Seyfarth Shaw LLP | Attorney Advertising

