The Computer Incident Response Center of Costa Rica (CSIRT-CR) issued an alert to the information officers of public institutions and political parties about a piece of malicious software (malware) called Drovorub.
The CSIRT-CR, which belongs to the Ministry of Science, Technology and Telecommunications (Micitt), explained in mid-August that the malware belongs to a group known as APT28 (Fancy Bear), which targets precisely this kind of organization. The original alert came from the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) in the United States.
Drovorub targets out-of-date Linux systems, breaking into them to steal information. (It is worth remembering that many servers run on open-source operating systems.) US authorities link the same group to attempts to compromise Internet of Things (IoT) devices as a way into networks and, from there, into data systems.
It is not, of course, the only attack that has occurred lately.
A report from the cybersecurity firm Fortinet indicates that in the first half of 2020 more than 51 million computer attacks against institutional, business and personal systems and devices were detected in Costa Rica.
Since the beginning of the COVID-19 Pandemic, cybersecurity specialists have warned that attackers were trying to get into corporate systems by exploiting vulnerabilities in the home networks of employees shifted to telework.
“We see increasingly targeted cybercriminal activity in Costa Rica as hackers continue to launch sophisticated attack methods targeting unsuspecting victims, regardless of their location,” said Joaquín Martínez, manager of Fortinet Costa Rica.
Digitization and security
The Pandemic accelerated digitization with telecommuting, corporate services, e-commerce, remote learning, virtual events, telemedicine, application development, and communication, among others.
“In two months, progress was made in the digital transformation, which would have taken 24 months,” said Verónica Peña, Microsoft’s regional director of modern work solutions, security and surface.
Users, companies and institutions, some better positioned than others depending on how far their technology had already advanced, focused at first on keeping operations running in the midst of the emergency and confinement. The priority was to respond to the situation.
As the months have passed, with a full semester of emergency almost complete, efforts have turned to recovering some normality amid a second wave of infections and changing economic measures.
Security, meanwhile, rose quietly and in parallel to become a central concern of IT managers.
Incidents affecting some corporate services passed as quickly and quietly as they appeared, unlike those suffered by the online services of the Costa Rican Institute of Aqueducts and Sewers and the Box Correos service of Correos de Costa Rica.
A report from the firm PwC indicated that 78% of the companies surveyed had already made progress in training staff and raising their awareness of security matters.
During the pandemic crisis, investments in virtual private networks (VPNs), virtual desktop infrastructure (VDI), mobile device management, endpoint security and identity-based network architecture were critical to the move to remote work.
With these, they faced the increase in attacks since the start of the emergency, which was acknowledged by 60% of the 114 companies surveyed in Central America and the Dominican Republic between July 28 and August 18.
Because attackers also use advanced technology, companies found data-driven risk management tools invaluable: real-time threat intelligence, data analytics and cyber-risk quantification.
“Investments in resilience capabilities were useful for crisis management, such as business continuity and disaster recovery planning and managed detection and response services,” said the PwC report, released on August 24.
Types of attacks
Among the attacks detected are attempts to obtain user passwords (phishing), emails that forge the sender's identity (spoofing), and messages with links to fake pages or that prompt the download of a malware-laden file. Both Fortinet and PwC also cautioned that remote-work setups increase exposure and drive an escalation of social engineering campaigns.
Social engineering in recent months has focused on getting users to visit websites or click on malicious links, or to give out personal information over the phone, under pretexts related to the Pandemic.
Fortinet's report highlighted malware detections such as RTF/CVE, HTML/ScrInject and W32/Mimikatz. The first is a detection for booby-trapped Microsoft Office documents that exploit known vulnerabilities (the CVE in the name) in Office.
The second is a Trojan that establishes remote access and captures what the user types on the keyboard, collects system information, uploads and downloads files and launches denial-of-service attacks, among other things. The third is a credential-theft tool that extracts passwords from a compromised Windows machine and hands them to the attacker.
None of them is visible to the ordinary user, though some show symptoms such as unusual consumption of computer or device resources, which degrades performance.
Measures taken
According to PwC, most companies expect cyber attacks to increase over the next six months. Unauthorized access attempts would become more frequent, as would denial-of-service attacks.
They will also face greater risk of data theft, and of what that implies for companies legally under data protection regulations. Security firms stress the need to prepare users better and make them aware of how to avoid the attackers' traps; according to PwC, that is where companies' strategies are pointing.
Will it be enough?
In the meantime, precautions are never too late. To guard against Drovorub, take the following measures: update servers and equipment, update the Linux kernel to version 3.7 or later (the first kernel release able to verify kernel-module signatures, which matters because Drovorub installs a kernel-module rootkit), and check the network for unusual behavior.
Always change the passwords of servers, workstations, email accounts and other logins (bank passwords included). Use at least 12 characters, combining uppercase letters, numbers and special characters. And please do not show them to or share them with anyone.
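As an added example (not code from CSIRT-CR, the NSA/FBI advisory or Fortinet), the following POSIX shell script turns the kernel part of the Drovorub measures above into a check a Linux administrator can run: it compares the running kernel release against the 3.7 floor and reports whether the kernel is enforcing module signatures, since a floor of 3.7 is only useful if enforcement is actually on. The sysfs path and the version-string parsing are the script's own assumptions; it deliberately does nothing about the "unusual network behavior" point, which needs a baseline of the network that a script cannot construct.

```shell
#!/bin/sh
# Added example, not part of any official advisory. Checks two things a
# Drovorub hardening pass cares about on a Linux host:
#   1. the kernel is at least 3.7, the first release with kernel-module
#      signature verification (CONFIG_MODULE_SIG);
#   2. signature enforcement is switched on, so an unsigned rootkit module
#      is refused instead of merely logged.

# kernel_at_least WANT [HAVE]
# Returns 0 when kernel release HAVE (default: `uname -r`) is at least
# version WANT, comparing the major.minor pair only. Accepts distribution
# strings such as "5.4.0-42-generic" or "3.10.0-1127.el7.x86_64".
kernel_at_least() {
    want=$1
    have=${2:-$(uname -r)}

    want_major=${want%%.*}
    want_rest=${want#*.}
    want_minor=${want_rest%%[!0-9]*}

    have_major=${have%%.*}
    have_rest=${have#*.}
    # keep only the leading digits: "4.0-42-generic" -> 4, "1-rc1" -> 1
    have_minor=${have_rest%%[!0-9]*}

    [ "$have_major" -gt "$want_major" ] 2>/dev/null && return 0
    [ "$have_major" -eq "$want_major" ] 2>/dev/null &&
        [ "$have_minor" -ge "$want_minor" ] 2>/dev/null && return 0
    return 1
}

# module_sig_state [FILE]
# Prints Y if the kernel refuses unsigned modules, N if it only logs them,
# or "unknown" when the sysfs node is absent (kernel built without
# CONFIG_MODULE_SIG, or not Linux). FILE overrides the sysfs path for testing;
# the default path is an assumption about the running kernel's sysfs layout.
module_sig_state() {
    node=${1:-/sys/module/module/parameters/sig_enforce}
    if [ -r "$node" ]; then
        read -r state < "$node"
        printf '%s\n' "$state"
    else
        printf 'unknown\n'
    fi
}

# drovorub_kernel_check
# Human-readable report combining both checks for the current host.
drovorub_kernel_check() {
    release=$(uname -r)
    if kernel_at_least 3.7 "$release"; then
        printf 'kernel %s: at or above 3.7, module signing available\n' "$release"
    else
        printf 'kernel %s: BELOW 3.7, update (no module signature verification)\n' "$release"
    fi
    case $(module_sig_state) in
        Y) echo 'module signature enforcement: ON' ;;
        N) echo 'module signature enforcement: OFF (unsigned modules only logged)' ;;
        *) echo 'module signature enforcement: unknown (sysfs node absent)' ;;
    esac
}

drovorub_kernel_check
```

An "OFF" result on a kernel newer than 3.7 is the case the version floor alone would miss: the kernel can verify signatures but will still load an unsigned module after logging a taint warning, so enforcement (for example via the kernel's module.sig_enforce boot parameter) has to be turned on as well.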