Five Security Blind Spots from Prolonged Implementation of a Business Continuity Plan

February 20, 2020February 21, 2020

By Alban Kwan,
regional director, East Asia Share this post

The novel coronavirus outbreak (COVID-19) has prompted many organizations in Mainland China and Hong Kong to execute their business continuity plan (BCP). During the last epidemic in 2003, the SARS outbreak lasted for nine months—and with an infection rate that is increasing rapidly, this new coronavirus has the potential to cause prolonged periods of commercial disruption, and heavy reliance on BCPs.

The most common practice in a BCP is to give employees the ability to work from home through VPN for secure, remote access. Although VPN is already commonly used in the business world, this medical epidemic has created a sudden surge in massive and prolonged use in affected regions, which may expose organizations to unforeseen risks. This article details a few security blind spots that may arise.

1. VPN hijacking

In December 2019, a new vulnerability on VPN—CVE-2019-14899—was discovered.¹ Amazon ® engineer, Colm MacCárthaigh, described it as “extremely clever” and “very impressive.” This attack works across many different VPNs and “the VPN technology used does not seem to matter.”² It appeared to be a variation of the TCP sequence prediction attack, where the attacker observes to determine the TCP sequence to insert a malicious data packet and effectively hijack the VPN tunnel.

This type of attack could be very effective in targeted hijacking campaigns, and it works across any device and VPN. Unsuspecting employees accessing VPN through an unsecured home Wi-Fi network become susceptible.

MacCárthaigh, who develops Amazon Web Service’s VPN products, warned that the attack can pose an even more serious threat if combined with domain name system (DNS) spoofing.³ It’s easy for attackers to profile DNS requests and reply based on the size and position of the data packets; DNS is often the first traffic in a sequence, and a DNS query is made before VPN is established. As a result, “hijacking traffic via DNS is usually much more powerful than payload injection,”⁴ and can be used as a part of the VPN hijacking attack. A variation of this attack can also be used to steal VPN passwords, giving attackers free access to the corporate network.

2. Stealing VPN passwords through DNS hijacking

During the renowned DNS hijacking campaign by the Sea Turtle hackers in 2019, Cisco Talos reported that the perpetrators were able to steal email and other login credentials, and redirect all email and VPN traffic to fake servers controlled by the attackers. The attackers hijacked either the domain name registrar or the DNS service provider to gain access to business-critical domains of the victim organizations. Once a domain name is hijacked, the attacker can obtain the secure sockets layer (SSL) or transport layer security (TLS) digital certificate for the targeted domain (e.g., vpn.victimcompany.com), which allows them to “decrypt the intercepted email and VPN credentials and view them in plain text.”⁵

Other hackers have replicated the Sea Turtle attack, as evidenced by the increased number of DNS hijacks, and high-profile registrars hacked since. This trend is likely to continue, as it’s far more cost effective to hijack DNS then attack anything within a well-protected firewall.

3. Domain name and DNS security could affect VPN

VPNs can be set up either by using an IP address directly, or through your DNS. The benefit of using DNS is the flexibility it offers; hence, this is a popular option. With this, the domain name and DNS hijacking issues discussed above create another dimension of risk. To mitigate these risks, companies should review both the security of both their registrar and DNS.

I. Registrar security – Attackers can gain control over the nameserver record hosted with your domain name registrar, which links a domain to your DNS, if your account at your registrar is compromised. This allows them to redirect your core domains to any DNS, enabling all types of man-in-the-middle attacks. A registrar breach happens completely outside your firewall and must be mitigated through proper third-party risk management. An effective risk mitigation strategy includes:

Using enterprise-class providers. Avoid low-cost, low-security providers with a security breach history.
Ensuring your registrar provides registry lock services and has DNS security extensions (DNSSEC)enabled.
Ensuring your registrar login portal has proper two-factor authentication (2FA) implemented. If possible, avoid SMS-based 2FA.
Locking your vital domains at the registry(not to be confused with registrar lock).

It’s important to note that the domain behind your VPN connection might be different from your core domain. Domain names used internally could be neglected and may not be considered vital, needing attention and security controls. These domains could be considered to be of low importance, or were set up by an ex-employee or contractor, and your current network engineer may no longer have full visibility. We highly recommend that you conduct an internal audit to account for any domain used for internal critical systems, especially business continuity-related services, and to ensure proper security controls. If such domains are hacked, your BCP will fail.

II. DNS security and availability – The attacker can also hijack the DNS server directly. As long as your VPN connection uses the DNS, either a registrar or DNS hijack could completely shut down your BCP. Here are some best practices to mitigate DNS hijacking:

Use enterprise-class services. Avoid low-cost, low-security DNS services, especially free DNS.
Ensure your DNS login portal has proper two-factor authentication implemented, avoiding SMS-based 2FA.
Ensure your DNS service provider has 24/7 support and is able to make corrections through the system. If the service requires you to log a ticket and manually update your zone, the risk during an emergency is too high.
Monitor DNS zone file changes. While registry-registrar locks prevent unauthorized changes to your domain nameserver records in the WHOIS in a DNS hijack, it does not lock the zone. Partner with a provider who can offers monitoring or integrate monitoring with your SIEM.

Refer to 6 Ways to Strengthen DNS Security to learn more about securing your DNS.

4. SSL VPN and digital certificate management risks

VPN can either be encrypted through IPSec or SSL. Due to easier implementation, low cost, and higher scalability, SSL VPN is becoming more popular. With a lack of licenses, and the difficulty in implementing IPSec VPN systems when there is a sudden need to scale up access during a BCP situation, companies may have implemented SSL VPN for their remote employees.

If this is the case, it’s essential to consider the risks related to digital certificate management, which often arise from bad habits. Unfortunately, mismanagement happens rather regularly, even to large organizations, like LinkedIn®, causing significant loss to businesses (example 1, example 2, example 3).

If your organization has implemented SSL VPN in your BCP process, it’s critical to review your policy to ensure the certificate will not expire. Some best practices are:

If your organization has a significant number of digital certificates, consider a digital certificate management service that can enable automatic renewal and installation for both your internal and external certificates.
If automatic renewal is not preferred, there will always be a chance that a digital certificate will expire unnoticed; as Murphy’s Law states, whatever can go wrong, will go wrong. Your vendor’s ability to respond quickly during an incident becomes critical. They should have 24/7 support and preferably not be online only or accessible only through web forms.
Implement Certification Authority Authorization (CAA) record, which helps create a governance framework for your digital certificates. It helps prevents rogue SSL issuance on your domain, as well as prevent employees from purchasing from unauthorized vendors.

5. Phishing attacks during emergencies

It’s an unfortunate fact that in any emergency, there will be cyber criminals waiting to capitalize on the situation. “As people grow concerned about the Wuhan coronavirus … cyber criminals are preying on their fear, with phishing emails claiming to have advice on protective safety measures. Emails have been seen in the U.S. and U.K.”⁶

To date, CSC has detected 63 domain registrations containing the word “corona” ranging from informative sites, eCommerce site selling masks, to information site with subtle recommendations to buy certain branded medicine. If your company is related to medical supplies or pharmaceuticals, be aware that counterfeiters could be using phishing campaigns to promote counterfeit products, no matter whether your product actually has anything to do with corona virus.

Phishers, on the other hand, are unlikely to use the name of the virus in the email or the domain name; it would be too easy for anti-virus software to detect it. Instead, they use the brand as a hook for the victim to view a report on a macro-enabled Word document or an infected .PDF, hence infecting their machine. Companies need to be aware of the potential use of their brand as a means to phish, because in such cases, clients will be the victims and the brand will be damaged.

Phishing attacks can target your company internally through spear-phishing, whaling, or business email compromise (BEC) of your executives and employees, or externally, targeting your clients by using your brand name in a domain or brand spoofing phishing campaign. These attacks should be on the radar of the Information Security team.

For internally-focused phishing, it is recommended that domain message authentication, reporting, and conformance (DMARC) protocol is implemented to control the email rejection policy set up by your sender policy framework record. You should ensure your email gateway supports DMARC, to effectively filter spoofed emails pretending to be your employees or partners.

For externally-focused phishing, we recommend implementing an anti-fraud monitoring service. It is the only way to protect clients who may not have sophisticated firewalls and email gateways to protect them.

A BCP is used to ensure business as usual during a crisis, however if the systems that it uses, such as VPN, as well as DNS, domains, and digital certificates that sit outside the firewall are at risk, the BCP itself could expose organizations to vulnerabilities. Being mindful of these security blind spots can mitigate business continuity risks by ensuring the right security controls and policies are place.