As the threat to our health posed by COVID-19 increased, so did the number of cyber-attacks targeting notable organisations all over the world. Just a month after the world went into lockdown, the WHO reported a five-fold increase in cyber-attacks, warning the public to beware of fraudulent emails seeking to capitalise on uncertainty.
Uncertainty usually represents a golden opportunity for cyber-attackers, and it’s clear from the past few months that a global health catastrophe is no different. Rather than scaling back their operations, criminals have actively increased their efforts to maximise profits during the crisis, showing their mindset remains unchanged.
Attackers continue to use the same methods that worked for them long before 2020: find a way in, then target privileged access, or accounts with access to critical controls and confidential data, to unlock doors. It’s with this in mind that we’ve decided to examine attackers’ favourite intrusion techniques – phishing, and a popular malware choice – ransomware.
Social Engineering and Phishing: attackers target fears and concerns
If you were to build a profile of the most capable cyber-attacker out there, the chances are they would be an expert in social engineering. The best out there carefully study human behaviour and reverse-engineer our digital footprints to uncover what makes us click. They take the understanding that people crave order, familiarity and safety, are curious, and want to stay informed, and look to prey on these innate human traits. Phishing therefore remains an effective technique for hackers; according to Verizon’s 2020 DBIR, it remains the number one form of socially-driven breach.
It can be a profitable route for attackers that can do it right, as they need only slightly adjust their tactics to align with the story of the day. Take the phishing campaign directed at high-level executives at more than 150 businesses using Office 365 earlier this year. The attackers knew most executives were at that point working from home and used it to their advantage. While these attacks are nothing new, as hackers often create fake Microsoft 365 login pages to trick email users into entering their credentials, we’ve observed a ‘twist’ to this approach.
Clever attackers have also made hay targeting office workers working from home. They’ve done so by targeting temporary access tokens that allow users to sign in to all Microsoft applications. Stealing and using these temporary tokens allows hackers to bypass Multifactor Authentication (MFA) and retain access to networks by ‘legitimately’ refreshing the token. Even if a user changes their password, the token remains valid and cannot be revoked.
The pandemic has also created new channels of attack in the form of video and chat apps such as Microsoft Teams, Slack, and Zoom. Many of these have become a primary interface for organisations. Attackers have noticed this change in behaviour and added these cloud-based applications to their phish list, using the same general techniques they’ve used with email since hacking began.
Why? Because criminals can easily distribute malicious files, code, and even GIFs within these SaaS apps that allow them to scrape user data, steal credentials, and take over enterprise-wide accounts.
We should expect to see more innovation from cyber-attackers as organisations continue to onboard more cloud applications and services to support remote working. Ultimately, criminals can keep phishing, with ease, provided they keep changing the bait. Enforcing the rule of ‘least privilege’ and protecting credentials are critical.
Ransomware: seeking profit in crisis
Ransomware has always been most effective when targeting sensitive and confidential information. As the pandemic continues, reports of ransomware targeting hospitals and healthcare providers have highlighted the dangerous consequences of these attacks. Cyber-criminals understand that downtime can be the difference between life and death, and have taken to targeting important organisations, in the knowledge that many will pay out hefty ransoms to get operations back up and running quickly.
During this time, attackers have also extended their sights to a new sector – research and development and biotechnology companies working fast to find a coronavirus cure. As an example, Russian hacking group APT29 recently attempted to hack one of the UK’s coronavirus research labs, according to intelligence services.
This news serves as evidence that nation-state cyber attackers are targeting workers’ devices as they compete with other nations to find a cure and inform their own country’s response. And more often than not, they are searching for privileged credentials to establish a foothold. From there they can move laterally, maintain persistence on the network, and steal sensitive research little by little. In some cases, they may wait weeks or even months for the “perfect moment” to deploy ransomware to further exploit the victimised organisations.
Research, development, and biotech organisations are also coming into the spotlight. Many are highly vulnerable because they have not been targeted as intensely in the past, and are still maturing their security programs. A large number also don’t have the budget to dedicate to security that large corporates do. These industries may be the fashionable target now, but no organisation is safe from ransomware, which is only growing in popularity due to risky work-from-home habits and the rise in ransomware-as-a-service.
Ransomware attacks are not something new, but what’s changed most is the narrative. Security incidents and breaches linked to COVID-19 have been amplified by frenzied news coverage and constant social media chatter. The public, hungry for information and updates, is drawn to the drama. As a result, security is now at the forefront of conversation.
Taking a look at security practices
We’re not out of the woods with this pandemic yet. Organisations are considering permanent changes to their remote work policies, and with some workers returning to the office, there is still a lot to be determined when it comes to working practices and security. However, this first phase has revealed some trends about the way people behave and how businesses need to adapt their security policies to certain employee behaviours.
The time to scrutinise security practices is well upon us. It is particularly important for organisations to assess how they’re protecting privileged access – and chart the subsequent path for change. Now is the time to protect your organisation from future loss and strengthen your security posture to ensure long-term success.
Author: Lavi Lazarovitz, Head of Security Research at CyberArk Labs