COVID-19 Exploited By Cybercriminals
Cybercriminals are extremely agile. Not in a gymnastic way, but in the way they can react rapidly to a newsworthy event and use that as the cover story for a new set of threats. Or more accurately, to redecorate old threats and give them a new lease of life. They only need to reword their phishing emails so they refer to the news story, rebrand the email in the appropriate corporate livery, and send them out. They can do this with hardly any effort and in next to no time.
And of course, cybercriminals are heartless. As soon as the COVID-19 pandemic hit, phishing emails were arriving in people’s inboxes offering malicious links or attachments that purportedly contained information regarding infection rates, how to claim furlough payments, offering vaccines or cures, and supplies of sanitizer and face masks. Shortly after the phishing emails, the infected bogus websites and the malicious smartphone apps appeared.
Even worse, knowing that the COVID-19 pandemic made them even more critical than under normal conditions, healthcare and medical facilities have been specifically targeted with ransomware attacks. Healthcare staff are rushed, stressed, and more likely to fall for a phishing email because of the pressure-cooker conditions they’re operating in. The institution is also more likely to pay the ransom if it thinks that will get it back online faster. That there are lives at risk doesn’t bother the cybercriminals at all.
COVID-19 forced a huge change, with offices sitting practically empty and the majority of many workforces working from home. Those circumstances provided yet another set of opportunities to the threat actors.
Working from Home
The COVID-19 lockdowns have forced usually office-based employees to work from home. Personnel without a laptop and who cannot take their office desktop out of the building have been forced to use whatever hardware they happen to have at home.
A typical domestic laptop or desktop is less secure than a corporate machine. It won’t be subject to regular security and bug-fix patches, nor is it likely to have business-grade endpoint protection software on it—if it has any at all. It can have any software application under the sun installed on it, whether reputable or not, secure or not. And if it is the family computer, the other family members are going to want to use it too, including kids and teenagers.
As a result of using home computers, company material has been transported to the homes of the workforce and copied to unregulated home computers. It is being worked on locally, which is less secure, is not centrally managed, and is not included in the corporate backup scheme. The net result is that the risk of data loss is magnified.
The device they’re working on is unlikely to have a password that would satisfy your password policy, and it is unlikely that their Wi-Fi password would either. And that’s if they work from home and not from a cafe or library on a public Wi-Fi.
Many businesses already had some capability to accommodate remote workers, but they didn’t have the capacity to handle the majority of staff working from home. They were faced with the challenge of rapidly scaling up to meet the sudden demand of most of the workforce not coming into the office. Worse, other businesses had no remote working capability at all and had to quickly implement a solution that would allow outside connections into their networks.
All IT infrastructure decisions need to be given careful thought and review, but remote access is one that demands the highest levels of due care and attention. The focus should be on finding the right solution for the business, one that brings with it robustness and security—not finding the fastest thing you can implement. That type of haste breeds insecurity.
Cloud Working
Microsoft has said that its commercial cloud revenue has been boosted by the pandemic, with an increase of 31 percent. The scramble to go to the cloud to facilitate home working will no doubt harbor many examples of the same phenomenon: “What’s important right now is to get it working, we can fine-tune and lock it down later.”
Of course, a move to the cloud would be appropriate for many organizations. The cloud was built for power, scale, and integration, and most on-premise solutions simply can’t match its level of integrated security—or lack the budget to even try. But running to the cloud harum-scarum isn’t going to end well. Plan your migration carefully.
Video Conferencing
Video conferencing became the new phone call. The upsurge in the use of products like Zoom was unprecedented. Whenever there is a game-changing uptake of a particular technology the cybercriminals are running right alongside searching for new exploits.
Zoom in particular came into the spotlight for a lack of end-to-end encryption and other security shortfalls. The company actually took the step to freeze new development to allow their developers to work through the backlog of freshly discovered vulnerabilities.
In a time-critical situation, staff training and expertise are often overlooked in the rush to embrace a new product or technology. Employees with no previous experience were dropped in at the deep end and had to learn as they went along. Running any software with the bare minimum of knowledge is always a bad idea, but especially so with any kind of software that connects and unites remote sessions.
Crowded video conferences allow unauthorized participants to exploit either poorly configured—or completely ignored—security settings and to join the conference and hide in the crowd. They may either lurk and listen in, or behave in inappropriate and disruptive ways. This gave birth to a new phrase, “Zoom-bombing.”
As with all popular platforms, Zoom credentials can be purchased on the Dark Web, with over half a million account credentials available in April 2020. Not only will they let a threat actor into a Zoom call; because people often reuse passwords elsewhere, the chances of those credentials working on other accounts are high. That increases the success rate of credential stuffing attacks.
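Credential stuffing leaves a recognisable trace in authentication logs: one source address trying many distinct usernames with a high failure rate, and the occasional success where a password was reused. The following is an added example, not code from the original article, showing how a defender might flag that pattern. It assumes a hypothetical, constructed log format of "timestamp source_ip username result"; the sample log lines, the IP addresses and the usernames are all made up for the illustration.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not from the original article. The log format is a
constructed, hypothetical one: "<timestamp> <source_ip> <username> <result>".
"""
from collections import defaultdict

# Constructed sample log lines (hypothetical format; addresses are documentation ranges).
SAMPLE_LOG = """\
2020-04-01T09:00:01Z 203.0.113.7 alice FAIL
2020-04-01T09:00:02Z 203.0.113.7 bob FAIL
2020-04-01T09:00:02Z 203.0.113.7 carol FAIL
2020-04-01T09:00:03Z 203.0.113.7 dave FAIL
2020-04-01T09:00:03Z 203.0.113.7 erin OK
2020-04-01T09:00:04Z 203.0.113.7 frank FAIL
2020-04-01T09:00:05Z 203.0.113.7 grace FAIL
2020-04-01T09:01:10Z 198.51.100.4 alice FAIL
2020-04-01T09:01:15Z 198.51.100.4 alice FAIL
2020-04-01T09:01:20Z 198.51.100.4 alice OK
2020-04-01T09:02:00Z 192.0.2.9 bob OK
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, ip, user, result = parts
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that look like credential stuffing.

    Stuffing signature: one source trying many distinct usernames, mostly
    failing (a leaked password only works for the users who reused it).
    One user failing repeatedly from one IP (198.51.100.4 above) is a
    brute-force or forgotten-password pattern, so it is deliberately not flagged.
    """
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["hits"].add(e["user"])  # successful logins from a stuffing source need a forced reset
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in by_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised_users": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The thresholds (`min_users`, `min_fail_ratio`) are assumptions to tune against your own baseline; the useful output is the `compromised_users` list, which tells you whose reused password was accepted and therefore which accounts need a password reset and a second factor enforced.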
Steps You Can Take
Review any steps that you have been forced to take in haste. Remind staff of company policies and procedures because even the basics can get side-stepped when working conditions are not the norm.
Diligently review the security of recent infrastructure changes:

- If you’ve recently implemented remote access for workers, consider engaging with a penetration testing service.
- If you’ve migrated to the cloud because of the pandemic, check that all exposed services, databases, and APIs are protected and locked down.
- New accounts may have been assigned to cloud resources or remote access to offices. Remind homeworkers that all corporate accounts require robust passwords or pass-phrases. Implement two-factor authentication where possible.
- Create and implement guidelines for using domestic computers on corporate networks.
- Advise staff on—and provide guidance for—updating and patching operating systems, software, and endpoint protection suites.
- Homeworkers must not leave logged-on sessions unattended. They must log off when they leave their computer.
- Prohibit users from using their personal email accounts for business correspondence.
- Business documents must reside in business storage. They should never be placed in personal cloud storage.
- Hard copy documents must be stored out of sight when not in use, preferably in a locked cabinet.
- Advise staff to check that emails or phone calls allegedly from the IT team or tech support are genuine before complying with their requests.
- Remind staff to double-check links in emails by hovering the mouse over them before clicking. Attachments from unknown senders should be deleted.
- Have staff report anything suspicious.
- Communicate frequently with your workforce to alert them to the types of scams and attacks that have been detected, to help them stay informed, vigilant, and safe.