The COVID-19 pandemic is disrupting life and businesses across the globe. Institutions like government offices, finance, healthcare, and businesses are rapidly transitioning to digital media to keep their employees safe and operations unhampered. Due to this dynamic situation, organizations are experiencing new paradigms that significantly impact the security aspect of operations.
“Work from Home” is the term that has become the new normal for organizations due to the pandemic. For some businesses, remote working is not new. For them, the only changes they need to make are — upgrading their network and data access policies and scaling their IT infrastructure. But for some organizations, working from home is a completely new paradigm, and for that, they are not prepared to address the needs from the technology, operations, and policies perspective. They are facing several challenges in these areas. But the main challenge is securing their crucial and sensitive business data as attack surfaces become wider due to remote working arrangements.
Recently, a joint alert was issued by the US and UK Federal cyber agencies stating that the COVID-19 pandemic is being exploited by hackers to compromise the endpoints used for remote work by employees of businesses and organizations. United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the United Kingdom’s National Cyber Security Centre (NCSC) shared the observations focusing on some of the latest incidents. According to the alert, many fraud schemes and phishing scams are launched to take advantage of the heightened emotional quotient due to the pandemic.
In the crosshairs of cybercriminals are individual users, enterprises, and big organizations. The cybercriminals are implementing social engineering tactics that will lure the end-users to take actions on email or links shared by them via social media. The idea is to capitalize on the curiosity and concern around the pandemic.
Endpoint security is a critical concern for CXOs and IT managers because most of the compromises and infections happen at end-user devices. The challenges that IT teams face are:
- Remote workers use personal devices or emails while accessing critical business data
- Appropriate deployment and configurations of business services to remote users, corporate virtual private networks, and new advanced authentication methods like two-factor authentications, etc.
Using a corporate VPN is the safest option while transferring business data and accessing digital corporate assets. But most countries have restrictions and directives for the legality of VPNs.
Types of Threats
Phishing is the most conventional type of attack executed by cybercriminals. In this type of attack, an email containing a call to action is dispatched to the target users, encouraging them to visit the website after which these criminals steal valuable information like login details, credit card data, and personal information of the victims. Using the website, attackers can inject malware and keyloggers to endpoint systems that run like a process and continuously log data and perform malicious activities. It also allows attackers to sniff out data exchanged with business servers.
Phishing attacks are not only implemented using email but also via text messages (SMS). Attackers can also ask for financial help or provide information about non-existent government schemes around regarding the pandemic to get personal details or gain access to mobile phones to steal sensitive information.
Additionally, personal user credentials or business credentials might be at risk. An attacker can impersonate email service providers like Gmail or Outlook and ask for the password to visit the webpage with email subject lines like “Important update on COVID-19 viruses.”
Another type of phishing attack that attackers are implementing is sending an email containing an attachment carrying malware. The attachment can be a Word or a PDF document with a title like “Important advisories for COVID-19” or “Insurance helpline information for employees in COVID-19 Pandemic.” When a victim opens the file, the malware gets executed and starts performing malicious activities on the system. It is found that the Trickbot Malware is widely used to leverage the COVID-19 situation. It started with targeting Italian users. This malware compromised the system by running a macro to install more ransomware (like a Trojan) that can steal credentials, log data, and hack wireless routers.
Targeted Attacks Against Newly and Rapidly Deployed Remote Access Infrastructure
Hackers are also targeting specific business segments to steal data. This includes large enterprises, government agencies, healthcare firms, banking firms, and so on. Hackers are performing a focused attack to take advantage of the less secure and newly deployed remote infrastructure as most of the organizations are new to such kind of operational environment. Attackers are exploiting the vulnerabilities in corporate VPN systems and Citrix servers.
Misconfiguration and Usage of Vulnerable Applications
With the remote working trend, the number of endpoints has increased. As most of the endpoint users are located at remote locations from the organization premises, it is difficult for the IT team to manually configure endpoint systems (laptops or desktops) and install the necessary software to stay secure from the various cyber threats. Manual intervention increases the chances of misconfiguration. Recent studies published by research firms and leading security providers point out misconfiguration is the biggest cause for security breaches or vulnerabilities.
Several VPN solutions provided by leading security firms are also found to be vulnerable to security breaches that can be exploited. Even video conferencing tools like Zoom are found to be troubled by security vulnerabilities. Hackers can carry out targeted attacks on such systems by exploiting a vulnerability and hijack meetings to steal sensitive information. Zoom was recently banned by Google and the Taiwan government. There could be instances wherein a remote worker will use such vulnerable open solutions or Android applications in their systems to provide a backdoor entry to hackers into the system.
- Organizations should release guidelines for protection against individually targeted phishing scams. Technical measures should be taken so that such emails do not reach the remote users.
- Individuals should double-check the authenticity of emails before clicking on any email attachment.
- Individuals should avoid sharing information with websites that seem enticing, especially with regard to COVID-19.
- IT teams should quickly deploy endpoint detection and response solutions that enable automated policy enforcement, detection, and incident response.
- IT teams should provide a list of authorized applications for remote users to use for their systems and telecommunication. Also, existing applications in systems need to patch immediately. Meetings scheduled in video conference applications should be set as private and password-protected.
- Authentication breaches are a common type of attack. SMS-based authentication can reduce the possibility of bypassing the authorization modules. Organizations should deploy SMS-based or multifactor authentication (MFA) at endpoint as well as network infrastructure layers. Also, IT teams should make it mandatory for employees to update the password periodically to make it stronger.
The basic nature of cybercriminals is opportunistic, looming around targets and taking advantage of their weaknesses to break into systems. There are two major types of opportunities that they seek:
- People are scared and hungry for more information around events like COVID-19. In panic mode, they surf the internet, visit fake pages, and fall prey to phishing scams.
- Endpoints for remote access have increased due to remote working, increasing surface areas for cybercriminals to target.
With this shift in IT security paradigms, IT teams and security architects need to focus on new endpoint security countermeasures to detect threats in real-time, using automation solutions. Also, end-users of businesses should make sure that false applications are verified by IT teams.
The New Stack is a wholly owned subsidiary of Insight Partners. TNS owner Insight Partners is an investor in the following companies: Real.