With COVID-19 spreading across the globe, headlines about cyberattacks on organizations have been near-constant amid the chaos. The Twitter accounts of several major companies and public figures were recently hijacked to solicit cryptocurrency "donations", and the accounts were locked while the incident was investigated. India has also seen a sudden spike in cyberattacks as organizations rushed to adopt Work From Home, a shift that has acted as a catalyst for attackers. Attackers are becoming smarter and more sophisticated, making it more vital than ever to have a reliable digital security strategy.
Warren Buffett once said, “Don’t let a good crisis go to waste.” Cyber attackers have long subscribed to this mantra, and it’s clear from the past few months that they are continuing to follow this approach.
According to the PwC report 'Covid-19 crisis, the impact of cybersecurity on Indian organizations', more than a dozen fake versions of the PM CARES Fund website have emerged, putting donors' information and money at risk.
Meanwhile, new Microsoft research indicates that malware attacks linked to coronavirus were "barely a blip" in the total volume of threats it typically sees each month. Those attacks peaked in March, plateaued into a new normal and have since settled back into business as usual: "typical phishing and identity compromise patterns."
Attackers continue to use the same tried-and-true methods that worked for them long before 2020: find a way in, then go after privileged access to unlock doors and reach whatever they are really after.
Phishing: Gaining a Foothold Through Social Engineering
Cyber attackers are skilled practitioners of psychology. They study human behaviour and mine our digital footprints to work out what makes us tick, and click. They understand that people crave order and safety and are anxious to stay informed. Phishing preys on these basic needs and remains highly effective: it is the leading social-engineering action in breaches, according to the 2020 Verizon DBIR.
The Indian Computer Emergency Response Team (CERT-In) recently issued a warning about a phishing campaign aiming to harvest personal and financial information. A number of similar attacks have already been reported as executives and employees alike work from home.
These attacks are, in themselves, nothing new: attackers drive users to fake login pages to trick them into entering their credentials or downloading malicious files. In recent months, though, we have observed a twist that targets the temporary tokens (OAuth access and refresh tokens) that Azure AD issues to provide Single Sign-On (SSO) across Microsoft 365 and other Microsoft applications. A token stolen after the victim has already completed Multifactor Authentication (MFA) is a bearer credential: whoever holds it is accepted without a password or a second factor, so the attacker bypasses MFA and can persist on the network by "legitimately" refreshing the token. A password change helps less than users expect. An access token already issued stays valid until it expires (typically around an hour) and cannot normally be revoked before then; the longer-lived refresh token can be revoked by an administrator, but until that is done the attacker keeps obtaining fresh access tokens.
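To make the token-theft scenario concrete, here is an added Python example (not code from the original article or from CyberArk) that does two things a responder needs: it reads the expiry claim of a recovered access token to see how long it stays usable, and it scans sign-in records for a session whose non-interactive token use comes from a different IP address or user agent than the MFA-backed interactive sign-in that created it. The sign-in records are constructed for the example, and their field names (sessionId, interactive, mfa, userAgent) are a simplified schema loosely modelled on Azure AD sign-in logs, not the exact export format.

```python
"""Added example: spot replay of a stolen SSO bearer token.

1. decode_jwt_claims / token_usable_at: how long a recovered access token
   stays usable (an access token cannot be revoked before its `exp`).
2. find_token_replays: sessions where a non-interactive token use comes from
   a different IP or user agent than the MFA-satisfied interactive sign-in.

SIGNINS is constructed data with a simplified schema modelled loosely on
Azure AD sign-in logs; it is not the real export format.
"""
import base64
import json
from collections import defaultdict


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a sample JWT with a placeholder signature (demonstration only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature.

    Fine for triage (reading `exp`, `upn`, `scp` on a recovered token); never
    a substitute for signature verification when accepting tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS compact token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_usable_at(claims: dict, now: int) -> bool:
    """A bearer access token is accepted until `exp`, regardless of a later
    password change; only the refresh token can be revoked server-side."""
    return claims.get("nbf", 0) <= now < claims["exp"]


# Constructed sign-in records (RFC 5737 test addresses). ts is Unix time.
SIGNINS = [
    {"user": "alice@example.com", "sessionId": "s-1", "ts": 1000, "interactive": True,
     "mfa": True, "ip": "203.0.113.10", "userAgent": "Chrome/Windows"},
    {"user": "alice@example.com", "sessionId": "s-1", "ts": 1600, "interactive": False,
     "mfa": False, "ip": "203.0.113.10", "userAgent": "Chrome/Windows"},
    {"user": "bob@example.com", "sessionId": "s-2", "ts": 2000, "interactive": True,
     "mfa": True, "ip": "198.51.100.7", "userAgent": "Edge/Windows"},
    {"user": "bob@example.com", "sessionId": "s-2", "ts": 2300, "interactive": False,
     "mfa": False, "ip": "192.0.2.55", "userAgent": "python-requests/2.25"},
    {"user": "carol@example.com", "sessionId": "s-3", "ts": 3000, "interactive": False,
     "mfa": False, "ip": "203.0.113.44", "userAgent": "Outlook/Windows"},
]


def find_token_replays(events: list) -> list:
    """Flag non-interactive token uses whose source IP or user agent differs
    from the interactive, MFA-satisfied sign-in that created the session."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["sessionId"]].append(ev)

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        anchor = next((e for e in evs if e["interactive"] and e["mfa"]), None)
        if anchor is None:
            continue  # no MFA-backed origin to compare against
        for ev in evs:
            if ev["interactive"] or ev["ts"] < anchor["ts"]:
                continue
            if ev["ip"] != anchor["ip"] or ev["userAgent"] != anchor["userAgent"]:
                alerts.append({
                    "user": ev["user"], "sessionId": session_id,
                    "mfa_ip": anchor["ip"], "use_ip": ev["ip"],
                    "use_agent": ev["userAgent"],
                })
    return alerts


if __name__ == "__main__":
    claims = decode_jwt_claims(
        make_unsigned_jwt({"upn": "bob@example.com", "iat": 2000, "exp": 5600}))
    print("token still usable after a password change at t=3000:",
          token_usable_at(claims, 3000))
    for alert in find_token_replays(SIGNINS):
        print("possible token replay:", alert)
```

A hit from find_token_replays is a trigger to revoke the user's refresh tokens and re-verify MFA registration; the access token already in the attacker's hands remains valid until its `exp`, so keep watching that account for the rest of the token's lifetime. Legitimate users do change networks mid-session, so in production the IP comparison is better done at the ASN or named-location level than on the raw address.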
Video and chat apps have become the new face of the organization during this period of remote work. Attackers have added these cloud-based applications to their phishing lures, and users now face a tide of messages impersonating them.
Within these SaaS apps, attackers can distribute malicious files, code and even GIFs to scrape user data, steal credentials and take over accounts enterprise-wide. And by compromising employees' digital identities, particularly those of privileged users such as sysadmins, they can establish persistence and siphon sensitive data from these collaboration tools: daily reports, financial data, IP and more.
At the end of the day, it's still phishing. Enforcing least privilege, credential theft protection and application control across endpoints, whether they are at home or in the office, is critical.
Ransomware: Attacks of Opportunity
Ransomware has always been most effective when it targets critical and time-sensitive information. As the name suggests, it is a virtual kidnapping of data that can cost an organization a fortune. As the pandemic surged, reports of ransomware hitting hospitals and healthcare providers underscored the dangerous, even deadly, consequences of these attacks. Knowing that downtime can spell the difference between life and death, cyber criminals have actively targeted these organizations, confident of the hefty ransoms they can demand to get operations back up and running quickly.
During this time, attackers extended their sights to a new sector: research and development and biotechnology companies racing to find a coronavirus cure. In one instance, for example, a top executive received a phishing email leading to a fake login page designed to steal passwords. As more organizations progress their vaccine research, cybercriminals with varying motives have stepped up their attacks.
As nations race to find a cure and to inform their own country's response, nation-state APT attackers are attacking exposed Remote Desktop Protocol (RDP) services or targeting workers' endpoints in search of privileged credentials to establish a foothold and move laterally. From there, they can maintain persistence on the network and steal sensitive research little by little. In some cases they wait weeks or even months for the "perfect moment" to deploy ransomware and squeeze the victim organization further.
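The RDP foothold described above usually starts with password guessing against an exposed service, which leaves a recognisable trail in the Windows Security log. The following is an added Python example (not code from the original article or from CyberArk) that flags three patterns in a window of events: a burst of failed RDP logons from one source, a password spray (one source trying several accounts), and a successful RDP logon that arrives right after such a burst. The event records are constructed for the example; the field names mirror the Security log (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), but the record shape is a simplified dict rather than a raw EVTX or XML export, and the thresholds are assumptions to tune for your environment.

```python
"""Added example: detect RDP brute force, password spraying, and a success
that follows a burst of failures, from Windows Security event records.

EVENTS is constructed data. EventID 4625/4624 and LogonType 10 are the real
Security log values; the dict layout and the thresholds are assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # look-back window per source IP (assumed)
FAIL_THRESHOLD = 5     # failures from one IP inside the window (assumed)
SPRAY_ACCOUNTS = 3     # distinct accounts tried from one IP inside the window (assumed)


def _ev(ts, event_id, ip, user, logon_type=10):
    return {"ts": ts, "EventID": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user}


# Constructed events (RFC 5737 test addresses). ts is Unix time.
EVENTS = (
    # 198.51.100.23: six failures against "admin" in 50 s, then a success
    [_ev(100 + 10 * i, 4625, "198.51.100.23", "admin") for i in range(6)]
    + [_ev(160, 4625, "198.51.100.23", "admin", logon_type=3),  # network logon, ignored
       _ev(170, 4624, "198.51.100.23", "admin")]
    # 203.0.113.9: one failure each against four different accounts (spray)
    + [_ev(200, 4625, "203.0.113.9", "alice"), _ev(210, 4625, "203.0.113.9", "bob"),
       _ev(220, 4625, "203.0.113.9", "carol"), _ev(230, 4625, "203.0.113.9", "dave")]
    # 192.0.2.8: a user who mistyped twice and then got in (benign)
    + [_ev(300, 4625, "192.0.2.8", "erin"), _ev(310, 4625, "192.0.2.8", "erin"),
       _ev(320, 4624, "192.0.2.8", "erin")]
)


def detect_rdp_attacks(events, window=WINDOW_SECONDS,
                       fail_threshold=FAIL_THRESHOLD, spray_accounts=SPRAY_ACCOUNTS):
    """Return alerts for RDP (LogonType 10) brute force, password spraying,
    and a success that follows a burst of failures from the same source IP."""
    recent = defaultdict(deque)  # source IP -> (ts, account) failures inside the window
    fired = set()                # (kind, ip) already alerted, so each fires once per IP
    alerts = []

    def fire(kind, ev, **extra):
        key = (kind, ev["IpAddress"])
        if key in fired:
            return
        fired.add(key)
        alerts.append({"type": kind, "ip": ev["IpAddress"], "ts": ev["ts"], **extra})

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["LogonType"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        q = recent[ev["IpAddress"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if ev["EventID"] == 4625:
            q.append((ev["ts"], ev["TargetUserName"]))
            tried = sorted({acct for _, acct in q})
            if len(q) >= fail_threshold:
                fire("brute_force", ev, failures=len(q))
            if len(tried) >= spray_accounts:
                fire("password_spray", ev, accounts=tried)
        elif ev["EventID"] == 4624 and len(q) >= fail_threshold:
            # the interesting one: guessing stopped because it worked
            fire("success_after_failures", ev,
                 account=ev["TargetUserName"], failures=len(q))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(EVENTS):
        print(alert)
```

The `success_after_failures` alert is the one to page on: it marks the moment an exposed RDP service turned into a foothold, and the account it names is where to start looking for lateral movement. The benign case (two typos then a login) stays below the threshold, which is the tradeoff these numbers encode; with real logs, also exclude your own jump hosts and scanners from the source-IP side.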
R&D and biotech organizations are particularly vulnerable: many have little history of being targeted and are still catching up on security standards while operating in a far more exposed, remote environment. But while these industries may be the target du jour, no organization is safe from ransomware.
The recent agreement between India and Israel to expand cooperation in cybersecurity may help reduce the vulnerabilities exposed by rapid digitization. What has changed most during this period of uncertainty is the narrative: security incidents and breaches linked to COVID-19 are amplified by frenetic news coverage and constant social media chatter.
So, Now It’s Your Turn: Don’t Let a Good Crisis Go to Waste
The end of the problem is not yet in sight, and it will require continued effort from authorities at every level, particularly as organizations consider permanent changes to remote work policies. But this first phase has revealed some important truths about how people behave and work, and how businesses need to adapt to this new reality.
Now is the time to scrutinize your security practices, particularly how you protect privileged access, and chart your path for change. By seizing this opportunity, you can protect your organization from future loss and strengthen your security posture for long-term success.
By Rohan Vaidya, Managing Director, Sales, CyberArk India