Authored by: Lavi Lazarovitz, CyberArk Research Lab Team Leader
Since COVID-19 began to spread rapidly across the globe, we’ve seen near-constant headlines of cyber attacks hitting organisations in the midst of chaos. An elite group of cyber criminals launched a sophisticated phishing campaign in mid-March, trying to break into the World Health Organisation (WHO) and access critical systems and applications. One of the largest hospitals and COVID-19 testing facilities in the Czech Republic was hit by an attack and forced to cancel operations and relocate patients to other hospitals. Meanwhile, spikes in financially motivated attacks seemed to peak as the United States confirmed its first case of COVID-19.
Warren Buffett once said, “Don’t let a good crisis go to waste.” Cyber attackers have long subscribed to this mantra, and it’s clear from the past few months that they are continuing to follow this approach. An FBI lead described these trends as a “collision of highly motivated cyber threat actors and an increase in opportunities.”
But while some threat actors ramped up efforts to maximise profits amidst the crisis – nothing has substantially changed in their approach.
In fact, new Microsoft research indicates that malware attacks linked to coronavirus were “barely a blip” in the total volume of threats it typically sees each month. The global nature and universal impact of the crisis simply made cyber criminals’ work easier. Microsoft notes the attacks peaked in March, then plateaued into a new normal. While these attacks are still more frequent than in January and February, the vast majority of the threat landscape, according to the Microsoft study, has settled back into business as usual: “typical phishing and identity compromise patterns.”
Attackers continue to use the same tried-and-true methods that worked for them long before 2020: find a way in, then target privileged access to unlock doors and get to where you want to go. It’s in that spirit that we wanted to examine attackers’ favourite intrusion technique –phishing – and a popular malware choice – ransomware.
Phishing: Gaining a Foothold through Social Engineering
Cyber attackers are the ultimate psychologists. They carefully study human behaviour and reverse-engineer our digital footprints to uncover what makes us tick – and what makes us click. They understand that people crave order and safety and that they are curious and want to stay informed. Phishing preys on these basic human needs and remains highly effective. It’s the number one form of social driven breach, according to the 2020 DBIR. Attackers simply need to re-skin these tactics to align with the crisis or story of the day.
Take the Office 365 phishing attacks, for example. In early May, reports emerged of a phishing campaign that hit high-level executives using Office 365 at more than 150 businesses. A number of similar attacks have been reported, as executives and employees alike work from home.
While these attacks, in of themselves, are nothing new – attackers often create fake, malicious Microsoft 365 login pages to trick email users into entering their credentials – we’ve observed a “twist” to this approach in recent months that targets temporary tokens (aka access tokens) that are generated to allow Single Sign-On (SSO) for Microsoft 365 and all Microsoft applications. By stealing and using these temporary tokens, attackers can bypass Multifactor Authentication (MFA) and persist on the network by “legitimately” refreshing the token. What’s more, even if a user changes their password, the token remains valid and cannot be revoked.
Video and chat apps – like Microsoft Teams, Slack, WebEx, Zoom and Google Hangouts – have become the new face of the organisation during this time of remote work. Attackers have added these cloud-based applications to their phish list, using the same general techniques they’ve used with email since forever.
Within these SaaS apps, they can easily distribute malicious files, code and even GIFs to scrape user data, steal credentials and even take over entire enterprise-wide accounts. (Read more about this in the Labs Teams’ research piece, “Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams.”) Or, by compromising employees’ digital identities – particularly those of privileged users like sys admins – attackers can develop persistence and siphon sensitive data from these collaboration tools – daily reports, financial data, IP and more.
As organisations onboard more cloud applications and services to support their remote workers, we can expect to see more innovations like these from attackers. But, at the end of the day, it’s still phishing. Enforcing least privilege, credential theft protection and application control across endpoints – whether they’re at home or the office – is critical.
Ransomware: Attacks of Opportunity
Ransomware has always been most effective when targeting critical and time-sensitive information. As the pandemic surged, reports of ransomware targeting hospitals and healthcare providers underscored the dangerous – even deadly – consequences of these attacks. Understanding that downtime can spell the difference between life and death, cyber criminals have long targeted these critical organisations, knowing that they will often pay out hefty ransoms to get operations back and running quickly.
During this time, attackers extended their sights to a new sector – research and development and biotechnology companies working fast to find a coronavirus cure.
As they compete with other nations to find a cure, and also inform their own country’s response, nation-state APT attackers are launching RDP attacks or targeting workers’ endpoints in search of privileged credentials to establish a foothold and move laterally. From there, they can maintain persistence on the network and steal sensitive research little by little. In some cases, they may wait weeks or even months for the “perfect moment” to deploy ransomware to further exploit these victim organisations. Microsoft research shows how criminal groups are using popular strains, like Robbinhood, Maze and REvil, to carry out “long-tail” ransomware attacks.
R&D and biotech organisations are particularly vulnerable, since they’ve not been targeted heavily in the past and many are still maturing their security programs. But, while these industries may be the target du jour, no organisation is safe from ransomware. It’s a widely used attack vector that continues to grow in popularity thanks to risky work-from-home habits and the rise in ransomware-as-a-service.
What’s changed most during this time of uncertainty is the narrative. Security incidents and breaches linked to COVID-19 are amplified by frenetic news coverage and constant social media chatter. The public, hungry for information and updates, is drawn to the drama – and headlines of sophisticated scams and ruinous ransomware have delivered on that. As a result, security is now at the forefront of conversation.
So, Now It’s Your Turn: Don’t Let a Good Crisis Go to Waste
We’re not out of the woods yet and there’s still much to be learned, particularly as organisations consider permanent changes to remote work policies. But this first phase has revealed some important truths about the way people behave and work and how businesses need to adapt for this new reality.
Now is the time to scrutinise your security practices—particularly how you’re protecting privileged access – and chart your path for change. By taking this opportunity, you can protect your organisation from future loss and strengthen your security posture to ensure long-term success.