Cyber attacks in the pandemic era: More of the same?

Attackers are useing the same methods that worked for them long before 2020

Since Covid-19 began spreading across the globe, we’ve seen near-constant news headlines of cyber-attacks targeting important and prestigious organisations all over the world.

An elite group of cyber-criminals launched a sophisticated phishing campaign in mid-March, trying to break into the World Health Organization (WHO) to access critical systems. One of the largest hospitals and coronavirus testing facilities in the Czech Republic was hit by an attack and forced to cancel operations and relocate patients to other hospitals. More recently, Russia’s APT29 hacking group targeted virus research centres in Britain.

The global crisis has boosted levels of uncertainty for most. But for cyber-attackers, uncertainty is synonymous with opportunity. It’s clear from the past few months that a global health catastrophe is no different, too. Rather than scaling back their operations, some criminals have actively increased their efforts to maximise profits during the crisis, showing their mindset remains unchanged.

In fact, Microsoft research indicates that malware attacks linked to coronavirus were “barely a blip” in the total volume of threats it sees each month. The firm notes that the attacks peaked in March, then plateaued. Although these attacks are still more frequent than in January and February, the majority of the threat landscape, according to the Microsoft study, has settled back into “typical phishing and identity compromise patterns.”

Attackers continue to use the same methods that worked for them long before 2020: find a way in, then target privileged access to unlock doors.  It’s with this in mind that we wanted to examine attackers’ favourite intrusion technique – phishing, and a popular malware choice – ransomware.

Phishing: Gaining a foothold through social engineering

The best cyber-attackers are brilliant social engineers. They carefully study human behaviour and reverse-engineer our digital footprints to uncover what makes us click. They understand that people crave order, familiarity and safety, are curious, and want to stay informed. Phishing preys on these innate human traits and therefore remains an effective technique for hackers. According to Verizon’s 2020 DBIR, it remains the number one form of socially-driven breach.

Attackers need only ‘re-skin’ their tactics to align with the story of the day. Take the phishing campaign directed at high-level executives at more than 150 businesses using Office 365 earlier this year. The attack exploited the development that most executives were at that point working from home. While these attacks are nothing new, as hackers often create fake Microsoft 365 login pages to trick email users into entering their credentials, we’ve observed a ‘twist’ to this approach.

In recent months, criminals have been targeting temporary access tokens that allow users to sign in to all Microsoft applications. Stealing and using these temporary tokens allows hackers to bypass Multifactor Authentication (MFA) and remain on the network by ‘legitimately’ refreshing the token. Even if a user changes their password, the token remains valid and cannot be revoked.

The pandemic has also created a new angle of attack is the use of video and chat apps – Microsoft Teams, Slack, and Zoom. Many of these have become a primary interface for organisations during this period. Attackers have noticed this change in behaviour and added these cloud-based applications to their phish list, using the same general techniques they’ve used with email since hacking begun.

Why? Because criminals can easily distribute malicious files, code, and even GIFs within these SaaS apps that allows them scrape user data, steal credentials, and take over enterprise-wide accounts.

As organisations onboard more cloud applications and services to support their remote workers, we can expect to see more innovation from cyber-attackers. Ultimately, criminals can change the bait, but it’s all still phishing. Enforcing the rule of ‘least privilege’ and protecting credentials are critical.

Ransomware: Attacks of opportunity

Ransomware has always been most effective when targeting critical and time-sensitive information. As the pandemic continues, reports of ransomware targeting hospitals and healthcare providers have underscored the dangerous consequences of these attacks. Cyber-criminals understand that downtime can be the difference between life and death, and have long targeted important organisations, in the knowledge that they will often pay out hefty ransoms to get operations back up and running quickly.

During this time, attackers extended their sights to a new sector – research and development and biotechnology companies working fast to find a coronavirus cure. As an example, Russian hacking group APT29 recently attempted to hack one of the UK’s coronavirus research labs, according to intelligence services.

As they compete with other nations to find a cure and inform their own country’s response, nation-state APT attackers are targeting workers’ devices in search of privileged credentials to establish a foothold. From there they can move laterally, maintain persistence on the network, and steal sensitive research little by little. In some cases, they may wait weeks or even months for the “perfect moment” to deploy ransomware to further exploit the victimised organisations.

Research, development, and biotech organisations are particularly vulnerable, since they have not been targeted as intensely in the past, and many are still maturing their security programs. Many also don’t have the budget to dedicate to security that large corporates do. But while these industries may be the fashionable target now, no organisation is safe from ransomware, which is only growing in popularity due to risky work-from-home habits and the rise in ransomware-as-a-service.

What’s changed most is the narrative. Security incidents and breaches linked to Covid-19 have been amplified by frenetic news coverage and constant social media chatter. The public, hungry for information and updates, is drawn to the drama. As a result, security is now at the forefront of conversation.

Time to assess security practices

We’re not clear of the pandemic yet. There’s still much to be learned, particularly as organisations consider permanent changes to remote work policies. Nonetheless, this first phase has revealed some important realities about the way people behave and how businesses need to adapt for this new reality.

Now is the time to scrutinise your security practices – particularly how you’re protecting privileged access – and chart your path for change. Take the opportunity, to protect your organisation from future loss and strengthen your security posture now to ensure long-term success.