Earlier in our blog, we listed many cyber-attacks launched by adversaries that were making use of the COVID19 fear to target victims. This blog reflects upon the risks associated with the sudden, unprepared shift to remote work that this pandemic has forced organizations into adopting. It discusses the risks associated with remote collaboration tools, the surge in phishing campaigns as employees work on unprotected home networks, and statistics on fraud using pandemic themes.
Traffic on the public Internet has grown by half this year while video conferencing bandwidth went up five times, all driven by social distancing and remote work requirements. According to Kentik, a provider of machine learning based network operations, video conferencing has seen a 500% increase. Overall, the week-to-week growth in bandwidth consumption matched the month-to-month growth seen last year. Comcast also saw virtual private network (VPN) traffic jump 40% and video conferencing traffic rise 212% since the beginning of March. Zoom alone has reportedly recorded 200 million daily users throughout March, up 20 times since December. It added more users in the first quarter of 2020 than in all of 2019.
As reliance upon remote collaboration tools increases unprecedentedly, one key question is how safe these apps and tools, such as Skype, Zoom, Slack and Webex, really are.
When organizations go remote, virtual meetings are inevitable. While remote collaboration tools relieve employers and employees, they induce anxiety and uncertainty in IT teams. The fear is not baseless. The security posture of these apps makes them particularly vulnerable to zero-day attacks and evasive malware. Many vulnerabilities in Zoom have been reported, including one that leaks Windows credentials. Zoom has made many headlines for its security issues, but major security flaws also exist in other popular collaboration apps, including Microsoft Teams and Slack. A few weeks back, phishing attacks were found targeting Webex credentials.
Now that these apps are an operational necessity and cybercriminals are actively searching for opportunities, they have become a wide attack surface. The surge in downloads of these apps is a delicious sight for cybercriminals, who drool over the endless trail of opportunities. Flaws and errors tend to linger in many open source tools, and issuing patches is not always a developer's top priority.
Therefore, as we go online remotely, all employees need to understand that they are at risk, and that they are a risk for the entire organization. Basic training can help them keep their endpoints secure, curb the instinct to browse freely on office devices, and avoid becoming a red carpet for an intruder into the organization's infrastructure.
While these apps may just be for remote collaboration or video conferencing, they are a substantial risk for an organization. Much of the confidential transfer of information that used to happen under the company's protected network is now being done over remote collaboration tools. What's at risk? Sensitive, valuable and confidential information that is transferred through these apps. Additionally, the nature of the vulnerabilities in these tools and apps may not limit the impact to the applications themselves. As the flaw in Zoom reveals Windows credentials, it may be exploited in many other attacks to take over a system.
Phishing remains the master of horrors in current times, as it can initiate many kinds of cyber-attacks. For instance, credentials stolen via phishing may lead to a business email compromise (BEC). One business email compromise may sprout a chain reaction. Why? Because we are comfortable responding to colleagues. As skeptical as we may be about unknown emails, we are likely to open and respond to an announcement from our HR, a meeting invite from a teammate, or a Google Form from our marketing team. It could turn into a clicking spree, compromising too many business emails before the organization gets a chance to detect it.
Can collaboration apps be eliminated altogether? Well, amid prevalent economic uncertainty, enterprises cannot afford to go offline. And to stay online, they need the apps, which means they will be exposed to cyber-attacks. They are left with no choice but to accommodate risks to operations to avoid a definite operational shutdown. Anti-malware and endpoint detection and response (EDR) tools may seem like lifesavers to some organizations, but they will not catch zero-days, and the threat continues to linger.
Many organizations will also attempt to use free or outdated VPNs, unaware of how outdated VPNs are exploited in the wild. The Pulse Secure VPNs that were exploited for a while should serve as a lesson. Therefore, selecting a VPN is also a challenge.
Attackers use the economic uncertainty as bait and target employees on home networks with offers of financial relief funds and corona safety kits from health organizations and NGOs.
Rewterz has released more than 40 advisories related to COVID19 phishing attacks. The distinct ones are listed below:
Other massive phishing campaigns that have been observed using the COVID-19 theme to target victims are as follows:
Cyber security is a more serious concern now than ever before, as organizations rapidly enable remote work at the cost of security standards.
While vulnerabilities are being revealed in the tools in use, and the surge in COVID-related cyber-attacks continues, there is a parallel concern: exposed RDP ports.
With remote work enabled and security controls not yielding their best possible results, the cherry on top is the availability of exposed RDP ports. With more entry points, a confidentiality breach may be one click away.
RDP is used to connect remotely to an employee's desktop, and is often used by telecommuters and by tech support personnel troubleshooting an issue. A successful attack would result in unauthorized remote access to the target computer with all of the user's privileges and access rights. Below is a distribution of RDP brute-force attacks by date and country.
The chart above, by Kaspersky, shows a recent spike in brute-force attacks on RDP accounts, amounting to 100,000-150,000 per day in January and February and soaring to nearly a million per day at the beginning of March.
Preventing brute force against RDP is not rocket science: enabling multifactor authentication and using strong passwords are the bare minimum conditions to prevent it.
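As an added illustration of the detection side of the RDP brute-force problem described above (example code, not part of the original post), the following Python script flags source addresses that produce a burst of failed RDP logons. It assumes Windows Security events flattened to one line each (Event ID 4625 = failed logon, LogonType 10 = RemoteInteractive/RDP) and runs over constructed sample lines.

```python
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample export of Security event 4625/4624 lines (made up, not real telemetry).
SAMPLE_LOG = """\
2020-03-02T09:00:01 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2020-03-02T09:00:03 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.7
2020-03-02T09:00:04 EventID=4625 LogonType=10 Account=root SourceIP=203.0.113.7
2020-03-02T09:00:06 EventID=4625 LogonType=10 Account=user SourceIP=203.0.113.7
2020-03-02T09:00:08 EventID=4625 LogonType=10 Account=test SourceIP=203.0.113.7
2020-03-02T09:05:00 EventID=4625 LogonType=10 Account=alice SourceIP=198.51.100.4
2020-03-02T09:20:00 EventID=4625 LogonType=10 Account=alice SourceIP=198.51.100.4
2020-03-02T09:21:00 EventID=4624 LogonType=10 Account=alice SourceIP=198.51.100.4
2020-03-02T09:30:00 EventID=4625 LogonType=2 Account=bob SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)

def parse_failed_rdp_logons(text):
    """Yield (timestamp, source_ip, account) for failed RDP logons only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed export format
        if m["eid"] == "4625" and m["lt"] == "10":
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["acct"]

def find_bruteforce_sources(text, threshold=5, window_seconds=60):
    """Return {source_ip: sorted distinct accounts tried} for every source that
    produced at least `threshold` failed RDP logons inside a sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    accounts = defaultdict(set)   # ip -> account names it tried
    flagged = {}
    for ts, ip, acct in parse_failed_rdp_logons(text):
        q = recent[ip]
        q.append(ts)
        accounts[ip].add(acct)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            flagged[ip] = sorted(accounts[ip])
    return flagged

if __name__ == "__main__":
    for ip, accts in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"RDP brute-force suspected from {ip}: tried {accts}")
```

Successful logons (4624) and non-RDP logon types are ignored, so a user who mistypes a password twice in fifteen minutes is not flagged, while a single source spraying five accounts in seconds is.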
With so many security threats lingering in cyberspace, and with so many users flocking online, financial fraud is inevitable. Attackers are busy making money off COVID-themed frauds. The Federal Trade Commission of the USA reports the following statistics for corona-related fraud from January to April 2020: in a total of 25,406 complaints, a huge amount of $19.31 million has been lost. Below is the categorization of these reports:
Top products and services offered to target users are shown below:
Based on contact method of fraud, below is the recorded monetary loss:
Based on payment method of the transactions, below are the reported frauds:
Additionally, it is crucial to teach every user the following best practices: