Recent news headlines suggest that we’re currently living through a cybersecurity maelstrom. Private and public organizations both large and small are being hacked almost every week. Just this month, Norway’s parliament suffered a cyber-attack which impacted both government ministers and opposition leaders, showing just how easily hackers can target those in positions of influence. Other attempts on well-known organizations this year include one on the World Health Organization back in March, and Russian APT29 hacking group’s attacks on virus research centers in Britain in July.
The pandemic is the principal reason for this purported rise in criminal activity. It is an unusual situation for human society, something we haven’t dealt with in living memory. We are uncertain of what is to come, even now. And as we all know, periods of prolonged uncertainty often prove to be a watershed for a wave of cyber-hunting. One thing that hasn’t changed, however, is cybercriminals’ methods of attack. In fact, Microsoft research indicates that malware attacks linked to coronavirus were “barely a blip” in the total volume of threats it monitors. Although they were more frequent than in January and February, the threat landscape has now settled back to “typical phishing and identity compromise patterns.”
It’s with this in mind that we wanted to examine attackers’ favorite intrusion technique – phishing, and a popular malware choice – ransomware.
You can change the bait, but it’s still phishing
According to Verizon’s 2020 DBIR, phishing remains the number one form of socially-driven breach. The best cyber-attackers are also brilliant at understanding human behavior patterns. They track our habits online, and then use this to support their attacks. As long as human beings remain prone to persuasion and error – traits that are built into our DNA – phishing’s success will persist. That being said, the method behind each attack or campaign is most often the same. Attackers need only ‘re-skin’ their tactics to align with the story of the day.
One example is the recent phishing campaign that used Microsoft 365 to target high ranking executives at over 150 businesses. Attacks using Microsoft 365 are nothing new, but this time the attackers used a simple insight to their advantage: most of their targets would be working from home.
In recent months, criminals have been targeting temporary access tokens that allow users to sign in to all Microsoft applications. Stealing and using these temporary tokens allows hackers to bypass Multifactor Authentication (MFA) and remain on the network by ‘legitimately’ refreshing the token they’ve seized. Even if a user changes their password, the token remains valid and cannot be revoked.
Another new angle of attack is through collaboration apps – such as Microsoft Teams, Slack, and Zoom, which have become a primary interface for organizations during this period. Attackers have noticed this change in behavior and added these cloud-based applications to their phish list, using the same general techniques they’ve used with email since hacking begun.
Why? Because criminals can easily distribute malicious files, code, and even GIFs within these SaaS apps that allows them scrape user data, steal credentials, and take over enterprise-wide accounts. Criminals can change the bait, but it’s still phishing. And as long as these methods continue to prove successful, attackers will rely on them. Protecting credentials to defend against attacks like those using Microsoft 365 is vital.
Holding research to ransom
Every organization should fear a successful ransomware attack. They can cause massive damage, and often cause weeks of downtime when targeting important organizations. The pandemic has typified this, with hospitals and healthcare centers being subject to numerous attacks. Ransomware attacks are an attractive choice of weapon for the cybercriminal as victimized organizations will often pay out a hefty ransom. They have no choice if their data has been successfully breached and they haven’t proactively backed it up.
During the pandemic, attackers extended their sights to a new sector – R&D and biotechnology companies working fast to find a coronavirus cure. As mentioned earlier, Russian hacking group APT29 recently attempted to hack one of the UK’s coronavirus research labs, according to intelligence services. As they compete with other nations to find a cure and inform their own country’s response, nation-state APT attackers are targeting workers’ devices in search of privileged credentials to establish a foothold. From there they can move laterally, maintain persistence on the network, and steal sensitive research little by little. In some cases, they may wait weeks or even months for the “perfect moment” to deploy ransomware to further exploit the victimized organizations.
Research, development, and biotech organizations are particularly vulnerable, since they haven’t been as popular a target in the past, and many are still maturing their security programs. Many also don’t have the budget to dedicate to security that large corporates do. But while these industries may be the fashionable target now, no organization is safe from ransomware, which is only growing in popularity due to risky work-from-home habits and the rise in ransomware-as-a-service.
Above all, it’s the narrative that has changed the most. Security incidents and breaches linked to COVID-19 have been amplified by frenetic news coverage and constant social media chatter. The public, hungry for information and updates, is drawn to the drama. As a result, security is now at the forefront of conversation.
Learning from the pandemic
We’re still in the early stages of learning from our mistakes during the pandemic. That doesn’t mean we can’t learn from the security lessons of the past six months. It’s important to take what we do know and use the knowledge to adapt with speed and efficiency. Security practices must be reconsidered, with a special focus on the threats that phishing and malware present. No organisation is exempt from the scrutiny of attackers, whatever form of ‘normal’ we’re living in.
- Lavi Lazarovitz, Head of Security Research, CyberArk Labs.