As the nation’s businesses hunkered down to work at home, criminal groups not only continued their attacks, but also adapted their tactics to exploit the security gaps that opened up.
Over the last few weeks, we saw an increase in attacks targeting a workforce that is now almost entirely relying on VPN connections and cloud-based applications. From consultant and investment firms to manufacturers and retailers, businesses in all sectors are under threat from attacks exploiting the Covid-19 crisis.
Here is a rundown of the biggest threats we have seen in the wild, and what organisations can do to protect themselves.
VPN brute-force attacks
It has been reported that the use of VPNs skyrocketed 33 per cent in the first weeks of the lockdown. Threat actors sought to exploit this trend by targeting VPN portals with brute-force attacks – attempting to gain access with previously stolen credential lists. This method, also known as credential stuffing, relies on users recycling the same username and password combinations for different logins. If the attacker has a match from a previous breach, they will gain network access.
Watch for unusual authentication behaviour that indicates brute-force attempts. Hundreds of failed login attempts from the same IP will be a very obvious indicator, but attackers may also play the long game, requiring a more in-depth analysis that takes in different sources such as perimeter telemetry and Active Directory. In one instance, a manufacturing firm was targeted with a slow and steady attack that used multiple IPs over a longer period.
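The three patterns described above (a noisy burst from one address, a low-and-slow campaign spread over many addresses, and a success that follows a run of failures) can be pulled out of VPN authentication logs with per-source and per-account sliding windows. The script below is an added example, not code from the article or from Varonis; the log line format, the user names and the RFC 5737 documentation addresses are constructed for illustration, and `parse_line()` would need to be adapted to whatever syslog your VPN concentrator emits.

```python
"""Brute-force and credential-stuffing patterns in VPN authentication logs.

Added example, not code from the article or from Varonis. The log line
format is constructed for illustration; adapt parse_line() to the syslog
your VPN concentrator actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not an auth record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "src": m["src"], "result": m["result"]}


def parse_log(text):
    events = [parse_line(line) for line in text.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def burst_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Noisy brute force: >= threshold failures from one source IP inside `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
    flagged = []
    for src, times in fails.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


def low_and_slow_users(events, min_failures=5, min_sources=3, window=timedelta(hours=24)):
    """Distributed stuffing: one account failing from several IPs over a long window.
    Per-IP thresholds never fire on this, so the aggregation is per account."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append((e["ts"], e["src"]))
    flagged = []
    for user, items in fails.items():
        start = 0
        for end, (t, _) in enumerate(items):
            while t - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            if len(span) >= min_failures and len({s for _, s in span}) >= min_sources:
                flagged.append(user)
                break
    return sorted(flagged)


def successes_after_failures(events, min_failures=3, lookback=timedelta(hours=24)):
    """A success that follows repeated failures for the same account: the stuffed
    list may have contained a valid password. Returns (user, source) pairs."""
    hits = []
    for e in events:
        if e["result"] != "OK":
            continue
        prior = [f for f in events
                 if f["user"] == e["user"] and f["result"] == "FAIL"
                 and e["ts"] - lookback <= f["ts"] < e["ts"]]
        if len(prior) >= min_failures:
            hits.append((e["user"], e["src"]))
    return sorted(set(hits))


def _line(ts, user, src, result):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} vpn auth user={user} src={src} result={result}"


# Constructed sample log (addresses from the RFC 5737 documentation ranges).
T0 = datetime(2020, 4, 1, 8, 0, 0)
SAMPLE_LOG = "\n".join(
    # Burst: twelve failures against 'alice' from one address within a minute.
    [_line(T0 + timedelta(seconds=5 * i), "alice", "203.0.113.10", "FAIL") for i in range(12)]
    # Low and slow: 'bob' fails once every three hours from five addresses, then a success.
    + [_line(T0 + timedelta(hours=3 * i), "bob", f"198.51.100.{i + 1}", "FAIL") for i in range(5)]
    + [_line(T0 + timedelta(hours=15), "bob", "198.51.100.9", "OK")]
    # Benign: 'carol' mistypes once, then logs in from her usual address.
    + [_line(T0 + timedelta(minutes=1), "carol", "192.0.2.7", "FAIL"),
       _line(T0 + timedelta(minutes=2), "carol", "192.0.2.7", "OK")]
)
EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("burst sources:", burst_sources(EVENTS))
    print("low-and-slow targets:", low_and_slow_users(EVENTS))
    print("suspicious successes:", successes_after_failures(EVENTS))
```

The per-account window is the part that catches the manufacturing-firm style attack: each address in bob's campaign fails only once, so no per-IP rule fires, but five failures from five sources inside a day followed by a success is exactly the shape a credential list produces.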
Malicious Azure apps
A recent trend involves targeting users with phishing attacks that include fake, malicious Azure application links. Azure use soared during the lockdown, with Microsoft reporting a 775 per cent increase in Azure tenants over the last month alone. This means many employees are using Azure apps to facilitate remote working for the first time, providing a prime target for phishing attacks.
Organisations need to track Azure application consent requests and watch for signs of attack. Criminals can gain network access very quickly after their victim downloads the malicious app. Time is not on your side – you need to react in real time. You must identify compromised accounts that begin to exhibit unusual activity. Behavioural analytics can help tip the odds in your favour.
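Tracking consent requests means more than counting them: what matters is which application was granted what, by whom, and whether several users granted the same unknown app within minutes of each other, which is what a phishing wave carrying a malicious app link looks like. The following is an added example, not code from the article or from Varonis. The event shape is a constructed, simplified version of a tenant audit-log export, the application IDs and user names are made up, and the scope lists and approved-app allowlist are assumptions that would be replaced by your own policy.

```python
"""Triage of Azure AD application consent grants from audit-log events.

Added example, not code from the article or from Varonis. The event shape is
a constructed, simplified version of what a tenant's audit log export
contains; the field names are assumptions and must be mapped to your export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes that give an app broad read/write over user data or the directory.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Directory.ReadWrite.All", "MailboxSettings.ReadWrite",
}
# offline_access yields a refresh token, so the app keeps access after the
# victim's browser session ends.
PERSISTENCE_SCOPES = {"offline_access"}

# Application IDs the organisation has reviewed and approved (constructed).
APPROVED_APPS = {"11111111-0000-0000-0000-000000000001"}


def consent_findings(event, approved_apps=APPROVED_APPS):
    """Return the list of reasons a consent grant deserves a look (empty = fine)."""
    scopes = set(event["scopes"])
    reasons = []
    if event["app_id"] not in approved_apps:
        reasons.append("app not on the approved list")
    if scopes & HIGH_RISK_SCOPES:
        reasons.append("high-risk scopes: " + ", ".join(sorted(scopes & HIGH_RISK_SCOPES)))
    if scopes & PERSISTENCE_SCOPES:
        reasons.append("requests offline_access (persistent refresh token)")
    if not event.get("publisher_verified", False):
        reasons.append("publisher not verified")
    return reasons


def triage(events, approved_apps=APPROVED_APPS):
    """Unapproved apps that also request risky/persistent access or are unverified."""
    out = []
    for e in events:
        reasons = consent_findings(e, approved_apps)
        if "app not on the approved list" in reasons and len(reasons) > 1:
            out.append((e["user"], e["app_name"], reasons))
    return out


def consent_wave(events, window=timedelta(hours=1), min_users=3, approved_apps=APPROVED_APPS):
    """Same unapproved app consented to by several users in a short window: the
    signature of a phishing campaign carrying a malicious app link."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["app_id"] not in approved_apps:
            by_app[e["app_id"]].append(e)
    waves = []
    for grants in by_app.values():
        for i, first in enumerate(grants):
            users = {g["user"] for g in grants[i:] if g["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                waves.append(first["app_name"])
                break
    return sorted(waves)


T0 = datetime(2020, 4, 6, 9, 0, 0)
BAD_APP = "deadbeef-0000-0000-0000-00000000bad1"   # constructed app id


def _event(minutes, user, app_name, app_id, scopes, verified):
    return {"ts": T0 + timedelta(minutes=minutes), "user": user, "app_name": app_name,
            "app_id": app_id, "scopes": scopes, "publisher_verified": verified}


# Constructed sample events.
SAMPLE_EVENTS = [
    # Three users consent to the same unknown "Invoice Viewer" within 20 minutes.
    _event(0, "alice@corp.example", "Invoice Viewer", BAD_APP, ["Mail.Read", "offline_access"], False),
    _event(8, "bob@corp.example", "Invoice Viewer", BAD_APP, ["Mail.Read", "offline_access"], False),
    _event(19, "carol@corp.example", "Invoice Viewer", BAD_APP, ["Mail.Read", "offline_access"], False),
    # Approved internal expenses app with minimal scope.
    _event(30, "dave@corp.example", "Contoso Expenses", "11111111-0000-0000-0000-000000000001", ["User.Read"], True),
    # Unapproved but verified, low-privilege widget: worth inventory, not an alert.
    _event(45, "erin@corp.example", "Weather Widget", "22222222-0000-0000-0000-000000000002", ["User.Read"], True),
]

if __name__ == "__main__":
    for user, app, reasons in triage(SAMPLE_EVENTS):
        print(f"{user} consented to {app}: {'; '.join(reasons)}")
    print("consent waves:", consent_wave(SAMPLE_EVENTS))
```

The wave detector is the time-critical half: a single consent to an unverified mail-reading app is a ticket, three of them in twenty minutes is an incident, and the grants themselves are the point at which the app can be disabled before the attacker has used the tokens.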
For many workers, the lockdown has been their first foray into remote working, leaving them particularly vulnerable to attack. Threat actors can use fake Office 365 login screens to steal credentials and authentication tokens, giving them everything they need to impersonate the user and log in from their own device.
Multifactor authentication (MFA) is designed to prevent compromise through stolen credentials, but attackers can use man-in-the-middle attacks to intercept the authentication token and log in from their machine.
To identify an attack in progress, keep an eye on unusual activity such as simultaneous logins from different locations, as well as logins that don’t match the user’s normal activity patterns. When you’re watching for unusual behaviour, you can shut it down before it escalates.
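Both checks above can be run over the identity provider's sign-in log once each record carries a geolocation: the "simultaneous logins from different locations" case becomes an impossible-travel test (distance between consecutive sign-ins divided by the time between them), and the "normal activity patterns" case becomes a comparison against a per-user baseline of countries and sign-in hours. This is an added example, not code from the article or from Varonis; the sign-in records, the user names and the approximate city coordinates are constructed, and the 900 km/h threshold and the 50 km metro-area allowance are assumptions to tune.

```python
"""Sign-in anomaly checks: impossible travel and departure from a user's baseline.

Added example, not code from the article or from Varonis. Sign-in records are
constructed; in practice the location fields come from your identity
provider's sign-in log enriched with IP geolocation.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def impossible_travel(signins, max_speed_kmh=900.0, min_km=50.0):
    """Consecutive sign-ins by one user that would require travelling faster than
    `max_speed_kmh`. Returns (user, from_country, to_country, speed_kmh) tuples."""
    by_user = defaultdict(list)
    for s in sorted(signins, key=lambda s: s["ts"]):
        by_user[s["user"]].append(s)
    hits = []
    for user, items in by_user.items():
        for prev, cur in zip(items, items[1:]):
            km = haversine_km(prev["geo"], cur["geo"])
            if km < min_km:          # same metro area; ignore geolocation jitter
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                hits.append((user, prev["country"], cur["country"], round(speed)))
    return hits


def build_baseline(history):
    """Per-user set of countries and UTC hours at which they normally sign in."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for s in history:
        base[s["user"]]["countries"].add(s["country"])
        base[s["user"]]["hours"].add(s["ts"].hour)
    return base


def baseline_deviations(signins, baseline):
    """Sign-ins from a country, or at an hour, never seen for that user before."""
    out = []
    for s in signins:
        b = baseline.get(s["user"])
        if b is None:
            out.append((s["user"], "no baseline for user"))
            continue
        if s["country"] not in b["countries"]:
            out.append((s["user"], f"new country {s['country']}"))
        if s["ts"].hour not in b["hours"]:
            out.append((s["user"], f"unusual hour {s['ts'].hour:02d}:00 UTC"))
    return out


# Constructed coordinates (approximate city centres) and sign-in records.
LONDON, MANCHESTER, NEW_YORK = (51.51, -0.13), (53.48, -2.24), (40.71, -74.01)
T0 = datetime(2020, 4, 7, 9, 0, 0)


def _signin(minutes, user, geo, country):
    return {"ts": T0 + timedelta(minutes=minutes), "user": user, "geo": geo, "country": country}


# Ten days of history: alice signs in from London around 09:00, 11:00 and 14:00;
# bob from Manchester around 09:00, 10:00 and 12:00.
HISTORY = (
    [_signin(-60 * 24 * d + m, "alice", LONDON, "GB") for d in range(1, 11) for m in (0, 120, 300)]
    + [_signin(-60 * 24 * d + m, "bob", MANCHESTER, "GB") for d in range(1, 11) for m in (0, 60, 180)]
)
TODAY = [
    _signin(0, "alice", LONDON, "GB"),
    _signin(40, "alice", NEW_YORK, "US"),     # 5,500+ km in 40 minutes: not possible
    _signin(0, "bob", MANCHESTER, "GB"),
    _signin(180, "bob", LONDON, "GB"),        # a train ride: fine
]

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(TODAY))
    print("baseline deviations:", baseline_deviations(TODAY, build_baseline(HISTORY)))
```

The two tests are deliberately independent: a token replayed from the attacker's own machine in the same country as the victim never trips the travel check, but it will usually show up as a new country, a new hour, or both, against a baseline built from a few weeks of that user's history.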
Command and control via phishing
Phishing remains a common attack vector and cybercriminals have now seized the opportunity to incorporate Covid-19 to make emails more convincing and trick users into clicking malicious links. Doing so will download a malware payload that enables the attacker to establish a connection to their command and control (C2) server. From here, they can begin rapidly escalating their attack to gain more privileges and infiltrate the network.
To block these attacks, monitor network behaviour that resembles a C2 connection. A deep inspection of all DNS and web proxy traffic can reveal malware that is attempting to hide communication in the normal flow of traffic.
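Two things give C2 traffic away in DNS and proxy logs even when it hides among normal lookups: a timer-driven implant calls home at near-constant intervals, and an implant that tunnels data over DNS has to put that data somewhere, so its query names carry long, high-entropy labels. The script below is an added example, not code from the article or from Varonis. The query records, client addresses and domain names are constructed, the registered-domain extraction is a deliberate simplification (last two labels, wrong for suffixes such as co.uk), and the thresholds are assumptions to tune against your own resolver's traffic.

```python
"""Two C2 indicators in DNS query logs: fixed-interval beaconing and
high-entropy subdomains typical of DNS tunnelling.

Added example, not code from the article or from Varonis. Query records are
constructed; the resolver log you have will need its own parser. Registered
domain is approximated as the last two labels, which is wrong for multi-label
public suffixes such as co.uk (use a public-suffix list in production).
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def registered_domain(qname):
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s):
    """Bits per character; 'www' is about 1.6, a 24-char hex blob is close to 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def beaconing_pairs(queries, min_queries=10, max_cv=0.1):
    """(client, domain) pairs whose inter-query intervals are nearly constant.
    The coefficient of variation (stdev / mean) of the gaps is the regularity
    score: human-driven traffic scores far above 0.1, timer-driven implants below."""
    times = defaultdict(list)
    for q in sorted(queries, key=lambda q: q["ts"]):
        times[(q["client"], registered_domain(q["qname"]))].append(q["ts"])
    hits = []
    for key, ts in times.items():
        if len(ts) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(key)
    return sorted(hits)


def tunnel_suspects(queries, min_label_len=20, min_entropy=3.0, min_queries=5):
    """(client, domain) pairs with many long, high-entropy leftmost labels:
    data is being encoded into the query names themselves."""
    per_pair = defaultdict(list)
    for q in queries:
        label = q["qname"].split(".")[0]
        per_pair[(q["client"], registered_domain(q["qname"]))].append(label)
    hits = []
    for key, labels in per_pair.items():
        odd = [l for l in labels if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(odd) >= min_queries:
            hits.append(key)
    return sorted(hits)


# Constructed sample query log.
T0 = datetime(2020, 4, 8, 10, 0, 0)


def _q(seconds, client, qname):
    return {"ts": T0 + timedelta(seconds=seconds), "client": client, "qname": qname}


BLOB = "a1b2c3d4e5f6a7b8c9d0e1f2"  # stand-in for an encoded payload chunk
SAMPLE_QUERIES = (
    # 10.0.0.5: a 60-second timer with +/-1 s of jitter, 20 queries to one host.
    [_q(60 * i + (i % 3 - 1), "10.0.0.5", "update.example-cdn.test") for i in range(20)]
    # 10.0.0.6: a person browsing; irregular gaps to assorted names.
    + [_q(s, "10.0.0.6", n) for s, n in
       [(0, "www.news.test"), (7, "static.news.test"), (310, "mail.corp.test"),
        (322, "www.news.test"), (1200, "cdn.video.test"), (1201, "www.video.test"),
        (2900, "mail.corp.test"), (2905, "www.news.test"), (4000, "static.news.test"),
        (4003, "cdn.video.test"), (4010, "www.news.test")]]
    # 10.0.0.7: rotating high-entropy labels under one domain, one every few seconds.
    + [_q(3 * i, "10.0.0.7", f"{BLOB[i:] + BLOB[:i]}.files-sync.test") for i in range(8)]
)

if __name__ == "__main__":
    print("beaconing:", beaconing_pairs(SAMPLE_QUERIES))
    print("tunnelling:", tunnel_suspects(SAMPLE_QUERIES))
```

Both checks score a (client, domain) pair rather than a single query, which is what lets them see through traffic that is individually unremarkable; the same interval statistic applies unchanged to web-proxy logs keyed on (client, destination host).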
If an attacker slips through the net, behavioural analytics is one of the best ways to spot a compromised account before the attacker gains momentum.
Not every cyber-threat originates from outside the business. Some of the most dangerous threats originate from malicious insiders who actively seek to undermine the business for profit or due to a personal vendetta. We also often encounter insiders who harvest data to feather their nest ahead of a move to another company, often without realising they are doing anything wrong.
To mitigate the threat, firms should first ensure they have a strong handle on the location of all sensitive data and the accounts that have permission to access it. From here, they can detect unusual activity: in one recent instance, an employee at a manufacturing firm was using a service account to browse emails that should have been out of bounds to them. We were able to determine who had been using the service account and trace the activity back to their machine.
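The service-account case above comes down to joining two sources: mailbox audit records tell you that a non-human account read someone else's mail through an interactive client, and workstation logon events tell you which machine the access came from and who was sitting at it. The following is an added example, not code from the article or from Varonis. The audit and logon records are constructed simplifications of Exchange mailbox audit entries and Windows logon events, the account and host names are made up, and the list of clients each service account is expected to use is an assumed policy.

```python
"""Service accounts browsing mailboxes interactively, traced back to a
workstation and the person logged on to it.

Added example, not code from the article or from Varonis. Event shapes are
constructed simplifications of Exchange mailbox audit records and Windows
logon events; map the field names to your own sources.
"""
from datetime import datetime, timedelta

SERVICE_ACCOUNTS = {"svc-backup", "svc-mailsync"}
# Clients each service account is expected to use (constructed policy).
EXPECTED_CLIENTS = {"svc-mailsync": {"ExchangeWebServices"}, "svc-backup": set()}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RDP, cached credentials
# Mailbox audit operations that amount to a human-style read of a mailbox.
READ_OPERATIONS = {"FolderBind", "MessageBind", "MailItemsAccessed"}


def suspicious_mailbox_reads(audit):
    """Reads by a service account through a client it is not expected to use."""
    out = []
    for e in audit:
        actor = e["actor"]
        if actor not in SERVICE_ACCOUNTS or e["operation"] not in READ_OPERATIONS:
            continue
        if e["client"] in EXPECTED_CLIENTS.get(actor, set()):
            continue
        out.append(e)
    return out


def attribute_to_workstation(event, logons, window=timedelta(hours=2)):
    """Find the host behind the client IP and the interactive, non-service users
    logged on to it within `window` before the access. Returns (host, [users])."""
    host = None
    people = set()
    for l in logons:
        if l["ip"] != event["client_ip"]:
            continue
        host = l["host"]
        if (l["logon_type"] in INTERACTIVE_LOGON_TYPES
                and l["account"] not in SERVICE_ACCOUNTS
                and event["ts"] - window <= l["ts"] <= event["ts"]):
            people.add(l["account"])
    return host, sorted(people)


def investigate(audit, logons):
    """Join the two sources: each suspicious read with its host and likely operator."""
    findings = []
    for e in suspicious_mailbox_reads(audit):
        host, people = attribute_to_workstation(e, logons)
        findings.append((e["actor"], e["mailbox"], e["client"], host, people))
    return findings


# Constructed sample data.
T0 = datetime(2020, 4, 9, 10, 0, 0)
MAILBOX_AUDIT = [
    # Scheduled sync job using its expected client: not flagged.
    {"ts": T0, "actor": "svc-mailsync", "mailbox": "shared-ops@corp.example",
     "operation": "MailItemsAccessed", "client": "ExchangeWebServices", "client_ip": "10.0.9.1"},
    # Backup account reading the finance director's mailbox through Outlook Web App.
    {"ts": T0 + timedelta(minutes=5), "actor": "svc-backup", "mailbox": "fd@corp.example",
     "operation": "FolderBind", "client": "OWA", "client_ip": "10.0.5.22"},
    {"ts": T0 + timedelta(minutes=6), "actor": "svc-backup", "mailbox": "fd@corp.example",
     "operation": "MessageBind", "client": "OWA", "client_ip": "10.0.5.22"},
    # Ordinary user reading their own mail.
    {"ts": T0 + timedelta(minutes=7), "actor": "erin", "mailbox": "erin@corp.example",
     "operation": "MailItemsAccessed", "client": "Outlook", "client_ip": "10.0.5.40"},
]
LOGONS = [
    {"ts": T0 - timedelta(minutes=65), "account": "dave", "host": "WS-117", "ip": "10.0.5.22", "logon_type": 2},
    {"ts": T0 + timedelta(minutes=4), "account": "svc-backup", "host": "WS-117", "ip": "10.0.5.22", "logon_type": 3},
    {"ts": T0 - timedelta(minutes=30), "account": "erin", "host": "WS-140", "ip": "10.0.5.40", "logon_type": 2},
]

if __name__ == "__main__":
    for actor, mailbox, client, host, people in investigate(MAILBOX_AUDIT, LOGONS):
        print(f"{actor} read {mailbox} via {client} from {host}; logged-on users: {people}")
```

The prerequisite the paragraph names, knowing where the sensitive mailboxes and data live and which accounts may touch them, is what turns `EXPECTED_CLIENTS` and `SERVICE_ACCOUNTS` from guesswork into policy; without that inventory the join still works but you cannot say which of its results matter.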
As remote working continues to be the new normal, cybercriminals will continue refining their strategies. A more fractured remote workforce is harder to secure, especially for firms that have made the shift quickly and raced to get their employees up and running.
However, by tracking the methods used by cybercriminals, organisations can concentrate their efforts on securing the key areas that will most effectively mitigate risks. Closely monitoring network traffic and user behaviour in real time will provide an edge in identifying attacks before they can escalate.
Matt Lock, Technical Director UK, Varonis