Cybercriminals are experts at making the most of whatever they’re given. The current pandemic is no different, and they have been quick to profit from their victims’ fears. Adaptability has always been the hallmark of malicious actors, and the proliferation of “remote-everything” attacks is a prime example of the nimbleness of the cybercrime ecosystem. To survive, organizations must be able to match and exceed that agility.
How are bad actors manifesting their natural agility in the current environment? FortiGuard Labs has seen a substantial increase in viruses over the last quarter. During the first quarter of 2020, for example, we documented a 17 percent increase in viruses in January, a 52 percent increase in February, and an alarming 131 percent increase in March when compared to the same months in 2019. Many of these are included in a related spike in malicious phishing attachments, of which we have documented an average of about 600 new attacks every day.
Interestingly, there has been a corresponding drop in more traditional attack methods. For example, during the first quarter, there was a reduction of botnets per month, by 66 percent, 65 percent and 44 percent, compared to the same time period in 2019. Likewise, IPS-based triggers also dropped by 71 percent in January and 58 percent in March compared to 2019, with a slight uptick in February. This suggests that cybercriminals are adjusting their attack strategies in order to take advantage of the current crisis.
What Are Cybercriminals Doing?
Though they begin with phishing, these attacks have a goal of either stealing the end user’s personal information, or even targeting businesses through their new teleworkers. That’s why the majority of these phishing attacks contain malicious payloads – including ransomware, viruses and remote access trojans (RATs) designed to provide criminals with remote access to endpoint systems, and even Remote Desktop Protocol (RDP) exploits.
There has been a tremendous increase in the latter, which few corporate IT entities generally allow. The fact that RDP attacks are on the rise, then, means that hackers are likely looking for hastily erected IT infrastructures intended to enable remote work, which may include the use of remote-desktop access tools without deploying equivalent web application firewalls or endpoint detection and response (EDR) solutions.
The security situation is hampered further by the fact that, due to the pace at which this transition to telework took place, not all organizations were able to procure enough laptops for every employee who now needs to work remotely. As a result, many teleworkers are using their personal devices to connect into the corporate network. And those devices – which are also being used for things like social media, shopping and streaming entertainment – are generally far less protected by desktop security and endpoint-protection solutions than corporate devices, which means that they are far more vulnerable to the malware being pushed by these new phishing attacks.
Because these devices are all connected to the home network, they don’t even need to be attacked directly. Instead, attackers have multiple avenues of attack that can be exploited. This includes other computers, tablets, gaming and entertainment systems, and even online internet of things (IoT) devices such as digital cameras, smart appliances and smart home tools – like doorbells, alarm systems, climate-control devices and smart lighting. The ultimate goal is finding a way back into a corporate or school network and its valuable digital resources.
What Can We Do?
To remain viable long-term, organizations must remain secure. Here are three essential steps in the battle to keep remote workers – and your network – safe.
Training and continuous education: With the sudden surge in remote work, cybersecurity education is more important than ever. Train your remote workers – and their families – about things like phishing and malicious websites and how to stop them. Give them a basic understanding of today’s threat landscape, including common tricks and strategies used by cybercriminals; a familiarity with essential cybersecurity concepts; and an introduction to critical security principles and technologies. This will help employees understand the threats they may face, especially now that so many more people may be accessing the internet from the same home network. Encourage the concept of cyber-distancing by staying wary of suspicious requests, unknown attempts and contact, and unsolicited information. And this isn’t just a point-in-time type of requirement; regular training centered on cybersecurity hygiene should be a part of standard operations.
Endpoint protection: Adding an EDR solution to end-user devices can go a long way toward protecting your network. A good EDR solution provides both pre-infection and post-infection defenses to keep endpoints – and your network – free from malicious malware. It does this by providing antivirus capabilities (often tied to the kernel) on the front end, combined with the ability to stop advanced attacks in real time, even if the endpoint has been compromised, by detecting, defusing and remediating live incidents.
Using AI and automation: Automation and artificial intelligence offer a way to supplement human cybersecurity teams and staffs that are already crunched for time. With an advanced AI-based solution in place, files and URLs can be rapidly analyzed and labeled as clean or malicious – which helps security teams then quickly determine where they need to put their focus. Automating time-consuming manual investigations allows teams to identify and classify threats in real-time so they can then be remedied quickly – ideally before they cause extensive damage. What’s more, while traditional cybersecurity threats continue to advance, cybercriminals are also looking to develop and launch more sophisticated, AI-based attacks. To keep pace, organizations need to fight fire with fire.
Cybercriminals are making the most of this pandemic, ratcheting up the volume and variety of attacks to prey on the fearful and inexperienced during uncertain times. But organizations aren’t helpless. By practicing ongoing good cyber-hygiene, keeping abreast of the latest threat intelligence, and by implementing the above recommendations, you can emerge stronger and more agile than ever before.
Derek Manky is Chief of Security, Insights & Global Threat Alliances, FortiGuard Labs.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.