Information technologies have let us adapt quickly to new conditions. Now that we are working entirely online and remotely, we face new challenges and risks. The reasons are clear: we get distracted, we lose direct contact with colleagues, and we are still getting used to new tools, processes, and ways of working. This is reflected in the threats we see.
The main threats we have observed in the last few months are the following:
- Ransomware – the type of malware that holds access to important data and systems to ransom by encrypting them.
- Stolen or brute-forced credentials – our usernames and passwords for the company email, cloud services, VPN, and other services, in the wrong hands.
- Phishing – attacks that aim at manipulating us to share information or perform another type of action.
- Misconfigurations and missed software updates – postponing software updates that fix weaknesses in operating systems and applications, as well as mistakes in the way we configure services and devices.
And now let us discuss them in more detail.
Ransomware is a type of malware (just like viruses and trojans, for example) that demands a ransom once it has encrypted important data or restricted access to applications and systems. The first encounters with ransomware date back to the late 1980s. In the last 7 years, however, ransomware has affected more and more organizations – large and small, public and private. The methods used by the people and groups behind this type of attack have also changed: they often threaten to leak the organization's data if it does not pay the requested ransom. This has recently been the case with Dussmann Group, for example.
Ransomware can cause great damage to any organization, regardless of its size. Losses can reach millions of Euro, as in the case of Norsk Hydro in 2019 or Garmin a few months ago. A small organization hit by ransomware, however, could quickly be forced out of the market unless it manages to swiftly regain access to its data and restore its operations.
The different ransomware families use a few vectors, or paths, to reach their goal. The main vector is malicious attachments or links to malicious files. These reach us not only by email but also through social media, chat applications, and SMS, for example. The second vector relies on unsecured Remote Desktop Protocol (RDP), which in legitimate scenarios allows us to control a remote workstation. There is a joke that gives another meaning to the RDP abbreviation – Ransomware Deployment Protocol. Exposed RDP opens the door wide for malicious actions: all it takes is a username and a password, and these may already be known or brute-forced. The third vector is compromised or malicious websites. They exploit vulnerabilities in our browsers or operating systems – we just need to visit them for the malicious code to be executed, without our knowledge. Or we can be tricked into executing it ourselves, by following on-site instructions to apply an update to our browser, for example.
Stolen or brute-forced credentials
More than 89% of attacks rely on stolen or brute-forced credentials. These may be the credentials for our company email, for web applications and services (Google Drive, Dropbox, Salesforce), for remote access VPN and, as mentioned above, for RDP.
Malicious people and groups can obtain them in several ways. For example, we make it easy for them by reusing the same weak passwords over and over again with different services. Our password leaks once (because a forum got breached) and our company email, protected by the same password, is open to them. We may also voluntarily share our Office365 or Google Workspace password, following the instructions of a phishing email.
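Brute-forced and reused credentials leave a trace that a defender can look for: bursts of failed logons from one source, sometimes followed by a success. The script below is an added example, not part of the original publication; it runs over constructed remote-access log lines (the format, usernames and addresses are invented for illustration) and flags sources that reach a failure threshold inside a short window, noting whether a logon then succeeded from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (invented for this example, not real data): a
# remote-access service recording timestamp, outcome, username and source address.
SAMPLE_LOG = """\
2020-10-05T08:00:01Z FAILED user=admin src=203.0.113.7
2020-10-05T08:00:03Z FAILED user=admin src=203.0.113.7
2020-10-05T08:00:04Z FAILED user=administrator src=203.0.113.7
2020-10-05T08:00:06Z FAILED user=backup src=203.0.113.7
2020-10-05T08:00:09Z FAILED user=jsmith src=203.0.113.7
2020-10-05T08:00:11Z SUCCESS user=jsmith src=203.0.113.7
2020-10-05T08:15:00Z FAILED user=mlee src=198.51.100.4
2020-10-05T09:30:00Z SUCCESS user=mlee src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, src) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: {"failures", "users", "success_after"}} for every source that
    produces at least `threshold` failed logons within `window`. success_after is True
    when a successful logon from that source follows the burst (likely guessed password)."""
    events = defaultdict(list)
    for ts, outcome, user, src in parse(log_text):
        events[src].append((ts, outcome, user))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, outcome, user in evs if outcome == "FAILED"]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f[0] - fails[i][0] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1][0]
                success_after = any(o == "SUCCESS" and ts >= last_fail for ts, o, _ in evs)
                alerts[src] = {"failures": len(burst),
                               "users": sorted({u for _, u in burst}),
                               "success_after": success_after}
                break
    return alerts
```

A single failed logon from an address (the second source in the sample) is normal user behaviour and is not reported; only the first source crosses the threshold.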
That is why phishing is one of the main threats we focus on today. As a social engineering attack, it aims at exploiting our weaknesses (getting distracted, being lured by a sense of urgency or a tempting offer) to trigger a desired action – executing the attached file, for example. Phishing attacks can use many channels apart from email – phone calls, social media, and chat messages, just to name a few.
Some phishing scenarios rely on the fact that we are away from the office and things do not always work without issues. In such situations a request by a colleague from IT to change a password or open the attached configuration file may not seem out of the ordinary. Other scenarios try to satisfy our desire to know more about the pandemic and potential solutions.
Misconfigurations and missed software updates
Along with the mistakes we make as human beings, misconfigurations and software vulnerabilities increase malicious actors' chance of success. One such example is unprotected Remote Desktop Protocol services, as mentioned earlier in this publication. Another example is missed updates of operating systems and applications. We postpone and miss them for a myriad of reasons – we do not have access to all systems, or the infrastructure is complex and updating takes more time. There are also significant gaps in the way publicly accessible systems and services (such as web servers, websites, and apps) are secured.
To this already complex situation we add home routers – our gateway to both life and work on the internet today. They are less secure than the devices we use in the company environment. At the same time, we do not care enough about them: we rarely check for firmware updates and do not disable unnecessary services on them.
With this publication, we wanted to discuss the nature of the main threats we see today, while we work from home in an environment of distraction, fear, and inconvenience.
If you are curious to learn about the main security measures that are important and applicable to any organization, make sure to download our free cybersecurity guide here.